amazon-web-servicesaws-organizationsaws-control-tower

How can I add AWS QuickSight access to the SCPs controlled by Control Tower?


I'm using AWS Control Tower for the first time to setup an new environment. I need to provide an organizational unit with access to QuickSight. Under AWS Organization I found an SCP named aws-guardrails-oFLbdq which Deny's access to a list of services so I edited this, adding "quicksight:*" to the list of "NotAction" services. This edit allowed me access to QuickSight.

However - AWS Control Tower is now reporting the following:

AWS Control Tower has detected drift in one or more preventive controls. A managed SCP was deleted, detached, or modified, so AWS Control Tower cannot enforce control compliance for accounts in OU... To fix this, re-register the OU.

I've looked at the documentation but I can't work this out. Can someone tell me how I can allow QuickSight access for a specific Organizational Unit without upsetting Control Tower?

Things I've tried:

I created a new SCP with the following policy, then I attached it to the OU. But it didn't work - I still see a 'not authorized to perform: quicksight:DescribeAccountSubscription on resource: arn:aws:quicksight:... with an explicit deny in a service control policy':

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "quicksight:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}

Solution

  • Looking at the SCP which I'd tried to edit, I noticed it had "Sid": "GRREGIONDENY". I traced this identifier to the AWS-GR_REGION_DENY control in the AWS Control Tower Controls Library.

    The control has this description:

    Disallows access to unlisted operations in global and regional services outside of the specified Regions. To configure the Region deny control, go to the Landing zone settings page and select Modify settings. When enabled, the Region deny control applies to the entire landing zone and all registered OUs. It cannot be configured for individual OUs

    This caused me to head to the Landing Zone settings

    In the Landing zone settings I noted that the 'Region deny setting' was enabled with no apparent configuration options that might allow me to modify the SCP. I took the following steps: