Issue #278 is really no longer applicable and W41 should be removed. All S3 buckets encrypt objects by default with the SSE-S3/AES256 algorithm if no encryption is specified when the bucket is created.
This also creates an issue with CloudFormation templates that will be deployed in the Security OU created by AWS Control Tower because the elective control AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED is enabled by default in that account. Having that control puts an explicit deny on s3:PutEncryptionConfiguration for everyone except the Control Tower service role. So CloudFormation templates that conform to this rule will fail in the Security OU, whereas non-conforming templates will succeed and still result in encrypted buckets.
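The two template shapes the issue describes, as an added example (not code from the cfn_nag project or from the issue author). Bucket logical names are placeholders; the first resource is what W41 asks for and is the one that needs s3:PutEncryptionConfiguration at deploy time, the second is what W41 flags and what still ends up encrypted with SSE-S3 by default:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example, not part of the cfn_nag project. Two S3 buckets that behave
  differently when deployed in the Control Tower Security OU. Logical names
  are placeholders.

Resources:
  # Conforms to cfn_nag W41: BucketEncryption is set explicitly.
  # CloudFormation must call s3:PutEncryptionConfiguration to apply this
  # property after CreateBucket. Under AWS-GR_AUDIT_BUCKET_ENCRYPTION_ENABLED
  # that action is explicitly denied for every principal except the
  # Control Tower service role, so the stack rolls back in the Audit account.
  ExplicitlyEncryptedBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  # Fails W41 (no BucketEncryption property), but only s3:CreateBucket is
  # needed, so it deploys under the control. S3 still applies SSE-S3 (AES256)
  # as the bucket default, so objects are encrypted at rest either way.
  DefaultEncryptedBucket:
    Type: AWS::S3::Bucket
```

To see the contradiction locally, run `cfn_nag_scan --input-path template.yaml`; W41 is reported for DefaultEncryptedBucket only. After deploying the second resource, `aws s3api get-bucket-encryption --bucket <bucket-name>` returns a ServerSideEncryptionConfiguration with SSEAlgorithm AES256 even though the template never set one.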