AWS Config Resources with Control Tower

Question

I was trying to onboard 1 AWS account onto Control Tower but hit with an error saying AWS Config Recorder has already existed. In AWS Config, I have a number of Resources created using CloudFormation stack and are in use. I would like to ask, if I disable AWS Config Recorder (following the guide below), will the existing AWS Config Resources be retained or cause a drift to CloudFormation?

(Failure Error that Mentions AWS Config) https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

**(Failure Error that Mentions AWS Config)**
[https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html]()

Answer

Hello jinyou,

With the answer Kumar gave, I'd like to add one more on your question. When CT create a Config recorder, it store logs into the one of the S3 buckets Log account has and the name of the log file starts with "aws-controltower-logs-LOGACCOUNTID...". That means, your previous Config records will be remained at the S3 bucket where it's been created.

Hope this answer useful for you. :)  
Best regards,

Answer

**Delete the configuration recorder and delivery channel in all supported regions.**

> Disabling AWS Config is not enough, the configuration recorder and delivery channel must be deleted by means of the CLI. After you’ve deleted the configuration recorder and delivery channel from the CLI, you can try again to launch AWS Control Tower and enroll the account.

`[NOTE] If disabling AWS Config Resources create any impact on CT then re-enable it.`

References:
==========
* [1]https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html
* [2] https://repost.aws/questions/QU5Pr_IjaRR66ppfatJVZmUA/how-to-stop-or-disable-aws-config-recorder-in-control-tower
* [3] https://repost.aws/questions/QUG-5LSU5gQxCwUBO6U3UvvA/can-i-disable-config-in-control-tower

AWS Config Resources with Control Tower

References:

Contenido relevante