I get an error message on the AWS Control Tower console when I modify a service control policy (SCP) that's attached to the Security organizational unit (OU).
Short description
You receive the following error message on the AWS Control Tower console:
"A managed SCP was attached, deleted, detached, or modified on the OU Security (ou-xyzzxy). This action has compromised the shared accounts and their functionality. For example, the log archive and audit accounts may no longer be working because their permissions have changed.
Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning."
The preceding error message occurs when you modify an SCP in a multi-account environment for AWS Control Tower. You can customize SCPs to meet your organization's requirements, but governance drift occurs when you modify SCPs that AWS Control Tower manages. SCPs that you attach to the Security OU can initiate drift. Managed SCPs have identifiers that begin with aws-guardrails.
Note: The Security OU is formerly known as the Core OU.
Resolution
Reset or update your landing zone
To resolve this issue, reset or update your landing zone to restore your drifted resources to the saved AWS Control Tower configuration. The reset operation restores your landing zone to the last known configuration as defined in the manifest file and redeploys the correct SCPs based on your activated controls. For more information, see Detect and resolve drift in AWS Control Tower.
(Optional) Determine the cause of the drift
To identify the action or user that initiated the SCP modification, view the event history in AWS CloudTrail.
Search for the following API events:
- DeletePolicy
- AttachPolicy
- UpdatePolicy
- DetachPolicy
- DisablePolicyType
Note: To review API events beyond the 90-day period, query the CloudTrail trail log that captures events in the US East (N. Virginia) AWS Region of the management account in AWS Organizations. For more information, see Logging API calls with AWS CloudTrail for AWS Organizations.
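As an added example (not part of the AWS article), the following Python filters the `Events` list returned by `aws cloudtrail lookup-events` down to the five API events above and flags the calls that name the Security OU or a policy whose name starts with `aws-guardrails`. The event records are constructed sample data; the OU id `ou-xyzzxy` is the one shown in the error message, and the account ID and policy IDs are placeholders.

```python
import json

# API events the article says to search for in CloudTrail event history.
SCP_DRIFT_EVENTS = {"DeletePolicy", "AttachPolicy", "UpdatePolicy",
                    "DetachPolicy", "DisablePolicyType"}

def scp_drift_events(events, security_ou_id):
    """Filter lookup-events output to the Organizations calls that can drift
    the Security OU's managed SCPs, oldest first.

    Each item of `events` carries the raw record as the JSON string
    `CloudTrailEvent`. `managed` is True when the request names the Security
    OU or an aws-guardrails-* policy. DeletePolicy and DisablePolicyType carry
    no policy name, so they are kept for review with managed=None; resolve
    their policyId with describe-policy to confirm.
    """
    hits = []
    for ev in events:
        rec = json.loads(ev["CloudTrailEvent"])
        name = rec.get("eventName")
        if rec.get("eventSource") != "organizations.amazonaws.com" \
                or name not in SCP_DRIFT_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        if name in ("DeletePolicy", "DisablePolicyType"):
            managed = None
        else:
            managed = (params.get("targetId") == security_ou_id
                       or params.get("name", "").startswith("aws-guardrails"))
        hits.append({"time": rec.get("eventTime"), "event": name,
                     "actor": rec.get("userIdentity", {}).get("arn"),
                     "policyId": params.get("policyId"),
                     "targetId": params.get("targetId"), "managed": managed})
    return sorted(hits, key=lambda h: h["time"])

def _record(time, name, actor, params):
    """Build one constructed CloudTrail record in lookup-events shape (sample data)."""
    return {"EventName": name, "CloudTrailEvent": json.dumps({
        "eventTime": time, "eventSource": "organizations.amazonaws.com",
        "eventName": name, "userIdentity": {"arn": actor},
        "requestParameters": params})}

SAMPLE_EVENTS = [  # constructed sample data, not a real trail
    _record("2024-05-01T10:05:00Z", "UpdatePolicy", "arn:aws:iam::111122223333:user/alice",
            {"policyId": "p-examplea1b2", "name": "aws-guardrails-example", "content": "{}"}),
    _record("2024-05-01T10:01:00Z", "AttachPolicy", "arn:aws:iam::111122223333:user/alice",
            {"policyId": "p-examplec3d4", "targetId": "ou-xyzzxy"}),
    _record("2024-05-01T09:00:00Z", "DescribePolicy", "arn:aws:iam::111122223333:role/Auditor",
            {"policyId": "p-examplea1b2"}),
    _record("2024-05-01T09:30:00Z", "DeletePolicy", "arn:aws:iam::111122223333:user/bob",
            {"policyId": "p-examplee5f6"}),
]

if __name__ == "__main__":
    for hit in scp_drift_events(SAMPLE_EVENTS, "ou-xyzzxy"):
        print(hit)
```

To run it against real data, replace `SAMPLE_EVENTS` with the `Events` array from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=organizations.amazonaws.com` in the management account's US East (N. Virginia) Region.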