AWS Control Tower - Not Governed Regions

0

Hi all,

We are using AWS Control Tower to manage AWS accounts in our Landing Zone. Unfortunately, one of our principal regions (eu-south-1) isn't governed by Control Tower, so in this case we need to set up/create resources manually or using Terraform.

What we are trying to achieve is to set up a Terraform pipeline which will enable **AWS Config** and create some Config rules we usually use in the regions not governed by Control Tower.

But the main issue right now is the following statement of an SCP created by Control Tower to prevent any modifications to AWS Config within the AWS Organization:

    {
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      },
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Deny",
      "Sid": "GRCOXXXXXX"
    }

We tried to disable the Deny Regions feature in our Landing Zone, but with no success; the SCP is still there!!

Does anyone have an idea how to overcome this issue? Any help would be greatly appreciated.

Thanks

Peter

  • This SCP is applied by a Control Tower guardrail and not by the Deny Region feature. That guardrail is mandatory.

    I would try to temporarily assume the ControlTowerExecution role and set up whatever resources you need in that region. Just keep in mind that you would need to remove the Config setup once the region becomes available for governance under Control Tower.

  • Hey Anna, thanks for the comment. It seems the only way to do so is to assume the ControlTowerExecutionRole!! Anyway, I'm talking to our TAM to check if there are any other solutions.

Asked a year ago, 882 views
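The SCP statement quoted in the question can be evaluated offline to see exactly which callers it blocks. The following Python is an added example, not code from the question, the commenters or AWS: it implements the IAM `ArnLike` comparison (each of the six colon-delimited ARN components is matched separately, with `*` and `?` wildcards) and applies the quoted Deny statement to a few constructed principal ARNs and actions. The account id and the `TerraformPipeline` role name are constructed placeholders; the `Sid` is the placeholder the question gives. For an assumed role, `aws:PrincipalARN` carries the role's own ARN, so the last check shows that only a role named exactly `AWSControlTowerExecution` escapes the Deny.

```python
import re

# Condensed copy of the SCP statement quoted in the question.
# The Sid is the question's placeholder, not a real guardrail identifier.
CONFIG_GUARDRAIL = {
    "Sid": "GRCOXXXXXX",
    "Effect": "Deny",
    "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder",
    ],
    "Resource": ["*"],
    "Condition": {
        "ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
    },
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, text):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, text) is not None


def arn_like(pattern, arn):
    """ArnLike semantics: all six colon-delimited components must match independently."""
    pattern_parts = pattern.split(":", 5)
    arn_parts = arn.split(":", 5)
    if len(pattern_parts) != 6 or len(arn_parts) != 6:
        return False
    return all(_wildcard_match(p, a) for p, a in zip(pattern_parts, arn_parts))


def condition_holds(condition, principal_arn):
    """Evaluate ArnLike / ArnNotLike on aws:PrincipalARN, the only key this SCP uses."""
    for operator, key_values in condition.items():
        patterns = _as_list(key_values.get("aws:PrincipalARN", []))
        if not patterns:
            continue
        matched = any(arn_like(p, principal_arn) for p in patterns)
        if operator == "ArnLike" and not matched:
            return False
        if operator == "ArnNotLike" and matched:
            return False
    return True


def statement_denies(statement, principal_arn, action):
    """True when this Deny statement applies to the given principal and API action."""
    if statement.get("Effect") != "Deny":
        return False
    if not any(_wildcard_match(a, action) for a in _as_list(statement["Action"])):
        return False
    if not any(_wildcard_match(r, "*") for r in _as_list(statement["Resource"])):
        return False
    return condition_holds(statement.get("Condition", {}), principal_arn)


# Constructed sample principals (account id and pipeline role name are placeholders).
PIPELINE_ROLE = "arn:aws:iam::111122223333:role/TerraformPipeline"
CT_EXEC_ROLE = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
MISNAMED_ROLE = "arn:aws:iam::111122223333:role/AWSControlTowerExecutionRole"


def explain():
    """Summarise who is blocked from which action, as a list of (principal, action, denied)."""
    checks = [
        (PIPELINE_ROLE, "config:PutConfigurationRecorder"),
        (PIPELINE_ROLE, "config:DescribeConfigurationRecorders"),
        (CT_EXEC_ROLE, "config:PutConfigurationRecorder"),
        (MISNAMED_ROLE, "config:PutConfigurationRecorder"),
    ]
    return [(p, a, statement_denies(CONFIG_GUARDRAIL, p, a)) for p, a in checks]


if __name__ == "__main__":
    for principal, action, denied in explain():
        print(f"{'DENIED ' if denied else 'allowed'}  {action:<40} {principal}")
```

Only the seven write/delete actions listed in the statement are denied; read-only calls such as `config:DescribeConfigurationRecorders` pass through to normal IAM evaluation. The third and fourth rows show the caveat behind the accepted workaround: the exception is keyed on the exact role name `AWSControlTowerExecution`, so a role with a similar name (or a pipeline role in any account) is still blocked.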
1 answer
0

Hello. You need to remove that region from governance by your Control Tower landing zone. Go to AWS Control Tower in the console then find landing zone settings in the menu. Once there, click the modify settings button then remove the eu-south-1 region. Let me know if that fixes your issue.

AWS
Answered a year ago
  • Hi, actually eu-south-1 isn't among the list of regions that can be governed by Control Tower right now.
