AWS Control Tower - controls



I am implementing Controls (guardrails) with Control Tower. For example, I have enabled "Disallow Actions as a Root User" in one OU, so when I try to do something with the root user, it is not permitted; the SCP works. But I would like to know if logs for this access denied are stored somewhere, or if this generates some notifications.

Control Tower creates CloudTrail trails and CloudWatch Logs in all accounts, but I want to know in which accounts I should search for logs or events related to Control Tower guardrails and Config conformance packs.

When does the SNS topic created in the audit account send notifications?

Thank you.

1 answer


The account in question is the Log Archive account. When you set up your landing zone, one of the shared accounts created is the Log Archive account, dedicated to collecting all logs centrally, including logs for all of your other accounts. These log files allow administrators and auditors to review actions and events that have occurred. You can query the CloudTrail logs in the Log Archive from the Audit account using the role aws-controltower-AuditReadOnlyRole with Lambda to gain access to the logs in the Log Archive. The role assumes aws-controltower-ReadOnlyExecutionRole in the Log Archive account, granting read-only access. Notifications are usually for non-compliance through detective controls with AWS Config.

If you want to view activities in your Control Tower management account, you can navigate to the Activities Page. The Activities page shows all AWS Control Tower actions initiated from the management account. It includes actions that are logged automatically when you navigate through the AWS Control Tower console. See (

As for SNS notifications, to receive compliance change notifications in email sent to your audit account, subscribe to this Amazon SNS topic: arn:aws:sns:AWSRegion:AuditAccount:aws-controltower-AggregateSecurityNotifications. See: for more information on what SNS topics and notifications you can receive and other considerations.

Answered 9 months ago
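As an added example (not code from the answer above or from AWS), a small filter that picks root-user API calls denied by a service control policy out of CloudTrail records like the ones delivered to the Log Archive bucket. The sample records and the account id are constructed; the filter assumes the CloudTrail errorMessage for an SCP denial contains the phrase "service control policy", as AWS's access-denied messages do.

```python
# Constructed sample CloudTrail records (not real log data); the field names
# follow the CloudTrail record format and the account id is a placeholder.
SAMPLE_RECORDS = [
    {  # root user blocked by the "Disallow Actions as a Root User" SCP
        "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
        "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::111111111111:root is not authorized to perform: "
                        "ec2:RunInstances with an explicit deny in a service control policy",
    },
    {  # root user call that succeeded: no errorCode field at all
        "eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
        "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
    },
    {  # IAM user denied by an identity-based policy, not by an SCP
        "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
        "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev"},
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::111111111111:user/dev is not authorized to perform: "
                        "s3:DeleteBucket because no identity-based policy allows the action",
    },
]


def is_scp_denied_root_action(record: dict) -> bool:
    """True when a root-user API call was rejected by a service control policy."""
    identity = record.get("userIdentity") or {}
    message = record.get("errorMessage") or ""
    return (
        identity.get("type") == "Root"
        and record.get("errorCode") in ("AccessDenied", "AccessDeniedException")
        and "service control policy" in message
    )


def scp_denied_root_actions(records: list[dict]) -> list[dict]:
    """Reduce the matching records to the fields an auditor wants to review."""
    keys = ("recipientAccountId", "awsRegion", "eventSource", "eventName")
    return [{k: r.get(k) for k in keys} for r in records if is_scp_denied_root_action(r)]


if __name__ == "__main__":
    # With a real file, load json.load(gzip.open(path, "rt"))["Records"] instead.
    for hit in scp_denied_root_actions(SAMPLE_RECORDS):
        print(hit)
```

The same filter can be dropped into the Lambda the answer describes, running in the Audit account under aws-controltower-AuditReadOnlyRole, to raise an alert whenever a guardrail blocks the root user.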
