Control Tower SCP

0

I deployed Control Tower manually. Then I manually enabled multiple Controls on an OU under which my workload account sits. As soon as I deployed all the controls, I started getting multiple issues. It seems to be due to the control:

"[CT.CLOUDFORMATION.PR.1] Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry".

When I log in to the member account, I am not able to see any Role, user, policies etc. I get the errors below:

Access denied You don't have permission to iam:ListRoles. To request access, copy the following text and send it to your AWS administrator. Learn more about troubleshooting access denied errors.

Access denied You don't have permission to iam:ListUsers. To request access, copy the following text and send it to your AWS administrator. Context: with an explicit deny in a service control policy

Access denied You don't have permission to iam:ListPolicies. To request access, copy the following text and send it to your AWS administrator.

When I try to deploy a CloudFormation template I get errors: The following Hook(s) failed: [ControlTower::Guard::Hook]

If I try to disable the control CT.CLOUDFORMATION.PR.1, it says it can't disable this control because proactive controls are still active on this OU. That means I will have to disable all the proactive controls before disabling CT.CLOUDFORMATION.PR.1.

And I am not sure if this one is the cause of issue.

1 answer
0

This control restricts permissions to manage CloudFormation resources like IAM roles. When this control is enabled:

It prevents principals in child accounts from modifying or deleting IAM roles, including the AWSControlTowerAdmin role required by Control Tower.

This role is needed by Control Tower to deploy and manage resources across accounts using CloudFormation stack sets.

Without this role, Control Tower cannot perform its management functions and you will see access denied errors.

A few things you can try:

- Check if the AWSControlTowerAdmin role exists and has the correct trust policy in the affected accounts
- Temporarily disable the "[CT.CLOUDFORMATION.PR.1]" control and see if the issues clear up
- Refer to the AWS documentation on updating mandatory controls for the recommended process
- Open a support case with AWS if disabling the control does not resolve the problems

Expert
Answered 3 months ago
  • Thank you for your response. I believe you meant AWSControlTowerExecution. Yes, this role exists in the child account. I also get the error "Following Hook(s) failed [ControlTower::Guard::Hook]" when I try to deploy a CloudFormation template to provision resources.

    Control Tower doesn't allow me to simply disable the control [CT.CLOUDFORMATION.PR.1] as it is connected to all other proactive controls. So in order to disable this, I will have to disable all other proactive controls and then [CT.CLOUDFORMATION.PR.1], which is quite a hectic task, especially when I am not sure if this control is the culprit.
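The console messages quoted in the question say the deny comes from a service control policy, and SCPs apply from every OU between the account and the organization root, so the first step is to find which attached SCP statement covers the denied action. The following is an added example, not code from this thread or from AWS, that walks that chain and reports the matching Deny statements; the live lookup assumes boto3 credentials in the Organizations management account, and the sample SCPs are constructed for the offline run.

```python
"""Find which SCP statements explicitly deny an IAM action for an account."""
import fnmatch
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


def explicit_denies(policy_doc: dict, action: str) -> list:
    """Return the Sids of Deny statements in one SCP document that cover `action`.

    IAM action names are case-insensitive; `Action` wildcards (iam:List*, *) and
    `NotAction` denies (deny everything except the listed actions) are handled.
    Resource and Condition are ignored, so a conditional deny is reported too.
    """
    action = action.lower()
    hits = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            pats = [p.lower() for p in _as_list(stmt["Action"])]
            matched = any(fnmatch.fnmatchcase(action, p) for p in pats)
        else:
            pats = [p.lower() for p in _as_list(stmt.get("NotAction", []))]
            matched = not any(fnmatch.fnmatchcase(action, p) for p in pats)
        if matched:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def find_denying_scps(scps: dict, action: str) -> list:
    """Map {policy name: document} to [(policy name, Sid)] for every deny hit."""
    return [(name, sid) for name, doc in scps.items() for sid in explicit_denies(doc, action)]


def fetch_scps_for_account(account_id: str) -> dict:
    """Collect SCPs attached to the account, each ancestor OU and the root.

    Assumes boto3 and Organizations read access from the management account;
    boto3 is imported lazily so the offline matching above needs no AWS SDK.
    """
    import boto3
    org = boto3.client("organizations")
    scps, target = {}, account_id
    while target:
        for p in org.list_policies_for_target(TargetId=target, Filter="SERVICE_CONTROL_POLICY")["Policies"]:
            scps[p["Name"]] = json.loads(org.describe_policy(PolicyId=p["Id"])["Policy"]["Content"])
        parents = [] if target.startswith("r-") else org.list_parents(ChildId=target)["Parents"]
        target = parents[0]["Id"] if parents else None  # root ids start with "r-"
    return scps


SAMPLE_SCPS = {  # constructed sample policies, not the poster's real SCPs
    "FullAWSAccess": {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "ConstructedDenyIamRead": {"Statement": [
        {"Sid": "DenyIamList", "Effect": "Deny", "Action": ["iam:List*", "iam:Get*"], "Resource": "*"}]},
    "ConstructedAllowlist": {"Statement": [
        {"Sid": "DenyAllButS3Cfn", "Effect": "Deny", "NotAction": ["s3:*", "cloudformation:*"], "Resource": "*"}]},
}
```

Run `find_denying_scps(fetch_scps_for_account("123456789012"), "iam:ListRoles")` against a real account to see which attached policy produces the explicit deny; an empty result points away from SCPs and toward another policy type.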
