By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Control Tower Audit account

0

Hello, Is it possible to have 2 audit accounts in the same Control Tower. The idea behind this is one audit account to be responsible for some OUs and the "second" audit account to be responsible only for 1 OU.

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Control TowerAWS OrganizationsAWS Audit ManagerAWS Account Management
Language
English
George
asked 10 months ago875 views
2 Answers
0

The audit account is an account that is automatically added when ControlTower is activated.
I thought it would be difficult to create this for each OU.
https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#what-is-audit

The audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts, by means of a role that is granted to Lambda functions only. The audit account does not allow you to log in to other accounts manually. For more information about Lambda functions and roles, see Configure a Lambda function to assume a role from another AWS account.

profile picture
EXPERT
Riku_Kobayashi
answered 10 months ago
profile picture
EXPERT
Hiroki Takahashi
reviewed 10 months ago
  • George
    10 months ago

    I know how audit account works. The question was if is it possible to have 2 audit accounts beneath the same Control Tower setup. Since the "first" and default audit account is responsible for all accounts in your landing zone. I mean - if I setup and deploy all Cloudformation stack pointing to a different audit and a different log-archive account wouldn't that be a duplicate kind of a setup? Or is it possible anyway?

  • Riku_Kobayashi EXPERT
    10 months ago

    You probably won't be able to do what you want to do. I think you will get duplicate errors as you perceive them.

0

yes but it becomes a bit of a manual process. As the audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. . You would also need to ensure that you create the resources required in the new audit account that are specific for accounts in the new OU. https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#what-shared Additionally, you will need to use a solution like CfCT to apply changes to the OU and the accounts within it that are specific to the 2nd audit account. You can also create new trails if. The issue is that there would be duplication. Another option would be to simply have an OU created in organizations and not managed by CT... you can apply the same principles manually and not have duplication.

AWS
Tony Santiago - AWS
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content