Customization for Control Tower - error when enabling recommended control from proposed list

0

Hi, I've installed the CfCT solution for customizing the landing zone and it works fine with the example provided. The next step was to enable AWS::ControlTower::EnabledControl for some recommended controls using the CfCT solution. However, during the "CloudformationResource" pipeline step it fails. The error I get from the StackSet called is "ResourceLogicalId:RecommendedControlAWSGREC2VOLUMEINUSECHECK, ResourceType:AWS::ControlTower::EnabledControl, ResourceStatusReason:Resource handler returned message: "Organizational unit ou-xxxx-xxxxxxx is not registered with AWS Control Tower. (Service: AWSControlTower; Status Code: 404; Error Code: ResourceNotFoundException; Request ID: xxxxxxxx; Proxy: null)" (RequestToken: xxxxxxxx, HandlerErrorCode: NotFound)." I've tried using the "deployment_targets" set to OU and also to account numbers, but the error stays the same. The OU exists, is registered with the Organisation and has 2 accounts. Any ideas to correct this would be appreciated.

RoxTeo
asked 10 months ago · 344 views
2 Answers
0

It seems like there's an issue with AWS Control Tower recognizing the Organizational Unit (OU) for the deployment of the control. This could be due to a few reasons.

  1. The OU ID is not registered with Control Tower: Control Tower maintains its own management of OUs separate from AWS Organizations. Even if the OU exists and is recognized by AWS Organizations, if it hasn't been registered with Control Tower, you'll face this issue. Make sure to register the OU with Control Tower. You can verify it by logging into your AWS Management Console, navigating to Control Tower, and checking the Organizational Units under the "Organizational units" section. You can read more in the following documentation article: Register an existing organizational unit with AWS Control Tower

  2. The OU was not created through Control Tower: If the OU was created directly in AWS Organizations and not through the Control Tower console or the Control Tower account factory, this could be the cause of the issue. AWS Control Tower applies a set of guardrails and settings to the OUs and accounts it manages. If an OU is created directly through AWS Organizations, Control Tower might not recognize it. Read the following article if you are failing to register the OU: Common causes of failure during registration or re-registration

  3. There could be a delay in the Control Tower recognizing the OU: If you just created or registered the OU, there might be a delay in Control Tower recognizing it. You can wait for a while and try again.

If you have already verified the above and are still encountering issues, you might want to reach out to AWS Support for a more in-depth analysis. It's hard to pinpoint without a more detailed understanding of your environment.

If the answer is helpful, please click "Accept Answer" and upvote it.

EXPERT
answered 10 months ago
  • Thank you for the proposed solutions! Yes, I've already checked all the above. The OU was created and registered with CT more than a week ago. Also, the 2 AWS accounts were provisioned at the same moment. I'll reach out to AWS support.

0

It seems that the current deployment method "stack_set" does not take into consideration the enabling of recommended controls listed in the Control Tower console page. The CfCT solution deploys only CloudFormation stacks in the child accounts, but the AWS::ControlTower::EnabledControl needs to be made in the management account. The error shown in fact comes from the child accounts.

RoxTeo
answered 10 months ago
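As an added example (not code from this thread, nor from the CfCT solution), the following Python script performs the two checks this thread turns on before it tries to enable a control: whether the caller is the management account, where AWS::ControlTower::EnabledControl has to be created according to the second answer, and whether the target OU is registered with Control Tower, which is the first answer's check, exercised here through the Control Tower API rather than the console. It assumes boto3 `controltower` and `sts` clients with the `list_enabled_controls`, `enable_control` and `get_caller_identity` calls; the region, account id, OU ARN and the in-memory fake clients are constructed placeholders so the script runs offline.

```python
"""Pre-flight checks for AWS::ControlTower::EnabledControl.

Added example, not part of the re:Post thread or the CfCT project.
Region, account id, OU ARN and the Fake* clients are constructed placeholders.
"""
from __future__ import annotations

# Constructed placeholders; replace with values from your landing zone.
REGION = "eu-west-1"
MANAGEMENT_ACCOUNT_ID = "111111111111"
OU_ARN = "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-xxxx-xxxxxxxx"
CONTROL_NAME = "AWS-GR_EC2_VOLUME_INUSE_CHECK"  # the control named in the question


def control_arn(region: str, control_name: str) -> str:
    """ControlIdentifier format expected by the Control Tower API."""
    return f"arn:aws:controltower:{region}::control/{control_name}"


def error_code(exc: Exception) -> str:
    """AWS error code from a botocore ClientError (or any look-alike with .response)."""
    response = getattr(exc, "response", None) or {}
    return response.get("Error", {}).get("Code", "")


def ou_registered(ct_client, ou_arn: str) -> bool:
    """True if Control Tower manages the OU.

    ListEnabledControls only succeeds for a registered OU; an unregistered one
    raises ResourceNotFoundException, the same 404 the EnabledControl resource
    handler surfaced in the question.
    """
    try:
        ct_client.list_enabled_controls(targetIdentifier=ou_arn)
        return True
    except Exception as exc:  # botocore.exceptions.ClientError in practice
        if error_code(exc) == "ResourceNotFoundException":
            return False
        raise


def enabled_control_names(ct_client, ou_arn: str) -> set[str]:
    """Names of controls already enabled on the OU, following pagination."""
    names: set[str] = set()
    kwargs = {"targetIdentifier": ou_arn}
    while True:
        page = ct_client.list_enabled_controls(**kwargs)
        for item in page.get("enabledControls", []):
            names.add(item["controlIdentifier"].rsplit("/", 1)[-1])
        token = page.get("nextToken")
        if not token:
            return names
        kwargs["nextToken"] = token


def caller_is_management_account(sts_client, management_account_id: str) -> bool:
    """EnabledControl must be created from the management account, not a child."""
    return sts_client.get_caller_identity()["Account"] == management_account_id


def ensure_control(ct_client, sts_client, ou_arn: str, control_name: str,
                   region: str, management_account_id: str) -> str:
    """Run the checks in order; returns a short status string."""
    if not caller_is_management_account(sts_client, management_account_id):
        return "wrong-account"
    if not ou_registered(ct_client, ou_arn):
        return "ou-not-registered"
    if control_name in enabled_control_names(ct_client, ou_arn):
        return "already-enabled"
    ct_client.enable_control(controlIdentifier=control_arn(region, control_name),
                             targetIdentifier=ou_arn)
    return "enabled"


# ---- constructed fake clients so the example runs offline -------------------
class FakeClientError(Exception):
    """Mimics botocore ClientError's .response structure."""
    def __init__(self, code: str) -> None:
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


class FakeControlTower:
    def __init__(self, registered: bool, enabled: set[str]) -> None:
        self.registered, self.enabled, self.enable_calls = registered, set(enabled), []

    def list_enabled_controls(self, targetIdentifier: str, nextToken: str | None = None):
        if not self.registered:
            raise FakeClientError("ResourceNotFoundException")
        return {"enabledControls": [{"controlIdentifier": control_arn(REGION, n)}
                                    for n in sorted(self.enabled)]}

    def enable_control(self, controlIdentifier: str, targetIdentifier: str):
        self.enable_calls.append(controlIdentifier)
        self.enabled.add(controlIdentifier.rsplit("/", 1)[-1])
        return {"operationIdentifier": "op-constructed"}


class FakeSts:
    def __init__(self, account: str) -> None:
        self.account = account

    def get_caller_identity(self):
        return {"Account": self.account}


if __name__ == "__main__":
    # Child-account credentials reproduce the failure mode from the question.
    print(ensure_control(FakeControlTower(True, set()), FakeSts("222222222222"),
                         OU_ARN, CONTROL_NAME, REGION, MANAGEMENT_ACCOUNT_ID))
    # Unregistered OU is the 404 the StackSet reported.
    print(ensure_control(FakeControlTower(False, set()), FakeSts(MANAGEMENT_ACCOUNT_ID),
                         OU_ARN, CONTROL_NAME, REGION, MANAGEMENT_ACCOUNT_ID))
```

To run it against a real landing zone, replace the fakes with `boto3.Session(region_name=REGION).client("controltower")` and `.client("sts")` using management-account credentials; the status strings map directly onto the two causes discussed above, so a "wrong-account" result from the CfCT pipeline role is the signal that the stack_set method is executing in a child account.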
