If I fix Landing Zone drift, will it interrupt or break services?


When I logged into the Control Tower console I saw this message: "Landing zone drift detected A managed SCP was deleted, detached, or modified on the core OU Security, so shared accounts and their functionality are compromised. For example, the log archive and audit accounts may no longer be working because their permissions have changed.

Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning."

This must have happened more than three months prior as there is no specific indication in the logs. I do recall adding some older accounts to the OU/Control Tower that would probably not follow the designated SCPs, but other than that I cannot recall any specific actions taken.

If I push the "Repair" button, could it possibly introduce/enforce rules that could break existing functionality in my Accounts? I believe our Control Tower was originally Landing zone version 2.8. Version 3.2 is the current version.

mallen
asked 9 months ago, 330 views
1 Answer

Hello there,

From the description, I understood that you have encountered drift in your Landing Zone and you suspect that this must have happened more than 3 months ago. Therefore, you don't have access to the CloudTrail logs from prior to 3 months (90 days) in order to check the cause. You would like to repair the landing zone and would like to confirm whether repairing would break any existing functionality in your account.

When you click on "Repair" to repair the Landing Zone, Control Tower will try to update the landing zone, and during this process Control Tower will try to baseline the resources which help in governing the accounts and OUs. During this phase, Control Tower will try to attach the managed SCPs to the OUs in the Organization, and in case you have modified the managed SCPs, Control Tower will replace them with the original SCPs as they were prior to modification.

Moreover, Control Tower will not attach any custom SCPs to the OU on its own. If there are no custom SCPs which interfere with the functionality, then your existing functionality should not break.

The managed SCPs which Control Tower tries to attach are for restricting users from deleting or changing the resources created by Control Tower.

Further, if your present Control Tower Landing Zone version is 2.7 / 2.8, performing a repair will update Control Tower to the latest version, 3.2 [1]. The new Control Tower Landing Zone version will provide you the option to choose organization-level AWS CloudTrail trails, or to opt out of CloudTrail trails managed by AWS Control Tower. Control Tower will no longer create the IAM role aws-controltower-CloudWatchLogsRole and the CloudWatch log group aws-controltower/CloudTrailLogs in each enrolled account. Previously, it created these in each account for its account trail. With organization trails, it will only create one in the management account.

Moreover, if you opt for organization-level AWS CloudTrail logs, AWS Control Tower deletes the existing account-level trails for enrolled accounts after a 24-hour waiting period. AWS Control Tower does not delete account-level trails for unenrolled accounts. Going forward from landing zone 3.0, AWS Control Tower will no longer support account-level trails that AWS manages. Instead, AWS Control Tower creates an organization-level trail, which is active or inactive, according to your selection.

Please note: After you update to version 3.0 or later, you do not have the option to continue with account-level CloudTrail trails managed by AWS Control Tower.

Also, there have been a few changes introduced between Control Tower Landing Zone versions 2.7 and 3.2. I would request you to kindly go through these documents [2-5] to understand the new features.

References:

[1] https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#lz-3-2
[2] https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#lz-3-1
[3] https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-3.0
[4] https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-2.8
[5] https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-2.9

AWS
Subhash
answered 9 months ago
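Before pressing Repair it helps to know which SCPs are currently attached to each OU, since Repair re-attaches or restores Control Tower's managed SCPs and leaves custom ones alone. The following is an added example, not part of the answer above or of any AWS tooling; it assumes the boto3 Organizations calls list_roots, list_organizational_units_for_parent and list_policies_for_target, assumes that Control Tower managed SCP names begin with "aws-guardrails-", and uses a constructed stand-in client so it runs offline (pagination via NextToken is omitted for brevity).

```python
# Added example: inventory SCPs per OU so you can see what a landing zone
# Repair would touch. Pass boto3.client("organizations") for a real run.
MANAGED_PREFIX = "aws-guardrails-"  # assumed naming of Control Tower managed SCPs

def inventory_scps(org):
    """Walk every OU under every root; return {ou_name: {"managed": [...], "custom": [...]}}."""
    result = {}
    for root in org.list_roots()["Roots"]:
        stack = [root["Id"]]
        while stack:
            parent = stack.pop()
            for ou in org.list_organizational_units_for_parent(ParentId=parent)["OrganizationalUnits"]:
                stack.append(ou["Id"])  # descend into nested OUs
                pols = org.list_policies_for_target(
                    TargetId=ou["Id"], Filter="SERVICE_CONTROL_POLICY")["Policies"]
                names = [p["Name"] for p in pols]
                result[ou["Name"]] = {
                    "managed": sorted(n for n in names if n.startswith(MANAGED_PREFIX)),
                    "custom": sorted(n for n in names if not n.startswith(MANAGED_PREFIX)),
                }
    return result

def ous_missing_managed(inventory):
    """OUs with no managed SCP at all: the 'deleted or detached' drift case. Repair re-attaches these."""
    return sorted(name for name, v in inventory.items() if not v["managed"])

class FakeOrg:
    """Constructed stand-in for the boto3 Organizations client (sample data, not a real org)."""
    def __init__(self):
        self.ous = {"r-1": [{"Id": "ou-sec", "Name": "Security"}, {"Id": "ou-wl", "Name": "Workloads"}],
                    "ou-sec": [], "ou-wl": [{"Id": "ou-prod", "Name": "Prod"}], "ou-prod": []}
        self.scps = {"ou-sec": [{"Name": "DenyLeaveOrg"}],  # managed SCP detached -> drift
                     "ou-wl": [{"Name": "aws-guardrails-example"}, {"Name": "DenyRegions"}],
                     "ou-prod": [{"Name": "aws-guardrails-example"}]}
    def list_roots(self):
        return {"Roots": [{"Id": "r-1"}]}
    def list_organizational_units_for_parent(self, ParentId):
        return {"OrganizationalUnits": self.ous[ParentId]}
    def list_policies_for_target(self, TargetId, Filter):
        return {"Policies": self.scps[TargetId]}

if __name__ == "__main__":
    inv = inventory_scps(FakeOrg())
    for ou, v in inv.items():
        print(f"{ou}: managed={v['managed']} custom={v['custom']}")
    print("OUs where Repair will re-attach managed SCPs:", ous_missing_managed(inv))
```

Custom SCPs listed per OU are the ones to review against the restored managed policies, since Repair does not remove them.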
