By using AWS re:Post, you agree to the Terms of Use

Enabling AWS Configuration on Control Tower Main Account


Control Tower has been enabled and has a number of accounts setup under it. These accounts have all got AWS Config setup logging their changes to the Log Archive account central control tower bucket.

The Control Tower Main account however does not have AWS Config setup. Is there a way it can be setup to allow it to log to the control tower main buckets in the log archive account?

2 Answers

The Control Tower management account (along with the other shared accounts) are not intended to have custom changes deployed to them (1). The permissions and guardrails should generally prevent such changes, and working around these limitations to make changes may lead to issues with Landing Zone updates or account registration.

That said, API activity from the management account should be available in CloudTrail (2) for auditing purposes.

(1) : Best practices for AWS Control Tower administrators - Guidance for Creating and Modifying AWS Control Tower Resources

(2) : Monitoring Events with CloudTrail

answered 7 months ago
  • If im activating SecHub in the ControlTower Organization it send this as Finding. So what is the recommendation?


I agree. The reality is, with AWS Organizations and service interrogations along with AWS SSO you end up using the management account quite a lot, so feel it should be covered - especially to get a "whole platform" security posture. There is some sample code for the Security Reference Architecture that helps fill this gap:


answered 6 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions