The Control Tower management account (along with the other shared accounts) is not intended to have custom changes deployed to it (1). The permissions and guardrails should generally prevent such changes, and working around these limitations to make changes may lead to issues with Landing Zone updates or account registration.
That said, API activity from the management account should be available in CloudTrail (2) for auditing purposes.
(1) https://docs.aws.amazon.com/controltower/latest/userguide/best-practices.html#getting-started-guidance : Best practices for AWS Control Tower administrators - Guidance for Creating and Modifying AWS Control Tower Resources
(2) https://docs.aws.amazon.com/controltower/latest/userguide/cloudtrail.html : Monitoring Events with CloudTrail
I agree. The reality is, with AWS Organizations and service integrations along with AWS SSO you end up using the management account quite a lot, so I feel it should be covered - especially to get a "whole platform" security posture. There is some sample code for the Security Reference Architecture that helps fill this gap: https://github.com/aws-samples/aws-security-reference-architecture-examples/tree/main/aws_sra_examples/solutions/config/config_management_account
HTH
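As an added example for this thread (not the answerer's code, not AWS's and not the SRA repository's), the script below turns the two points above into a concrete check: is the management account's API activity captured by a multi-region organization CloudTrail trail that is actually logging, and does the account have an AWS Config recorder of its own (the gap the SRA config_management_account solution addresses). The assessment logic works on plain response dicts so it can be exercised offline against the constructed samples included here; the boto3 calls in `collect_live()` are real read-only API calls, but the trail name, account ID and ARN in the samples are made up for illustration.

```python
"""Assess a Control Tower management account's audit coverage: CloudTrail
organization trail health and presence of an AWS Config recorder.

Added example for this thread, not AWS or SRA code. Response shapes follow
CloudTrail DescribeTrails/GetTrailStatus and Config
DescribeConfigurationRecorders/DescribeConfigurationRecorderStatus/
DescribeDeliveryChannels; the SAMPLE_* values are constructed.
"""
from __future__ import annotations


def assess_trails(trails: list[dict], statuses: dict[str, dict]) -> list[str]:
    """`trails` is DescribeTrails()['trailList']; `statuses` maps TrailARN ->
    GetTrailStatus() response. Returns a list of gaps (empty == healthy)."""
    gaps = []
    org_trails = [t for t in trails if t.get("IsOrganizationTrail")]
    if not org_trails:
        return ["no organization trail: management-account API activity is not "
                "centrally captured"]
    for t in org_trails:
        name = t.get("Name", t.get("TrailARN", "?"))
        if not t.get("IsMultiRegionTrail"):
            gaps.append(f"{name}: not multi-region; API calls in other Regions are missed")
        if not t.get("IncludeGlobalServiceEvents"):
            gaps.append(f"{name}: global service events (IAM, STS, Organizations) excluded")
        if not statuses.get(t.get("TrailARN", ""), {}).get("IsLogging"):
            gaps.append(f"{name}: trail exists but is not logging")
    return gaps


def assess_config(recorders: list[dict], recorder_status: list[dict],
                  channels: list[dict]) -> list[str]:
    """Check that the account records its own configuration, not only that
    enrolled member accounts do."""
    gaps = []
    if not recorders:
        return ["no AWS Config recorder in this account"]
    status_by_name = {s["name"]: s for s in recorder_status}
    for r in recorders:
        name = r["name"]
        group = r.get("recordingGroup", {})
        if not group.get("allSupported"):
            gaps.append(f"{name}: recorder does not cover all supported resource types")
        if not group.get("includeGlobalResourceTypes"):
            gaps.append(f"{name}: global resource types (e.g. IAM) not recorded")
        if not status_by_name.get(name, {}).get("recording"):
            gaps.append(f"{name}: recorder is present but stopped")
    if not channels:
        gaps.append("no delivery channel: recorded items are not delivered to S3/SNS")
    return gaps


# Constructed samples (account ID and ARN are placeholders, not real resources).
_ARN = "arn:aws:cloudtrail:us-east-1:111111111111:trail/example-org-trail"
SAMPLE_TRAILS = [{"Name": "example-org-trail", "TrailARN": _ARN,
                  "IsOrganizationTrail": True, "IsMultiRegionTrail": True,
                  "IncludeGlobalServiceEvents": True}]
SAMPLE_TRAIL_STATUS = {_ARN: {"IsLogging": True}}
SAMPLE_RECORDERS = [{"name": "default",
                     "recordingGroup": {"allSupported": True,
                                        "includeGlobalResourceTypes": False}}]
SAMPLE_RECORDER_STATUS = [{"name": "default", "recording": False}]
SAMPLE_CHANNELS: list[dict] = []


def collect_live() -> tuple[list[str], list[str]]:
    """Run the same checks with the current credentials (assumed to be the
    management account, home Region). boto3 is imported here so the offline
    path needs no AWS SDK. All calls are read-only."""
    import boto3
    ct = boto3.client("cloudtrail")
    cfg = boto3.client("config")
    trails = ct.describe_trails(includeShadowTrails=False)["trailList"]
    statuses = {t["TrailARN"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    rec_status = cfg.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    channels = cfg.describe_delivery_channels()["DeliveryChannels"]
    return assess_trails(trails, statuses), assess_config(recorders, rec_status, channels)


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        trail_gaps, config_gaps = collect_live()
    else:
        trail_gaps = assess_trails(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS)
        config_gaps = assess_config(SAMPLE_RECORDERS, SAMPLE_RECORDER_STATUS, SAMPLE_CHANNELS)
    for g in trail_gaps + config_gaps:
        print("GAP:", g)
```

Run without arguments to see the checks against the constructed samples (the trail passes, the Config recorder reports three gaps); run with `--live` from a management-account session to assess the real account. Everything it calls is read-only, so it does not conflict with the guidance above about not deploying changes to the management account.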
If I'm activating SecHub in the Control Tower Organization it sends this as a finding. So what is the recommendation?