
How to disable Config Mandatory Control

0

There are some unimportant accounts that we want to disable Config recording on to minimize costs, so we were planning on adding exceptions to the mandatory control for Config so that we can disable the recording for specific accounts, as we are currently blocked by the SCP.

But this documentation https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-guidance.html recommends against modifying any resources created by Control Tower. So is there anything that we can do to bypass the SCP and disable Config recordings?

What does it mean by controls entering an unknown state if we modify an SCP attached to an OU in this doc? https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.html

1 Answer
7

1. Disabling Config Recordings for Specific Accounts

AWS Control Tower uses Service Control Policies (SCPs) to enforce governance and compliance across member accounts in your organization. If you want to disable AWS Config recordings for specific accounts, you generally need to manage this through SCPs. However, directly modifying SCPs attached to OUs (Organizational Units) managed by Control Tower is not recommended due to potential unintended consequences, such as controls entering an unknown state.

Understanding SCPs in AWS Control Tower:

**Service Control Policies (SCPs):** These are policy documents that specify the maximum permissions for AWS accounts in your organization. SCPs can either allow or deny access to AWS services or actions.

**Control Tower and SCPs:** AWS Control Tower uses SCPs to enforce governance and compliance. SCPs are applied at the organization root or specific OUs, controlling what actions accounts within those OUs can perform.

Addressing Your Concerns:

Bypassing SCPs for Config Recordings:

AWS Control Tower typically applies a set of SCPs that enforce AWS Config recordings to ensure compliance and governance.

Directly modifying these SCPs can lead to controls entering an unknown state, which means the expected governance and compliance mechanisms may no longer function correctly.

Alternative Approach:

Instead of modifying SCPs, consider adjusting AWS Config settings directly within each AWS account:

1. Log in to each AWS account where you want to disable Config recordings.

2. Navigate to AWS Config service settings and disable recording configurations.

This approach avoids modifying SCPs and their intended governance controls enforced by AWS Control Tower.

Risk and Compliance Considerations:

Disabling Config recordings may affect your ability to track and audit changes to AWS resources, impacting compliance and security auditing requirements. Ensure any changes align with your organization's risk management and compliance policies.

EXPERT
answered a year ago
  • Thanks for your response Kumar, but we cannot disable Config recordings by going into each individual account, as that action is explicitly denied by the SCP.
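The comment above says the per-account route is itself denied by the SCP. The following is an added example, not code from this thread or from AWS: it reads an SCP document offline and reports which Deny statements cover a given Config action for a given principal, so the blocking control can be identified before anything is modified. The sample SCP, its Sid and the exempt-role pattern are constructed assumptions, not AWS's managed policy text.

```python
import fnmatch
import json

# Constructed sample SCP shaped like a "disallow Config changes" control (not AWS's text).
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyConfigRecorderChanges",  # assumed Sid
            "Effect": "Deny",
            "Action": [
                "config:DeleteConfigurationRecorder",
                "config:StopConfigurationRecorder",
                "config:PutConfigurationRecorder",
            ],
            "Resource": "*",
            "Condition": {"ArnNotLike": {  # assumed exemption for the Control Tower role
                "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
        },
        {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def statement_covers(stmt, action):
    # True if the statement's Action / NotAction clause includes `action`.
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False

def _principal_exempt(stmt, principal_arn):
    # Only the condition shape used above is evaluated: ArnNotLike on aws:PrincipalARN.
    patterns = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
    return any(fnmatch.fnmatchcase(principal_arn, p) for p in _as_list(patterns))

def denying_statements(policy_json, action, principal_arn):
    """Sids of Deny statements that block `action` for `principal_arn`; empty means not denied here."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in _as_list(policy["Statement"])
            if s.get("Effect") == "Deny" and statement_covers(s, action)
            and not _principal_exempt(s, principal_arn)]
```

Run it against each SCP attached along the account's OU path (retrieved with the Organizations API) to see which statement denies `config:StopConfigurationRecorder` for your role; only the condition shape in the sample is evaluated, so extend `_principal_exempt` for other condition keys.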
