AWS Control Tower - Not Governed Regions

0

Hi all,

We are using AWS Control Tower to manage AWS Accounts in our Landing Zone. Unfortunately one of our principal regions (eu-south-1) isn't governed by Control Tower, so in this case we need to set up/create resources manually or using Terraform.

What we are trying to achieve is to set up a Terraform Pipeline which will enable **AWS Config** and create some Config Rules we usually use in the regions not governed by Control Tower.

But the main issue right now is the following statement of an SCP created by Control Tower to prevent any modifications to AWS Config within the AWS Organization:

    {
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      },
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Deny",
      "Sid": "GRCOXXXXXX"
    }

We tried to disable the Deny Regions feature in our Landing Zone but no success, the SCP is still there !!

Does anyone have an idea how to overcome this issue? Any help would be greatly appreciated.

Thanks

Peter

  • This SCP is applied by a Control Tower guardrail and not by the Deny Region feature. That guardrail is mandatory.

    I would try to temporarily assume the ControlTowerExecution role and set up whatever resources you need in that region. Just keep in mind that you would need to remove the Config setup once the region becomes available for governance under Control Tower.

  • Hey Anna, thanks for the comment. It seems the only way to do so is to assume the ControlTowerExecutionRole !! Anyway, I'm talking to our TAM to check if there are any other solutions.
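To see exactly which calls the quoted guardrail blocks and for which principals, the following added example (not part of the question or of any AWS-published code) evaluates the SCP statement from the question against a given principal ARN and action. It implements the IAM `ArnNotLike` rule of matching each of the six colon-delimited ARN components separately, so a `*` never spans a colon; the account id and the `terraform-pipeline` role name are constructed values for illustration.

```python
import re

# SCP statement exactly as quoted in the question (Sid value as it appears there).
SCP_STATEMENT = {
    "Condition": {
        "ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
    },
    "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder",
    ],
    "Resource": ["*"],
    "Effect": "Deny",
    "Sid": "GRCOXXXXXX",
}


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def arn_like(pattern, arn):
    """ArnLike semantics: each of the six colon-delimited components is matched on its own.

    The resource component (the sixth) may itself contain ':' and '/', so maxsplit=5 keeps
    it intact. Wildcards in one component cannot spill over into the next one."""
    p_parts = pattern.split(":", 5)
    a_parts = arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    return all(_wildcard_match(p, a) for p, a in zip(p_parts, a_parts))


def scp_denies(statement, principal_arn, action):
    """Return True if this single Deny statement applies to (principal, action).

    Note: for a role session, aws:PrincipalARN carries the role ARN
    (arn:aws:iam::<account>:role/<name>), not the STS assumed-role session ARN."""
    if statement.get("Effect") != "Deny":
        return False
    # Action names are matched case-insensitively, with wildcards allowed.
    if not any(_wildcard_match(a, action, ignore_case=True) for a in statement["Action"]):
        return False
    # ArnNotLike: the Deny applies only when the principal does NOT match any listed pattern.
    for key, pattern in statement.get("Condition", {}).get("ArnNotLike", {}).items():
        if key.lower() == "aws:principalarn" and arn_like(pattern, principal_arn):
            return False
    return True


def blocked_actions(statement, principal_arn, actions):
    """List which of the given actions the statement would deny for this principal."""
    return [a for a in actions if scp_denies(statement, principal_arn, a)]


if __name__ == "__main__":
    # Constructed sample principals: account id and pipeline role name are placeholders.
    ct_role = "arn:aws:iam::123456789012:role/AWSControlTowerExecution"
    pipeline_role = "arn:aws:iam::123456789012:role/terraform-pipeline"
    wanted = ["config:PutConfigurationRecorder", "config:PutDeliveryChannel", "config:PutConfigRule"]
    for principal in (ct_role, pipeline_role):
        print(principal, "blocked for:", blocked_actions(SCP_STATEMENT, principal, wanted))
```

Running it shows the point Anna makes in the comments: the pipeline role is denied `config:PutConfigurationRecorder` and `config:PutDeliveryChannel`, while the `AWSControlTowerExecution` role is exempt. It also shows that `config:PutConfigRule` is not in the statement's action list at all, so this particular guardrail only blocks the recorder, delivery channel and retention settings, not the Config rules themselves. A different SCP attached to the OU could still deny those, so the evaluation here covers only the statement quoted in the question.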

1 Answer
0

Hello. You need to remove that region from governance by your Control Tower landing zone. Go to AWS Control Tower in the console then find landing zone settings in the menu. Once there, click the modify settings button then remove the eu-south-1 region. Let me know if that fixes your issue.

AWS
answered a year ago
  • Hi, actually eu-south-1 isn't among the list of regions that can be governed by Control Tower right now.
