AWSControlTowerExecution recreation catch22

0

Long story short: while tidying up an account I deleted the AWSControlTowerExecution role, and now I'm unable to re-enrol the account, nor am I able to create the AWSControlTowerExecution role, as it is blocked by an SCP. I only see two options, as I need the exact name the account currently has. I still have CLI/console admin access to the account. The reason I need the name is for AFT, as the account in question is called AFT-Management. I only see three ways out:

  1. Delete the account, although I can't afford to wait 90 days
  2. Bypass the SCP somehow
  3. The name AFT-Management isn't a requirement of AFT

Any ideas?

Kyle R
asked 7 months ago, 174 views
2 Answers
1

Have you tried temporarily removing the SCP from the account (this is done in the Org Management account), re-creating the role and then re-applying the SCP to the account? There's no way to bypass the SCP other than removing it temporarily.

AWS
LondonX
answered 7 months ago
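The sequence LondonX describes, written out as AWS CLI calls run from the Organizations management account (an added example, not code from the post or from AWS). The account IDs, SCP ID and profile name are placeholders; the trust policy and the AdministratorAccess attachment are the documented shape of the AWSControlTowerExecution role.

```shell
#!/bin/sh
# Added example, not from the post: the steps LondonX suggests as AWS CLI calls.
# Placeholders (assumptions): MGMT_ACCOUNT_ID, MEMBER_ACCOUNT_ID, SCP_ID are the
# management account, the member account and the blocking SCP; MEMBER_PROFILE is
# a CLI profile holding admin credentials for the member account.
set -eu

ROLE_NAME="AWSControlTowerExecution"

# Trust policy the Control Tower execution role needs: only the management
# account may assume it. $1 = management account ID.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Detach the SCP, recreate the role in the member account, then re-attach the SCP.
# The SCP is re-attached even if the IAM steps fail, so the account is never left
# without the guardrail. $1 = mgmt account, $2 = member account, $3 = SCP ID,
# $4 = member-account CLI profile.
recreate_role() {
  mgmt="$1"; member="$2"; scp="$3"; profile="$4"
  # Organizations calls run with management-account credentials (default profile).
  aws organizations detach-policy --policy-id "$scp" --target-id "$member"
  status=0
  aws iam create-role --role-name "$ROLE_NAME" --profile "$profile" \
    --assume-role-policy-document "$(trust_policy "$mgmt")" || status=$?
  if [ "$status" -eq 0 ]; then
    aws iam attach-role-policy --role-name "$ROLE_NAME" --profile "$profile" \
      --policy-arn arn:aws:iam::aws:policy/AdministratorAccess || status=$?
  fi
  aws organizations attach-policy --policy-id "$scp" --target-id "$member"
  return "$status"
}

# Live calls only when asked for explicitly, so the file can be sourced and tested.
if [ "${1:-}" = "--run" ]; then
  recreate_role "$MGMT_ACCOUNT_ID" "$MEMBER_ACCOUNT_ID" "$SCP_ID" "$MEMBER_PROFILE"
fi
```

Run it as `MGMT_ACCOUNT_ID=... MEMBER_ACCOUNT_ID=... SCP_ID=... MEMBER_PROFILE=... sh recreate-role.sh --run` with management-account credentials in the default profile.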
1

Hello,

With console and CLI access to the account, you can try running the command below if the account is under an organization [1].

aws organizations list-accounts

The command will list all the accounts in an organization and their names under the 'Name' property.

Another way to get the full name of the account: click the account profile in the top-right corner of the console > under the drop-down menu, click the 'Account' option > then look for 'Full name' under Contact Information.

[1] https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts.html

AWS
SUPPORT ENGINEER
answered 7 months ago
