Hi, thank you for the question. Sounds like a tricky situation, but let's try and get you through it.
The Security OU (where the Audit and LogArchive accounts are) is a managed OU; this means Control Tower puts some very distinct controls on it to prevent modification of the resources it deploys. It also shouldn't allow you to provision an account into it, at least while using the Control Tower Account Factory. Did you create the account directly in AWS Organizations?
What would be recommended is that you create another OU such as "Security-Tooling" or similar. (It can help to follow the AWS multi-account whitepaper, https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/organizing-your-aws-environment.html). Make sure that OU is registered with Control Tower. Move this new account to that OU and enroll it in Control Tower. That enrollment process should enable AWS Config and set up aggregation of findings to the Audit account.
If AWS Config hasn't been enabled, I'm assuming it's not enrolled in Control Tower correctly. A thing to note is that if you want to create accounts in a Control Tower environment, use the Control Tower Account Factory rather than AWS Organizations directly. This ensures all of the Control Tower controls and configuration are applied to the account(s).
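The answer above says a correctly enrolled account should end up under the registered OU with AWS Config recording. The script below is an added example (not code from the answer's author or from AWS) that checks exactly those two symptoms with the Organizations and Config APIs: which parent the account sits under, and whether a Config recorder exists and is recording in the region being inspected. The account IDs, OU IDs, recorder name and role name in it are constructed placeholders; `live_clients` assumes you have a role in the member account that the management account can assume.

```python
"""Check whether a member account looks Control Tower-enrolled: correct parent OU
and an AWS Config recorder that is actually recording in this region."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple


@dataclass
class EnrollmentReport:
    account_id: str
    parent_ou_id: str
    config_recorder_present: bool
    config_recording: bool
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def check_enrollment(org_client: Any, config_client: Any,
                     account_id: str, expected_ou_id: str) -> EnrollmentReport:
    """org_client is called with management-account credentials,
    config_client with credentials for the member account itself."""
    parents = org_client.list_parents(ChildId=account_id)["Parents"]
    parent_id = parents[0]["Id"] if parents else ""

    recorders = config_client.describe_configuration_recorders()["ConfigurationRecorders"]
    statuses = config_client.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    recording = any(s.get("recording", False) for s in statuses)

    report = EnrollmentReport(account_id, parent_id, bool(recorders), recording)
    if parent_id != expected_ou_id:
        report.findings.append(
            f"account is under {parent_id or 'no parent'}, expected {expected_ou_id}")
    if not recorders:
        report.findings.append(
            "no AWS Config recorder in this region (enrollment baseline not applied)")
    elif not recording:
        report.findings.append("AWS Config recorder exists but is not recording")
    return report


def live_clients(member_account_id: str, role_name: str, region: str) -> Tuple[Any, Any]:
    """Build real boto3 clients. boto3 is imported lazily so the stub-based
    demo below runs without it. role_name is an assumption: whatever role in the
    member account your management account is allowed to assume."""
    import boto3  # noqa: E402
    org = boto3.client("organizations")
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{member_account_id}:role/{role_name}",
        RoleSessionName="enrollment-check")["Credentials"]
    config = boto3.client("config", region_name=region,
                          aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
    return org, config


class StubClient:
    """Stand-in for a boto3 client returning canned responses keyed by API name (constructed)."""
    def __init__(self, responses: Dict[str, dict]):
        self._responses = responses

    def __getattr__(self, name: str):
        if name not in self._responses:
            raise AttributeError(name)
        return lambda **kwargs: self._responses[name]


# Constructed sample responses: one account that enrolled cleanly, one that did not.
EXPECTED_OU = "ou-exm1-sectool1"
ENROLLED_ORG = StubClient({"list_parents": {"Parents": [{"Id": EXPECTED_OU, "Type": "ORGANIZATIONAL_UNIT"}]}})
ENROLLED_CONFIG = StubClient({
    "describe_configuration_recorders": {"ConfigurationRecorders": [{"name": "example-recorder"}]},
    "describe_configuration_recorder_status": {"ConfigurationRecordersStatus": [{"name": "example-recorder", "recording": True}]},
})
UNENROLLED_ORG = StubClient({"list_parents": {"Parents": [{"Id": "ou-exm1-security1", "Type": "ORGANIZATIONAL_UNIT"}]}})
UNENROLLED_CONFIG = StubClient({
    "describe_configuration_recorders": {"ConfigurationRecorders": []},
    "describe_configuration_recorder_status": {"ConfigurationRecordersStatus": []},
})


def sample_reports() -> Tuple[EnrollmentReport, EnrollmentReport]:
    """Run the check against both constructed scenarios."""
    return (check_enrollment(ENROLLED_ORG, ENROLLED_CONFIG, "111111111111", EXPECTED_OU),
            check_enrollment(UNENROLLED_ORG, UNENROLLED_CONFIG, "222222222222", EXPECTED_OU))


if __name__ == "__main__":
    for r in sample_reports():
        print(r.account_id, "OK" if r.ok else "; ".join(r.findings))
```

Run it as-is to see the two constructed scenarios; to inspect a real account, swap the stubs for `live_clients(...)` and check every region Control Tower governs, since the Config baseline is per region.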
Thank you for your reply.
Interestingly, we did use Account Factory to deploy the account into the Security OU. We use AF to deploy to the sandbox OU and a few others, and it does a great job of applying all the controls we have enabled. We are new to AWS and are just starting our journey, so it is entirely possible we missed something that should have been configured inside CT/AF to stop it from deploying into the Security OU.
I will follow your steps to create a new managed OU and get the account moved there instead.
Thanks.
