
Landing zone drift detected


I am getting "Landing zone drift detected" while accessing Control Tower, and the cause of this issue is listed as:

The core account, Log archive **** was removed from your organization in AWS Organizations. The core account, Audit (********), was removed from your organization in AWS Organizations. Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning.

I used Repair as suggested by the documentation, but it does not work.

1 Answer

Hi there,

You will need to manually repair your landing zone by re-inviting the shared accounts back to your organization.

See https://docs.aws.amazon.com/controltower/latest/userguide/external-resources.html#removed-shared-account

To restore a shared account using the AWS Control Tower and AWS Organizations consoles (Manual remediation)

1. Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/
2. You must sign in as an IAM user or role with the AWSOrganizationsFullAccess managed policy or equivalent.
3. Invite the shared account back to the organization. For information on the requirements, prerequisites, and procedure for inviting an account to AWS Organizations, see Inviting an AWS account to your organization in the AWS Organizations User Guide.
4. Sign in to the shared account that was removed, then go to https://console.aws.amazon.com/organizations/home#/invites to accept the invitation.
5. Sign in to the management account again.
6. Sign in to the AWS Control Tower console as an IAM user or role with the AWSControlTowerServiceRolePolicy managed policy or equivalent, and permissions to run all AWS Control Tower actions (controltower:*).
7. You'll see the Landing zone drift page with an option to repair the landing zone. Choose Repair to repair the landing zone.
8. Wait for the repair process to complete.

If remediation is successful, the shared account appears in a normal state and in compliance.

If the remediation steps don't restore the account, contact AWS Support.
answered 17 days ago
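An added example, not from the post or from AWS's documentation, that does with boto3 what steps 3 and 8 above describe in the console: it lists the organization's members to find which shared accounts (Log archive, Audit) are no longer active members, sends the organization invitation for each, and polls the landing zone's drift status so you know when Repair has finished. The shared-account name-to-ID mapping, the placeholder IDs and the injected clients are assumptions.

```python
"""Added example (not from the post or AWS docs): detect which Control Tower
shared accounts have left the organization and re-invite them, the API
equivalent of step 3 above. Clients are passed in so the logic is testable;
all account IDs below are constructed placeholders."""
from typing import Dict, List

def org_member_status(org) -> Dict[str, str]:
    """Map account ID -> Status for the whole organization (paginated)."""
    status, token = {}, None
    while True:
        page = org.list_accounts(**({"NextToken": token} if token else {}))
        status.update((a["Id"], a["Status"]) for a in page.get("Accounts", []))
        token = page.get("NextToken")
        if not token:
            return status

def removed_shared_accounts(org, shared: Dict[str, str]) -> List[str]:
    """Names of shared accounts (Log archive, Audit) that are not ACTIVE
    members; these are what the drift message reports as removed."""
    status = org_member_status(org)
    return sorted(n for n, acct in shared.items() if status.get(acct) != "ACTIVE")

def reinvite(org, account_id: str) -> str:
    """Send the organization invitation; returns the handshake ID. The removed
    account must still accept it (step 4) before Repair (step 7) can work."""
    resp = org.invite_account_to_organization(
        Target={"Id": account_id, "Type": "ACCOUNT"},
        Notes="Restoring AWS Control Tower shared account")
    return resp["Handshake"]["Id"]

def landing_zone_drifted(ct) -> bool:
    """True while any landing zone still reports driftStatus DRIFTED; poll
    this after Repair instead of guessing when step 8 is done."""
    for lz in ct.list_landing_zones().get("landingZones", []):
        zone = ct.get_landing_zone(landingZoneIdentifier=lz["arn"])["landingZone"]
        if zone["driftStatus"]["status"] == "DRIFTED":
            return True
    return False

if __name__ == "__main__":  # real run, from the management account
    import boto3
    shared = {"Log archive": "111111111111", "Audit": "222222222222"}  # placeholders
    org, ct = boto3.client("organizations"), boto3.client("controltower")
    missing = removed_shared_accounts(org, shared)
    print("drifted:", landing_zone_drifted(ct), "removed:", missing)
    for name in missing:
        print(name, "-> invitation handshake", reinvite(org, shared[name]))
```

The invitation only creates the handshake; the removed account still has to accept it (step 4) and you still trigger Repair from the Control Tower console (step 7).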
