2 Answers
0
Hi there,
When you deployed, did you opt in to allow Control Tower to manage CloudTrail for you?
You can check by navigating to the Control Tower service in the Management account, and clicking Landing Zone Settings from the left menu bar.
When you deploy Control Tower, you have the option to allow Control Tower to manage CloudTrail automatically, or you can manage it yourself. You can still opt in by
- Navigate to the Control Tower service in the management account
- Choose Landing Zone Settings on the left menu bar
- Choose Modify Settings
- Click Next to proceed to Step 2
- Under AWS CloudTrail configuration, choose Enabled
- Proceed through the rest of the steps.
Control Tower will then deploy an Organizational CloudTrail across all accounts in your landing zone and automatically manage settings.
0
Just to close the loop here - the errors actually resolved on their own after several days. I've opened a case with support to hopefully find out what might have caused them during that interim.
answered 10 months ago
Hi Matt-B, thanks for the prompt reply. Unfortunately I did opt in at setup and still ended up with this issue. Based on your feedback, I went through the process of Modify Settings, made no changes (since I was already opted in) and updated the landing zone. Unfortunately, the same state still persists (accounts enrolled, but noncompliant due to CloudTrail). Any further advice is appreciated.
If you login to the Audit account and go to CloudTrail do you see a trail called "aws-controltower-BaselineCloudTrail" with a status of "Logging"?
Thanks, Matt. When I attempt to switch role into the Audit account using "OrganizationAccountAccessRole" I receive the error "Invalid information in one or more fields." I am copy/pasting the Audit account number. Does Control Tower use a different default role than AWS Organizations?
Hi Matt - edit/update - I see now the role is AWSControlTowerExecution. Using this, I have switched to the Audit account and I do see "aws-controltower-BaselineCloudTrail" with a status of logging. Edit/update: I have also confirmed this in the Log account as well.
Additional detail - The only Control Tower setting that I used that was not default is: I enabled "Region deny control" - could this be the cause?
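The check Matt-B describes above (the trail "aws-controltower-BaselineCloudTrail" present with a status of Logging, reached via the AWSControlTowerExecution role) can be scripted so it is run across every enrolled account instead of by hand; the following is an added example and is not code from the thread or from AWS. It assumes management-account credentials are already in the environment and that the role and trail names are exactly as given in the thread.

```python
# Added example, not from the re:Post thread. Assumes the AWSControlTowerExecution
# role and the trail name aws-controltower-BaselineCloudTrail exactly as named in
# the thread, plus management-account credentials in the environment.
from dataclasses import dataclass
from typing import List, Optional

TRAIL_NAME = "aws-controltower-BaselineCloudTrail"
ROLE_NAME = "AWSControlTowerExecution"

# Constructed sample DescribeTrails entry (not captured from a real account).
SAMPLE_TRAILS = [{"Name": TRAIL_NAME,
                  "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/" + TRAIL_NAME}]


@dataclass
class TrailCheck:
    account_id: str
    found: bool
    logging: bool
    delivery_error: str

    @property
    def compliant(self) -> bool:
        # Trail present, status "Logging", and no delivery error reported.
        return self.found and self.logging and not self.delivery_error


def evaluate(account_id: str, trails: List[dict], status: Optional[dict]) -> TrailCheck:
    """Pure decision over DescribeTrails.trailList and a GetTrailStatus response."""
    found = any(t.get("Name") == TRAIL_NAME for t in trails)
    if not found or status is None:
        return TrailCheck(account_id, found, False, "")
    return TrailCheck(account_id, True, bool(status.get("IsLogging")),
                      status.get("LatestDeliveryError") or "")


def check_account(account_id: str, region: str = "us-east-1") -> TrailCheck:
    """Assume the role into a member account and run the check against AWS."""
    import boto3  # imported here so evaluate() stays testable offline
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{ROLE_NAME}",
        RoleSessionName="baseline-trail-audit")["Credentials"]
    ct = boto3.client("cloudtrail", region_name=region,
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    # The org trail is owned by the management account; a member account only
    # sees it as a shadow trail and must query its status by full ARN.
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    status = None
    for t in trails:
        if t.get("Name") == TRAIL_NAME:
            status = ct.get_trail_status(Name=t["TrailARN"])
    return evaluate(account_id, trails, status)
```

Run `check_account()` once per enrolled account from the management account; any result whose `compliant` is false is an account where the trail is missing, stopped, or failing to deliver.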