Control Tower successful run, but immediate CloudTrail compliance error: AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS


Hi, I have just run Control Tower successfully in a new account. Everything created without error, however, when I go to the dashboard, the newly created Audit and Log shared accounts both show Noncompliant with the error: AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS Detects whether a shared account in the Security organizational unit has AWS CloudTrail or CloudTrail Lake enabled. The rule is NON_COMPLIANT if either CloudTrail or CloudTrail Lake is not enabled in an account.

It would seem then that CloudTrail needs to be enabled on both created shared accounts (Audit and Log); however, since this was intended to be configured by Control Tower, I am unsure how to proceed/resolve without potentially causing more issues with Control Tower.

TIA for any insight.

2 Answers

Hi There

When you deployed, did you opt in to allow Control Tower to manage CloudTrail for you?

You can check by navigating to the Control Tower service in the Management account, and clicking Landing Zone Settings from the left menu bar.


When you deploy Control Tower, you have the option to allow Control Tower to manage CloudTrail automatically, or you can manage it yourself. You can still opt in by

  1. Navigate to the Control Tower service in the management account
  2. Choose Landing Zone Settings on the left menu bar
  3. Choose Modify Settings
  4. Click Next to proceed to Step 2
  5. Under AWS CloudTrail configuration, choose Enabled
  6. Proceed through the rest of the steps.

Control Tower will then deploy an Organizational CloudTrail across all accounts in your landing zone and automatically manage settings.

AWS EXPERT
Matt-B
answered 10 months ago
  • Hi Matt-B, thanks for the prompt reply. Unfortunately I did opt in at setup and still ended up with this issue. Based on your feedback, I went through the process of Modify Settings, made no changes (since I was already opted in) and updated the landing zone. Unfortunately, the same state still persists (accounts enrolled, but noncompliant due to CloudTrail). Any further advice is appreciated.

  • If you login to the Audit account and go to CloudTrail do you see a trail called "aws-controltower-BaselineCloudTrail" with a status of "Logging"?

  • Thanks, Matt. When I attempt to switch role into the Audit account using "OrganizationAccountAccessRole" I receive error: "Invalid information in one or more fields." I am copy/pasting the Audit account number. Does Control Tower use a different default role than AWS Organizations?

  • Hi Matt - edit/update - I see now the role is AWSControlTowerExecution. Using this, I have switched to the Audit account and I do see "aws-controltower-BaselineCloudTrail" with a status of logging. Edit/update: I have also confirmed this in the Log account as well.

  • Additional detail - The only Control Tower setting that I used that was not default is: I enabled "Region deny control" - could this be the cause?
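The manual check suggested in this thread (log in to the Audit or Log account and confirm a trail named "aws-controltower-BaselineCloudTrail" is in status Logging) can be scripted against the criterion the control actually evaluates: the account is compliant if at least one CloudTrail trail is logging or at least one CloudTrail Lake event data store is enabled. The following is an added example, not code from the thread or from AWS. The evaluation runs on plain dicts shaped like the CloudTrail API responses (the sample responses below are constructed, and the account id in the ARN is a placeholder), so it can be exercised offline; `check_live_account` wraps the same logic around boto3 and assumes credentials for the target account, for example obtained through the AWSControlTowerExecution role mentioned above, are already in the environment.

```python
"""Evaluate an account against the criterion behind
AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS: compliant if any
CloudTrail trail is logging OR any CloudTrail Lake event data store is ENABLED.
"""
from dataclasses import dataclass, field

# Trail name Control Tower creates in enrolled accounts (from the thread above).
CT_BASELINE_TRAIL = "aws-controltower-BaselineCloudTrail"


@dataclass
class TrailReport:
    compliant: bool
    logging_trails: list = field(default_factory=list)
    enabled_event_data_stores: list = field(default_factory=list)
    baseline_trail_logging: bool = False


def evaluate(trails, statuses, event_data_stores):
    """Pure evaluation on API-shaped input.

    trails:             DescribeTrails()['trailList']
    statuses:           {trail name: GetTrailStatus() response}
    event_data_stores:  ListEventDataStores()['EventDataStores']
    """
    logging_trails = [
        t["Name"] for t in trails
        if statuses.get(t["Name"], {}).get("IsLogging") is True
    ]
    enabled_eds = [
        e["Name"] for e in event_data_stores if e.get("Status") == "ENABLED"
    ]
    return TrailReport(
        compliant=bool(logging_trails or enabled_eds),
        logging_trails=logging_trails,
        enabled_event_data_stores=enabled_eds,
        baseline_trail_logging=CT_BASELINE_TRAIL in logging_trails,
    )


def check_live_account(region="us-east-1"):
    """Same evaluation against a real account (assumes boto3 and credentials)."""
    import boto3  # imported lazily so the offline evaluation needs no AWS SDK
    ct = boto3.client("cloudtrail", region_name=region)
    # includeShadowTrails=True is needed to see an organization trail from a member account.
    trails = ct.describe_trails(includeShadowTrails=True)["trailList"]
    # Organization/shadow trails must be addressed by ARN in GetTrailStatus.
    statuses = {t["Name"]: ct.get_trail_status(Name=t["TrailARN"]) for t in trails}
    eds = ct.list_event_data_stores().get("EventDataStores", [])
    return evaluate(trails, statuses, eds)


# Constructed sample responses (placeholder account id 111111111111).
SAMPLE_TRAILS = [{
    "Name": CT_BASELINE_TRAIL,
    "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/" + CT_BASELINE_TRAIL,
    "IsOrganizationTrail": True,
    "IsMultiRegionTrail": True,
}]
SAMPLE_STATUS_LOGGING = {CT_BASELINE_TRAIL: {"IsLogging": True}}
SAMPLE_STATUS_STOPPED = {CT_BASELINE_TRAIL: {"IsLogging": False}}
SAMPLE_EDS_ENABLED = [{"Name": "example-lake-store", "Status": "ENABLED"}]


if __name__ == "__main__":
    for label, statuses, eds in [
        ("baseline trail logging", SAMPLE_STATUS_LOGGING, []),
        ("trail stopped, no Lake", SAMPLE_STATUS_STOPPED, []),
        ("trail stopped, Lake enabled", SAMPLE_STATUS_STOPPED, SAMPLE_EDS_ENABLED),
    ]:
        r = evaluate(SAMPLE_TRAILS, statuses, eds)
        print(f"{label}: compliant={r.compliant} baseline_logging={r.baseline_trail_logging}")
```

Run it as-is to see the three constructed cases; call `check_live_account()` from a session holding the target account's credentials to get the same report for a real Audit or Log account. A report showing `baseline_trail_logging=True` matches the state the thread describes, where the dashboard nonetheless stayed noncompliant for several days before clearing on its own.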


Just to close the loop here - the errors actually resolved on their own after several days. I've opened a case with support to hopefully find out what might have caused them during that interim.

tomg
answered 10 months ago
