Landing zone drift detected

0

I am getting "Landing zone drift detected" while accessing Control Tower, and the cause of this issue is listed as: "A managed SCP was deleted, detached, or modified on the core OU Security (****), so shared accounts and their functionality are compromised. For example, the log archive and audit accounts may no longer be working because their permissions have changed. Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning."

Please help me make repairs that do not affect the currently running system. Will the following options cause a system reset?

  • Region deny setting: should I choose Enable or Not Enable? Does it change the running configuration?
  • AWS account access configuration: have the account and IAM settings changed?
  • AWS CloudTrail configuration: should Enable or Not Enable be selected? Does it change the running configuration?
  • Log configuration for Amazon S3: I already have a full log configuration; has it changed?
  • Please support me!

1 Answer
0
Accepted Answer

Hi,

The error states that a managed Service Control Policy was either deleted, detached or modified on a specific OU, in this case the "Security OU". In order to understand what happened, you can check the events in CloudTrail to see which SCP was affected. With that information you should be able to recreate the previous configuration.

Please also note that it's not clear to me what you mean by "Will the following options cause a system reset?"

What you choose for these options depends on your requirements and use-case. For example, it might make sense to you to only allow access to a specific set of regions but you might also have a use-case that requires unrestricted access.

AWS EXPERT, answered 10 months ago
EXPERT, reviewed a month ago
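The answer points at CloudTrail as the place to find out which SCP was changed and by whom. The following script is an added example, not code from the question, the answer or AWS: it filters CloudTrail records down to the AWS Organizations API calls that can put a managed SCP into drift (DetachPolicy, DeletePolicy, UpdatePolicy, AttachPolicy) and reports the actor, policy and target for each. The sample records, account id, policy id and OU id are constructed placeholders; the `load_lookup_output` helper reads the JSON that `aws cloudtrail lookup-events` prints, in which each record is carried as a JSON string in the `CloudTrailEvent` field.

```python
import json
import sys
from collections import Counter

# Organizations API calls that change which SCP is attached where, or what it says.
# Read-only calls such as ListPoliciesForTarget are deliberately excluded.
SCP_MUTATING_EVENTS = {"DetachPolicy", "DeletePolicy", "UpdatePolicy", "AttachPolicy"}

ORG_EVENT_SOURCE = "organizations.amazonaws.com"

# Constructed sample CloudTrail records (not real account data). The field names
# follow the CloudTrail record format; ids and ARNs are placeholders.
SAMPLE_EVENTS = [
    {
        "eventTime": "2024-05-01T09:12:44Z",
        "eventSource": ORG_EVENT_SOURCE,
        "eventName": "ListPoliciesForTarget",  # read-only, must be ignored
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/auditor"},
        "requestParameters": {"targetId": "ou-EXAMPLE-security"},
    },
    {
        "eventTime": "2024-05-01T09:15:02Z",
        "eventSource": ORG_EVENT_SOURCE,
        "eventName": "DetachPolicy",
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/AdminRole"},
        "requestParameters": {"policyId": "p-EXAMPLE1", "targetId": "ou-EXAMPLE-security"},
    },
    {
        "eventTime": "2024-05-01T09:15:30Z",
        "eventSource": ORG_EVENT_SOURCE,
        "eventName": "UpdatePolicy",  # edits the policy document; carries no targetId
        "userIdentity": {"arn": "arn:aws:iam::111111111111:role/AdminRole"},
        "requestParameters": {"policyId": "p-EXAMPLE1", "description": "edited"},
    },
    {
        "eventTime": "2024-05-01T10:00:00Z",
        "eventSource": "s3.amazonaws.com",
        "eventName": "DeleteBucketPolicy",  # a different service, not an SCP change
        "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev"},
        "requestParameters": {"bucketName": "example-bucket"},
    },
]


def load_lookup_output(doc):
    """Parse the output of `aws cloudtrail lookup-events`: a dict (or its JSON text)
    whose Events[] entries each carry the full record as a JSON string."""
    data = json.loads(doc) if isinstance(doc, str) else doc
    return [json.loads(e["CloudTrailEvent"]) for e in data.get("Events", [])]


def scp_changes(events, target_id=None):
    """Return the SCP-mutating Organizations events, oldest first as given.

    If target_id is set, events that name a different target are dropped, but
    events without a targetId (UpdatePolicy, DeletePolicy) are kept, because
    they affect every OU the policy is attached to."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != ORG_EVENT_SOURCE:
            continue
        if ev.get("eventName") not in SCP_MUTATING_EVENTS:
            continue
        params = ev.get("requestParameters") or {}
        if target_id and params.get("targetId") not in (None, target_id):
            continue
        hits.append({
            "time": ev.get("eventTime"),
            "action": ev["eventName"],
            "actor": ev.get("userIdentity", {}).get("arn", "<unknown>"),
            "policy_id": params.get("policyId", "<not in request>"),
            "target_id": params.get("targetId", "<n/a>"),
        })
    return hits


def actors(hits):
    """Count mutating calls per principal, to see who made the changes."""
    return Counter(h["actor"] for h in hits)


if __name__ == "__main__":
    # Usage: python scp_drift_audit.py [lookup-events.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            events = load_lookup_output(fh.read())
    else:
        events = SAMPLE_EVENTS
    for h in scp_changes(events):
        print(f"{h['time']}  {h['action']:<13} policy={h['policy_id']} "
              f"target={h['target_id']} by {h['actor']}")
    for arn, n in actors(scp_changes(events)).items():
        print(f"{n} change(s) by {arn}")
```

To feed it real data, export the management events first, for example with `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=organizations.amazonaws.com --start-time <ISO time> --end-time <ISO time> > lookup-events.json`, run from the management account, since Organizations API calls are recorded there. Event history only covers the last 90 days, so for older changes query the trail's S3 bucket or CloudTrail Lake instead.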
  • Hi Ben, thanks for your support. I have reattached the SCP to the OU Security, but the drift still occurs, and this error requires us to repair: https://docs.aws.amazon.com/controltower/latest/userguide/drift.html. My concern here is, when we make a repair, how does the process affect the running system? I am especially confused by the options in the AWS account access configuration section.

    • Option 1: AWS Control Tower sets up AWS account access with IAM Identity Center.
    • Option 2: Self-managed AWS account access with IAM Identity Center or another method.

    I have synchronized users and groups with on-prem AD. Do these options change the permission sets created and assigned to users and groups?
