Make Control Tower stop telling us there's a landing zone drift

0

We use Control Tower, Organizations, and IAM Identity Center for all of our accounts. In the management account, we have one prod OU that has a service control policy pre-attached by CT (the name is aws-guardrails-****). This OU is causing our 3rd party compliance tool to be unable to perform its tasks, which are related to describing EC2 and CloudWatch. The 3rd party tool has 2 roles, which are in our prod account (that has the SCP attached) and in our management account (where our CT and org are established).

Whenever we add the 3rd party compliance role's ARN to the SCP manually OR we unattach that particular SCP, the 3rd party tool works perfectly. However, Control Tower will always tell us there is a drift in the landing zone.

So my question is: is there a way to tell Control Tower that what we did (either manually adding the role ARN to the particular SCP or unattaching it) was intended and okay, and to stop telling us there is a drift? Or are there other alternatives?

BTW, we also tried replicating that particular SCP and creating our own, but it doesn't allow the 3rd party tool to work (we think because the 2 SCPs are conflicting).

1 Answer
0

Hi there,

Control Tower won't stop telling you about the drift. The reason is that your change to the SCP will be reversed/overwritten the next time you make changes to your landing zone or do an upgrade.

Can you provide more detail on what the tool needs access to? Which SCP are you removing/modifying?

AWS
EXPERT
Matt-B
answered a month ago
  • I know CT is telling us there is a drift because we modified the managed SCP, but we have to in our case. The 3rd party tool needs access to describe instances and read CW logs, which it can't if the managed SCP (the one with the name aws-guardrails-****) is attached; hence, we unattached it. Does that make sense? We want to unattach the SCP, but we don't want CT to tell us there is a drift.

  • It won't be possible. If you modify or unattach any SCP or other resource that Control Tower manages, you will see drift. See https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-guidance.html.

    Control Tower doesn't deploy an SCP that would deny access to describing instances or reading CloudWatch logs. If the tool is trying to access the CloudTrail logs bucket that CT manages, then you would need to modify the bucket policy using the procedure outlined in this post: https://repost.aws/questions/QUOh2j9EkES3uqMeIVakwdNQ/questions/QUOh2j9EkES3uqMeIVakwdNQ/grant-access-to-control-tower-created-cloudtrail-s3-bucket?

    If you can provide more info on the tool you are trying to use and exactly which resources it needs access to, I'll be able to help you come up with a solution that doesn't involve modifying Control Tower resources.
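Before unattaching a Control Tower-managed SCP, it is worth finding out which statement in the OU's attached SCPs actually covers the actions the tool needs; if none does, the block is coming from somewhere else (an IAM policy, a resource policy such as the CloudTrail bucket policy mentioned above, or a conditional deny that only fires in some regions). The Python below is an added example, not code from this thread or from AWS. It evaluates a list of SCP documents the way Organizations does: an explicit Deny wins, otherwise at least one Allow must match, and Deny statements that carry a Condition are flagged as conditional because the condition keys are only known at request time. The two SCP documents are constructed for illustration and are not Control Tower's real guardrail policies; in practice you would load the real documents with `aws organizations list-policies-for-target` and `aws organizations describe-policy`.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample SCPs (NOT Control Tower's actual aws-guardrails-* policies).
# The first is the default FullAWSAccess allow-all; the second is a hypothetical
# deny policy with one unconditional and one conditional Deny statement.
SAMPLE_SCPS = [
    {
        "Name": "FullAWSAccess",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
        },
    },
    {
        "Name": "ExampleDenyPolicy",
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {   # unconditional deny: protects the trail
                    "Effect": "Deny",
                    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging"],
                    "Resource": "*",
                },
                {   # conditional deny: everything except read-only EC2/logs calls
                    # is denied outside one region (constructed region restriction)
                    "Effect": "Deny",
                    "NotAction": ["ec2:Describe*", "logs:Get*", "logs:Describe*"],
                    "Resource": "*",
                    "Condition": {
                        "StringNotEquals": {"aws:RequestedRegion": "us-east-1"}
                    },
                },
            ],
        },
    },
]


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/NotAction/Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_covers(stmt: dict, action: str) -> bool:
    """True if the statement's Action or NotAction clause applies to `action`."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def evaluate_scps(scps: List[dict], action: str) -> Tuple[str, List[str]]:
    """Return (verdict, statement labels) for one action across all attached SCPs.

    verdict is 'deny' (explicit, unconditional Deny matched), 'implicit-deny'
    (no Allow matched), 'conditional' (only conditional Denys matched), or 'allow'.
    """
    denies, conditional, allowed = [], [], False
    for scp in scps:
        for idx, stmt in enumerate(_as_list(scp["Document"]["Statement"])):
            if not statement_covers(stmt, action):
                continue
            label = f"{scp['Name']}#{idx}"
            if stmt.get("Effect") == "Deny":
                (conditional if "Condition" in stmt else denies).append(label)
            elif stmt.get("Effect") == "Allow":
                allowed = True
    if denies:
        return "deny", denies
    if not allowed:
        return "implicit-deny", []
    if conditional:
        return "conditional", conditional
    return "allow", []


def check_required_actions(scps: List[dict], actions: List[str]) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every action a tool needs and return the verdict per action."""
    return {action: evaluate_scps(scps, action) for action in actions}


if __name__ == "__main__":
    # The read-only calls the compliance tool in the thread needs, plus two
    # extra actions to show the deny and conditional verdicts.
    needed = ["ec2:DescribeInstances", "logs:GetLogEvents",
              "cloudtrail:StopLogging", "s3:PutObject"]
    for action, (verdict, labels) in check_required_actions(SAMPLE_SCPS, needed).items():
        print(f"{action:28s} {verdict:14s} {', '.join(labels)}")
```

Running the block prints one line per action; with the constructed policies the two read-only calls come back `allow`, which is the point the answer makes: if the tool still fails, look for the block outside the SCP. Note that only the action dimension is evaluated here; Resource and Condition matching against a concrete request is left to the real service.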
