Control Tower dependency to other regions?


My customer wanted to launch the Control Tower in eu-west-1 but the launch failed. After he went through the support case, the identified problem was that the customer has disabled STS (in IAM) for all regions except eu-west-1 and the global one (us-east-1). He needed to additionally enable us-east-2 and us-west-2 regions.

He is asking why he needs to enable us-east-2 and us-west-2 for Control Tower when he is not using these regions? Is there some dependency that Control Tower has to these regions?


asked 3 years ago116 views
1 Answer
Accepted Answer

Control tower rolls out Guard rails in these 4 regions.

You can see this e.g. when you look at the Cloudformation StackSets in the CT payer account, like AWSControlTowerBP-BASELINE-CONFIG. This StackSet contains stack instances for every managed accounts in these 4 regions.

If STS is disabled in these regions then CloudFormation cannot assume the right role to deploy the template and therefore your account deployment / baselining will fail.

answered 3 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions