Disabling AWS Config before moving account to Organization with ControlTower set up

0

We are currently in the process of migrating old accounts to a new AWS Organization. The new Organization is set up with Control Tower, which means all accounts in the Organization automatically have a Config recorder configured from the top down. The old accounts have their own Config recorders configured on a per-account basis.

Should the Config records in the accounts to be migrated be deleted before migrating the account to the new Organization?

Will
asked 9 months ago650 views
2 Answers
2
Accepted Answer

If you plan to bring existing AWS accounts into AWS Control Tower as Audit and Log archive accounts, and if those accounts have existing AWS Config resources, you must delete the existing AWS Config resources completely, before you can enroll these accounts into AWS Control Tower for this purpose. For accounts that are not intended to become Audit and Log archive accounts, you can modify the existing Config resources.

This blog covers the process of enrolling accounts with existing config resources - https://docs.aws.amazon.com/controltower/latest/userguide/existing-config-resources.html

AWS
EXPERT
answered 9 months ago
profile picture
EXPERT
reviewed 5 months ago
1

It is recommended that the existing accounts being enrolled does not have an AWS Config configuration recorder or delivery channel. These may be deleted or modified through the AWS CLI before you can enroll an account. Please refer for more details: https://docs.aws.amazon.com/controltower/latest/userguide/enrollment-prerequisites.html

profile pictureAWS
Anand
answered 9 months ago
profile picture
EXPERT
reviewed 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions