This control restricts permissions to manage CloudFormation resources like IAM roles. When this control is enabled:

- It prevents principals in child accounts from modifying or deleting IAM roles, including the AWSControlTowerAdmin role required by Control Tower.
- This role is needed by Control Tower to deploy and manage resources across accounts using CloudFormation stack sets.
- Without this role, Control Tower cannot perform its management functions and you will see access denied errors.

A few things you can try:

- Check if the AWSControlTowerAdmin role exists and has the correct trust policy in the affected accounts.
- Temporarily disable the "[CT.CLOUDFORMATION.PR.1]" control and see if the issues clear up.
- Refer to the AWS documentation on updating mandatory controls for the recommended process.
- Open a support case with AWS if disabling the control does not resolve the problems.
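The first suggestion above (verify the Control Tower execution role in the child account has the correct trust policy) can be checked offline once you have the role's trust document, for example from the `AssumeRolePolicyDocument` field of `aws iam get-role --role-name AWSControlTowerExecution`. The following is an added example, not code from the answer or from AWS; it assumes the expected principal is the management account root and uses constructed placeholder account IDs and policies.

```python
import json

# Placeholder management account ID (constructed; substitute your own).
MANAGEMENT_ACCOUNT_ID = "111111111111"

# Constructed trust policy shaped like the one the child-account execution role
# is expected to carry: it lets the management account assume the role.
GOOD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed broken variant: trusts a different account, so stack-set
# deployments from the management account into this child would be denied.
BAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusts_management_account(policy_json: str, mgmt_account_id: str) -> bool:
    """True if an Allow statement lets the management account call sts:AssumeRole."""
    expected = {f"arn:aws:iam::{mgmt_account_id}:root", mgmt_account_id}
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            continue  # wildcard trust is a misconfiguration, not a correct trust
        if set(_as_list(principal.get("AWS", []))) & expected:
            return True
    return False
```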
Thank you for your response. I believe you meant AWSControlTowerExecution. Yes, this role exists in the child account. I also get the error "Following Hook(s) failed [ControlTower::Guard::Hook]" when I try to deploy a CloudFormation template to provision resources.
Control Tower doesn't allow me to simply disable the control [CT.CLOUDFORMATION.PR.1] as it is connected to all other proactive controls. So in order to disable this, I will have to disable all other proactive controls and then [CT.CLOUDFORMATION.PR.1], which is quite a hectic task, especially when I am not sure if this control is the culprit.