Control Tower SCP


I deployed Control Tower manually. Then I enabled multiple Controls manually on an OU under which there is my workload account. As soon as I deployed all controls, I started getting multiple issues. It seems to be due to the control:

"[CT.CLOUDFORMATION.PR.1] Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry".

When I log in to the member account, I am not able to see any Role, user, policies etc. I get the errors below:

Access denied You don't have permission to iam:ListRoles. To request access, copy the following text and send it to your AWS administrator. Learn more about troubleshooting access denied errors.

Access denied You don't have permission to iam:ListUsers. To request access, copy the following text and send it to your AWS administrator. Context: with an explicit deny in a service control policy

Access denied You don't have permission to iam:ListPolicies. To request access, copy the following text and send it to your AWS administrator.

When I try to deploy a CloudFormation template I get errors: The following Hook(s) failed: [ControlTower::Guard::Hook]

If I try to disable the control CT.CLOUDFORMATION.PR.1, it says it can't disable this control because proactive controls are still active on this OU. That means I will have to disable all the proactive controls before disabling CT.CLOUDFORMATION.PR.1.

And I am not sure if this one is the cause of the issue.

1 Answer

This control restricts permissions to manage CloudFormation resources like IAM roles. When this control is enabled:

It prevents principals in child accounts from modifying or deleting IAM roles, including the AWSControlTowerAdmin role required by Control Tower.

This role is needed by Control Tower to deploy and manage resources across accounts using CloudFormation stack sets.

Without this role, Control Tower cannot perform its management functions and you will see access denied errors.

A few things you can try:

- Check if the AWSControlTowerAdmin role exists and has the correct trust policy in the affected accounts
- Temporarily disable the "[CT.CLOUDFORMATION.PR.1]" control and see if the issues clear up
- Refer to the AWS documentation on updating mandatory controls for the recommended process
- Open a support case with AWS if disabling the control does not resolve the problems

answered 3 months ago
  • Thank you for your response. I believe you meant AWSControlTowerExecution. Yes, this role exists in the child account. I also get the error "Following Hook(s) failed [ControlTower::Guard::Hook]" when I try to deploy a CloudFormation template to provision resources.

    Control Tower doesn't allow me to simply disable the control [CT.CLOUDFORMATION.PR.1] as it is connected to all other proactive controls. So in order to disable this, I will have to disable all other proactive controls and then [CT.CLOUDFORMATION.PR.1], which is quite a hectic task, especially when I am not sure if this control is the culprit.
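The access-denied messages in the question say "with an explicit deny in a service control policy", so before disabling every proactive control on the OU it is worth finding which attached SCP statement actually matches the failing action. The script below is an added example, not code from the thread or from AWS: it implements the small subset of SCP evaluation that matters here (a Deny statement whose Action or NotAction pattern matches the requested action) and reports the policy id and Sid of each match. The two sample policies, their ids and statement ids are constructed for illustration and are not the real content of CT.CLOUDFORMATION.PR.1 or any other Control Tower control.

```python
"""Find which SCP statement explicitly denies a given IAM action.

Added example for the re:Post thread above; not AWS or Control Tower code.
Only the Deny/Action/NotAction matching of SCP evaluation is modelled.
Statements with a Condition block are reported but flagged, because whether
they apply depends on request context that this script does not evaluate.
"""
import fnmatch
import json

# Constructed sample SCPs, keyed by a made-up policy id. Contents are
# hypothetical and do NOT reproduce any real Control Tower control.
SAMPLE_SCPS = {
    "p-guardrail-example": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCfnRegistryChanges",
                "Effect": "Deny",
                "Action": ["cloudformation:RegisterType",
                           "cloudformation:SetTypeConfiguration"],
                "Resource": "*",
                # Exempts the Control Tower execution role from the deny.
                "Condition": {"ArnNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
            },
        ],
    }),
    "p-iam-readonly-example": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyIamListing", "Effect": "Deny",
             "Action": "iam:List*", "Resource": "*"},
            {"Sid": "AllowEverythingElse", "Effect": "Allow",
             "Action": "*", "Resource": "*"},
        ],
    }),
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt, action):
    """True if a Deny statement's Action/NotAction covers the action."""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction denies everything EXCEPT the listed patterns.
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def find_explicit_denies(scps, action):
    """Return (policy_id, sid, conditioned) for every Deny matching action.

    `scps` maps policy id -> policy document as a JSON string, the shape
    returned in Content.Policy by `aws organizations describe-policy`.
    """
    hits = []
    for policy_id, doc in scps.items():
        for stmt in json.loads(doc).get("Statement", []):
            if stmt.get("Effect") == "Deny" and _statement_covers(stmt, action):
                hits.append((policy_id, stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return hits


def is_explicitly_denied(scps, action):
    """True when an unconditional Deny matches the action."""
    return any(not conditioned for _, _, conditioned in find_explicit_denies(scps, action))


if __name__ == "__main__":
    for act in ("iam:ListRoles", "cloudformation:RegisterType", "s3:ListBuckets"):
        print(act, "->", find_explicit_denies(SAMPLE_SCPS, act))
```

To run this against a real OU, replace SAMPLE_SCPS with the policy documents attached to the account's OU chain (`aws organizations list-policies-for-target` to get the ids, `aws organizations describe-policy` for each document) and query the exact action from the error message, for example `iam:ListRoles`. A hit with `conditioned=True` is only a candidate: the statement's Condition (for instance a principal-ARN exemption like the one in the sample) decides whether it applies to the role you were signed in with. This narrows the search to one policy and one Sid instead of requiring every proactive control to be disabled in turn.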
