Generated policy failing during process
Hi, we are trying to generate a policy based on CloudTrail events, but we have Control Tower and a centralized bucket for all CloudTrail trails across all our accounts. We followed this guide: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-policy-generation.html#access-analyzer-policy-generation-cross-account but still get the error: "Incorrect permissions assigned to access CloudTrail S3 bucket. Please fix before trying again." We already updated the bucket policy and bucket ownership, and we don't use KMS on it. Any advice or clue about what we are missing? Thanks in advance.
Have security group related Config rule at organization level
The issue is that our accounts are in a Control Tower environment, and in Control Tower there are no options to add Config rules other than the predefined ones; among those predefined ones there is none for security groups. How can we enable more Config rules at organization level, e.g. a *security group verification rule*? I have the option to enable this at per-account level but not at aggregator level, but there are hundreds of accounts and it is not feasible to do this one by one for each account.
Landing zone drift detected
I am getting "Landing zone drift detected" while accessing Control Tower, and the cause of this issue is listed as: "The core account, Log archive (****), was removed from your organization in AWS Organizations. The core account, Audit (********), was removed from your organization in AWS Organizations. Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning." I used repair as suggested by the documentation, but it does not work.
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account.
Hi all, I got this issue when setting up Control Tower: "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account." First, I tried to add all required permissions and tried again, but it still failed. Then I removed all the relevant settings and policies and retried, but it still failed. When I click retry, it shows more error messages below: "AWS Control Tower could not update your landing zone at this time. Retry updating your landing zone for access to AWS Control Tower. If the problem persists, contact AWS Support." and "Error Failed to assume role arn:aws:iam::3084000xxxxx:role/service-role/AWSControlTowerAdmin". For the assume role error, I've created and manually added all the required permissions, but it still failed. Please share your experience on this issue. I'm stuck now.
Account enrollment failed.
Hi, I am trying to enrol an existing account into my Control Tower landing zone. The account was originally a member of a different AWS Organization; it was removed from that organization and joined to the same organization as the CT management account. I had already added the AWSControlTowerExecution role to the account and successfully joined it to the new AWS Organization. When I tried to enrol the account in CT, the enrolment failed. I then discovered that I had the wrong account number in the trust relationship for the role. I corrected this, removed the account from the organization, removed the stack from Service Catalogue and tried again. The account has joined the AWS organization successfully and is in the Root OU, as before; however, when I go to CT to enrol the account, the state is "Enrolment failed". I had expected it to say "Not enrolled", as I have not yet tried to enrol the account this time. It is almost as if the enrolment hasn't cleared from the first failed attempt. Any suggestions would be appreciated. Thanks in advance, D
Why does AWS Control Tower enable access logging on the access logging bucket?
After setting up AWS Control Tower I noticed that the S3 access logging bucket created under the Log Archive account has logging enabled (and logs to the same bucket). This creates a situation where, even doing nothing, the log bucket fills with recursive logs: any time a file is written to the log bucket, it generates another event to log to the log bucket. This just creates clutter and increased cost. Is there any value in doing this? Or is this a bug/oversight?
AWS Control Tower 3.0 creates two Config Aggregators - why?
I created a new organization using AWS Control Tower (version 3.0). It seems that it has created two aggregators:

* An accounts aggregator under the Audit account named `aws-controltower-GuardrailsComplianceAggregator`. This aggregator is defined to collect from specific accounts (all member accounts, excluding the management account) and from all regions. However, at least in my case, the authorizations given from these accounts to the aggregator seem messed up: each account was only set up to authorize aggregation from 5 regions, and the aggregator indeed identifies the aggregation from some accounts and regions as failed as a result. FYI, I currently created my Control Tower landing zone in a single region; not sure why this setup happened.
* An organization aggregator in the management account named `aws-controltower-ConfigAggregatorForOrganizations`. This organization aggregator automatically collects from all accounts and regions in the organization, and it is working well.

Any idea why both aggregators were defined? I know that until a recent version of the landing zone there was no support for organization aggregators. But now that it has been added, why keep the account-specific aggregator in the Audit account (which seems to be misconfigured anyway)? On the flip side, given that the best practice is to use the Audit account for, well, auditing, why is the organization aggregator defined in the management account and not the Audit account? Doesn't that mean that to use its aggregation I need to log in to the management account? Thanks,
AWS Control Tower - Ownership account
Hello, I am trying to figure something out that I noticed during my deployment of AWS Control Tower. There seems to be something different than I expected on the accounts page of the Control Tower landing page. The accounts like Log Archive and Audit all have their ownership set to AWS Control Tower; you can see this via the GUI on the Control Tower landing page. However, I used Account Factory to spawn an account in a new OU (Shared Services). This account is called the Network account. The ownership of this account is set to "Self". My question really is: why is it set to "Self", and what influences this decision?
Is it possible to create Control Tower OUs programmatically with selected guardrails?
Hi, I am not very familiar with the AWS CLI or any IaC code, but I am looking for an option to create OUs in Control Tower programmatically with a bundle of selected guardrails, because the guardrails based on AWS Config rules are not applied automatically to newly created OUs :/. It would be highly appreciated if there were a way to do this creation with IaC. We do not want to do this with Account Factory Customization, if it would be possible there at all. We just need the OUs created.
Multiple AWS Control Tower landing zones in a single management account
I'd like to know whether it is possible to build multiple Control Tower landing zones in a single management (payer) account. If possible, how do I implement it? I think it would be good for organizing resources if one could create a dedicated Control Tower in a multi-account environment, because the implementation of Control Tower might need to be changed to correct something.
Guardrail: Deny access to AWS based on the requested AWS Region - how to customize the guardrail SCP?
Hello, if you use the Region deny option in AWS Control Tower, it sets the guardrail "Deny access to AWS based on the requested AWS Region". In this guardrail the SCP is missing the global service "Artifact" in the SCP part `"Resource": "*", "Effect": "Deny", "NotAction": [....`. How can I customize this SCP?
AWS Control Tower cannot create an account because you have reached the limit on the number of accounts in your organization
Hello, I'm trying to create accounts with AWS Control Tower. However, when creating the 6th account the message "AWS Control Tower cannot create an account because you have reached the limit on the number of accounts in your organization" is displayed. I'm not logged in with the root user. I checked the guidelines in the document https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html. Can anyone help me? The people at AWS have already configured the possibility of creating up to 10 accounts, but I still can't.