Questions tagged with AWS Control Tower


How do I resolve unexpected CodeBuild AccountLimitExceededException error?

I have a CodeBuild project that was created by AWS Control Tower Account Factory for Terraform. Every time I try to "Start build" in the console, it spits out the following error:

```
Build failed to Start. The following error occurred: Cannot have more than 0 builds in queue for the account
```

Log events from CloudWatch:

```
[ERROR] 2022-02-27T01:01:56.498Z 5aaae098-f77f-457d-8ff8-ee202b27c308 {'FILE': 'codebuild_invoker.py', 'METHOD': 'lambda_handler', 'EXCEPTION': 'An error occurred (AccountLimitExceededException) when calling the StartBuild operation: Cannot have more than 0 builds in queue for the account'}
Traceback (most recent call last):
  File "/var/task/codebuild_invoker.py", line 30, in lambda_handler
    job_id = client.start_build(projectName=codebuild_project_name)["build"]["id"]
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.AccountLimitExceededException: An error occurred (AccountLimitExceededException) when calling the StartBuild operation: Cannot have more than 0 builds in queue for the account
[ERROR] 2022-02-27T01:01:56.498Z 5aaae098-f77f-457d-8ff8-ee202b27c308 {'FILE': 'codebuild_invoker.py', 'METHOD': 'lambda_handler', 'EXCEPTION': 'An error occurred (AccountLimitExceededException) when calling the StartBuild operation: Cannot have more than 0 builds in queue for the account'}
Traceback (most recent call last):
  File "/var/task/codebuild_invoker.py", line 30, in lambda_handler
    job_id = client.start_build(projectName=codebuild_project_name)["build"]["id"]
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.AccountLimitExceededException: An error occurred (AccountLimitExceededException) when calling the StartBuild operation: Cannot have more than 0 builds in queue for the account
```

Any pointer to solve the error?
2 answers · 0 votes · 191 views · asked 9 months ago

Cloudtrail event notifications

Hello, we have configured a Control Tower landing zone and enrolled tens of accounts in our organization. We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in the organization and be notified when the action occurs via Slack or PagerDuty. Is there any out-of-the-box solution or recommended approach? I am considering two approaches:

1. Listen to the CloudTrail S3 logs bucket. Create an account which will have read-only access to the CloudTrail logs S3 bucket in the Log Archive account. A Lambda function will be triggered on new records in the bucket. It will download the files from S3 and parse the events. A huge disadvantage is that it will have to parse all CloudTrail entries, which could be expensive and inefficient.
2. Aggregate events using EventBridge buses. Create a dedicated account "Audit Notifications" where an EventBridge event bus will aggregate matched events from all other accounts. An event rule with a Lambda target forwarding matched events from all accounts to Slack/PagerDuty/... will be configured in the "Audit Notifications" account. An event rule forwarding matched events to the Event Bus target in "Audit Notifications" will be deployed into each governed region in each member account. Similar to what is described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/

I favor the second approach, but maybe there are some other options. Thanks
1 answer · 0 votes · 194 views · asked 10 months ago

Member account root user best practices

Hello, we are using AWS Control Tower and Account Factory for account provisioning. We have protected the management account root email following [recommended best practices](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html), but we are not sure about member accounts. Provisioned member accounts are created with a random pregenerated password; if we want to secure the new account's root user we have to reset its password manually using "Forgotten password" and then configure its MFA. What we'd like to do is:

- Enable the `Disallow actions as a root user` guardrail for all OUs, which blocks all actions for the root user including its MFA setup.
- Not enable a password for the root user after the account is enrolled, as mentioned in https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password

In this case the root email won't be able to do any actions. But MFA won't be enabled, so the [MFA for root user](https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_mfa) best practice and guardrail won't be satisfied. Also the IAM dashboard will scream to all users that MFA is not enabled for the root user (but we can explain to our users that the root email is "disabled" by SCPs). What is the best practice here for protecting the member account root user? It looks like the best practices [Disallow Actions as a Root User](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-auser-actions) and [Detect Whether MFA for the Root User is Enabled](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#enable-root-mfa) are mutually exclusive. Thanks, Martin
1 answer · 0 votes · 314 views · asked 10 months ago