Questions tagged with AWS Control Tower


Control Tower - Disable Compliance Change Notifications

Hello, we are using Control Tower and we have subscribed email (Slack) notifications to the `aws-controltower-AggregateSecurityNotifications` SNS topic. We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in https://docs.aws.amazon.com/controltower/latest/userguide/compliance.html. We are interested especially in Control Tower drift notifications. Unfortunately, AWS Config compliance change notifications are too noisy: they notify on all compliance, noncompliance, and not_applicable events. The noise is caused by the rule `AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES`, which triggers a COMPLIANT notification each time a new EC2 node with EBS is provisioned and a NOT_APPLICABLE notification when the node is shut down. We are interested only in non-compliant notifications. Is it possible to change the behaviour? Or, alternatively, is it possible to disable sending AWS Config compliance change notifications to the `aws-controltower-AggregateSecurityNotifications` topic at all, so that only Control Tower drift notifications would be sent to this topic?

I've noticed that the Event Rules which forward compliance change notifications are deployed by the stackset `AWSControlTowerBP-BASELINE-CLOUDWATCH` from the management account to all accounts, and there is a possibility to disable these notifications with the parameter `EnableConfigRuleChangeNotification`. Since the stackset is managed by Control Tower, I am not sure if we can change these settings. Could you please guide us on what the recommended approach is?

Thanks, Martin
1 answer, 1 vote, 248 views, asked 7 months ago

Unable to purchase prepaid Hits

Hi, I am new to MTurk and very confused about the process for purchasing prepaid HITs. I was following the process described in the FAQ of the Amazon MTurk page (https://www.mturk.com/help#enable_aws_billing):

=========================================
How do I purchase prepaid HITs on Amazon Mechanical Turk?
Follow these steps to purchase prepaid HITs:
1. From your Amazon Mechanical Turk account, go to My Account -> Purchase Prepaid HITs.
2. Enter in the amount you would like to purchase.
3. Select the credit or debit card on file or enter in new credit or debit card information.
4. Confirm your purchase.
Note: As a US Requester, you may be prompted to establish a verified Amazon Payments account if you plan to make a purchase above certain amounts. You can create a verified Amazon Payments account at any time here.
=========================================

First of all, I am NOT ABLE TO find "Purchase Prepaid HITs" on the "My Account" page. So, I tried to establish "a verified Amazon Payments account" as it directs, and I am at the stage where I encounter "We’re verifying your identity now, and we’ll send you an email when the verification is complete. This can take up to 24 hours. You can’t use your account until we’ve verified your identity." But it has been more than two weeks since I saw that message. What is wrong with my whole process? I really do want to purchase prepaid HITs but I am not able to...
1 answer, 0 votes, 81 views, asked 8 months ago

Enrolling existing AWS accounts in new OU

Hi, I have created a new AWS account and set up Control Tower, a landing zone, account factory and a new OU, with the intention of enrolling a number of our existing AWS accounts into the new OU. (These accounts had previously been enrolled in another OU in a different AWS account, but they were removed from that account prior to beginning this process.) In my new account, the accounts are added to the relevant OU, but when I try to enroll them in Control Tower by re-registering the OU I get the following error:

*AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account. Be sure the role is present in the account, or add it.*

I had to log on to each account and update the AWSControlTowerExecution role to allow access from the new management account (the role was there, but it was only allowing access to the previous management account). Once that was done, I removed the constraints, products, and users and deleted the portfolio for the landing zone provisioned product in the Service Catalog, as recommended in this article: https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

I then tried to re-enroll these accounts again, but I am still having issues. I got the error:

*AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account*

so I tried repairing the landing zone; this didn't work. I have also tried to remove the account and re-add it to the OU and re-register the OU, but I am getting the following error:

| Pre-check location | OU or account ID | OU or account name | Pre-check type |
|---|---|---|---|
| Landing Zone | "xxxxx" | Landing zone | Add the IAM user to the AWS Service Catalog portfolio before registering your OU. |

But I don't know what IAM user to add to the Service Catalog portfolio. I would be grateful for any advice / guidance, thanks
2 answers, 0 votes, 826 views, asked 8 months ago

Enforce Tags SCP for DynamoDB is not working

Hi, I followed this official guide from AWS in order to implement a tagging strategy for resources in my AWS Organization: https://aws.amazon.com/de/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

The example is for EC2 instances. I followed all steps and this worked; however, when I wanted to replicate the steps for S3, RDS and DynamoDB it did not work. The following is the SCP I want to use in order to enforce the tag *test* to be on every created DynamoDB table. This is exactly how it is done in the guide for EC2.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:*:table/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/test": "true"
        }
      }
    }
  ]
}
```

However, when I try to create a DynamoDB table with the tag *test* I get the following error message. I am passing the tag test, however I still get a deny.

```
User: arn:aws:sts::<account>:assumed-role/<role>/<email> is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:eu-central-1:<table>:<table> with an explicit deny.
```

I tried creating this SCP for the services RDS, S3 and DynamoDB; only EC2 seems to work. Do you have an idea what the error could be, or is anyone using this tagging strategy in their AWS Organization / AWS Control Tower? I would be interested to hear what your experience is, as this seems really complicated to me to implement and does not work so far. Looking forward to hearing from you people :)
0 answers, 0 votes, 49 views, asked 8 months ago