Control Tower Audit account

0

Hello, is it possible to have 2 audit accounts in the same Control Tower? The idea behind this is for one audit account to be responsible for some OUs and the "second" audit account to be responsible for only 1 OU.

2 Answers
0

The audit account is an account that is automatically added when Control Tower is activated.
I thought it would be difficult to create this for each OU.
https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#what-is-audit

The audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts, by means of a role that is granted to Lambda functions only. The audit account does not allow you to log in to other accounts manually. For more information about Lambda functions and roles, see Configure a Lambda function to assume a role from another AWS account.

Expert
answered 1 year ago
Expert
reviewed 1 year ago
  • I know how the audit account works. The question was whether it is possible to have 2 audit accounts beneath the same Control Tower setup, since the "first" and default audit account is responsible for all accounts in your landing zone. I mean, if I set up and deploy all CloudFormation stacks pointing to a different audit and a different log-archive account, wouldn't that be a duplicate kind of setup? Or is it possible anyway?

  • You probably won't be able to do what you want to do. I think you will get duplicate errors as you perceive them.

0

Yes, but it becomes a bit of a manual process, as the audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. You would also need to ensure that you create the resources required in the new audit account that are specific to the accounts in the new OU. https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.html#what-shared Additionally, you will need to use a solution like CfCT to apply changes to the OU and the accounts within it that are specific to the 2nd audit account. You can also create new trails if. The issue is that there would be duplication. Another option would be to simply have an OU created in Organizations and not managed by CT... you can apply the same principles manually and not have duplication.

AWS
answered 1 year ago
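One way to do the CfCT part of the answer above, as an added example that is not from the answer or from AWS: a Customizations for Control Tower manifest that deploys a read-only cross-account role into every account of a single OU, trusting only the second audit account, and deploys that audit account's own resources to it. The OU name `Workloads-B`, the template paths, the stack names, the parameter names and the account ID are all assumptions.

```yaml
# manifest.yaml for Customizations for Control Tower (CfCT), v2 manifest schema.
# Constructed example: OU name, template paths, stack names, parameter names
# and the account ID are assumptions, not values from the question or answers.
region: us-east-1          # home region of the Control Tower landing zone
version: 2021-03-15

resources:
  # 1. Resources that live in the second audit account itself
  #    (for example a Config aggregator or SNS topics scoped to the one OU).
  - name: second-audit-account-baseline
    description: Aggregation and notification resources owned by the second audit account
    resource_file: templates/second-audit-baseline.template
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - "111111111111"          # placeholder: second audit account ID
    regions:
      - us-east-1

  # 2. A cross-account role in every member account of the single OU,
  #    trusting ONLY the second audit account, not the default audit account,
  #    so the default account's access to the other OUs is left untouched.
  - name: second-audit-readonly-role
    description: Read-only role the second audit account may assume in this OU only
    resource_file: templates/second-audit-readonly-role.template
    deploy_method: stack_set
    parameters:
      - parameter_key: TrustedAuditAccountId
        parameter_value: "111111111111"   # placeholder: second audit account ID
      - parameter_key: RoleName
        parameter_value: SecondAuditReadOnly
    deployment_targets:
      organizational_units:
        - Workloads-B              # the one OU this audit account is responsible for
    regions:
      - us-east-1
```

The member-account template referenced here would define the IAM role with a trust policy limited to `TrustedAuditAccountId`; CfCT's pipeline deploys the stack sets once the manifest and templates are committed.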
