Control Tower dependency to other regions?

0

My customer wanted to launch the Control Tower in eu-west-1 but the launch failed. After he went through the support case, the identified problem was that the customer has disabled STS (in IAM) for all regions except eu-west-1 and the global one (us-east-1). He needed to additionally enable us-east-2 and us-west-2 regions.

He is asking why he needs to enable us-east-2 and us-west-2 for Control Tower when he is not using these regions? Is there some dependency that Control Tower has to these regions?

Thanks

Asked 4 years ago, 539 views
1 Answer
0
Accepted Answer

Control Tower rolls out guardrails in these 4 regions.

You can see this e.g. when you look at the CloudFormation StackSets in the CT payer account, like AWSControlTowerBP-BASELINE-CONFIG. This StackSet contains stack instances for every managed account in these 4 regions.

If STS is disabled in these regions then CloudFormation cannot assume the right role to deploy the template and therefore your account deployment / baselining will fail.

Expert
Answered 4 years ago
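
The check the answer describes, as an added example (not part of the original answer and not AWS code): it takes JSON shaped like the output of `aws cloudformation list-stack-instances` for the StackSet and reports which stack-instance regions have no active STS endpoint. The sample data, the placeholder account IDs and the function names are constructed for illustration, and it assumes the same STS region settings apply to every managed account.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the output of:
#   aws cloudformation list-stack-instances \
#       --stack-set-name AWSControlTowerBP-BASELINE-CONFIG
# Account IDs are placeholders; the regions are the four named in the thread.
SAMPLE_STACK_INSTANCES = json.dumps({
    "Summaries": [
        {"Account": account, "Region": region, "Status": "CURRENT"}
        for account in ("111111111111", "222222222222")
        for region in ("eu-west-1", "us-east-1", "us-east-2", "us-west-2")
    ]
})

# Regions where STS is active, as described in the question (assumption:
# identical for all managed accounts).
STS_ACTIVE_REGIONS = {"eu-west-1", "us-east-1"}


def regions_by_account(list_stack_instances_json):
    """Map each region the StackSet deploys to onto the accounts targeted there."""
    targets = defaultdict(set)
    for summary in json.loads(list_stack_instances_json).get("Summaries", []):
        targets[summary["Region"]].add(summary["Account"])
    return dict(targets)


def sts_gaps(list_stack_instances_json, sts_active_regions):
    """Return {region: [accounts]} for stack-instance regions where STS is not
    active, i.e. where CloudFormation could not assume the deployment role."""
    targets = regions_by_account(list_stack_instances_json)
    return {
        region: sorted(accounts)
        for region, accounts in sorted(targets.items())
        if region not in sts_active_regions
    }


if __name__ == "__main__":
    gaps = sts_gaps(SAMPLE_STACK_INSTANCES, STS_ACTIVE_REGIONS)
    for region, accounts in gaps.items():
        print(f"STS must be enabled in {region} for accounts: {', '.join(accounts)}")
    if not gaps:
        print("STS is active in every region the StackSet deploys to.")
```
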
