AWSControlTowerExecution recreation catch22

0

Long story short, I was tidying up an account and I have deleted the AWSControlTowerExecution role, and I'm unable to re-enrol the account, nor am I able to create the AWSControlTowerExecution role, as it is blocked by an SCP. I only see two options as I need the exact name the account currently has. I still have CLI/console admin access to the account. The reason I need the name is for AFT, as the account in question is called AFT-Management. I only see three ways out:

  1. Delete the account although I can't afford to wait 90 days
  2. Bypass SCP somehow
  3. The name AFT-Management isn't a requirement of AFT

Any ideas?

Kyle R
asked 7 months ago, 180 views
2 Answers
1

Have you tried temporarily removing the SCP from the account (this is done in the Org Management account), re-creating the role and then re-applying the SCP back to the account? There's no way to bypass the SCP other than removing it temporarily.

AWS
LondonX
answered 7 months ago
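
The detach, recreate, re-attach sequence suggested in the answer above, as an added example that is not part of the original thread. The account IDs, policy ID and CLI profile names are placeholders, and the trust policy and AdministratorAccess attachment are assumptions about what Control Tower expects of this role; check them against the current Control Tower documentation.

```shell
#!/bin/sh
# Added example, not from the thread. DRY_RUN=1 (the default) only prints the commands.
set -eu

ROLE_NAME="AWSControlTowerExecution"
DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Trust policy letting the organization's management account assume the role.
# Assumption: this matches the role Control Tower expects; verify before use.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Args: mgmt_account_id scp_id scp_target_id mgmt_profile member_profile
# scp_target_id is whatever the SCP is attached to (the account itself or its OU;
# detaching from an OU lifts the SCP for every account in that OU).
recreate_role() {
  mgmt_id=$1 scp_id=$2 target_id=$3 mgmt_profile=$4 member_profile=$5
  rc=0
  # 1. From the Org Management account: lift the SCP temporarily.
  run aws organizations detach-policy --profile "$mgmt_profile" \
    --policy-id "$scp_id" --target-id "$target_id"
  # 2. In the member account: recreate the role. A failure is recorded, not fatal,
  #    so that step 3 still runs.
  {
    run aws iam create-role --profile "$member_profile" --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy "$mgmt_id")" &&
    run aws iam attach-role-policy --profile "$member_profile" --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  } || rc=$?
  # 3. Always put the SCP back, even if step 2 failed.
  run aws organizations attach-policy --profile "$mgmt_profile" \
    --policy-id "$scp_id" --target-id "$target_id"
  return "$rc"
}

# Run only when all five arguments are supplied on the command line.
if [ "$#" -eq 5 ]; then recreate_role "$@"; fi
```

Review the dry-run output first, then set `DRY_RUN=0` to execute; the SCP is re-attached whether or not the role creation succeeds.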
1

Hello,

With console and CLI access to the account, you can try running the below command if the account is under an organization [1].

aws organizations list-accounts

The command will list all the accounts in an organization and their names under the 'Name' property.

Another way to get the full name of the account: click on the account profile in the top right corner of the console, then, under the drop-down menu, click on the 'Account' option, then look for 'Full name' under Contact Information.

[1] https://docs.aws.amazon.com/cli/latest/reference/organizations/list-accounts.html

AWS
Support Engineer
answered 7 months ago
