Questions tagged [aws-control-tower]
The aws-control-tower tag has no usage guidance.
46 questions
0 votes, 0 answers, 19 views
AWS Control Tower - You must unsubscribe your organization from AWS Config
I get this message "You must unsubscribe your organization from AWS Config" while configuring the landing zone in my account.
Can someone please help: what will happen if I disable the ...
0 votes, 0 answers, 61 views
AWS Control Tower AFT Account Factory - How to provision new accounts without SSO parameters?
Working on a project where we are migrating to Control Tower from ADF and opted for Self-managed during setup, as the use case is to use the SSO of the existing AWS Organisation.
Requirements
Use the ...
0 votes, 0 answers, 30 views
Is it possible to change the root email address of the Audit and Log Archive AWS accounts created by AWS Control Tower?
I have previously set up AWS Control Tower, which created the "Audit" and "Log Archive" AWS accounts under the Security OU.
Now I want to change the root email address associated ...
0 votes, 0 answers, 34 views
Enrolling AFT-Provisioned Account in a Child OU
I am trying to enroll an account created with the Account Factory Tool (AFT) into a child Organizational Unit (OU) within my AWS organization. However, I am currently unable to dynamically set the ...
0 votes, 0 answers, 18 views
AWS Amplify CLI S3 properties contradict AWS Control Tower recommendations
AWS Amplify creates a DeploymentBucket with the following characteristics:
The bucket is public.
There's no versioning enabled.
No logging policy is applied.
REF: https://github.com/aws/aws-sam-cli/...
0 votes, 1 answer, 303 views
How can I add AWS QuickSight access to the SCPs controlled by Control Tower?
I'm using AWS Control Tower for the first time to set up a new environment. I need to provide an organizational unit with access to QuickSight. Under AWS Organizations I found an SCP named aws-...
0 votes, 1 answer, 161 views
AWS Control Tower error when creating an account using AWS Control Tower
I had an AWS account named "Developer-Test" that was enrolled with AWS Control Tower. I wanted to rename it to "Developer-Test-version-1" and create a new account using the same ...
0 votes, 1 answer, 173 views
AWS SCP to mandate RDS encryption with a CMK
I'm trying to write an SCP to mandate RDS encryption with a specific KMS CMK. I came up with the following policy, but the policy below is accepting default encryption as well. I'm trying to mandate ...
0 votes, 1 answer, 308 views
AWS Control Tower and KMS Keys
AWS Control Tower successfully created Security-OU and a management account. I specified a KMS key while creating the landing zone.
Where is this AWS key used by Control Tower? I don't see it being used ...
0 votes, 1 answer, 209 views
Implement AWS cost allocation tags via Account Factory for Terraform (AFT) or Landing Zone Accelerator (LZA)
I manage AWS accounts with AWS Control Tower, Account Factory for Terraform and Landing Zone Accelerator. My question is: is there any way to implement cost allocation tags with AFT or LZA? I didn't ...
0 votes, 1 answer, 360 views
Baseline Config not deployed in Control Tower regions
I have a Control Tower setup that includes eu-west-1 as the default region and a couple of other regions as governed regions (us-east-1, us-east-2, us-west-2, ap-southeast-2 and af-south-1).
I have ...
0 votes, 1 answer, 533 views
AWS Config vs detective guardrails
Can anyone help me sort out my queries on AWS Config?
Firstly, when I launch Control Tower, I see 2 Config aggregators, one in the management account and the other in the archive account. What is the ...
1 vote, 0 answers, 219 views
Enforce AWS::ElasticLoadBalancingV2::Listener + TLS >= 1.2
What is the best way to force all "AWS::ElasticLoadBalancingV2::Listener" (in particular the application load balancer) to use at least TLS 1.2 at the organization level with a large number ...
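The question above asks how to enforce a TLS 1.2 floor on every ALB listener across an organization. Whatever preventive control is chosen, the detective half is a check that can run as a custom AWS Config rule or an audit script in each governed account. The following is an added example, not code from the question or from any answer on this page: it evaluates listener descriptions in the shape returned by `aws elbv2 describe-listeners`. The sample listener records (account id, load balancer names, listener ids) are constructed. The policy names are AWS's predefined ELB security policy names, and the name-based parsing of the TLS floor is a heuristic I am assuming holds for the current naming convention; the function therefore also accepts an optional mapping from `describe-ssl-policies` (policy name to its `SslProtocols`) as the authoritative source. A plaintext HTTP listener passes only if its default action redirects to HTTPS.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample in the shape of `aws elbv2 describe-listeners` output.
# Account id, load balancer names and listener ids are made up.
SAMPLE_LISTENERS: List[dict] = [
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/web/a1/l1",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-2016-08"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/web/a1/l2",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/api/b2/l3",
     "Protocol": "HTTPS", "Port": 8443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-0-2021-06"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/api/b2/l4",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-Res-2021-06"},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/web/a1/l5",
     "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "redirect",
                         "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/legacy/c3/l6",
     "Protocol": "HTTP", "Port": 8080,
     "DefaultActions": [{"Type": "forward",
                         "TargetGroupArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:targetgroup/legacy/d4"}]},
    {"ListenerArn": "arn:aws:elasticloadbalancing:eu-west-1:111111111111:listener/app/legacy/c3/l7",
     "Protocol": "HTTPS", "Port": 443, "SslPolicy": "ELBSecurityPolicy-FS-1-1-2019-08"},
]

# Predefined ELB policy names encode their protocol floor, e.g. TLS-1-2-2017-01,
# TLS13-1-2-2021-06, FS-1-1-2019-08. Names with no version component
# (ELBSecurityPolicy-2016-08, ELBSecurityPolicy-FS-2018-06) still admit TLS 1.0.
# This is an assumption about the naming convention; describe-ssl-policies is authoritative.
_FLOOR_IN_NAME = re.compile(r"-(?:TLS13|TLS|FS)-1-(\d)-")

_LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def min_tls_version(ssl_policy: str) -> Tuple[int, int]:
    """Lowest TLS version an ELB predefined policy name admits, parsed from the name."""
    match = _FLOOR_IN_NAME.search(ssl_policy)
    return (1, int(match.group(1))) if match else (1, 0)


def _redirects_to_https(listener: dict) -> bool:
    """True if the listener's default action is a redirect to HTTPS."""
    for action in listener.get("DefaultActions", []):
        if action.get("Type") == "redirect" and action.get("RedirectConfig", {}).get("Protocol") == "HTTPS":
            return True
    return False


def evaluate_listener(listener: dict,
                      protocols_by_policy: Optional[Dict[str, Set[str]]] = None) -> Tuple[bool, str]:
    """Return (compliant, reason) for one listener against a TLS >= 1.2 floor.

    protocols_by_policy, if given, maps policy name -> SslProtocols as returned by
    `describe-ssl-policies`; it takes precedence over parsing the policy name.
    """
    protocol = listener.get("Protocol")
    if protocol not in ("HTTPS", "TLS"):  # "TLS" is the NLB equivalent of HTTPS
        if _redirects_to_https(listener):
            return True, f"{protocol} listener on port {listener.get('Port')} redirects to HTTPS"
        return False, f"plaintext {protocol} listener on port {listener.get('Port')}"
    policy = listener.get("SslPolicy", "")
    if protocols_by_policy and policy in protocols_by_policy:
        weak = sorted(protocols_by_policy[policy] & _LEGACY_PROTOCOLS)
        if weak:
            return False, f"{policy} still enables {', '.join(weak)}"
        return True, f"{policy} enables only TLS 1.2+ (per describe-ssl-policies)"
    floor = min_tls_version(policy)
    if floor < (1, 2):
        return False, f"{policy} admits TLS {floor[0]}.{floor[1]}"
    return True, f"{policy} floor is TLS {floor[0]}.{floor[1]}"


def evaluate_listeners(listeners: Iterable[dict],
                       protocols_by_policy: Optional[Dict[str, Set[str]]] = None) -> List[dict]:
    """Evaluate every listener; each row is what a Config rule evaluation would report."""
    rows = []
    for listener in listeners:
        compliant, reason = evaluate_listener(listener, protocols_by_policy)
        rows.append({"ListenerArn": listener["ListenerArn"], "compliant": compliant, "reason": reason})
    return rows


def noncompliant_arns(listeners: Iterable[dict]) -> List[str]:
    """ARNs of listeners that fail the TLS >= 1.2 check, in input order."""
    return [row["ListenerArn"] for row in evaluate_listeners(listeners) if not row["compliant"]]


if __name__ == "__main__":
    for row in evaluate_listeners(SAMPLE_LISTENERS):
        status = "COMPLIANT    " if row["compliant"] else "NON_COMPLIANT"
        print(status, row["ListenerArn"], "-", row["reason"])
```

In a real deployment the listener records would come from `describe_listeners` in each account and region, and the `protocols_by_policy` mapping from a single `describe_ssl_policies` call, so that a newly introduced policy name is judged by the protocols it actually enables rather than by the name heuristic. Note that the check is detective only: it reports drift but does not stop a listener being created with a weak policy.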
2 votes, 0 answers, 339 views
AWS Control Tower could not delete some account trails error
I'm getting this error in Control Tower.
I've tried to re-register all OUs and update the landing zone, but I left AWS CloudTrail disabled because we have a solution to manage CloudTrail trails ...
0 votes, 1 answer, 353 views
How to use CloudWatch after Control Tower version 3.0 update
We have a multi-account setup where we deployed an organizational-level CloudTrail in our root account's Control Tower.
For the newest version of Control Tower (3.0), AWS introduced Organizational-...