Questions tagged [aws-control-tower]

44 questions
4
votes
2 answers

How to run aws-nuke across 2 different AWS organizations

I'm learning to use aws-nuke to delete all the resources in my organization AWS account. I was able to successfully remove my personal resources in my own organization and manage the nuking. Wondering, will it work across organizations? Let's say we have…
Jeff
3
votes
0 answers

Can we Delete or Disable the AWS SSO admins created by AWS Control Tower Account Factory?

We are using Federation & Role-switching and have no current need to use the SSO admin users which are necessarily created via Account Factory. Ideally, we'd like to delete them, but I worry about Control Tower drift. I would also consider…
3
votes
1 answer

How do I unsubscribe my AWS organization from CloudTrail?

I'm trying to create an AWS Control Tower landing zone for my AWS organization, and am getting a message saying "You must unsubscribe your organization from AWS CloudTrail so that AWS Control Tower can proceed." During the setup process, AWS Control…
2
votes
1 answer

Why do Control Tower Accounts also need an SSO User

Why, when creating a new AWS account via the AWS Control Tower Account Factory, does an SSO user also need to be created? There is already an email for the root user, and through AWS SSO you can assign users/groups anyway, so what purpose does it serve…
Derrops
2
votes
1 answer

AWS Enable EBS Encryption via cloudformation

Is there a way to create a CloudFormation script which enables EBS encryption by default for all organizations? There is an AWS Config rule for this; what I am looking for is a remediation for this Config rule.…
2
votes
2 answers

Terraform in aws multi account env created by AWS Control Tower

I have just moved to a multi account set up using Control Tower and am having a 'mare using Terraform to deploy resources in different accounts. My (simplified) account structure is: |--Master |--management (backends etc) |--images (s3,…
1
vote
0 answers

Enforce AWS::ElasticLoadBalancingV2::Listener + TLS >= 1.2

What is the best way to force all "AWS::ElasticLoadBalancingV2::Listener" (in particular the application load balancer) to use at least TLS 1.2 at the organization level with a large number of subaccounts? I've tried to create an SCP, but the…
1
vote
0 answers

AWS Control Tower could not delete some account trails error

I'm getting this error in Control Tower. I've tried to re-register all OUs and update the landing zone, but I left AWS CloudTrail disabled because we have a solution to manage CloudTrail trails implemented. Is this issue related to this? Do I…
1
vote
0 answers

AWS CloudShell not working after creating a new account with Control Tower

I have created a new testing AWS account in my organization with Control Tower, and a new user was assigned to the new account with IAM Identity Center. As I'm using this account to run testing, my user has been assigned an explicit full…
1
vote
1 answer

aws-controltower-GuardrailsComplianceAggregator does not have access to config data from enrolled accounts

AWS Control Tower installs aws-controltower-GuardrailsComplianceAggregator as an AWS Config Aggregator in the Audit account, referencing all accounts (except Master) as source accounts. However, the config aggregator does not have access to the data…
Eirik Lygre
1
vote
0 answers

Does AWS Athena partition projection support more than one `storage.location.template`?

AWS Control Tower managed CloudTrail created account-trail-logs which used the /org id/AWSLogs/… log path in the S3 bucket, until the Landing Zone 3.0 update replaced it with organization-trail logs whose new log path is /org id/AWSLogs/org…
1
vote
1 answer

AWS Control Tower Logging - Best Practice CloudWatch Logs

We are looking to implement this solution for centralized CloudWatch Logs. However, in implementing the solution it doesn't specify if the Log Archive account created with Control Tower should be used, or if a separate account should be created for…
1
vote
1 answer

AWS landing zone home region and resource restrictions

My current understanding is that if I were to set up a Multi Account Landing Zone (MALZ) in one region, say for example Ireland, I will still be able to have accounts that can contain resources in other regions (US, Frankfurt et al.) assuming…
IT_novice
1
vote
0 answers

AWS Control Tower and Organizations

I have used AWS Control Tower and Organizations in order to create three different environment (dev, test and prod) accounts. It worked great for two of the three accounts, but for some reason my test account isn't showing up under "Service Catalog"…
1
vote
2 answers

AWS Control Tower Automation

Is there any document, or is there any way, to create AWS Control Tower using APIs or boto3? I'm unable to find any documentation in AWS for automating this process. Or do we have any API to register an OU to Control Tower?
Prashanth