0

I have a Control Tower setup that includes eu-west-1 as the default region and a couple of other regions as governed regions (us-east-1, us-east-2, us-west-2, ap-southeast-2 and af-south-1).

I have noticed that the only region that has the baseline AWS Config resources deployed is the af-south-1 region, this is strange because the config baseline CloudFormation stack is present in each account for each of the above-mentioned regions and in the "UPDATE_COMPLETE" state.

We have a few accounts and all of them are in a similar state regarding their AWS Config deployments.

What would be the best approach to ensure the AWS Config Baseline resources get deployed in the other regions?

Thanks in advance!

Tegue Morrison
  • 21
  • 4

1 Answers1

0

After adding regions in your Control Tower Landing Zone, you must update each account. From Control Tower, when you click the Organization link on the left menu, it should display the account list. If any account says "Update Available" then you need to update that account. This will essentially deploy the Control Tower settings for that account. Note, you can update an Organization Unit (OU) all at once by using the Re-Register action.

Once you have done that and the account show as "Enrolled" on that Organization page, you can go to CloudFormation and look at the stack sets. For the stack set you mentioned, AWSControlTowerBP-BASELINE-CONFIG, you should see each account listed under the "Stack instances" tab for each region. You can run drift detection on the stack set to see if there is any drift. If the stack instance shows Detailed Status on that page for the account/region as SUCCEEDED, then it means it was deployed to the account.

If someone has modified something or made a change at the account level that breaks/removes something, the drift detection will reveal that. You can then use CloudTrail to look through event history to see who may have made such a change if necessary.

You can also do a Repair to resolve issues with accounts governed by Control Tower.

See

Shawn
  • 8,374
  • 5
  • 37
  • 60