Questions tagged [aws-control-tower]
44 questions
1 vote, 0 answers
"Templates with transforms requires capabilities: CAPABILITY_AUTO_EXPAND" During Control Tower Customization deployment
I am doing some StackSet deployment through AWS Control Tower Customizations, following the latest guide here. I am doing this for ease of deployment to multiple regions for a DevOps setup.
For one of my lambda templates, I ran into the Templates…

user1655072
1 vote, 2 answers
Setting up individual developer accounts in AWS Landing Zone setup
At the bottom left corner, it says Developer accounts, which is in addition to the Product accounts that we have, i.e. Sandbox/dev/test/prod/tools.
Is it recommended to have individual developer accounts?
How to set up individual developer accounts…

systemdebt
0 votes, 0 answers
AWS Control Tower error creating an account using AWS Control Tower
I had an AWS account named "Developer-Test" that was enrolled with AWS Control Tower. I wanted to rename it to "Developer-Test-version-1" and create a new account using the same name, "Developer-Test."
Therefore, I renamed the existing account to…
0 votes, 1 answer
AWS SCP to mandate RDS encryption with CMK
I'm trying to write an SCP to mandate RDS encryption with a specific KMS CMK. I came up with the following policy, but it is accepting default encryption as well. I'm trying to mandate encryption with a specific CMK.
{
"Version":…

Beginner
0 votes, 0 answers
AWS Control Tower and KMS Keys
AWS Control Tower successfully created the Security OU and a management account. I specified a KMS key while creating the landing zone.
Where is this key used by Control Tower? I don't see it being used in the Security OU (audit and log-archive)…

dossani
0 votes, 1 answer
Control Tower failing to re-register OU and even account enrollment
I'm trying to add a new account (created using Account Factory) to an existing OU, but the enrollment is failing repeatedly. We're getting this error:
"AWS Control Tower could not enroll your account for the following reason: AWS Control Tower setup…

Jaskaran Singh Puri
0 votes, 0 answers
Implement AWS cost allocation tags via Account Factory for Terraform (AFT) or Landing Zone Accelerator (LZA)
I manage AWS accounts with AWS Control Tower, Account Factory for Terraform and Landing Zone Accelerator. My question is: is there any way to implement cost allocation tags with AFT or LZA? I didn't find any document or resources in AWS…

Stanley
0 votes, 1 answer
Baseline Config not deployed in Control Tower regions
I have a Control Tower setup that includes eu-west-1 as the default region and a couple of other regions as governed regions (us-east-1, us-east-2, us-west-2, ap-southeast-2 and af-south-1).
I have noticed that the only region that has the baseline…

Tegue Morrison
0 votes, 1 answer
AWS Config vs detective guardrails
Can anyone help me in sorting out my queries on AWS Config?
Firstly, when I am launching Control Tower, I see 2 Config aggregators, one in the management account and the other in the archive account. What is the difference between these two? If there is no…

nischeruku
0 votes, 0 answers
Prevent creation of ALB with TLS lower than 1.2 using SCP or any other way organization-wide
Is there a way to prevent/deny creation of an ALB with TLS lower than 1.2?
I've tried a few policies in SCP but I can't seem to find the right condition for a deny.
When I'm looking at a specific event in CloudTrail I can see a specific sslPolicy…

GTXBxaKgCANmT9D9
0 votes, 0 answers
Setting up an alert/notification to receive AWS account-related email at another email address instead of the root email
I use AWS Control Tower for the platform and have separate AWS accounts for each product. I want to create a Distribution list email for each product and link it to each respective account. I am looking to direct AWS notification emails to a…

Stanley
0 votes, 1 answer
How to use CloudWatch after Control Tower version 3.0 update
We have a multi-account setup where we deployed an organizational-level CloudTrail in our root account's Control Tower.
For the newest version of Control Tower (3.0), AWS introduced organizational-level CloudTrail; this service deploys a…

Tegue Morrison
0 votes, 1 answer
How do I edit a bucket policy deployed by organizational-level CloudTrail
We have a multi-account setup where we deployed an organizational-level CloudTrail in our root account's Control Tower.
Organizational-level CloudTrail allows us to deploy CloudTrail in each of our respective accounts and provides them the ability…

Tegue Morrison
0 votes, 0 answers
AWS - Customizations for AWS Control Tower (CfCT) for Existing Control Tower
We configured AWS Control Tower manually (last year) and now we want to have customization using CfCT. I am just wondering if there will be any impact on my current AWS accounts if I run CfCT (default stack), considering I have production…

Noobguy1110
0 votes, 1 answer
AWS Organizations CreateAccount automation with Node.js Lambdas not creating account. No error messages, no error logs in CloudWatch. How to solve?
I am using an AWS Node.js Lambda to automate the CreateAccount process inside AWS Organizations and using the Serverless Framework to deploy the Lambda.
The following is the serverless.yml:
functions:
  fnPostOrganizations:
    name: fnPostOrganizations
    …

IgorAlves