Questions tagged [aws-control-tower]
44 questions
0 votes, 3 answers
Can you create AWS accounts from member accounts?
I am creating an AWS organization and some member accounts within their own OUs (Organizational Units). Is there a way to create new accounts in the OUs from the member accounts, or is the only way to create new accounts from within the Management…

Pullover
0 votes, 0 answers
Cannot provision Control Tower Account Factory SC Product via Terraform
We want to use Terraform to provision the Control Tower Account Factory Service Catalog product using the TF resource aws_servicecatalog_provisioned_product via its name; however, because Control Tower controls this product and creates two…

Anthony Esper
0 votes, 1 answer
How to configure automate_aws_accounts_creation_sso_users_assignment.yaml to run in a region of my choice?
I'm following https://aws.amazon.com/de/blogs/security/how-to-automate-aws-account-creation-with-sso-user-assignment/ to automate SSO account creation. It says:
This solution is configured to be deployed in the North Virginia Region (us-east-1).…

peer
0 votes, 1 answer
Functional Test Tools for AWS IAM Policy Simulator
This is my first post here. I am working on an AWS CodePipeline which creates new AWS accounts and assigns users through AWS SSO, which has Permission Sets with specific managed IAM policies and an inline policy as a permission boundary set for the user…

Arun Janarthanan
0 votes, 1 answer
How can I change default parameter values for lambda?
I'm playing with AWS Lambda and I am unable to change the default parameters that are used in the Lambda. Is there a workaround for this?
Setup:
Lambda "iAmInvoked" is created by a stack in CloudFormation which has default parameter values set (I…

PraveenBuilds
0 votes, 1 answer
How do I migrate existing AWS IAM users to AWS SSO cross-account?
Currently, I have a bunch of IAM users in another account (not tied to AWS SSO).
I've recently started using AWS-SSO to manage multiple accounts and users. I found it very effective and easy to manage.
Question: How can I move/migrate users from…

PiaklA
0 votes, 1 answer
AWS Control Tower Guardrail - Prevents S3 Bucket from being created with encryption
We have applied the guardrails mentioned in this posting, AWS Preventive S3 Guardrails. Unfortunately, we are not getting the anticipated outcome. We applied the Disallow Changes to Encryption Configuration for Amazon S3 Buckets.
The SCP has…

Jay Bonk
0 votes, 1 answer
How to enroll AWS accounts under AWS Organizations into a Control Tower created OU
I want to enroll 2 AWS accounts which are created in an AWS organization under, let's say, Root Account 1 into the Organizational Units created by Control Tower in Root Account 2.
The main problem here is that the two root accounts are totally different…

SUBHAS PATIL
0 votes, 0 answers
Suppress or delete findings & violations (Security Hub/Config) for default resources created by Control Tower?
I deployed Control Tower in the ca-central-1 region and enabled Security Hub and AWS Config through a dedicated admin account (the audit account provided by default via Control Tower).
I then enabled the following security standards:
PCI DSS v3.2.1
CIS…

kryogenic1
0 votes, 1 answer
AWS Control Tower moving account to new OU fails
I used to have an OU, let's call it x, with accounts prod and ss; then I created a new OU, let's call it y.
Now I am trying to move prod and ss from OU x to OU y. However, this keeps failing. When I try to re-register OU y to be sure whether this would fix it, I…

user11036847
0 votes, 2 answers
AWS Control Tower setup failed
I'm working on setting up a Multi-Account AWS Landscape using AWS Control Tower, primarily:
Root --> Core --> Audit, Archive
Root --> Custom --> Network, Security, QA and Prod
Management Account.
I was able to successfully set up the Audit, Archive,…

siv
0 votes, 1 answer
AWS Control Tower failed to set up your landing zone completely: ... because the log group already exists
I am trying to set up a new landing zone with AWS Control Tower, but I get stuck at the same step even after multiple attempts:
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot create log…

Fredrik Johansson
0 votes, 1 answer
How do I use AWS Control Tower but ignore the AWS SSO feature in favor of a custom ADFS approach?
Goal: To use all of AWS Control Tower's features except AWS SSO, because the organization I'm working with doesn't want to change any aspect of identity management and single sign-on at this time.
Currently, this organization uses ADFS in their…

Yann Stoneman
0 votes, 1 answer
Control Tower Lifecycle Events
Can Control Tower lifecycle events be used to trigger a Terraform script? For example, after successful creation of an account, trigger a Terraform script to create a VPC.

sowmya raghu