This control restricts permissions to manage CloudFormation resources like IAM roles. When this control is enabled:
It prevents principals in child accounts from modifying or deleting IAM roles, including the AWSControlTowerAdmin role required by Control Tower.
This role is needed by Control Tower to deploy and manage resources across accounts using CloudFormation stack sets.
Without this role, Control Tower cannot perform its management functions and you will see access denied errors.
A few things you can try:
- Check if the AWSControlTowerAdmin role exists and has the correct trust policy in the affected accounts.
- Temporarily disable the "[CT.CLOUDFORMATION.PR.1]" control and see if the issues clear up.
- Refer to the AWS documentation on updating mandatory controls for the recommended process.
- Open a support case with AWS if disabling the control does not resolve the problems.
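A check for the first item in that list (does the execution role exist in the child account and does its trust policy still allow the management account to assume it), as an added example that is not code from this thread or from AWS. It assumes the role is named AWSControlTowerExecution, as the follow-up comment states, and that its trust policy must name the management account root; the management account id is a constructed placeholder.

```python
"""Verify a child account's Control Tower execution role trusts the management account.
Added example; the account id below is a constructed placeholder, not a real value."""
from typing import Any

ROLE_NAME = "AWSControlTowerExecution"   # role name as given in the thread
MGMT_ACCOUNT_ID = "111111111111"          # constructed placeholder

def _as_list(value: Any) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trusted_aws_principals(trust_policy: dict) -> set:
    """Return the AWS principals granted sts:AssumeRole by Allow statements."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if "sts:assumerole" not in actions and "sts:*" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":          # anonymous trust: flag it rather than silently accept
            found.add("*")
            continue
        found.update(_as_list(principal.get("AWS")))
    return found

def trusts_management_account(trust_policy: dict, mgmt_account_id: str) -> bool:
    """True if the management account root (ARN or bare id form) can assume the role."""
    accepted = {f"arn:aws:iam::{mgmt_account_id}:root", mgmt_account_id}
    return bool(trusted_aws_principals(trust_policy) & accepted)

def fetch_trust_policy(role_name: str = ROLE_NAME) -> dict:
    """Live lookup; run with child-account credentials. boto3 is imported lazily so the
    pure checks above work offline. get_role raises NoSuchEntityException if the role is gone."""
    import boto3
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return role["AssumeRolePolicyDocument"]   # boto3 returns this already decoded to a dict

# Constructed sample of a healthy trust policy, used for the offline check below.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT_ID}:root"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print("sample policy trusts management account:",
          trusts_management_account(SAMPLE_TRUST_POLICY, MGMT_ACCOUNT_ID))
```

To check the real role, replace `SAMPLE_TRUST_POLICY` with `fetch_trust_policy()` and `MGMT_ACCOUNT_ID` with your management account id.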
This question's been out there a while but for the next person: The error message is telling you that you've enabled some other elective controls on this OU, and if you remove this control then it will put you in an undesirable state (i.e. where a user could go in and screw up some of the resources managed by Control Tower via CloudFormation and confuse the heck out of it). So to resolve this, in the OU where you're trying to disable this control, search for other controls with "Guidance = Elective" and disable them first.
Thank you for your response. I believe you meant AWSControlTowerExecution. Yes, this role exists in the child account. I also get the error "Following Hook(s) failed [ControlTower::Guard::Hook]" when I try to deploy a CloudFormation template to provision resources.
Control Tower doesn't allow me to simply disable the control [CT.CLOUDFORMATION.PR.1], as it is connected to all other proactive controls. So in order to disable this, I will have to disable all other proactive controls and then [CT.CLOUDFORMATION.PR.1], which is quite a hectic task, especially when I am not sure if this control is the culprit.