Landing zone drift detected


I am getting "Landing zone drift detected" while accessing Control Tower, and the cause of this issue is listed as: "A managed SCP was deleted, detached, or modified on the core OU Security (****), so shared accounts and their functionality are compromised. For example, the log archive and audit accounts may no longer be working because their permissions have changed. Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning."

Please help me make the repair without affecting the system that is currently running. Will the following options cause a system reset?

  • Region deny setting: should I choose Enabled or Not enabled? Has it changed from the running configuration?
  • AWS account access configuration: have the account and IAM settings changed?
  • AWS CloudTrail configuration: should I choose Enabled or Not enabled? Has it changed from the running configuration?
  • Log configuration for Amazon S3: I already have a full log configuration; has it changed?
  • Please support me!

1 answer

Accepted answer

Hi,

The error states that a managed Service Control Policy was either deleted, detached or modified on a specific OU, in this case the "Security OU". To understand what happened, you can check the events in CloudTrail to see which SCP was affected. With that information you should be able to recreate the previous configuration.

Please also note that it's not clear to me what you mean by "Will the following options cause a system reset?"

What you choose for these options depends on your requirements and use case. For example, it might make sense for you to only allow access to a specific set of regions, but you might also have a use case that requires unrestricted access.

AWS Expert, answered 10 months ago
Reviewed by an Expert 2 months ago
  • Hi Ben, thanks for your support. I have reattached the SCP to the Security OU, but the drift still occurs; this error requires us to repair it: https://docs.aws.amazon.com/controltower/latest/userguide/drift.html. My concern here is, when we make a repair, how does the process affect the running system? I am especially confused by the options in the AWS account access configuration section.

    • Option 1: AWS Control Tower sets up AWS account access with IAM Identity Center.
    • Option 2: Self-managed AWS account access with IAM Identity Center or another method.

    I have configured synchronization with on-premises AD (users/groups). Do these options change the permission sets created and assigned to users and groups?
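The accepted answer recommends checking CloudTrail to find out which SCP on the Security OU was changed before recreating the previous configuration. The script below is an added example of that triage step; it is not part of the original thread or of any AWS tooling. It takes CloudTrail records for the Organizations API (what you get from `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventSource,AttributeValue=organizations.amazonaws.com` in the management account, in us-east-1, where Organizations, a global service, delivers its management events), keeps only successful AttachPolicy/DetachPolicy/DeletePolicy/UpdatePolicy calls that touched the OU or one of the managed SCP IDs, and summarizes what was detached, deleted, modified or attached, and by whom. The OU ID, policy IDs, account ID and the sample events themselves are constructed for illustration; the set of managed policy IDs is an assumption you would fill in from `aws organizations list-policies-for-target` on a healthy landing zone.

```python
"""Triage CloudTrail events for Service Control Policy (SCP) changes on one
organizational unit, such as the Control Tower Security OU.

Added example, not code from the thread or from AWS. Records use the
CloudTrail log record format (the JSON inside the "CloudTrailEvent" field of
`aws cloudtrail lookup-events` output); raw records are accepted too.
All identifiers and events below are constructed for illustration.
"""
import json

# Organizations calls that can change SCP state on an OU. Read-only calls
# (ListPolicies, DescribePolicy, ...) are irrelevant for drift and skipped.
SCP_MUTATIONS = {"AttachPolicy", "DetachPolicy", "DeletePolicy", "UpdatePolicy"}

# Assumed values: the Security OU and the managed SCPs expected on it.
SECURITY_OU = "ou-exmp-11111111"
MANAGED_SCPS = {"p-11111111", "p-22222222"}


def _as_record(event):
    """Accept a raw CloudTrail record or a lookup-events entry wrapping one."""
    if "CloudTrailEvent" in event:
        return json.loads(event["CloudTrailEvent"])
    return event


def find_scp_changes(events, ou_id, managed_policy_ids):
    """Return successful SCP mutations that targeted `ou_id` or touched one of
    the managed policy IDs (UpdatePolicy/DeletePolicy carry no targetId),
    oldest first, so the pre-drift state can be reconstructed in order."""
    hits = []
    for ev in map(_as_record, events):
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue
        if ev.get("eventName") not in SCP_MUTATIONS:
            continue
        if ev.get("errorCode"):  # denied or failed calls changed nothing
            continue
        params = ev.get("requestParameters") or {}
        policy_id, target_id = params.get("policyId"), params.get("targetId")
        if target_id != ou_id and policy_id not in managed_policy_ids:
            continue
        hits.append({
            "time": ev["eventTime"],
            "action": ev["eventName"],
            "policy_id": policy_id,
            "target_id": target_id,
            "actor": (ev.get("userIdentity") or {}).get("arn", "unknown"),
        })
    return sorted(hits, key=lambda h: h["time"])


def summarize_drift(hits, managed_policy_ids):
    """Replay the ordered hits: a managed SCP that was detached and later
    re-attached is no longer reported as detached; a deleted one cannot be
    re-attached and must be recreated; a modified one needs its content
    restored; non-managed attachments are listed for review."""
    detached, deleted, modified, attached = set(), set(), set(), set()
    for h in hits:
        pid, managed = h["policy_id"], h["policy_id"] in managed_policy_ids
        if h["action"] == "DetachPolicy" and managed:
            detached.add(pid)
        elif h["action"] == "AttachPolicy" and managed:
            detached.discard(pid)
        elif h["action"] == "AttachPolicy":
            attached.add(pid)
        elif h["action"] == "DeletePolicy" and managed:
            deleted.add(pid)
        elif h["action"] == "UpdatePolicy" and managed:
            modified.add(pid)
    return {"detached": sorted(detached), "deleted": sorted(deleted),
            "modified": sorted(modified), "attached": sorted(attached)}


# Constructed sample events (deliberately out of time order).
_ACTOR = {"arn": "arn:aws:iam::111122223333:role/ExampleAdmin"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T09:58:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "ListPolicies", "userIdentity": _ACTOR,
     "requestParameters": {"filter": "SERVICE_CONTROL_POLICY"}},
    {"eventTime": "2024-03-01T10:02:14Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DetachPolicy", "userIdentity": _ACTOR,
     "requestParameters": {"policyId": "p-11111111", "targetId": SECURITY_OU}},
    {"eventTime": "2024-03-01T10:03:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DetachPolicy", "userIdentity": _ACTOR, "errorCode": "AccessDenied",
     "requestParameters": {"policyId": "p-22222222", "targetId": SECURITY_OU}},
    # lookup-events style entry: the record is a JSON string
    {"EventId": "constructed-1", "CloudTrailEvent": json.dumps(
        {"eventTime": "2024-03-01T10:05:41Z", "eventSource": "organizations.amazonaws.com",
         "eventName": "UpdatePolicy", "userIdentity": _ACTOR,
         "requestParameters": {"policyId": "p-22222222", "content": "{...}"}})},
    {"eventTime": "2024-03-01T10:01:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "AttachPolicy", "userIdentity": _ACTOR,
     "requestParameters": {"policyId": "p-33333333", "targetId": SECURITY_OU}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "DetachPolicy", "userIdentity": _ACTOR,
     "requestParameters": {"policyId": "p-44444444", "targetId": "ou-exmp-22222222"}},
]

if __name__ == "__main__":
    changes = find_scp_changes(SAMPLE_EVENTS, SECURITY_OU, MANAGED_SCPS)
    for h in changes:
        print(f'{h["time"]} {h["action"]:<13} {h["policy_id"]} -> {h["target_id"]} by {h["actor"]}')
    print(summarize_drift(changes, MANAGED_SCPS))
```

On the sample, the script lists the attach, detach and update calls against the Security OU (the denied DetachPolicy and the other OU's event are dropped) and reports `p-11111111` as detached, `p-22222222` as modified and `p-33333333` as a non-managed attachment to review. Note that, as the follow-up comment in the thread observes, re-attaching the policy alone did not clear the drift status; the CloudTrail result tells you what to restore, while the landing zone repair itself is done in the Control Tower console as described in the linked drift documentation.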
