Landing zone drift detected

I am getting "Landing zone drift detected" while accessing Control Tower, and the cause of this issue is listed as: "A managed SCP was deleted, detached, or modified on the core OU Security (****), so shared accounts and their functionality are compromised. For example, the log archive and audit accounts may no longer be working because their permissions have changed. Until you fix this problem, you cannot view or manage your AWS Control Tower landing zone. Provisioning new accounts is not recommended, because logging and auditing may not be functioning."

Please support me when making repairs that do not affect the system that is currently running. Will the following options cause a system reset?

  • Region deny setting: should I choose Enable or Not Enable? Has it changed with the running configurations?
  • AWS account access configuration: have the account and IAM settings changed?
  • AWS CloudTrail configuration: should Enable or Not Enable be selected? Has it changed with the running configurations?
  • Log configuration for Amazon S3: I already have a full log configuration; has it changed?
  • Please support me!

1 answer

Accepted answer

Hi,

The error states that a managed Service Control Policy was either deleted, detached or modified on a specific OU, in this case the "Security OU". To understand what happened, you can check the events in CloudTrail to see which SCP was affected. With that information you should be able to recreate the previous configuration.

Please also note that it's not clear to me what you mean by "Will the following options cause a system reset?"

What you choose for these options depends on your requirements and use-case. For example, it might make sense to you to only allow access to a specific set of regions but you might also have a use-case that requires unrestricted access.

AWS Expert
answered 10 months ago
reviewed 2 months ago
  • Hi Ben, thanks for your support. I have reattached the SCP to the Security OU, but the drift still occurs, and this error requires us to repair: https://docs.aws.amazon.com/controltower/latest/userguide/drift.html. My concern here is, when we make a repair, how does the process affect the running system? I am especially confused by the options in the AWS account access configuration section.

    • Option 1: AWS Control Tower sets up AWS account access with IAM Identity Center.
    • Option 2: Self-managed AWS account access with IAM Identity Center or another method.

    I have configured synchronisation with on-prem AD (users/groups). Do the options change the permission sets created and assigned to users and groups?
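One way to do the CloudTrail check Ben suggests in the accepted answer, as an added example that is not part of the original thread: this Python filters CloudTrail records down to the Organizations API calls that change SCPs, optionally restricted to one OU. The sample events, policy IDs, OU IDs and ARNs are constructed placeholders; in a real account the input would be the organization trail's log files or the output of `aws cloudtrail lookup-events`.

```python
import json

# Organizations API calls that change which SCPs apply, or what a policy says.
SCP_MUTATIONS = {"AttachPolicy", "DetachPolicy", "UpdatePolicy", "DeletePolicy", "DisablePolicyType"}

# Constructed sample CloudTrail records; IDs and ARNs are placeholders. Real input would come from the
# organization trail's logs or `aws cloudtrail lookup-events --region us-east-1
#   --lookup-attributes AttributeKey=EventSource,AttributeValue=organizations.amazonaws.com`.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-02T09:14:03Z", "eventSource": "organizations.amazonaws.com", "eventName": "DetachPolicy",
  "requestParameters": {"policyId": "p-examplescp1", "targetId": "ou-exmp-security01"},
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"}},
 {"eventTime": "2024-05-02T09:00:11Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "requestParameters": null, "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"}},
 {"eventTime": "2024-05-02T08:50:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "UpdatePolicy",
  "requestParameters": {"policyId": "p-examplescp1"},
  "userIdentity": {"arn": "arn:aws:iam::111111111111:role/example-automation"}},
 {"eventTime": "2024-05-02T09:20:45Z", "eventSource": "organizations.amazonaws.com", "eventName": "AttachPolicy",
  "requestParameters": {"policyId": "p-examplescp2", "targetId": "ou-exmp-sandbox01"},
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-admin"}},
 {"eventTime": "2024-05-02T09:30:00Z", "eventSource": "organizations.amazonaws.com", "eventName": "DescribePolicy",
  "requestParameters": {"policyId": "p-examplescp1"},
  "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-auditor"}}
]""")

def find_scp_changes(events, target_id=None):
    """Return SCP-affecting Organizations events, oldest first.

    target_id (OU or account ID) filters Attach/Detach events by target; Update/Delete
    have no targetId and are always kept (they affect every attached target).
    """
    hits = []
    for ev in events:
        if ev.get("eventSource") != "organizations.amazonaws.com":
            continue  # not an Organizations call (e.g. console sign-in)
        if ev.get("eventName") not in SCP_MUTATIONS:
            continue  # read-only call such as DescribePolicy
        params = ev.get("requestParameters") or {}
        ev_target = params.get("targetId")
        if target_id and ev_target and ev_target != target_id:
            continue  # attach/detach on a different OU or account
        hits.append({"time": ev["eventTime"], "action": ev["eventName"],
                     "policy": params.get("policyId"), "target": ev_target,
                     "who": (ev.get("userIdentity") or {}).get("arn")})
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for h in find_scp_changes(SAMPLE_EVENTS, target_id="ou-exmp-security01"):
        print(f'{h["time"]} {h["action"]:<13} policy={h["policy"]} target={h["target"]} by {h["who"]}')
```

The resulting list tells you which policy ID and principal to look at; the policy content before the change is in the Update/Delete event's request parameters or in the policy's version history, which is what you need to recreate the previous configuration before running the drift repair.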
