Control Tower Audit account


Hello, is it possible to have 2 audit accounts in the same Control Tower? The idea behind this is one audit account to be responsible for some OUs and the "second" audit account to be responsible only for 1 OU.

2 Answers

The audit account is an account that is automatically added when Control Tower is activated.
I thought it would be difficult to create this for each OU.

The audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts, by means of a role that is granted to Lambda functions only. The audit account does not allow you to log in to other accounts manually. For more information about Lambda functions and roles, see Configure a Lambda function to assume a role from another AWS account.

answered a year ago
reviewed a year ago
  • I know how the audit account works. The question was whether it is possible to have 2 audit accounts beneath the same Control Tower setup, since the "first" and default audit account is responsible for all accounts in your landing zone. I mean, if I set up and deploy all CloudFormation stacks pointing to a different audit and a different log-archive account, wouldn't that be a duplicate kind of setup? Or is it possible anyway?

  • You probably won't be able to do what you want to do. I think you will get duplicate errors as you perceive them.


Yes, but it becomes a bit of a manual process, as the audit account is a restricted account that's designed to give your security and compliance teams read and write access to all accounts in your landing zone. You would also need to ensure that you create the resources required in the new audit account that are specific to accounts in the new OU. Additionally, you will need to use a solution like CfCT to apply changes to the OU and the accounts within it that are specific to the 2nd audit account. You can also create new trails if. The issue is that there would be duplication. Another option would be to simply have an OU created in Organizations and not managed by CT... you can apply the same principles manually and not have duplication.

answered a year ago
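The two options in the answer above (keep the OU enrolled in Control Tower and add a second audit account via CfCT, or move the OU out of Control Tower and manage it manually) differ in which audit accounts end up trusted by each member account. The following is an added illustration, not AWS or Control Tower code: it models the member-account roles and their trust policies for a constructed landing zone and reports where a member account is reachable from both audit accounts, which is the duplication the answer warns about. All account ids, OU names and role names are constructed placeholders; the Control Tower role names in particular are hypothetical stand-ins, not the names Control Tower actually provisions.

```python
"""
Models which audit account can reach which member account when a second,
OU-scoped audit account sits next to the default Control Tower one.

Added example, not AWS or Control Tower code. Account ids, OU names and
role names are placeholders, not taken from any real landing zone.
"""
import json

# Constructed landing-zone layout: OU name -> member account ids.
SAMPLE_OUS = {
    "Security":   ["111111111111", "222222222222"],
    "Workloads":  ["333333333333", "444444444444"],
    "Restricted": ["555555555555"],
}
DEFAULT_AUDIT_ACCOUNT = "111111111111"  # placeholder: landing-zone audit account
SECOND_AUDIT_ACCOUNT = "999999999999"   # placeholder: OU-specific audit account
DELEGATED_OUS = {"Restricted"}          # OUs the second audit account should own

# Hypothetical role names. The first pair stands in for the read-only roles
# Control Tower provisions; the second pair is the custom role set you would
# deploy with CfCT for the second audit account.
CT_MEMBER_ROLE = "ct-ReadOnlyExecutionRole"
CT_AUDIT_ROLE = "ct-AuditReadOnlyRole"
CUSTOM_MEMBER_ROLE = "ou-AuditReadOnlyRole"
CUSTOM_AUDIT_ROLE = "ou-AuditLambdaRole"


def trust_policy(audit_account, audit_role):
    """Trust policy for a member-account role: only the named role in the
    given audit account may assume it (the Lambda-only access pattern)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{audit_account}:role/{audit_role}"},
            "Action": "sts:AssumeRole",
        }],
    }


def plan_roles(ous, delegated_ous, delegated_ous_enrolled):
    """Return {account_id: {role_name: trust_policy}} for every member account.

    delegated_ous_enrolled=True  -> the delegated OU stays under Control Tower,
                                    so the CT role trusting the default audit
                                    account is still present there.
    delegated_ous_enrolled=False -> the OU is a plain Organizations OU managed
                                    manually, so only the custom role exists.
    """
    plan = {}
    for ou, accounts in ous.items():
        delegated = ou in delegated_ous
        for account in accounts:
            roles = {}
            if not delegated or delegated_ous_enrolled:
                roles[CT_MEMBER_ROLE] = trust_policy(DEFAULT_AUDIT_ACCOUNT, CT_AUDIT_ROLE)
            if delegated:
                roles[CUSTOM_MEMBER_ROLE] = trust_policy(SECOND_AUDIT_ACCOUNT, CUSTOM_AUDIT_ROLE)
            plan[account] = roles
    return plan


def trusted_audit_accounts(roles):
    """Audit accounts that can reach a member account, read from its trust policies."""
    reach = set()
    for policy in roles.values():
        for stmt in policy["Statement"]:
            principal = stmt["Principal"]["AWS"]
            reach.add(principal.split(":")[4])  # account id field of the ARN
    return reach


def duplicated_accounts(plan):
    """Accounts reachable by more than one audit account (the duplication concern)."""
    return sorted(a for a, roles in plan.items() if len(trusted_audit_accounts(roles)) > 1)


if __name__ == "__main__":
    for enrolled in (True, False):
        plan = plan_roles(SAMPLE_OUS, DELEGATED_OUS, enrolled)
        print(f"delegated OU enrolled in Control Tower: {enrolled}")
        print("  accounts reachable from both audit accounts:",
              duplicated_accounts(plan) or "none")
    print(json.dumps(plan_roles(SAMPLE_OUS, DELEGATED_OUS, False)["555555555555"], indent=2))
```

Running the script shows the trade-off from the answer directly: with the delegated OU still enrolled, the account in that OU is reachable from both audit accounts; with the OU taken out of Control Tower, only the second audit account's role is trusted there, at the cost of managing that OU by hand.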
