AWS Control Tower - controls

Hello.

I am implementing Controls (guardrails) with Control Tower. For example, I have enabled "Disallow Actions as a Root User" in one OU, so when I try to do something with the root user it is not permitted; the SCP works. But I would like to know whether the logs for this access denied are stored somewhere, or whether this generates any notifications.

Control Tower creates CloudTrail trails and CloudWatch Logs in all accounts, but I want to know in which accounts I should search for logs or events related to Control Tower guardrails and Config packs.

When does the SNS notification created in the audit account send notifications?

Thank you.

1 Answer
Hi,

The account in question is the Log Archive account. When you set up your landing zone, one of the shared accounts created is the Log Archive account, dedicated to collecting all logs centrally, including logs for all of your other accounts. These log files allow administrators and auditors to review actions and events that have occurred. You can query the CloudTrail logs in the Log Archive from the Audit account using the role aws-controltower-AuditReadOnlyRole with Lambda to gain access to the logs in the Log Archive. The role assumes aws-controltower-ReadOnlyExecutionRole in the Log Archive account, granting read-only access. Notifications are usually for non-compliance through detective controls with AWS Config.

If you want to view activities in your Control Tower management account, you can navigate to the Activities page. The Activities page shows all AWS Control Tower actions initiated from the management account. It includes actions that are logged automatically when you navigate through the AWS Control Tower console. See: https://docs.aws.amazon.com/controltower/latest/userguide/logging-and-monitoring.html

As for SNS notifications, to receive compliance change notifications in email sent to your audit account, subscribe to this Amazon SNS topic: arn:aws:sns:AWSRegion:AuditAccount:aws-controltower-AggregateSecurityNotifications. See: https://docs.aws.amazon.com/controltower/latest/userguide/receive-notifications.html for more information on what SNS topics and notifications you can receive and other considerations.

AWS
answered 7 months ago
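As an added example that is not part of the original answer, the Python script below shows what a root-user call blocked by an SCP such as "Disallow Actions as a Root User" looks like in a CloudTrail log file from the Log Archive bucket, and how to filter those records out from ordinary access-denied events. The log records are constructed samples and the account ID, ARNs and error message wording are assumptions.

```python
import json

# Constructed sample of a CloudTrail log file body ({"Records": [...]}) as delivered to the
# Log Archive bucket. Account IDs and ARNs are placeholders, not real identifiers.
SAMPLE_CLOUDTRAIL_FILE = json.dumps({"Records": [
    {   # root user blocked by the "Disallow Actions as a Root User" control (an SCP)
        "eventTime": "2023-05-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": "User: arn:aws:iam::111111111111:root is not authorized to perform: "
                        "ec2:RunInstances on resource: arn:aws:ec2:us-east-1:111111111111:instance/* "
                        "with an explicit deny in a service control policy",
    },
    {   # IAM user denied by an identity policy: not an SCP event, must be filtered out
        "eventTime": "2023-05-01T10:16:00Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateUser", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::111111111111:user/alice is not authorized to perform: "
                        "iam:CreateUser because no identity-based policy allows the iam:CreateUser action",
    },
    {   # root console sign-in succeeded: no errorCode, so not a control violation
        "eventTime": "2023-05-01T10:14:00Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "recipientAccountId": "111111111111",
        "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
    },
]})

# Error codes CloudTrail records for authorization failures (EC2 uses its own code).
DENY_ERROR_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}


def scp_denied_root_events(log_file_body: str) -> list[dict]:
    """Summarise records where the root user was blocked by a service control policy."""
    hits = []
    for rec in json.loads(log_file_body).get("Records", []):
        if rec.get("userIdentity", {}).get("type") != "Root":
            continue
        if rec.get("errorCode") not in DENY_ERROR_CODES:
            continue
        # SCP denials are phrased "... with an explicit deny in a service control policy"
        if "service control policy" not in rec.get("errorMessage", ""):
            continue
        hits.append({"time": rec["eventTime"], "account": rec["recipientAccountId"],
                     "region": rec["awsRegion"],
                     "action": rec["eventSource"].split(".")[0] + ":" + rec["eventName"]})
    # Oldest first, so a reviewer reads the sequence as it happened
    return sorted(hits, key=lambda h: h["time"])
```

Run it over the `.json.gz` objects under the CloudTrail prefix of the Log Archive bucket (decompressed first) to list every root action an SCP blocked, per account and region.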
