
Questions tagged with AWS Control Tower


Control Tower - Disable Compliance Change Notifications

Hello, we are using Control Tower and we have subscribed email (Slack) notifications to the `aws-controltower-AggregateSecurityNotifications` SNS topics. We are receiving Control Tower drift notifications and AWS Config compliance change notifications as described in https://docs.aws.amazon.com/controltower/latest/userguide/compliance.html. We are interested especially in Control Tower drift notifications.

Unfortunately the AWS Config compliance change notifications are too noisy: they notify on all COMPLIANT, NON_COMPLIANT and NOT_APPLICABLE events. The noise is caused by the rule `AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES`, which triggers a COMPLIANT notification each time a new EC2 node with EBS is provisioned and a NOT_APPLICABLE notification when the node is shut down. We are interested only in non-compliant notifications. Is it possible to change this behaviour? Or, alternatively, is it possible to disable sending AWS Config compliance change notifications to the `aws-controltower-AggregateSecurityNotifications` topic at all, so that only Control Tower drift notifications would be sent to this topic?

I've noticed that the Event Rules which forward compliance change notifications are deployed by the stackset `AWSControlTowerBP-BASELINE-CLOUDWATCH` from the management account to all accounts, and that there is a possibility to disable these notifications via the parameter `EnableConfigRuleChangeNotification`. Since the stackset is managed by Control Tower, I am not sure if we can change these settings. Could you please guide us on the recommended approach?

thanks Martin
1
answers
0
votes
44
views
asked 2 months ago

Unable to purchase prepaid Hits

Hi, I am new to MTurk and very confused about the process for purchasing prepaid HITs. I was following the process described in the FAQ of the Amazon MTurk page (https://www.mturk.com/help#enable_aws_billing):

> How do I purchase prepaid HITs on Amazon Mechanical Turk? Follow these steps to purchase prepaid HITs:
> 1. From your Amazon Mechanical Turk account, go to My Account -> Purchase Prepaid HITs.
> 2. Enter the amount you would like to purchase.
> 3. Select the credit or debit card on file or enter new credit or debit card information.
> 4. Confirm your purchase.
> Note: As a US Requester, you may be prompted to establish a verified Amazon Payments account if you plan to make a purchase above certain amounts. You can create a verified Amazon Payments account at any time here.

First of all, I am NOT ABLE TO find "Purchase Prepaid HITs" on the "My Account" page. So I tried to establish "a verified Amazon Payments account" as it directs, and I am at the stage where I encounter "We're verifying your identity now, and we'll send you an email when the verification is complete. This can take up to 24 hours. You can't use your account until we've verified your identity." But it has been more than two weeks since I saw that message. What is wrong with my whole process? I really do want to purchase prepaid HITs but I am not able to...
0
answers
0
votes
13
views
asked 3 months ago

Enrolling existing AWS accounts in new OU

Hi, I have created a new AWS account and set up Control Tower, a landing zone, Account Factory and a new OU, with the intention of enrolling a number of our existing AWS accounts into the new OU. (These accounts had previously been enrolled in another OU in a different AWS account, but they were removed from that account prior to beginning this process.)

In my new account, the accounts are added to the relevant OU, but when I try to enroll them in Control Tower by re-registering the OU I get the following error:

*AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account. Be sure the role is present in the account, or add it.*

I had to log on to each account and update the AWSControlTowerExecution role to allow access from the new management account (the role was there, but it was only allowing access to the previous management account). Once that was done, I removed the constraints, products and users and deleted the portfolio for the landing zone provisioned product in Service Catalog, as recommended in this article: https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

I then tried to re-enroll these accounts again, but I am still having issues. I got the error:

*AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account*

so I tried repairing the landing zone; this didn't work. I have also tried to remove the account, re-add it to the OU and re-register the OU, but I am getting the following pre-check error:

| Pre-check location | OU or account ID | OU or account name | Pre-check type |
| --- | --- | --- | --- |
| Landing Zone | "xxxxx" | Landing zone | Add the IAM user to the AWS Service Catalog portfolio before registering your OU. |

But I don't know what IAM user to add to the Service Catalog portfolio. I would be grateful for any advice / guidance, thanks
2
answers
0
votes
165
views
asked 3 months ago

Enforce Tags SCP for DynamoDB is not working

Hi, I followed this official guide from AWS in order to implement a tagging strategy for resources in my AWS Organization: https://aws.amazon.com/de/blogs/mt/implement-aws-resource-tagging-strategy-using-aws-tag-policies-and-service-control-policies-scps/

The example is for EC2 instances. I followed all steps and this worked; however, when I wanted to replicate the steps for S3, RDS and DynamoDB it did not work. The following is the SCP I want to use in order to enforce the tag *test* to be on every created DynamoDB table. This is exactly how it is done in the guide for EC2.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Deny",
      "Action": [
        "dynamodb:CreateTable"
      ],
      "Resource": [
        "arn:aws:dynamodb:*:*:table/*"
      ],
      "Condition": {
        "Null": {
          "aws:RequestTag/test": "true"
        }
      }
    }
  ]
}
```

However, when I try to create a DynamoDB table with the tag *test* I get the following error message. I am passing the tag test, but I still get a deny.

```
User: arn:aws:sts::<account>:assumed-role/<role>/<email> is not authorized to perform: dynamodb:CreateTable on resource: arn:aws:dynamodb:eu-central-1:<table>:<table> with an explicit deny.
```

I tried creating this SCP for the services RDS, S3 and DynamoDB; only EC2 seems to work. Do you have an idea what the error could be, or is anyone using this tagging strategy in their AWS Organization/AWS Control Tower? I would be interested to hear what your experience is, as this seems really complicated to me to implement and does not work so far. Looking forward to hearing from you people :)
0
answers
0
votes
12
views
asked 3 months ago

How do I resolve unexpected CodeBuild AccountLimitExceededException error?

I have a CodeBuild project that was created by AWS Control Tower Account Factory for Terraform. Every time I try to "Start build" in the console, it spits out the following error:

```
Build failed to Start. The following error occurred: Cannot have more than 0 builds in queue for the account
```

Log events from CloudWatch:

```
[ERROR] 2022-02-27T01:01:56.498Z 5aaae098-f77f-457d-8ff8-ee202b27c308 {'FILE': 'codebuild_invoker.py', 'METHOD': 'lambda_handler', 'EXCEPTION': 'An error occurred (AccountLimitExceededException) when calling the StartBuild operation: Cannot have more than 0 builds in queue for the account'}
Traceback (most recent call last):
  File "/var/task/codebuild_invoker.py", line 30, in lambda_handler
    job_id = client.start_build(projectName=codebuild_project_name)["build"]["id"]
  File "/var/runtime/botocore/client.py", line 386, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 705, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.errorfactory.AccountLimitExceededException: An error occurred (AccountLimitExceededException) when calling the StartBuild operation: Cannot have more than 0 builds in queue for the account
```

Any pointer to solve the error?
2
answers
0
votes
56
views
asked 4 months ago

Cloudtrail event notifications

Hello, we have configured a Control Tower landing zone and enrolled tens of accounts in our organization. We would like to monitor some of the actions (ConsoleLogin, SwitchRole, CreateUser, CreatePolicy, CreateRole, PutGroupPolicy, ...) across all accounts in the organization and be notified when the action occurs via Slack or PagerDuty. Is there any out-of-the-box solution or recommended approach? I am considering two approaches:

1. Listen to the CloudTrail S3 logs bucket. Create an account which will have read-only access to the CloudTrail logs S3 bucket in the Log Archive account. A Lambda function will be triggered on new records in the bucket; it will download the files from S3 and parse the events. The huge disadvantage is that it will have to parse all CloudTrail entries, which could be expensive and inefficient.

2. Aggregate events using EventBridge buses. Create a dedicated "Audit Notifications" account where an EventBridge event bus will aggregate matched events from all other accounts. In the "Audit Notifications" account there will be an event rule with a Lambda target forwarding the matched events from all accounts to Slack/PagerDuty/... An event rule forwarding matched events to the event bus target in "Audit Notifications" will be deployed into each governed region in each member account, similar to what is described in https://aws.amazon.com/premiumsupport/knowledge-center/root-user-account-eventbridge-rule/

I favor the second approach, but maybe there are some other options. thanks
1
answers
0
votes
56
views
asked 5 months ago
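The two EventBridge questions above (filtering the Control Tower compliance notifications down to NON_COMPLIANT, and forwarding selected IAM and console sign-in events from member accounts to a central bus) both come down to writing an event pattern. The script below is an added example, not code from re:Post or from AWS: it holds the two patterns and a small matcher that implements the literal-value subset of EventBridge pattern semantics so the patterns can be checked against constructed sample events offline. It assumes you deploy these as your own EventBridge rules alongside the Control Tower baseline rather than editing the Control Tower-managed stack set; the sample events are constructed to mirror the documented shapes of `Config Rules Compliance Change`, `AWS API Call via CloudTrail` and `AWS Console Sign In via CloudTrail` events and contain only the fields the patterns need.

```python
"""Event patterns for the two EventBridge rules discussed above, plus an
offline matcher. Added example, not code from re:Post or AWS. The matcher
covers only literal-value patterns (list of allowed values per field, nested
objects); prefix/anything-but/numeric matchers are not implemented."""
import json

# Pattern 1 (compliance notifications): forward only NON_COMPLIANT evaluations.
# COMPLIANT and NOT_APPLICABLE transitions are not listed, so they never match.
NON_COMPLIANT_ONLY = {
    "source": ["aws.config"],
    "detail-type": ["Config Rules Compliance Change"],
    "detail": {
        "newEvaluationResult": {"complianceType": ["NON_COMPLIANT"]},
    },
}

# Pattern 2 (CloudTrail notifications): IAM mutations and console sign-ins, as a
# member-account rule whose target would be the central "Audit Notifications"
# bus. ConsoleLogin/SwitchRole arrive as sign-in events, the rest as IAM calls.
IAM_AUDIT_EVENTS = {
    "source": ["aws.signin", "aws.iam"],
    "detail-type": ["AWS Console Sign In via CloudTrail",
                    "AWS API Call via CloudTrail"],
    "detail": {
        "eventName": ["ConsoleLogin", "SwitchRole", "CreateUser",
                      "CreatePolicy", "CreateRole", "PutGroupPolicy"],
    },
}


def matches(pattern, event):
    """EventBridge semantics for literal patterns: every key in the pattern
    must exist in the event, nested objects recurse, a list of values is an
    OR, and event keys the pattern does not mention are ignored."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        if isinstance(allowed, dict):
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False
    return True


def forwarded(pattern, events):
    """Names (eventName, or configRuleName for Config) of the events the rule
    would forward to its target, in arrival order."""
    return [e["detail"].get("eventName") or e["detail"].get("configRuleName")
            for e in events if matches(pattern, e)]


def rule_json(pattern):
    """Serialised form suitable for `aws events put-rule --event-pattern`."""
    return json.dumps(pattern, separators=(",", ":"))


# Constructed sample events (not captured from a real account).
def config_event(compliance_type):
    return {
        "source": "aws.config",
        "detail-type": "Config Rules Compliance Change",
        "detail": {
            "configRuleName": "AWSControlTower_AWS-GR_ENCRYPTED_VOLUMES",
            "resourceType": "AWS::EC2::Volume",
            "newEvaluationResult": {"complianceType": compliance_type},
        },
    }


def cloudtrail_event(source, detail_type, event_source, event_name):
    return {
        "source": source,
        "detail-type": detail_type,
        "detail": {"eventSource": event_source, "eventName": event_name},
    }


SAMPLE_EVENTS = [
    config_event("COMPLIANT"),       # new EBS volume provisioned: noise
    config_event("NOT_APPLICABLE"),  # volume gone after shutdown: noise
    config_event("NON_COMPLIANT"),   # the one notification that matters
    cloudtrail_event("aws.signin", "AWS Console Sign In via CloudTrail",
                     "signin.amazonaws.com", "ConsoleLogin"),
    cloudtrail_event("aws.iam", "AWS API Call via CloudTrail",
                     "iam.amazonaws.com", "CreateUser"),
    cloudtrail_event("aws.iam", "AWS API Call via CloudTrail",
                     "iam.amazonaws.com", "GetUser"),      # not in the list
    cloudtrail_event("aws.s3", "AWS API Call via CloudTrail",
                     "s3.amazonaws.com", "CreateBucket"),  # wrong source
]

if __name__ == "__main__":
    print(rule_json(NON_COMPLIANT_ONLY))
    print(forwarded(NON_COMPLIANT_ONLY, SAMPLE_EVENTS))
    print(forwarded(IAM_AUDIT_EVENTS, SAMPLE_EVENTS))
```

Run as a script it prints the compact JSON you would pass to `put-rule`, then the events each pattern forwards: only the NON_COMPLIANT evaluation for the first rule, and only `ConsoleLogin` and `CreateUser` for the second. The `detail-type` strings must match the service's exact wording, which is the usual reason a hand-written rule silently matches nothing.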

Member account root user best practices

Hello, we are using AWS Control Tower and Account Factory for account provisioning. We have protected the management account root email following the [recommended best practices](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_best-practices_mgmt-acct.html), but we are not sure about member accounts. Provisioned member accounts are created with a random pregenerated password; if we want to secure a new account's root user we have to reset its password manually using "Forgotten password" and then configure its MFA.

What we'd like to do is:

- Enable the `Disallow actions as a root user` guardrail for all OUs, which blocks all actions for the root user, including its MFA setup.
- Not enable a password for the root user after the account is enrolled, as mentioned in https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_complex-password

In this case the root email won't be able to do any actions. But MFA won't be enabled, so the [MFA for root user](https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html#best-practices_mbr-acct_mfa) best practice and guardrail won't be satisfied. Also the IAM dashboard will scream at all users that MFA is not enabled for the root user (but we can explain to our users that the root email is "disabled" by SCPs).

What is the best practice here for protecting the member account root user? It looks like the best practices [Disallow Actions as a Root User](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#disallow-root-auser-actions) and [Detect Whether MFA for the Root User is Enabled](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html#enable-root-mfa) are mutually exclusive.

thanks Martin
1
answers
0
votes
53
views
asked 5 months ago

Provisioning new AWS Accounts via CloudFormation

Hi, there are boatloads of articles on the internet about automating the provisioning of AWS accounts; however, these mostly seem to end up using the AWS API to provision the accounts, e.g. one of them I saw just uses the `CreateAccount` action of the Organisations API. What I'd like to do (or at least, what I _think_ I want) is to use Control Tower Account Factory to provision the accounts, but invoked via CloudFormation. Essentially, it would be the same as clicking the "Enroll Account" button in the AWS Control Tower console. Since Account Factory is just a Service Catalog product, I figured you could put together a CloudFormation template that looks something like this:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Provision a new AWS Account.
Resources:
  Account:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductId: prod-xxxxxxxxxxxx
      ProvisionedProductName: my-new-account
      ProvisioningArtifactId: pa-xxxxxxxxxxx
      ProvisioningParameters:
        - Key: AccountEmail
          Value: mynewaccountemail@domain.tld
        - Key: AccountName
          Value: my-new-account
        # The Account Factory product spells this parameter with a "z":
        # ManagedOrganizationalUnit. Parameter keys must match the product exactly.
        - Key: ManagedOrganizationalUnit
          Value: ou-xxxx-xxxxxxxx
        - Key: SSOUserEmail
          Value: myssouser@domain.tld
        - Key: SSOUserFirstName
          Value: ssouserfirstname
        - Key: SSOUserLastName
          Value: ssouserlastname
```

Ideally, you would be able to grab the ID of the new account out of this as well. By inspection of some accounts we created manually and reviewing the docs for AWS::ServiceCatalog::CloudFormationProvisionedProduct, it seems you should be able to pull the account ID out of the resource like so: `!Sub ${Account.Outputs.AccountId}`. Now that we have the ID, you could provide it as a DeploymentTarget for a StackSet to perform the rest of the setup in the new account. However, when I tried this, stack creation failed, simply saying "Internal Error". Has anyone managed to get this to work before?

Or someone at AWS can tell me I dunno what I'm doing xD

Cheers,

Edited by: quantiful-antony-2 on Feb 2, 2021 9:47 PM

Unfortunately, the formatting of the YAML seems to be lost? Hopefully the gist of it still comes through, but let me know if not.
1
answers
0
votes
5
views
asked a year ago

enroll_account.py - mistyped target registered OU

So I was testing out the enroll_account.py script outlined here <https://aws.amazon.com/blogs/field-notes/enroll-existing-aws-accounts-into-aws-control-tower/>, in order to enroll an existing unregistered account (that was already in the organization) into Control Tower. This was a single account, currently sitting in an unregistered OU. Unfortunately, I got the capitalization wrong on one of the letters for the target registered OU where the new account was to be put and it errored (I put WorkLoads instead of Workloads), and now the account enrollment errors out. See below:

```
[ec2-user@ip-10-0-101-238 ~]$ python3 enroll_account.py -o WorkLoads -i <account number redacted>
Executing on AWS Account: <redacted>, assumed-role/AWSReservedSSO_AWSAdministratorAccess_bf1c0c3371d5ee07/<redacted>@<redacted>.edu
PRECHECK SUCCEEDED. Proceeding
Launching Enroll-Account-BusinessDivision01
Status: UNDER_CHANGE. Waiting for 6.0 min to recheck
ERROR: 165929507703
[ec2-user@ip-10-0-101-238 ~]$ python3 enroll_account.py -o Workloads -i <account number redacted>
Executing on AWS Account: <redacted>, assumed-role/AWSReservedSSO_AWSAdministratorAccess_bf1c0c3371d5ee07/<redacted>@<redacted>.edu
PRECHECK SUCCEEDED. Proceeding
Launching Enroll-Account-BusinessDivision01
SC product provisioning failed: An error occurred (InvalidParametersException) when calling the ProvisionProduct operation: A stack named Enroll-Account-BusinessDivision01 already exists.
ERROR: 165929507703
[ec2-user@ip-10-0-101-238 ~]$
```

Anyone have a hint as to where to go from here, or theories on how I could get myself out of this? This was just a test account in my dev environment, so if need be, blowing away the target account is fine; however, I'd like to use this as a learning experience in case it ever goes this way with a production account in the future.

Edited by: jgilfoil on Oct 31, 2020 3:51 PM
3
answers
0
votes
9
views
asked 2 years ago