I'm gearing up for a security compliance test that requires AWS Control Tower to be enabled in every account and region within our AWS Organization. However, I'm running into a snag while setting up AWS Config, which is essential for Control Tower. I'm encountering an error that seems to stem from a Service Control Policy (SCP) blocking the `config:PutConfigurationRecorder` action. This might be inherited from a higher organizational unit or the root of our organization. Has anyone tackled this issue before? Any guidance would be appreciated!
3 Answers
I didn't see the specific error message in your post, but just to clarify, you likely don't need to deploy Config manually. Control Tower should handle that for all regions it governs. Still, you need to sort out that policy preventing the action. Resolving that SCP would be your first step.
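To locate the SCP that blocks the call, the policy documents attached to the root, each parent OU and the account can be checked against `config:PutConfigurationRecorder`, covering both explicit denies and a level where no SCP allows the action. This is an added example, not part of the original answers; it is a simplified matcher that does not evaluate `Condition` or `Resource`, and the policy names, Sids and OU name in the sample data are constructed.

```python
import re

def action_matches(pattern, action):
    # IAM action patterns are case-insensitive; '*' and '?' are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def as_list(value):
    # Policy JSON allows a single string/object where a list is also valid.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def statement_covers(stmt, action):
    if "NotAction" in stmt:  # covers everything except the listed patterns
        return not any(action_matches(p, action) for p in as_list(stmt["NotAction"]))
    return any(action_matches(p, action) for p in as_list(stmt.get("Action")))

def find_blockers(levels, action):
    """levels: [(target, [(policy_name, policy_doc), ...]), ...] ordered root -> account."""
    findings = []
    for target, policies in levels:
        allowed = False
        for name, doc in policies:
            for stmt in as_list(doc.get("Statement")):
                if not statement_covers(stmt, action):
                    continue
                if stmt.get("Effect") == "Deny":
                    kind = "conditional-deny" if "Condition" in stmt else "deny"
                    findings.append((target, name, stmt.get("Sid"), kind))
                elif stmt.get("Effect") == "Allow":
                    allowed = True
        if not allowed:  # an SCP must allow the action at every level
            findings.append((target, None, None, "no-allow"))
    return findings

# Constructed sample hierarchy (policy names, Sids and OU name are made up).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SAMPLE_LEVELS = [
    ("Root", [("FullAWSAccess", FULL_ACCESS),
              ("ProtectConfig", {"Statement": [{
                  "Sid": "DenyConfigWrites", "Effect": "Deny",
                  "Action": ["config:Put*", "config:Delete*"], "Resource": "*"}]})]),
    ("OU:Workloads", [("AllowListOnly", {"Statement": {
        "Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}})]),
    ("Account", [("FullAWSAccess", FULL_ACCESS)]),
]

if __name__ == "__main__":
    for finding in find_blockers(SAMPLE_LEVELS, "config:PutConfigurationRecorder"):
        print(finding)
```

The real documents for each level can be pulled with `aws organizations list-parents`, `list-policies-for-target --filter SERVICE_CONTROL_POLICY` and `describe-policy`, then passed in root-to-account order. A `conditional-deny` finding means the statement carries a `Condition`, so the exempted principals need to be read from the policy itself.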
Quick question: Is your organization management account set up to be isolated? If it's being used for workloads, it could be a potential security risk with Control Tower. Just something to think about!
Amazon provides a CloudFormation template that you can use to set this up easily. Check their resources; it might help streamline the process for you!