mikkelramlov avatar mikkelramlov commented on July 16, 2024 3

Hi Lalit

Thank you for your answer! I understand SCPs wouldn't make sense.

Just to give you an idea of what we try to accomplish. We are using Control Tower and CT customized to adhere to all recommendations of the CIS benchmark for AWS (see page 152-154 for summary), and to do that we for example need to apply Config in all used regions on all accounts, which include the root account. Since we use CT customized to apply Config + rules to all OUs in CT (managed) unsupported regions, it would just be a nice feature for us if we could just add Root to the list of OUs and accounts and provision Config from one location.

I understand if you don't want to include that in your design. I just thought you should know that there are some great use cases for it.

from aws-control-tower-customizations.

groverlalit avatar groverlalit commented on July 16, 2024

Hello Mikkel (@miqueloi) Thanks for reaching out.
Many of the preventative controls wouldn't apply to the Org master account since Service Control Policies (SCPs) are not applicable to this account. Hence, we try to use that account as little as possible.
Hope this helps.

Wenzil avatar Wenzil commented on July 16, 2024

+1
We have a business need requiring us to deploy a stack in the master account and we are encountering the same issue.

groverlalit avatar groverlalit commented on July 16, 2024

@miqueloi @Wenzil Thanks for sharing your use case.

osiro avatar osiro commented on July 16, 2024

Hi @groverlalit, thanks for your help.

I got a scenario in which I want to deploy an Identity Provider to all accounts, including the Master account.

But this doesn't seem to be feasible with this solution, my suggestions are:

  1. Raise an error if master account name/number is listed in the manifest file

...or...

  1. Allow Cloudformation Resources to be deployed to the master account if listed in the deploy_to_account.

Thoughts?

jefp avatar jefp commented on July 16, 2024

> Hi @groverlalit, thanks for your help.
>
> I got a scenario in which I want to deploy an Identity Provider to all accounts, including the Master account.
>
> But this doesn't seem to be feasible with this solution, my suggestions are:
>
>   1. Raise an error if master account name/number is listed in the manifest file
>
> ...or...
>
>   1. Allow Cloudformation Resources to be deployed to the master account if listed in the `deploy_to_account`.
>
> Thoughts?

+1 I have a customer with the same requirement. It seems that the problem is in the manifest parser. When you try to deploy a stackset using `deploy_to_account`, the master account is not listed as an active account, raising the exception:

```python
raise ValueError("Unsupported deploy_method: {} found for "
                 "resource {} and Account: {} in Manifest"
                 .format(resource.deploy_method,
                         resource.name,
                         sanitized_account_list))
```

https://github.com/awslabs/aws-control-tower-customizations/blob/b006bd8342ebf03b9458ec11e794ecb3bbba7845/source/manifest/manifest_parser.py#L120

The real issue is that the method

```python
def get_final_account_list(self, account_list, accounts_in_all_ous,
                           accounts_in_ou, name_to_account_map):
```

does not return the accounts of the Root OU:

https://github.com/awslabs/aws-control-tower-customizations/blob/b006bd8342ebf03b9458ec11e794ecb3bbba7845/source/manifest/manifest_parser.py#L166

Best regards,
Jesus Federico

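The two comments above point at the same gap: the parser resolves accounts per OU, never sees the management account as an active target, and fails with the generic "Unsupported deploy_method" error. The following pre-flight check, added here as an example and not code from the aws-control-tower-customizations project, implements osiro's first suggestion: reject a manifest that would deploy into the management account, whether it is named directly in `deploy_to_account` or reached through an OU whose members include it, and say so explicitly. The account ids, OU layout and manifest are constructed; `deploy_to_ou` is assumed to be the OU-targeting sibling of `deploy_to_account` in the manifest schema.

```python
"""Pre-flight check for a Customizations for Control Tower (CfCT) manifest.

Added example, not code from the aws-control-tower-customizations project.
It rejects, with an explicit message, any resource that targets the management
(master) account, either directly through deploy_to_account or indirectly
through an OU whose members include it, instead of letting the manifest parser
fail later with the generic "Unsupported deploy_method" ValueError.
Account ids, OU layout and the manifest are constructed; deploy_to_ou is an
assumed key name for OU targets.
"""
import re

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed snapshot of the organization, as the parser's name->id map sees it.
ACCOUNTS = {
    "management": "111111111111",   # Organizations management (master) account
    "logging": "222222222222",
    "audit": "333333333333",
    "workload-a": "444444444444",
}
# Constructed OU membership; the management account sits directly under Root.
OU_MEMBERS = {
    "Root": ["management"],
    "Security": ["logging", "audit"],
    "Workloads": ["workload-a"],
}
MANAGEMENT_ACCOUNT_ID = ACCOUNTS["management"]

# Constructed manifest fragment: the first resource names the management
# account outright, the second reaches it through the Root OU, the third is clean.
MANIFEST = {
    "cloudformation_resources": [
        {"name": "aws-config-recorder", "deploy_method": "stack_set",
         "deploy_to_account": ["management"], "deploy_to_ou": ["Security"]},
        {"name": "guardduty-member", "deploy_method": "stack_set",
         "deploy_to_ou": ["Root", "Workloads"]},
        {"name": "iam-password-policy", "deploy_method": "stack_set",
         "deploy_to_ou": ["Security", "Workloads"]},
    ]
}


class ManagementAccountTargeted(ValueError):
    """Raised when a manifest would deploy into the management account."""


def resolve_account(ref, accounts=ACCOUNTS):
    """Map a manifest account reference (name or 12-digit id) to an account id."""
    if ACCOUNT_ID_RE.match(ref):
        return ref
    if ref in accounts:
        return accounts[ref]
    raise KeyError(f"unknown account reference {ref!r} in manifest")


def management_targets(manifest, accounts=ACCOUNTS, ou_members=OU_MEMBERS,
                       management_id=MANAGEMENT_ACCOUNT_ID):
    """Return (resource name, reason) pairs for every path into the management account."""
    findings = []
    for res in manifest.get("cloudformation_resources", []):
        for ref in res.get("deploy_to_account", []):
            if resolve_account(ref, accounts) == management_id:
                findings.append((res["name"], f"deploy_to_account lists {ref!r}"))
        for ou in res.get("deploy_to_ou", []):
            members = ou_members.get(ou, [])
            if any(resolve_account(m, accounts) == management_id for m in members):
                findings.append((res["name"], f"OU {ou!r} contains the management account"))
    return findings


def validate_manifest(manifest, **kwargs):
    """Raise ManagementAccountTargeted naming every offending resource, else return True."""
    findings = management_targets(manifest, **kwargs)
    if findings:
        detail = "; ".join(f"{name}: {why}" for name, why in findings)
        raise ManagementAccountTargeted(
            "management account cannot be a CfCT deployment target: " + detail)
    return True


if __name__ == "__main__":
    try:
        validate_manifest(MANIFEST)
    except ManagementAccountTargeted as err:
        print(err)
```

Run as a pipeline stage before the manifest reaches the parser, it names both the resource and the path (direct account or OU) by which the management account would be hit, which is the information the current `ValueError` leaves out.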
k4n30 avatar k4n30 commented on July 16, 2024

> Hi Lalit
>
> Thank you for your answer! I understand SCPs wouldn't make sense.
>
> Just to give you an idea of what we try to accomplish. We are using Control Tower and CT customized to adhere to all recommendations of the CIS benchmark for AWS (see page 152-154 for summary), and to do that we for example need to apply Config in all used regions on all accounts, which include the root account. Since we use CT customized to apply Config + rules to all OUs in CT (managed) unsupported regions, it would just be a nice feature for us if we could just add Root to the list of OUs and accounts and provision Config from one location.
>
> I understand if you don't want to include that in your design. I just thought you should know that there are some great use cases for it.

@miqueloi just in case you haven't seen it - https://aws.amazon.com/solutions/implementations/aws-security-hub-automated-response-and-remediation/

I know it doesn't solve the complete issue you're having, or cover the full CIS benchmarks, but it's better than nothing

hunttom avatar hunttom commented on July 16, 2024

I'm running into the same issue. Being unable to deploy IaC in the root account doesn't make sense, especially if I need to add the root account to my monitoring solutions (GuardDuty, etc.). Please add!

hanswesterbeek avatar hanswesterbeek commented on July 16, 2024

We're running into this as well.

Dlozitskiy avatar Dlozitskiy commented on July 16, 2024

In order for a pipeline to create a stack set instance in the master account, the AWSControlTowerExecution role needs to be created manually in the master account.

Here are more details around requirements for the role: https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html#enrollment-prerequisitesa

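As an added example (not code from the project or from the comment above), the following builds the role the comment describes as a CloudFormation template and checks its trust policy before it is created. The shape used here, a trust relationship limited to the management account plus the AdministratorAccess managed policy, follows the enrollment prerequisites linked above and should be confirmed against that page; the account id is constructed. Because this role carries administrator permissions in the management account, the check refuses any trust statement that would let a principal other than the management account assume it.

```python
"""Define the AWSControlTowerExecution role for the management account and
check its trust policy before creating it.

Added example, not code from the aws-control-tower-customizations project.
The trust relationship (management account only) and the AdministratorAccess
policy follow the Control Tower enrollment prerequisites linked in the thread;
confirm them against that documentation. The account id is constructed.
"""
import json

ROLE_NAME = "AWSControlTowerExecution"   # role name from the thread
MANAGEMENT_ACCOUNT_ID = "111111111111"   # constructed


def execution_role_template(management_account_id):
    """CloudFormation template (as a dict) for the role, trusting only the management account."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "AWSControlTowerExecution role for the management account (added example)",
        "Resources": {
            "ControlTowerExecutionRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                            "Action": "sts:AssumeRole",
                        }],
                    },
                    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
                },
            }
        },
    }


def trust_policy_problems(template, management_account_id):
    """List Allow trust statements on IAM roles in the template that would let
    any principal other than the management account assume the role."""
    expected = f"arn:aws:iam::{management_account_id}:root"
    problems = []
    for logical_id, res in template["Resources"].items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res["Properties"]["AssumeRolePolicyDocument"]
        for stmt in doc["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            principal = stmt.get("Principal")
            if principal == "*":
                problems.append(f"{logical_id}: trust policy allows any principal")
                continue
            if not isinstance(principal, dict):
                problems.append(f"{logical_id}: malformed Principal {principal!r}")
                continue
            # Only AWS account principals are acceptable here, and only the management account.
            for key in principal:
                if key != "AWS":
                    problems.append(f"{logical_id}: unexpected principal type {key!r}")
            aws = principal.get("AWS", [])
            for arn in ([aws] if isinstance(aws, str) else aws):
                if arn not in (expected, management_account_id):
                    problems.append(f"{logical_id}: unexpected trusted principal {arn!r}")
    return problems


if __name__ == "__main__":
    tpl = execution_role_template(MANAGEMENT_ACCOUNT_ID)
    issues = trust_policy_problems(tpl, MANAGEMENT_ACCOUNT_ID)
    print(json.dumps(tpl, indent=2) if not issues else "\n".join(issues))
```

The printed JSON can be passed to `aws cloudformation create-stack` in the management account; the check is worth keeping in the same script so a later edit to the trust policy (a wildcard, a second account, a service principal) is caught before the stack is created.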