DEV Community

Daniel Rankov

AWS Control Tower Landing Zone upgrade to 3.2 - fix account Enrollment

AWS Control Tower allows us to set up and govern a secure, multi-account AWS environment. AWS Control Tower simplifies AWS experiences by orchestrating multiple AWS services on your behalf while maintaining your organization's security and compliance needs.
https://aws.amazon.com/controltower/

AWS Control Tower also establishes a Landing Zone based on best-practices blueprints.

AWS Control Tower evolves over time: it publishes new versions of the Landing Zone, and internal changes are incorporated into the service through updates. Release notes: https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html

AWS Control Tower landing zone version 3.2 was released on June 16, 2023. This release brings multiple improvements: https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#lz-3-2

Here is the update process (documented at https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html):

  1. Navigate to AWS Control Tower in the web console -> Landing zone settings
  2. Select the version number and choose Update
  3. The update process takes about 30 minutes
  4. The update changes only the AWS Control Tower core accounts: the Organization itself (the management account), Audit, and Log Archive.
  5. To upgrade the accounts in the rest of the Organization, choose an OU (OUs with fewer than 300 AWS accounts) and then Actions -> Re-register organizational unit. This updates all the accounts in that OU.
  6. Repeat for all the OUs

If you update a single account and then try to Re-register the OU that holds the account, the error "Enrollment failed" might arise.
The error is caused by AWS resources that already exist in the account, such as IAM roles.

To clean the account and get a clean Enrollment, these resources need to be deleted:

  1. IAM Roles `aws-controltower-*`
  2. SNS topic `aws-controltower-SecurityNotifications`
  3. Lambda function `aws-controltower-NotificationForwarder`
  4. CloudWatch log group `/aws/lambda/aws-controltower-NotificationForwarder`
  5. EventBridge rule `aws-controltower-ConfigComplianceChangeEventRule`
  6. Config configuration recorder `aws-controltower-BaselineConfigRecorder`: `aws configservice delete-configuration-recorder --configuration-recorder-name aws-controltower-BaselineConfigRecorder`
  7. Config delivery channel `aws-controltower-BaselineConfigDeliveryChannel`: `aws configservice delete-delivery-channel --delivery-channel-name aws-controltower-BaselineConfigDeliveryChannel`
  8. Config aggregation authorization for the region. The details can be obtained with `aws configservice describe-aggregation-authorizations`, then revoked with `aws configservice delete-aggregation-authorization --authorized-account-id ACCOUNT_ID --authorized-aws-region REGION`

All of these resources are protected by SCPs, so you need to "jump" into the particular AWS account from your Organization's management account using the AWSControlTowerExecution role, which is the principal the Control Tower SCPs exempt from those deny rules.
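The following script puts the cleanup list and the role "jump" together. It is an added example written for this post, not the author's code or an AWS-provided tool. It assumes AWS CLI v2 is installed, that the shell already holds credentials for the Organization's management account, and that the function names (`ct_run`, `ct_assume_role`, `ct_list_roles`, `ct_delete_role`, `ct_cleanup_region`) and the `AWS_BIN`/`DRY_RUN` variables are this script's own conventions, not AWS CLI options. It defaults to a dry run that prints each destructive call instead of executing it, and it handles two ordering details the list above does not mention: an EventBridge rule cannot be deleted while it still has targets, and the Config delivery channel cannot be deleted while the recorder is still running, so the recorder goes first. Everything except the IAM roles is regional, so run `ct_cleanup_region` once for each governed region.

```shell
#!/bin/sh
# Added example (not from the original post): remove the leftover Control Tower
# baseline resources from one member account so that "Re-register organizational
# unit" can enroll it cleanly. Assumes AWS CLI v2 and management-account
# credentials in the shell. AWS_BIN and DRY_RUN are this script's own knobs.
set -eu

AWS_BIN="${AWS_BIN:-aws}"   # command used for every AWS call (overridable for dry runs)
DRY_RUN="${DRY_RUN:-1}"     # 1 = only print destructive calls; 0 = execute them

# Run a destructive AWS call, or just print it when DRY_RUN=1.
ct_run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "[dry-run] aws $*"
  else
    "$AWS_BIN" "$@"
  fi
}

# "Jump" into the member account: the Control Tower SCPs exempt the
# AWSControlTowerExecution role from the deny rules that protect these resources.
ct_assume_role() {
  creds=$("$AWS_BIN" sts assume-role \
    --role-arn "arn:aws:iam::$1:role/AWSControlTowerExecution" \
    --role-session-name ct-enrollment-cleanup \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)                      # one tab-separated line
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Step 1: IAM roles named aws-controltower-* (IAM is global, so once per account).
ct_list_roles() {
  "$AWS_BIN" iam list-roles \
    --query "Roles[?starts_with(RoleName, 'aws-controltower-')].RoleName" \
    --output text | tr '\t' '\n'
}

# A role cannot be deleted while policies are still attached to or embedded in it.
ct_delete_role() {
  role="$1"
  for arn in $("$AWS_BIN" iam list-attached-role-policies --role-name "$role" \
               --query 'AttachedPolicies[].PolicyArn' --output text); do
    ct_run iam detach-role-policy --role-name "$role" --policy-arn "$arn"
  done
  for name in $("$AWS_BIN" iam list-role-policies --role-name "$role" \
                --query 'PolicyNames' --output text); do
    ct_run iam delete-role-policy --role-name "$role" --policy-name "$name"
  done
  ct_run iam delete-role --role-name "$role"
}

# Steps 2-8: the regional resources, for one governed region of the account.
ct_cleanup_region() {
  account_id="$1"; region="$2"
  export AWS_DEFAULT_REGION="$region"
  ct_run sns delete-topic \
    --topic-arn "arn:aws:sns:$region:$account_id:aws-controltower-SecurityNotifications"
  ct_run lambda delete-function --function-name aws-controltower-NotificationForwarder
  ct_run logs delete-log-group --log-group-name /aws/lambda/aws-controltower-NotificationForwarder
  # EventBridge refuses to delete a rule that still has targets.
  rule=aws-controltower-ConfigComplianceChangeEventRule
  for tid in $("$AWS_BIN" events list-targets-by-rule --rule "$rule" \
               --query 'Targets[].Id' --output text); do
    ct_run events remove-targets --rule "$rule" --ids "$tid"
  done
  ct_run events delete-rule --name "$rule"
  # AWS Config: the delivery channel cannot be deleted while the recorder is
  # running, so the recorder goes first.
  ct_run configservice delete-configuration-recorder \
    --configuration-recorder-name aws-controltower-BaselineConfigRecorder
  ct_run configservice delete-delivery-channel \
    --delivery-channel-name aws-controltower-BaselineConfigDeliveryChannel
  # Aggregation authorizations: look up each (account, region) pair, then revoke it.
  "$AWS_BIN" configservice describe-aggregation-authorizations \
    --query 'AggregationAuthorizations[].[AuthorizedAccountId,AuthorizedAwsRegion]' \
    --output text |
  while read -r auth_acct auth_region; do
    [ -n "$auth_acct" ] || continue
    ct_run configservice delete-aggregation-authorization \
      --authorized-account-id "$auth_acct" --authorized-aws-region "$auth_region"
  done
}

# Usage: DRY_RUN=0 sh ct-cleanup.sh ACCOUNT_ID REGION  (omit DRY_RUN=0 to preview)
if [ "$#" -eq 2 ]; then
  ct_assume_role "$1"
  for role in $(ct_list_roles); do ct_delete_role "$role"; done
  ct_cleanup_region "$1" "$2"
fi
```

Preview first with the default `DRY_RUN=1` and compare the printed calls against the list above; only then rerun with `DRY_RUN=0`. Because the temporary credentials are exported into the current shell, the read-only lookups (`list-roles`, `list-targets-by-rule`, `describe-aggregation-authorizations`) run inside the member account as well, which is also the only place the SCPs allow the deletes to succeed.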

Have fun.
Thank you!
