The latest articles on DEV Community by Daniel Rankov (@danielrankov). https://dev.to/danielrankov https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1115124%2F27172b3b-0855-4612-8aa7-2159a01ee681.jpeg https://dev.to/danielrankov en Daniel Rankov Wed, 19 Jul 2023 09:15:46 +0000 https://dev.to/danielrankov/aws-control-tower-landing-zone-upgrade-to-32-fix-account-enrollment-28ip https://dev.to/danielrankov/aws-control-tower-landing-zone-upgrade-to-32-fix-account-enrollment-28ip <p>AWS Control Tower allows us to set up and govern a secure, multi-account AWS environment. AWS Control Tower simplifies AWS experiences by orchestrating multiple AWS services on your behalf while maintaining your organization's security and compliance needs.<br> <a href="https://aws.amazon.com/controltower/">https://aws.amazon.com/controltower/</a></p> <p>AWS Control Tower also establishes a Landing Zone based on best-practices blueprints. </p> <p>AWS Control Tower evolves and provides new releases of the Landing Zone and internal, incorporated into the service updates. Release notes: <a href="https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html">https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.html</a></p> <p>AWS Control Tower landing zone version 3.2 was released on June 16, 2023. With this update, there are multiple improvements - <a href="https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#lz-3-2">https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.html#lz-3-2</a></p> <p>Here is the process to update <a href="https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html:">https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.html:</a></p> <ol> <li>Navigate to AWS Control Tower in the web console -&gt; Landing zone settings</li> <li>Select the version number and choose Update</li> <li>The update process takes about 30 minutes</li> <li>The update changes the AWS Control Tower core accounts only - the Organization itself, Audit, and Log Archive accounts.</li> <li>To upgrade the accounts in the rest of the Organization, choose OU (OUs with fewer than 300 AWS accounts) and then Actions -&gt; Re-register organization unit. This will update all the accounts in the current OU.</li> <li>Repeat for all the OUs</li> </ol> <p>If you update a single account and then try to Re-register the OU which holds the account, an error might arise "Enrollment failed"<br> The error is related to AWS resources that are already existing - like IAM Roles.</p> <p>To clean the account and have a clean Enrollment, these resources need to be deleted:</p> <ol> <li>AWS IAM Roles aws-controltower-*</li> <li>SNS topic aws-controltower-SecurityNotifications</li> <li>Lambda Function aws-controltower-NotificationForwarder</li> <li>CloudWatch Loggroup /aws/lambda/aws-controltower-NotificationForwarder</li> <li>EventBridge Rule aws-controltower-ConfigComplianceChangeEventRule</li> <li>Config configuration-recorder aws-controltower-BaselineConfigRecorder <code>aws configservice delete-configuration-recorder --configuration-recorder-name aws-controltower-BaselineConfigRecorder</code> </li> <li>Config delivery-channel aws-controltower-BaselineConfigDeliveryChannel <code>aws configservice delete-delivery-channel --delivery-channel-name aws-controltower-BaselineConfigDeliveryChannel</code> </li> <li>Config aggregation-authorization for the region - details can be obtained with this CLI <code>aws configservice describe-aggregation-authorizations</code> <code>aws configservice delete-aggregation-authorization --authorized-account-id ACCOUNT_ID --authorized-aws-region REGION</code> </li> </ol> <p>All of these resources are protected by SCP, and you would need to "jump" to the particular AWS account from your Organizational using the AWSControlTowerExecution Role.</p> <p>Have fun.<br> Thank you!</p>