user18041914

Reputation: 41

Can we Delete or Disable the AWS SSO admins created by AWS Control Tower Account Factory?

We are using federation and role switching and have no current need for the SSO admin users that are necessarily created via Account Factory. Ideally we'd like to delete them, but I worry about Control Tower drift. I would also consider disabling them and/or putting a highly restrictive SCP on them (which I'm thinking is our most likely scenario).

We'd like an option where we don't need the same kind of routines that we use for admin users that are actually used, or that have the potential to have a valid use case.

Upvotes: 4

Views: 485

Answers (1)

nnsense

Reputation: 1626

You've definitely sorted that out ages ago, but for anyone else interested: the answer is yes, you can delete those groups, but first you need to disable that feature in your landing zone. In short, go to Control Tower, click "Landing zone settings" on the left and then, on the right side, "Modify settings". That starts the same wizard you get when upgrading the Control Tower version.

Click Next until you reach the page with "AWS account access configuration" (Select how to manage access to your AWS accounts registered with AWS Control Tower. You can change this later). Select the option "Self-managed AWS account access with IAM Identity Center or another method" and then apply your changes. From then on, when you create a new account with Account Factory, for example, Control Tower will not attach any account.

Once you're sure you have created your own set of users, groups and permission sets, you can delete the ones you don't want.

Take into account that any policy you've created that uses the AWSReservedSSO_* roles will need to be updated if you change the role you're using. Also, if you're using those roles on EKS, you'll need to update the aws-auth ConfigMap accordingly.

Finally, for Account Factory, make sure your user, or the role you're using as part of the CT admins, is set inside the "Access" pane in Service Catalog > Portfolios > AWS Control Tower Account Factory Portfolio. Your user or role must be there to allow Account Factory to deploy new accounts (and add the AWSControlTowerExecution role); any other (previous) role can be removed. If you've already deleted them all, you'll find a list of Access keys there.

Upvotes: 1
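The answer above says to update any policy or aws-auth ConfigMap that references the `AWSReservedSSO_*` roles before deleting the Control Tower-provisioned permission sets. The following script is an added example (not part of the answer or of any AWS tooling) of how to audit and rewrite those references before the roles disappear. It works on text you have already pulled, for instance the `mapRoles` string from `kubectl -n kube-system get configmap aws-auth -o jsonpath='{.data.mapRoles}'` and a key policy from `aws kms get-key-policy --key-id <id> --policy-name default`; the sample ConfigMap, key policy, account ID and the replacement role names (`OrganizationAdminFederated`, `OrganizationPowerUserFederated`) are constructed here for illustration. The role naming pattern it relies on, `AWSReservedSSO_<PermissionSetName>_<16 hex chars>` under the `/aws-reserved/sso.amazonaws.com/` path (the path is omitted in aws-auth), is the real IAM Identity Center convention; the refusal to rewrite when a permission set has no mapped replacement is the safety check that keeps a dangling principal from being written out.

```python
import json
import re

# Roles that IAM Identity Center provisions for a permission set are named
# AWSReservedSSO_<PermissionSetName>_<16 hex chars>. In IAM they carry the path
# /aws-reserved/sso.amazonaws.com/, which EKS aws-auth mapRoles entries omit,
# so the path is optional here.
SSO_ROLE_RE = re.compile(
    r"arn:aws:iam::(?P<account>\d{12}):role/"
    r"(?:aws-reserved/sso\.amazonaws\.com/)?"
    r"AWSReservedSSO_(?P<permission_set>[A-Za-z0-9+=,.@_-]+?)_(?P<suffix>[0-9a-f]{16})\b"
)


def find_sso_role_refs(text):
    """Return (account, permission_set, suffix) for every AWSReservedSSO_* ARN in text."""
    return [
        (m.group("account"), m.group("permission_set"), m.group("suffix"))
        for m in SSO_ROLE_RE.finditer(text)
    ]


def rewrite_sso_role_refs(text, replacements):
    """Replace each AWSReservedSSO_* ARN with the self-managed role chosen for its
    permission set. `replacements` maps permission-set name -> ARN template that
    may contain an {account} placeholder. A permission set with no replacement
    raises LookupError so no dangling principal is written out silently."""
    referenced = {ps for _, ps, _ in find_sso_role_refs(text)}
    missing = sorted(referenced - set(replacements))
    if missing:
        raise LookupError(f"no replacement role for permission set(s): {missing}")

    def substitute(m):
        return replacements[m.group("permission_set")].format(account=m.group("account"))

    return SSO_ROLE_RE.sub(substitute, text)


def rewrite_policy(policy, replacements):
    """Rewrite a parsed IAM/KMS policy document (dict) and return a new dict.
    Serialising round-trips every string in the document, so Principal entries
    nested at any depth are covered."""
    return json.loads(rewrite_sso_role_refs(json.dumps(policy), replacements))


# --- Constructed sample inputs (not real account data) -----------------------

# What aws-auth's data.mapRoles typically looks like when an SSO role was mapped.
AWS_AUTH_MAP_ROLES = """\
- rolearn: arn:aws:iam::123456789012:role/AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef
  username: sso-admin:{{SessionName}}
  groups:
    - system:masters
- rolearn: arn:aws:iam::123456789012:role/eks-node-group-role
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""

# A KMS key policy that grants the Control Tower-provisioned SSO roles access.
KMS_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSSOAdmins",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                    "AWSReservedSSO_AWSAdministratorAccess_0123456789abcdef",
                    "arn:aws:iam::123456789012:role/aws-reserved/sso.amazonaws.com/"
                    "AWSReservedSSO_AWSPowerUserAccess_fedcba9876543210",
                ]
            },
            "Action": "kms:*",
            "Resource": "*",
        }
    ],
}

# Hypothetical self-managed roles that replace each Control Tower permission set.
REPLACEMENTS = {
    "AWSAdministratorAccess": "arn:aws:iam::{account}:role/OrganizationAdminFederated",
    "AWSPowerUserAccess": "arn:aws:iam::{account}:role/OrganizationPowerUserFederated",
}


if __name__ == "__main__":
    print("SSO role references in aws-auth:", find_sso_role_refs(AWS_AUTH_MAP_ROLES))
    print(rewrite_sso_role_refs(AWS_AUTH_MAP_ROLES, REPLACEMENTS))
    print(json.dumps(rewrite_policy(KMS_KEY_POLICY, REPLACEMENTS), indent=2))
```

Run `find_sso_role_refs` over every policy you own (KMS key policies, S3 bucket policies, role trust policies, the aws-auth ConfigMap) before removing the permission sets; an empty result after `rewrite_sso_role_refs` is the signal that the old roles can go without leaving principals that no longer resolve.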
