Reputation: 310
AWS Control Tower installs aws-controltower-GuardrailsComplianceAggregator
as an AWS Config Aggregator in the Audit account, referencing all accounts (except Master) as source accounts. However, the config aggregator does not have access to the data in these accounts (except itself), and the status is listed as "Failed" with the error message "AWS Config does not have permission from the source account to replicate data into an aggregator account. Authorize aggregator account to replicate data from source accounts and region."
It was my belief that Control Tower would configure the required roles and resources for this to work seamlessly. There are instructions on how to fix this in AWS Config (https://aws.amazon.com/premiumsupport/knowledge-center/config-aggregator-accounts/), but I thought Control Tower would do this for me. Also, those instructions seem to require manual setup in each source region, while the Control Tower aggregator automatically includes future AWS regions -- another hint that there is something missing here.
I guess the questions are these:
The screenshot below is from a brand new Control Tower setup, with a new master account, new audit and logarchive accounts, and one new normal account from the control tower account factory. The logarchive and normal accounts have status "Failed", while the audit account has status "OK". It's using Control Tower version 3.0.
Upvotes: 2
Views: 1159
Reputation: 1
In my setup, Config is enabled in all member accounts across all US regions. When viewing the aggregators from the Audit account page, ensure you select the specific account you want to examine and then check the corresponding region from the config page.
Upvotes: 0
Reputation: 21
RESOLVED from my side
I had the same issue.
If one of the regions is not SUCCESSFUL, it will show a FAILED status.
But if you navigate through the tabs of the desired account aggregated in the aws-controltower-GuardrailsComplianceAggregator aggregator, you will see OK for the region where you have authorizations. For me, I was expecting to see OK in the eu-west-1 region.
This command will also give you the status:
aws configservice describe-configuration-aggregator-sources-status --configuration-aggregator-name aws-controltower-GuardrailsComplianceAggregator --region eu-west-1 --query 'AggregatedSourceStatusList[?AwsRegion==`eu-west-1` || AwsRegion==`eu-west-1`].{SID:SourceId,Region:AwsRegion,Status:LastUpdateStatus,MSG:LastErrorMessage}' --output table --profile security
Upvotes: 2
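As an added example (not code from the question or either answer), the same status check scripted in Python with boto3: it groups the aggregator's source status by account and region and reports whether the region you actually use is OK, which regions still fail, and which of those carry the "does not have permission from the source account" error. It assumes the field names shown in the CLI output above; the account IDs in the sample data are placeholders.

```python
from collections import defaultdict

AGGREGATOR = "aws-controltower-GuardrailsComplianceAggregator"
NOT_AUTHORIZED = "does not have permission from the source account"

# Constructed sample in the shape of AggregatedSourceStatusList; the account
# IDs are placeholders, not real accounts.
SAMPLE = [
    {"SourceId": "111111111111", "AwsRegion": "eu-west-1", "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "111111111111", "AwsRegion": "us-east-1", "LastUpdateStatus": "FAILED",
     "LastErrorMessage": "AWS Config does not have permission from the source account to "
                         "replicate data into an aggregator account."},
    {"SourceId": "222222222222", "AwsRegion": "eu-west-1", "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "222222222222", "AwsRegion": "us-east-1", "LastUpdateStatus": "SUCCEEDED"},
    {"SourceId": "333333333333", "AwsRegion": "eu-west-1", "LastUpdateStatus": "FAILED",
     "LastErrorMessage": "AWS Config does not have permission from the source account to "
                         "replicate data into an aggregator account."},
]


def fetch_source_status(region, profile=None):
    """Fetch every page of source status from AWS (needs credentials for the Audit account)."""
    import boto3  # imported here so summarise() still runs offline
    client = boto3.session.Session(profile_name=profile, region_name=region).client("config")
    entries, kwargs = [], {"ConfigurationAggregatorName": AGGREGATOR}
    while True:
        page = client.describe_configuration_aggregator_sources_status(**kwargs)
        entries.extend(page.get("AggregatedSourceStatusList", []))
        if not page.get("NextToken"):
            return entries
        kwargs["NextToken"] = page["NextToken"]


def summarise(entries, wanted_region):
    """Per source account: is wanted_region OK, which regions fail, which lack authorization."""
    by_account = defaultdict(dict)
    for e in entries:
        by_account[e["SourceId"]][e["AwsRegion"]] = e
    report = {}
    for account, regions in by_account.items():
        # The console shows one "Failed" per account when any region failed,
        # so the useful question is whether the region you use is fine.
        wanted = regions.get(wanted_region, {})
        report[account] = {
            "wanted_ok": wanted.get("LastUpdateStatus") == "SUCCEEDED",
            "failed_regions": sorted(r for r, e in regions.items()
                                     if e["LastUpdateStatus"] == "FAILED"),
            "needs_authorization": sorted(r for r, e in regions.items()
                                          if NOT_AUTHORIZED in e.get("LastErrorMessage", "")),
        }
    return report
```

Run `summarise(fetch_source_status("eu-west-1", profile="security"), "eu-west-1")` from the Audit account to see the live picture; `summarise(SAMPLE, "eu-west-1")` shows the offline sample.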