March 21, 2021

How to deploy Control Tower Config in Management Account

Have you deployed Control Tower and then deployed Security Hub, expecting AWS Config to be enabled in the Management account, only to find that it isn't? It's a relatively simple fix that involves adding your Management account id to several Control Tower StackSets and configuring a missing role.

StackSets:

- AWSControlTowerBP-BASELINE-SERVICE-ROLES
- AWSControlTowerBP-BASELINE-ROLES
- AWSControlTowerBP-BASELINE-CONFIG

Roles:

- AWSControlTowerExecution

I'm generally deploying to the Sydney (ap-southeast-2) region, so my procedure will use this region. If you are deploying Security Hub and Control Tower in other regions, substitute your region as appropriate.
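As an added example (not code from the original post), the following script checks the Management account for the AWSControlTowerExecution role and for a stack instance of each of the three baseline StackSets in the target region, adds any instance that is missing, and then verifies that the AWS Config recorder is recording. It assumes AWS CLI v2 with Management account credentials; the account id is a constructed placeholder and the region defaults to ap-southeast-2 as in the post.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Adds the Management account to the
# Control Tower baseline StackSets so AWS Config gets enabled there.
# Assumes AWS CLI v2 with Management account credentials.
set -euo pipefail

MGMT_ACCOUNT_ID="${MGMT_ACCOUNT_ID:-111111111111}"  # constructed placeholder, replace with yours
REGION="${REGION:-ap-southeast-2}"                   # Control Tower home region
STACKSETS="AWSControlTowerBP-BASELINE-SERVICE-ROLES AWSControlTowerBP-BASELINE-ROLES AWSControlTowerBP-BASELINE-CONFIG"

# Pure helper: given the Status text of the existing stack instance ("None" when
# the CLI finds no instance, "CURRENT" when deployed), decide whether to deploy.
needs_instance() {
  case "$1" in
    CURRENT) return 1 ;;   # already deployed and up to date
    *)       return 0 ;;   # None, OUTDATED or INOPERABLE: (re)deploy
  esac
}

# Pure helper: Config is enabled when the recorder status text is "True".
config_recording() { [ "$1" = "True" ]; }

main() {
  # The baseline StackSets deploy through this role, so it must exist first.
  if ! aws iam get-role --role-name AWSControlTowerExecution >/dev/null 2>&1; then
    echo "AWSControlTowerExecution role missing in $MGMT_ACCOUNT_ID; create it first" >&2
    return 1
  fi
  for ss in $STACKSETS; do
    status=$(aws cloudformation list-stack-instances --stack-set-name "$ss" \
      --stack-instance-account "$MGMT_ACCOUNT_ID" --stack-instance-region "$REGION" \
      --query 'Summaries[0].Status' --output text --region "$REGION")
    if needs_instance "$status"; then
      echo "adding $ss instance for $MGMT_ACCOUNT_ID in $REGION (status was: $status)"
      aws cloudformation create-stack-instances --stack-set-name "$ss" \
        --accounts "$MGMT_ACCOUNT_ID" --regions "$REGION" --region "$REGION"
    else
      echo "$ss already deployed to $MGMT_ACCOUNT_ID in $REGION"
    fi
  done
  # Verify: the CONFIG baseline should leave a recorder that is recording.
  rec=$(aws configservice describe-configuration-recorder-status --region "$REGION" \
    --query 'ConfigurationRecordersStatus[0].recording' --output text)
  config_recording "$rec" && echo "AWS Config is recording in $REGION" \
    || echo "Config not recording yet (stack instances deploy asynchronously; re-run later)"
}

# Only act when explicitly asked, so the helpers can be sourced or tested alone.
if [ -n "${RUN_CHECK:-}" ]; then main; fi
```

Run it with `RUN_CHECK=1 MGMT_ACCOUNT_ID=<your id> ./ct-config-check.sh`; create-stack-instances is asynchronous, so the final Config check may only pass on a second run.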

