Integrated services
Note: In AWS Control Tower releases before landing zone version 3.0, AWS Control Tower created a member account trail in each account. When you update to release 3.0, your CloudTrail trail becomes an organization trail. For best practices when moving between trails, see in the CloudTrail User Guide.
Note: When you update to landing zone version 3.0, AWS Control Tower deletes the account-level trails of your enrolled accounts on your behalf. Your existing, account-level log files are preserved in their Amazon S3 bucket.
Note: You can add additional OUs in your landing zone through the AWS Control Tower console on the Organizational units page.
Note: You can delegate administration of AWS IAM Identity Center (successor to AWS Single Sign-On) in your organization to an account other than the management account. For more information, see this blog post, entitled,
Tip: One of the best ways to receive AWS Control Tower control compliance notifications (in your audit account) is to subscribe to AggregateConfigurationNotifications. It is a service that helps you inspect compliance. It gives you real data about AWS Config rules going out of compliance. AWS Config automatically maintains the list of accounts in your OU.
You must subscribe manually, using email or any type of subscription that SNS allows. The statement arn:aws:sns:homeregion:account:aws-controltower-AggregateSecurityNotifications leads to your audit account.
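The manual subscription described in the tip, as an added example that is not part of the AWS documentation: shell functions that build the topic ARN in the format quoted above, subscribe an e-mail endpoint, and list endpoints that have not yet confirmed. The function names are hypothetical, and the example assumes the AWS CLI is configured with credentials for the audit account; region, account ID and address are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the AWS documentation. Function names are
# hypothetical; callers pass their own home region, audit account ID and
# e-mail address.

# Build the topic ARN in the form the page gives:
# arn:aws:sns:homeregion:account:aws-controltower-AggregateSecurityNotifications
ct_topic_arn() {
    region=$1 account=$2
    # Reject anything that is not a plausible region name or a 12-digit
    # account ID, so a typo cannot point the subscription at another topic.
    case $region in
        ''|*[!a-z0-9-]*) echo "bad region: $region" >&2; return 1 ;;
    esac
    case $account in
        *[!0-9]*) echo "bad account id: $account" >&2; return 1 ;;
    esac
    [ "${#account}" -eq 12 ] || { echo "bad account id: $account" >&2; return 1; }
    printf 'arn:aws:sns:%s:%s:aws-controltower-AggregateSecurityNotifications\n' \
        "$region" "$account"
}

# Subscribe an e-mail endpoint. SNS sends a confirmation message to the
# address; nothing is delivered until the recipient confirms.
# usage: ct_subscribe_email <home-region> <audit-account-id> <address>
ct_subscribe_email() {
    arn=$(ct_topic_arn "$1" "$2") || return 1
    aws sns subscribe --region "$1" --topic-arn "$arn" \
        --protocol email --notification-endpoint "$3"
}

# List endpoints on the topic that are still waiting for confirmation.
# An endpoint that stays in this list receives no compliance notifications.
# usage: ct_pending <home-region> <audit-account-id>
ct_pending() {
    arn=$(ct_topic_arn "$1" "$2") || return 1
    aws sns list-subscriptions-by-topic --region "$1" --topic-arn "$arn" \
        --query "Subscriptions[?SubscriptionArn=='PendingConfirmation'].Endpoint" \
        --output text
}
```

Run ct_pending after subscribing; an empty result means every endpoint on the topic has confirmed.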