Hi Team, I'm trying to stop or delete the config service in control tower accoun . . .

Satheesh Kakarla:
Hi Team, I’m trying to stop or delete the Config service in a Control Tower account but it is not getting stopped. I have been trying to disable this service for the last 1 week and I have admin privileges. Can someone help me here? It's costing more than anything.


Trung Tran:
Is it your own AWS account?

Satheesh Kakarla:
Not mine, it’s an organization account

Satheesh Kakarla:
@Trung Tran can you please look into it and help me here?

Trung Tran:
Is it a KodeKloud Playground AWS account or your own org account?

Trung Tran:
If it is a personal account then I can’t do anything!

Satheesh Kakarla:
It's a personal account @Trung Tran, any suggestions or solutions?

Trung Tran:
If it is a personal account, then consult with the administrator, as you don’t have enough permissions. Take a screenshot and send it to the admin who gave you this AWS account. They will help you to stop it or grant sufficient permissions to perform this action.
It's just about the roles!

Satheesh Kakarla:
I have all the permissions, I’m a super user in that account. Even the person who created the Control Tower, and he has all the permissions, is also not able to stop the AWS Config service @Trung Tran

Satheesh Kakarla:
Can you please suggest the process to solve this issue?

Michael Forrester:
Satheesh, you need to remove the SCP preventing you from stopping AWS Config… You first need to go to AWS Organizations and verify which SCP has the account that you want to remove Config from… most of the time these SCPs start with the name aws-guardrails-???-???. These contain the Deny actions that are preventing anyone from stopping AWS Config because they are explicit, which cannot be overridden in AWS; they must be removed. This will apply to root and admin users (especially for accounts created past 2018(?)). Once you identify the SCP that contains the Deny statement for AWS Config, then detach it from your OU or account and stop AWS Config… I would then reattach the SCP. That should be it.

Michael Forrester:
An example, but I would not delete… https://docs.aws.amazon.com/controltower/latest/userguide/controltower-walkthrough-delete-scps.html

Satheesh Kakarla:
OSM :heart_eyes: it worked for me, thanks @Michael Forrester