bloglike:2021-03

Differences

This shows you the differences between two versions of the page.

bloglike:2021-03 [2021/03/24 07:50] – AWS Control Tower modifications - part2 stybla
bloglike:2021-03 [2021/03/28 04:33] (current) – Throw in links to documentation and rephrase here and there stybla
Line 12: Line 12:
   * replace domain name in SSO logins   * replace domain name in SSO logins
  
-Change of tax(VAT) settings and payment method is a no-brainer. Login into Root account which was used to setup AWS Control Tower and you will find both in Billing console. Thanks to consolidated billing and ''Enable Tax Settings Inheritance'' tax settings will be updated in all AWS accounts(which is great). On the other hand, payment method is set only in Root account.+Change of tax(VAT) settings and payment method is a no-brainer. Log into AWS account which was used to setup AWS Control Tower as a Root and you will find both knobs in Billing console. Thanks to consolidated billing and ''Enable Tax Settings Inheritance'' tax settings will be updated in all AWS accounts(which is great). On the other hand, payment method is set only in Root account.
  
 Name and email of Organization propagate from Root account. Therefore, all you have to do is to change ''Account Name'' and email address in the Root account. Both can be found in ''Account Settings''. Name and email of Organization propagate from Root account. Therefore, all you have to do is to change ''Account Name'' and email address in the Root account. Both can be found in ''Account Settings''.
  
-At fist, I was in denial that email of AWS account can be changed. However, as it turned out [[https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/|it's possible to change it]] through billing console and my information was either old or incorrect. Sadly, you have to log into each and every AWS account. Directly, not trough SSO. You can change ''Contact Information'' through SSO, but not email address. I haven't found any API or any other way. If there is one, I'd love to hear about it!+At fist, I was in denial that email of AWS account can be changed. However, as it turned out [[https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/|it's possible to change email]] through billing console and my information was either old or incorrect. Sadly, you have to log into each and every AWS account. Directly, not trough SSO. You can change ''Contact Information'' through SSO, but not email address. I haven't found any API or any other way. If there is one, I'd love to hear about it! If more detail is needed or something is unclear, check [[https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/manage-account-payment.html|Managing an AWS account]].
  
-This presents problem for user'AWS accounts unless you the password, which you don't. You cannot get password reset link either, unless you have access to user's mailbox in question. I guess one way to work around this problem is to set AWS account email address to something you control and SSO user email to (the real) user's email.+Need to log in as a Root presents problem in case of AWS accounts owned by/dedicated to users unless you the password, which you don't. You cannot get password reset link either, unless you have access to user's mailbox in question, which you usually don't have. I guess one way to work around this problem is to set AWS account email address to something you control and SSO user email to (the real) user's email.
  
 It's possible to update ''Contact Information''(company name, address and website) either through SSO or by logging directly into AWS account. Nothing to it. It's possible to update ''Contact Information''(company name, address and website) either through SSO or by logging directly into AWS account. Nothing to it.
  
-Second biggest worry was how to replace domain name in SSO logins. It's possible to change user's email address, but not login name. In the end, it was fairly easy. First of all, I recommend you to change email addresses in AWS accounts and whatever is needed to be done there while you're at it. Then we can change SSO in this particular case. I believe there are at least two ways how to do it and the end result should be the same. Both of these require at least ''AWSAdministratorAccess''.+Second biggest worry was how to replace domain name in SSO logins. It's possible to change SSO user's email address, but not the login name. In the end, it was fairly easy. First of all, I recommend you to change email addresses in all AWS accounts and whatever is needed to be done there while you're at it. Then we can change SSO in this particular case. I believe there are at least two ways how to do it and the end result should be the same. Either way requires at least ''AWSAdministratorAccess''.
  
-**NOTE** that I didn't take and test this way and I have discovered it only due to the fact I didn't know how else to change ''AWS Control Tower Admin'' SSO account. First way should be just to run AWS Control Tower repair. Yes, it's that simple, because repair will create new SSO accounts if needed.+**NOTE** that I didn't take and test this way as I have discovered it only due to the fact I didn't know how else to change ''AWS Control Tower Admin'' SSO account which isn't provisioned through Service CatalogOnce email addresses in AWS accounts are changed, run AWS Control Tower repair and that should be it. Yes, it's that simple, because repair will create new SSO accounts if needed.
  
-Second way is to do it through ''Service Catalog'' -> ''Provisioned products'' and in a drop-down menu ''Access Filter'' pick ''User''. This will list all provisioned accounts except Root account. Pick user, ''Actions'' -> ''Update'' and provide values(check SSO and previous runs to get idea what's required here).+Second way to do it is through ''Service Catalog'' -> ''Provisioned products'' and in a drop-down menu ''Access Filter'' pick ''User''. This will list all provisioned accounts except Root account. Pick user, ''Actions'' -> ''Update'' and provide values. In order to get the idea which values need to be provided and where, check SSO and previous runs. This approach is somewhat discussed in [[https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.html#updating-account-factory-accounts|Updating and Moving Account Factory Accounts with AWS Service Catalog]]. Also, if you want to take scripted approach, then you can use [[https://docs.aws.amazon.com/servicecatalog/latest/dg/API_UpdateProvisionedProduct.html|UpdateProvisionedProduct]] API call
  
-It shouldn't matter which way you choose and the end result should be new SSO account(s). Note, however, these are new accounts. Nothing is copied, eg. groups from the old one(I've learnt this one hard way). I strongly suggest to use groups, because they're easier to fixrather than granting access on case-by-case basis.+It shouldn't matter which way you choose since the end result should be same - new SSO account(s). Note, however, these are new accounts and nothing is carried over, eg. groups from the old SSO account(I've learnt this one hard way). I strongly suggest to use groups, because they're easier to fix rather than granting access on case-by-case basis.
  
-Also, you will have to, or at least I suggest you to do so, run AWS Control Tower repair in case you've changed email address of ''Audit'' user in order to change this information in other AWS accounts. It took two runs, I think, until everything looked as it should. Even if you haven't changed anything like that, it seems like a good idea to run repair just in case.+Also, you will have to, or at least I suggest you to do so, run AWS Control Tower repair in case you've changed email address of ''Audit'' user in order to update this information in other AWS accounts. It took two repair runs, I think, until everything looked as it should. Even if you haven't changed anything like that, it seems like a good idea to run repair just in case.
  
 And that should be all. I'm a bit unhappy that AWS account information cannot be changed through API or CloudFormation and the only way is to do it manually. On the other hand, I guess it sort of makes sense. And that should be all. I'm a bit unhappy that AWS account information cannot be changed through API or CloudFormation and the only way is to do it manually. On the other hand, I guess it sort of makes sense.
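Review bot: the workaround in the "Need to log in as a Root" paragraph (pointing the AWS account email at an address you control) makes that mailbox the root password-reset channel, as the same paragraph already notes, so the text should say to use a restricted, monitored mailbox rather than any address that happens to be handy. Two wording errors survive both revisions there and in the paragraph above: "unless you the password" (missing "have"), "At fist" and "trough SSO". In the **NOTE** paragraph the new text runs "Service CatalogOnce" together; a sentence break is missing between "Service Catalog" and "Once". The Service Catalog paragraph ends "UpdateProvisionedProduct]] API call" without a closing period. The NOTE paragraph now states "run AWS Control Tower repair and that should be it" while the previous sentence still says the author did not test this way; consider keeping the untested caveat next to the recommendation so a reader does not take it as verified.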
bloglike/2021-03.txt · Last modified: 2021/03/28 04:33 by stybla