wiki.zeratul.org

User Tools

Site Tools

You are here: start » bloglike » 2021-03
Trace:
bloglike:2021-03

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Last revisionBoth sides next revision
bloglike:2021-03 [2021/03/24 04:18] – AWS Control Tower modifications - part1 styblabloglike:2021-03 [2021/03/24 07:50] – AWS Control Tower modifications - part2 stybla
Line 14: Line 14:
 Change of tax(VAT) settings and payment method is a no-brainer. Login into Root account which was used to setup AWS Control Tower and you will find both in Billing console. Thanks to consolidated billing and ''Enable Tax Settings Inheritance'' tax settings will be updated in all AWS accounts(which is great). On the other hand, payment method is set only in Root account. Change of tax(VAT) settings and payment method is a no-brainer. Login into Root account which was used to setup AWS Control Tower and you will find both in Billing console. Thanks to consolidated billing and ''Enable Tax Settings Inheritance'' tax settings will be updated in all AWS accounts(which is great). On the other hand, payment method is set only in Root account.
  
-Name and email of Organization propagate from Root account. Therefore, all you have to do is to change Account Name and email address in the Root account. Both can be found in Account Settings.+Name and email of Organization propagate from Root account. Therefore, all you have to do is to change ''Account Name'' and email address in the Root account. Both can be found in ''Account Settings''.
  
-At fist, I was in denial that email of AWS account can be changed. However, as it turned out [[https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/|it's possible to change it]] through billing console and my information was either old or incorrect. Sadly, you have to log into each and every AWS account. Directly, not trough SSO. You can change Contact Information through SSO, but not email address. I haven't found any API or any other way. If there is one, I'd love to hear about it!+At fist, I was in denial that email of AWS account can be changed. However, as it turned out [[https://aws.amazon.com/premiumsupport/knowledge-center/change-email-address/|it's possible to change it]] through billing console and my information was either old or incorrect. Sadly, you have to log into each and every AWS account. Directly, not trough SSO. You can change ''Contact Information'' through SSO, but not email address. I haven't found any API or any other way. If there is one, I'd love to hear about it!
  
 This presents problem for user's AWS accounts unless you the password, which you don't. You cannot get password reset link either, unless you have access to user's mailbox in question. I guess one way to work around this problem is to set AWS account email address to something you control and SSO user email to (the real) user's email. This presents problem for user's AWS accounts unless you the password, which you don't. You cannot get password reset link either, unless you have access to user's mailbox in question. I guess one way to work around this problem is to set AWS account email address to something you control and SSO user email to (the real) user's email.
  
-It's possible to update Contact Information(company name, address and website) either through SSO or by logging directly into AWS account.+It's possible to update ''Contact Information''(company name, address and website) either through SSO or by logging directly into AWS account. Nothing to it.
  
 +Second biggest worry was how to replace domain name in SSO logins. It's possible to change user's email address, but not login name. In the end, it was fairly easy. First of all, I recommend you to change email addresses in AWS accounts and whatever is needed to be done there while you're at it. Then we can change SSO in this particular case. I believe there are at least two ways how to do it and the end result should be the same. Both of these require at least ''AWSAdministratorAccess''.
  
-FIXME replace domain name in SSO logins+**NOTE** that I didn't take and test this way and I have discovered it only due to the fact I didn't know how else to change ''AWS Control Tower Admin'' SSO account. First way should be just to run AWS Control Tower repair. Yes, it's that simple, because repair will create new SSO accounts if needed.
  
 +Second way is to do it through ''Service Catalog'' -> ''Provisioned products'' and in a drop-down menu ''Access Filter'' pick ''User''. This will list all provisioned accounts except Root account. Pick user, ''Actions'' -> ''Update'' and provide values(check SSO and previous runs to get idea what's required here).
  
- --- //[[stybla@turnovfree.net|Zdenek Styblik]] 2021/03/24 09:00//+It shouldn't matter which way you choose and the end result should be new SSO account(s). Note, however, these are new accounts. Nothing is copied, eg. groups from the old one(I've learnt this one hard way). I strongly suggest to use groups, because they're easier to fix, rather than granting access on case-by-case basis. 
 + 
 +Also, you will have to, or at least I suggest you to do so, run AWS Control Tower repair in case you've changed email address of ''Audit'' user in order to change this information in other AWS accounts. It took two runs, I think, until everything looked as it should. Even if you haven't changed anything like that, it seems like a good idea to run repair just in case. 
 + 
 +And that should be all. I'm a bit unhappy that AWS account information cannot be changed through API or CloudFormation and the only way is to do it manually. On the other hand, I guess it sort of makes sense. 
 + 
 + 
 + --- //[[stybla@turnovfree.net|Zdenek Styblik]] 2021/03/24 14:00//
  
  
  
bloglike/2021-03.txt · Last modified: 2021/03/28 04:33 by stybla