# Logging and monitoring in AWS Control Tower
Monitoring allows you to plan for and respond to potential incidents. The results of monitoring activities are stored in log files. Therefore, logging and monitoring are closely related concepts, and they are an important part of the well-architected nature of AWS Control Tower.
When you set up your landing zone, one of the shared accounts created is the *log archive* account. It is dedicated to collecting all logs centrally, including logs for all of your shared and member accounts. Log files are stored in an Amazon S3 bucket. These log files allow administrators and auditors to review actions and events that have occurred.
As a best practice, you should collect monitoring data from all of the parts of your AWS setup into your logs, so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your resources and activity in your landing zone.
For example, the status of your controls is monitored constantly. You can see their status at a glance in the AWS Control Tower console, or programmatically by means of [the AWS Control Tower APIs](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html). The health and status of the accounts you provisioned in Account Factory also is monitored constantly.
**View logged actions from the Activities page**
In the AWS Control Tower console, the **Activities** page provides an overview of AWS Control Tower management account actions. To navigate to the AWS Control Tower **Activities** page, select **Activities** from the left navigation.
The activities shown in the **Activities** page are the same ones reported in the AWS CloudTrail events log for AWS Control Tower, but they're shown in a table format. To learn more about a specific activity, select the activity from the table and then choose **View details**.
You can view member account actions and events in the log archive files.
The following sections describe monitoring and logging in AWS Control Tower with more detail:
**Topics**
+ [Integrated tools for monitoring](monitoring-overview.md)
+ [Logging AWS Control Tower Actions with AWS CloudTrail](logging-using-cloudtrail.md)
+ [Lifecycle Events in AWS Control Tower](lifecycle-events.md)
+ [Using AWS User Notifications with AWS Control Tower](using-user-notifications.md)
# About logging in AWS Control Tower
AWS Control Tower accomplishes logging of actions and events automatically, through its integration with AWS CloudTrail and AWS Config, and it records them in CloudWatch. All actions are logged, including actions from the AWS Control Tower management account and from your organization's member accounts. Management account actions and events are viewable on the **Activities** page in the console. You can view member account actions and events in the log archive files.
**Organization-level trails**
AWS Control Tower sets up a new CloudTrail trail when you set up a landing zone. It is an *organization-level trail*, which means that it logs all events for the management account and all member accounts in the organization. This feature relies on *trusted access* to give the management account permissions to create a trail on every member account.
For more information about AWS Control Tower and CloudTrail organization trails, see [Creating a trail for an organization](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/creating-trail-organization.html).
**Note**
In AWS Control Tower releases before landing zone version 3.0, AWS Control Tower created a member account trail in each account. When you update to release 3.0, your CloudTrail trail becomes an organization trail. For best practices when moving between trails, see [Best practices for changing trails](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/creating-trail-organization.html#creating-an-organizational-trail-best-practice) in the *CloudTrail User Guide*.
When you enroll an account into AWS Control Tower, your account is governed by the AWS CloudTrail trail for the AWS Control Tower organization. If you have an existing deployment of a CloudTrail trail in that account, you may see duplicate charges unless you delete the existing trail for the account before you enroll it in AWS Control Tower.
**Note**
When you update to landing zone version 3.0, AWS Control Tower deletes the account-level trails (that AWS Control Tower has created) in your enrolled accounts on your behalf. Your existing, account-level log files are preserved in their Amazon S3 bucket.
# Amazon S3 bucket policy in the audit account
In AWS Control Tower, AWS services have access to your resources only when the request originates from your organization or organizational unit (OU). An `aws:SourceOrgID` condition must be met for any write permissions.
You can use the `aws:SourceOrgID` condition key and set the value to your **organization ID** in the condition element of your Amazon S3 bucket policy. This condition ensures that CloudTrail only can write logs on behalf of accounts within your organization to your S3 bucket; it prevents CloudTrail logs outside your organization from writing to your AWS Control Tower S3 bucket.
This policy does not affect the functionality of your existing workloads. The policy is shown in the example that follows.
```
S3AuditBucketPolicy:
Type: AWS::S3::BucketPolicy
Properties:
Bucket: !Ref S3AuditBucket
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowSSLRequestsOnly
Effect: Deny
Principal: '*'
Action: s3:*
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
- !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/*"
Condition:
Bool:
aws:SecureTransport: false
- Sid: AWSBucketPermissionsCheck
Effect: Allow
Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Action: s3:GetBucketAcl
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
- Sid: AWSConfigBucketExistenceCheck
Effect: Allow
Principal:
Service:
- cloudtrail.amazonaws.com
- config.amazonaws.com
Action: s3:ListBucket
Resource:
- !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}"
- Sid: AWSBucketDeliveryForConfig
Effect: Allow
Principal:
Service:
- config.amazonaws.com
Action: s3:PutObject
Resource:
- Fn::Join:
- ""
-
- !Sub "arn:${AWS::Partition}:s3:::"
- !Ref "S3AuditBucket"
- !Sub "/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"
Condition:
StringEquals:
aws:SourceOrgID: !Ref OrganizationId
- Sid: AWSBucketDeliveryForOrganizationTrail
Effect: Allow
Principal:
Service:
- cloudtrail.amazonaws.com
Action: s3:PutObject
Resource: !If [IsAccountLevelBucketPermissionRequiredForCloudTrail,
[!Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${Namespace}/*", !Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/${OrganizationId}/*"],
!Sub "arn:${AWS::Partition}:s3:::${S3AuditBucket}/${AWSLogsS3KeyPrefix}/AWSLogs/*/*"]
Condition:
StringEquals:
aws:SourceOrgID: !Ref OrganizationId
```
For more information about this condition key, see the IAM documentation and the IAM blog post entitled "*Use scalable controls for AWS services accessing your resources*."
# Integrated tools for monitoring
Monitoring is an important part of maintaining the reliability, availability, and performance of AWS Control Tower and your other AWS solutions. AWS provides the following monitoring tools to watch AWS Control Tower, report when something is wrong, and take automatic actions when appropriate:
+ *Amazon CloudWatch* monitors your AWS resources and the applications you run on AWS in real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon CloudWatch Events* delivers a near real-time stream of system events that describe changes in AWS resources. CloudWatch Events enables automated event-driven computing, as you can write rules that watch for certain events and trigger automated actions in other AWS services when these events happen. For more information, see the [Amazon CloudWatch Events User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/).
+ *Amazon CloudWatch Logs* enables you to monitor, store, and access your log files from Amazon EC2 instances, CloudTrail, and other sources. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred.
**Tip: **You can view and query CloudTrail activity on an account through CloudWatch Logs and CloudWatch Logs Insights. This activity includes AWS Control Tower lifecycle events. CloudWatch Logs’ capabilities allow you to perform more granular and precise queries than you would normally be able to make using CloudTrail.
For more information, see [Logging AWS Control Tower Actions with AWS CloudTrail](logging-using-cloudtrail.md).
# Logging AWS Control Tower Actions with AWS CloudTrail
AWS Control Tower is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in AWS Control Tower. CloudTrail captures actions for AWS Control Tower as events. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for AWS Control Tower.
If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine the request that was made to AWS Control Tower, the IP address from which the request was made, who made the request, when it was made, and additional details.
To learn more about CloudTrail, including how to configure and enable it, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
## AWS Control Tower Information in CloudTrail
CloudTrail is enabled on your AWS account when you create the account. When supported event activity occurs in AWS Control Tower, that activity is recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing Events with CloudTrail Event History](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
**Note**
In AWS Control Tower releases before landing zone version 3.0, AWS Control Tower created a member account trail. When you update to release 3.0, your CloudTrail trail is updated to become an organization trail. For best practices when moving between trails, see [Creating an organizational trail](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/creating-trail-organization.html#creating-an-organizational-trail-best-practice) in the CloudTrail User Guide.
**Recommended: Create a trail**
For an ongoing record of events in your AWS account, including events for AWS Control Tower, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following:
+ [Overview for Creating a Trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [Prepare for creating a trail](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/creating-an-organizational-trail-prepare.html)
+ [Managing CloudTrail costs](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/cloudtrail-trail-manage-costs.html)
+ [CloudTrail Supported Services and Integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS Notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail Log Files from Multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail Log Files from Multiple Accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)
AWS Control Tower logs the following actions as events in CloudTrail log files:
**Public APIs**
+ For a full list of the AWS Control Tower public APIs and details about each one, see [The AWS Control Tower API Reference](https://docs.aws.amazon.com//controltower/latest/APIReference/Welcome.html). Calls to these public APIs are logged by AWS CloudTrail.
**Other APIs**
+ `SetupLandingZone`
+ `UpdateAccountFactoryConfig`
+ `ManageOrganizationalUnit`
+ `CreateManagedAccount`
+ `GetLandingZoneStatus`
+ `GetHomeRegion`
+ `ListManagedAccounts`
+ `DescribeManagedAccount`
+ `DescribeAccountFactoryConfig`
+ `DescribeGuardrailForTarget`
+ `DescribeManagedOrganizationalUnit`
+ `ListEnabledGuardrails`
+ `ListGuardrailViolations`
+ `ListGuardrails`
+ `ListGuardrailsForTarget`
+ `ListManagedAccountsForGuardrail`
+ `ListManagedAccountsForParent`
+ `ListManagedOrganizationalUnits`
+ `ListManagedOrganizationalUnitsForGuardrail`
+ `GetGuardrailComplianceStatus`
+ `DescribeGuardrail`
+ `ListDirectoryGroups`
+ `DescribeSingleSignOn`
+ `DescribeCoreService`
+ `GetAvailableUpdates`
Every event or log entry contains information about who generated the request. The identity information helps you determine the following:
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.
+ Whether the request was rejected as access denied or processed successfully.
For more information, see the [CloudTrail userIdentity Element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).
## Example: AWS Control Tower Log File Entries
A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail events don't appear in any specific order in the log files.
The following example shows a CloudTrail log entry that shows the structure of a typical log file entry for a `SetupLandingZone` AWS Control Tower event, including a record of the identity of the user who initiated the action.
```
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AIDACKCEVSQ6C2EXAMPLE:backend-test-assume-role-session",
"arn": "arn:aws:sts::76543EXAMPLE;:assumed-role/AWSControlTowerTestAdmin/backend-test-assume-role-session",
"accountId": "76543EXAMPLE",
"accessKeyId": "AKIAIOSFODNN7EXAMPLE",
"sessionContext": {
"attributes": {
"mfaAuthenticated": "false",
"creationDate": "2018-11-20T19:36:11Z"
},
"sessionIssuer": {
"type": "Role",
"principalId": "AIDACKCEVSQ6C2EXAMPLE",
"arn": "arn:aws:iam::AKIAIOSFODNN7EXAMPLE:role/AWSControlTowerTestAdmin",
"accountId": "AIDACKCEVSQ6C2EXAMPLE",
"userName": "AWSControlTowerTestAdmin"
}
}
},
"eventTime": "2018-11-20T19:36:15Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "SetupLandingZone",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "Coral/Netty4",
"errorCode": "InvalidParametersException",
"errorMessage": "Home region EU_CENTRAL_1 is unsupported",
"requestParameters": {
"homeRegion": "EU_CENTRAL_1",
"logAccountEmail": "HIDDEN_DUE_TO_SECURITY_REASONS",
"sharedServiceAccountEmail": "HIDDEN_DUE_TO_SECURITY_REASONS",
"securityAccountEmail": "HIDDEN_DUE_TO_SECURITY_REASONS",
"securityNotificationEmail": "HIDDEN_DUE_TO_SECURITY_REASONS"
},
"responseElements": null,
"requestID": "96f47b68-ed5f-4268-931c-807cd1f89a96",
"eventID": "4ef5cf08-39e5-4fdf-9ea2-b07ced506851",
"eventType": "AwsApiCall",
"recipientAccountId": "76543EXAMPLE"
}
```
# Monitor resource changes with AWS Config
AWS Control Tower enables AWS Config on all enrolled accounts, so that it can monitor compliance through detective controls, record resource changes, and deliver resource change logs to the log archive account.
**If your landing zone version is earlier than 3.0**: For your enrolled accounts, AWS Config logs all changes to resources, for all Regions in which the account operates. Each change is modeled as a configuration item (CI), which contains information such as the resource identifier, the Region, the date that each change was recorded, and whether the change relates to a known resource or a newly discovered one.
**If your landing zone version is 3.0 or later**: AWS Control Tower limits recording for global resources, such as IAM users, groups, roles, and customer managed polices, to your home Region only. Copies of global resource changes are not stored in every Region. This limitation of resource recording conforms with AWS Config [best practices](https://aws.amazon.com//blogs/mt/aws-config-best-practices/). A [full list of global resources](https://docs.aws.amazon.com//config/latest/developerguide/select-resources.html) is available in AWS Config documentation.
+ To learn more about AWS Config, see [ How AWS Config works](https://docs.aws.amazon.com//config/latest/developerguide/how-does-config-work.html).
+ For a list of resources that AWS Config can support, see [Supported resource types](https://docs.aws.amazon.com//config/latest/developerguide/resource-config-reference.html).
+ To learn about how to customize resource tracking in the AWS Control Tower environment, see the blog post entitled [Customize AWS Config resource tracking in AWS Control Tower](https://aws.amazon.com/blogs//mt/customize-aws-config-resource-tracking-in-aws-control-tower-environment).
AWS Control Tower sets up an AWS Config delivery channel in all enrolled accounts. Through this delivery channel, it logs all changes recorded by AWS Config in the log archive account, where they are stored to a folder in an Amazon Simple Storage Service bucket.
# Manage AWS Config costs in AWS Control Tower
This section describes how AWS Config records and bills you for changes to resources in your AWS Control Tower accounts. This information may help you understand how to manage the costs associated with AWS Config, when you're utilizing AWS Control Tower. AWS Control Tower adds no additional cost.
**Note**
**If your landing zone version is 3.0 or later**: AWS Control Tower limits AWS Config recording for global resources, such as IAM users, groups, roles, and customer-managed polices, to your home Region only. Therefore, some of the information in this section may not apply to your landing zone.
AWS Config is designed to record each change to each resource, in each Region where an account operates, as a configuration item (CI). AWS Config bills you for each configuration item that it generates.
**How AWS Config operates**
AWS Config records resources in each Region, separately. Some global resources, such as IAM roles, are recorded once per Region. For example, if you create a new IAM role in an enrolled account that is operating in five Regions, AWS Config generates five CIs, one for each Region. Other global resources, such as Route 53 hosted zones, are recorded only once across all Regions. For example, if you create a new Route 53 hosted zone in an enrolled account, AWS Config generates one CI, regardless of how many Regions are selected for that account. For a list that helps you distinguish these types of resources, see [The same resource is recorded multiple times](monitoring-with-config.md#duplicate-configuration-items).
**Note**
When AWS Control Tower works with AWS Config, a Region may be governed by AWS Control Tower, or ungoverned, and AWS Config still records the changes if the account operates in that Region.
**AWS Config detects two types of relationships in resources**
AWS Config makes a distinction between *direct* and *indirect* relationships among resources. If a resource is returned in another resource's **Describe** API call, those resources are recorded as a direct relationship. When you change a resource in a direct relationship with another resource, AWS Config does not make a CI for both resources.
For example, if you create an Amazon EC2 instance, and the API requires you to create a network interface, AWS Config considers the Amazon EC2 instance to have a direct relationship with the network interface. As a result, AWS Config generates only one CI.
AWS Config records separate changes for resource relationships that are *indirect* relationships. For example, AWS Config generates two CIs if you create a security group and add an associated Amazon EC2 instance that's part of the security group.
For more information about direct and indirect relationships, see [What is a direct and an indirect relationship with respect to a resource?](https://docs.aws.amazon.com//config/latest/developerguide/faq.html#faq-0)
You can find [a list of resource relationships](https://docs.aws.amazon.com//config/latest/developerguide/resource-config-reference.html) in the AWS Config documentation.
## View the AWS Config recorder data on enrolled accounts
AWS Config is integrated with CloudWatch so that you can view AWS Config CIs in a dashboard. For more information, see the blog post entitled [AWS Config supports Amazon CloudWatch metrics](https://aws.amazon.com/about-aws/whats-new/2022/05/aws-config-supports-amazon-cloudwatch-metrics).
Programmatically, to view AWS Config data, you can work with the AWS CLI, or you can utilize other AWS tools.
### Query the AWS Config recorder data on a specific resource
You can use the AWS CLI to retrieve a list of the most recent changes for a resource.
**Resource history command:**
+ `aws configservice get-resource-config-history --resource-type RESOURCE-TYPE --resource-id RESOURCE-ID --region REGION`
To learn more, see [the API documentation for `get-config-history`](https://docs.aws.amazon.com//cli/latest/reference/configservice/get-resource-config-history.html).
### Visualize AWS Config data with Quick
You can visualize and query resources recorded by AWS Config across your entire organization. For more information, see the [Config Resource Compliance Dashboard](https://catalog.workshops.aws/awscid/en-US/dashboards/additional/config-resource-compliance-dashboard) and [Visualizing AWS Config data using Amazon Athena and Quick](https://aws.amazon.com/blogs/mt/visualizing-aws-config-data-using-amazon-athena-and-amazon-quicksight/).
## Troubleshooting AWS Config in AWS Control Tower
This section gives information about some problems you may encounter when using AWS Config with AWS Control Tower.
### High AWS Config costs
If your workflow includes processes that create, update, or delete resources frequently, or if it handles resources in large numbers, that workflow may generate large numbers of CIs. If you run these processes in a non-production account, consider unenrolling the account. You may need to de-activate the AWS Config recorder for that account manually.
**Note**
After you unenroll the account, AWS Control Tower cannot enforce detective controls or log account events, such as AWS Config activities, for resources in that account.
For more information, see [Unmanage an enrolled account](https://docs.aws.amazon.com//controltower/latest/userguide/unmanage-account.html). To learn how to deactivate the AWS Config recorder, see [Managing the configuration recorder](https://docs.aws.amazon.com//config/latest/developerguide/stop-start-recorder.html).
### The same resource is recorded multiple times
Check whether the resource is a [global resource](https://docs.aws.amazon.com//config/latest/developerguide/select-resources.html). For AWS Control Tower landing zones prior to version 3.0, AWS Config may record certain global resources once for each Region in which AWS Config is operating. For example, if AWS Config is enabled on eight Regions, each role is recorded eight times.
**The following resources are recorded once for each Region in which AWS Config is operating:**
+ `AWS::IAM::Group`
+ `AWS::IAM::Policy`
+ `AWS::IAM::Role`
+ `AWS::IAM::User`
**Other global resources are recorded only once. Here are some examples of resources that are recorded once:**
+ `AWS::Route53::HostedZone`
+ `AWS::Route53::HealthCheck`
+ `AWS::ECR::PublicRepository`
+ `AWS::GlobalAccelerator::Listener`
+ `AWS::GlobalAccelerator::EndpointGroup`
+ `AWS::GlobalAccelerator::Accelerator`
### AWS Config did not record a resource
Certain resources have dependency relationships with other resources. These relationships may be *direct* or *indirect*. You can find a list of deprecated indirect relationships in [the AWS Config FAQ](https://docs.aws.amazon.com//config/latest/developerguide/faq.html#faq-2).
# Lifecycle Events in AWS Control Tower
Some events logged by AWS Control Tower are *lifecycle events*. A lifecycle event's purpose is to mark the *completion* of certain AWS Control Tower actions that change the state of resources. Lifecycle events apply to resources that AWS Control Tower creates or manages, such as a landing zone, baseline, or control, related to an organizational unit (OU) or account.
**Characteristics of AWS Control Tower lifecycle events**
+ For each lifecycle event, the event log shows whether the originating Control Tower action completed successfully, or failed.
+ AWS CloudTrail automatically records each lifecycle event as a *non-API AWS service event*. For more information, see [ the AWS CloudTrail User Guide.](https://docs.aws.amazon.com//awscloudtrail/latest/userguide/non-api-aws-service-events.html)
+ Each lifecycle event also is delivered to the Amazon EventBridge and Amazon CloudWatch Events services. **Note:** To receive lifecycle events in EventBridge, you must have an active AWS CloudTrail trail with logging enabled. For more information about AWS service events delivered via AWS CloudTrail, see [AWS service events delivered via AWS CloudTrail](https://docs.aws.amazon.com//eventbridge/latest/userguide/eb-service-event-cloudtrail.html) in the Amazon EventBridge User Guide.
**Lifecycle events in AWS Control Tower offer two primary benefits:**
+ Because a lifecycle event registers the completion of an AWS Control Tower action, you can create an Amazon EventBridge rule or Amazon CloudWatch Events rule that can trigger the next steps in your automation workflow, based on the state of the lifecycle event.
+ The logs provide additional detail to assist administrators and auditors in reviewing certain types of activity in your organizations.
**How lifecycle events work**
AWS Control Tower relies upon multiple services to implement its actions. Therefore, each lifecycle event is recorded only after a series of actions is complete. For example, when you enable a control on an OU, AWS Control Tower launches a series of sub-steps that implement the request. The final result of the entire series of sub-steps is recorded in the log as the state of the lifecycle event.
+ If every underlying sub-step has completed successfully, the lifecycle event state is recorded as **Succeeded**.
+ If any of the underlying sub-steps did not complete successfully, the lifecycle event state is recorded as **Failed**.
Each lifecycle event includes a logged timestamp that shows when the AWS Control Tower action was initiated, and another timestamp showing when the lifecycle event is completed, marking success or failure.
**Viewing lifecycle events in Control Tower**
You can view lifecycle events from the **Activities** page in your AWS Control Tower dashboard.
+ To navigate to the **Activities** page, choose **Activities** from the left navigation pane.
+ To get more details about a specific event, select the event and then choose the **View details** button at the upper right.
For more information about how to integrate AWS Control Tower lifecycle events into your workflows, see this blog post, [Using lifecycle events to track AWS Control Tower actions and trigger automated workflows](https://aws.amazon.com//blogs/mt/using-lifecycle-events-to-track-aws-control-tower-actions-and-trigger-automated-workflows/).
**Expected behavior of CreateManagedAccount and UpdateManagedAccount lifecycle events**
When you create an account or enroll an account in AWS Control Tower, those two actions call the same internal API. If there's an error during the process, it usually occurs after the account has been created but is not fully provisioned. When you retry to create the account after the error, or when you try to update the provisioned product, AWS Control Tower sees that the account already exists.
Because the account exists, AWS Control Tower records the `UpdateManagedAccount` lifecycle event instead of the `CreateManagedAccount` lifecycle event at the end of the retry request. You may have expected to see another `CreateManagedAccount` event because of the error. However, the `UpdateManagedAccount` lifecycle event is the expected and desired behavior.
If you plan to create or enroll accounts into AWS Control Tower using automated methods, program the Lambda function to look for **UpdateManagedAccount** lifecycle events as well as **CreateManagedAccount** lifecycle events.
**Lifecycle event names**
Each lifecycle event is named so that it corresponds to the originating AWS Control Tower action, which also is recorded by AWS CloudTrail. Thus, for example, a lifecycle event originated by the AWS Control Tower `CreateManagedAccount` CloudTrail event is named `CreateManagedAccount`.
Each name in the list that follows is a link to an example of the logged detail in `JSON` format. The additional detail shown in these examples is taken from the Amazon CloudWatch event logs.
Although `JSON` does not support comments, some comments have been added in the examples for explanatory purposes. Comments are preceded by "//" and they appear in the right side of the examples.
In these examples, some account names and organization names are obscured. An `accountId` is always a 12-number sequence, which has been replaced with "xxxxxxxxxxxx" in the examples. An `organizationalUnitID` is a unique string of letters and numbers. Its form is preserved in the examples.
+ [`CreateManagedAccount`](#create-managed-account): The log records whether AWS Control Tower successfully completed every action to create and provision a new account using account factory.
+ [`UpdateManagedAccount`](#update-managed-account): The log records whether AWS Control Tower successfully completed every action to update a provisioned product that's associated with an account you had previously created by using account factory.
+ [`EnableGuardrail`](#enable-control): The log records whether AWS Control Tower successfully completed every action to enable a control on an OU.
+ [`DisableGuardrail`](#disable-control): The log records whether AWS Control Tower successfully completed every action to disable a control on an OU.
+ [`SetupLandingZone`](#setup-landing-zone): The log records whether AWS Control Tower successfully completed every action to set up a landing zone.
+ [`UpdateLandingZone`](#update-landing-zone): The log records whether AWS Control Tower successfully completed every action to update your existing landing zone.
+ [`RegisterOrganizationalUnit`](#register-organizational-unit): The log records whether AWS Control Tower successfully completed every action to enable its governance features on an OU.
+ [`DeregisterOrganizationalUnit`](#deregister-organizational-unit): The log records whether AWS Control Tower successfully completed every action to disable its governance features on an OU.
+ [`PrecheckOrganizationalUnit`](#precheck-organizational-unit): The log records whether AWS Control Tower detected any resource that would would prevent the **Extend governance** operation from completing successfully.
+ [`EnableBaseline`](#enable-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to enable a new baseline on a target member account under an OU. The enable operation can be initiated using the `EnableBaseline` API or the console.
+ [`ResetEnabledBaseline`](#reset-enabled-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to reset an existing enabled baseline on a target member account under an OU. The reset operation can be initiated using the `ResetEnabledBaseline` API or the console.
+ [`UpdateEnabledBaseline`](#update-enabled-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to update an existing enabled baseline on a target member account under an OU. The update operation can be initiated using the `UpdateEnabledBaseline` API or the console.
+ [`DisableBaseline`](#disable-baseline-lfc): The log records whether AWS Control Tower successfully completed every action to disable an existing enabled baseline on a target member account under an OU. The disable operation can be initiated using the `DisableBaseline` API or the console.
The following sections provide a list of AWS Control Tower lifecycle events, with examples of the details logged for each type of lifecycle event.
## `CreateManagedAccount`
This lifecycle event records whether AWS Control Tower successfully created and provisioned a new account using account factory. This event corresponds to the AWS Control Tower `CreateManagedAccount` CloudTrail event. The lifecycle event log includes the `accountName` and `accountId` of the newly-created account, and the `organizationalUnitName` and `organizationalUnitId` of the OU in which the account has been placed.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012",
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX", // Management account ID.
"time": "2018-08-30T21:42:18Z", // Format: yyyy-MM-dd'T'hh:mm:ssZ
"region": "us-east-1", // AWS Control Tower home region.
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
"eventSource": "controltower.amazonaws.com",
"eventName": "CreateManagedAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "0000000-0000-0000-1111-123456789012",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"createManagedAccountStatus": {
"organizationalUnit":{
"organizationalUnitName":"Custom",
"organizationalUnitId":"ou-XXXX-l3zc8b3h"
},
"account":{
"accountName":"LifeCycle1",
"accountId":"XXXXXXXXXXXX"
},
"state":"SUCCEEDED",
"message":"AWS Control Tower successfully created a managed account.",
"requestedTimestamp":"2019-11-15T11:45:18+0000",
"completedTimestamp":"2019-11-16T12:09:32+0000"}
}
}
}
```
## `UpdateManagedAccount`
This lifecycle event records whether AWS Control Tower successfully updated the provisioned product associated with an account that was created previously by using account factory. This event corresponds to the AWS Control Tower `UpdateManagedAccount` CloudTrail event. The lifecycle event log includes the `accountName` and `accountId` of the associated account, and the `organizationalUnitName` and `organizationalUnitId` of the OU in which the updated account is placed.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012",
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX", // AWS Control Tower organization management account.
"time": "2018-08-30T21:42:18Z", // Format: yyyy-MM-dd'T'hh:mm:ssZ
"region": "us-east-1", // AWS Control Tower home region.
"resources": [],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
"eventSource": "controltower.amazonaws.com",
"eventName": "UpdateManagedAccount",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "0000000-0000-0000-1111-123456789012",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"updateManagedAccountStatus": {
"organizationalUnit":{
"organizationalUnitName":"Custom",
"organizationalUnitId":"ou-XXXX-l3zc8b3h"
},
"account":{
"accountName":"LifeCycle1",
"accountId":"XXXXXXXXXXXX"
},
"state":"SUCCEEDED",
"message":"AWS Control Tower successfully updated a managed account.",
"requestedTimestamp":"2019-11-15T11:45:18+0000",
"completedTimestamp":"2019-11-16T12:09:32+0000"}
}
}
}
```
## `EnableGuardrail`
This lifecycle event records whether AWS Control Tower successfully enabled a control on an OU that is being managed by AWS Control Tower. This event corresponds to the AWS Control Tower `EnableGuardrail` CloudTrail event. The lifecycle event log includes the `guardrailId` and `guardrailBehavior` of the control, and the `organizationalUnitName` and `organizationalUnitId` of the OU on which the control is enabled.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012",
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX",
"time": "2018-08-30T21:42:18Z", // End-time of action. Format: yyyy-MM-dd'T'hh:mm:ssZ
"region": "us-east-1", // AWS Control Tower home region.
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "EnableGuardrail",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "0000000-0000-0000-1111-123456789012",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"enableGuardrailStatus": {
"organizationalUnits": [
{
"organizationalUnitName": "Custom",
"organizationalUnitId": "ou-vwxy-18vy4yro"
}
],
"guardrails": [
{
"guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
"guardrailBehavior": "DETECTIVE"
}
],
"state": "SUCCEEDED",
"message": "AWS Control Tower successfully enabled a guardrail on an organizational unit.",
"requestTimestamp": "2019-11-12T09:01:07+0000",
"completedTimestamp": "2019-11-12T09:01:54+0000"
}
}
}
}
```
## `DisableGuardrail`
This lifecycle event records whether AWS Control Tower successfully disabled a control on an OU that is being managed by AWS Control Tower. This event corresponds to the AWS Control Tower `DisableGuardrail` CloudTrail event. The lifecycle event log includes the `guardrailId` and `guardrailBehavior` of the control, and the `organizationalUnitName` and `organizationalUnitId` of the OU on which the control is disabled.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012",
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX",
"time": "2018-08-30T21:42:18Z",
"region": "us-east-1",
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "DisableGuardrail",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "0000000-0000-0000-1111-123456789012",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"disableGuardrailStatus": {
"organizationalUnits": [
{
"organizationalUnitName": "Custom",
"organizationalUnitId": "ou-vwxy-18vy4yro"
}
],
"guardrails": [
{
"guardrailId": "AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK",
"guardrailBehavior": "DETECTIVE"
}
],
"state": "SUCCEEDED",
"message": "AWS Control Tower successfully disabled a guardrail on an organizational unit.",
"requestTimestamp": "2019-11-12T09:01:07+0000",
"completedTimestamp": "2019-11-12T09:01:54+0000"
}
}
}
}
```
## `SetupLandingZone`
This lifecycle event records whether AWS Control Tower successfully set up a landing zone. This event corresponds to the AWS Control Tower `SetupLandingZone` CloudTrail event. The lifecycle event log includes the `rootOrganizationalId`, which is ID of the organization that AWS Control Tower creates from the management account. The log entry also includes the `organizationalUnitName` and `organizationalUnitId` for each of of the OUs, and the `accountName` and `accountId` for each account, that are created when AWS Control Tower sets up the landing zone.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012", // Request ID.
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX", // Management account ID.
"time": "2018-08-30T21:42:18Z", // Event time from CloudTrail.
"region": "us-east-1", // Management account CloudTrail region.
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX", // Management-account ID.
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
"eventSource": "controltower.amazonaws.com",
"eventName": "SetupLandingZone",
"awsRegion": "us-east-1", // AWS Control Tower home region.
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "CloudTrail_event_ID", // This value is generated by CloudTrail.
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"setupLandingZoneStatus": {
"state": "SUCCEEDED", // Status of entire lifecycle operation.
"message": "AWS Control Tower successfully set up a new landing zone.",
"rootOrganizationalId" : "r-1234",
"organizationalUnits" : [ // Use a list.
{
"organizationalUnitName": "Security", // Security OU name.
"organizationalUnitId": "ou-adpf-302pk332" // Security OU ID.
},
{
"organizationalUnitName": "Custom", // Custom OU name.
"organizationalUnitId": "ou-adpf-302pk332" // Custom OU ID.
},
],
"accounts": [ // All created accounts are here. Use a list of "account" objects.
{
"accountName": "Audit",
"accountId": "XXXXXXXXXXXX"
},
{
"accountName": "Log archive",
"accountId": "XXXXXXXXXXXX"
}
],
"requestedTimestamp": "2018-08-30T21:42:18Z",
"completedTimestamp": "2018-08-30T21:42:18Z"
}
}
}
}
```
## `UpdateLandingZone`
This lifecycle event records whether AWS Control Tower successfully updated your existing landing zone. This event corresponds to the AWS Control Tower `UpdateLandingZone` CloudTrail event. The lifecycle event log includes the `rootOrganizationalId`, which is ID of the (updated) organization governed by AWS Control Tower. The log entry also includes the `organizationalUnitName` and `organizationalUnitId` for each of of the OUs, and the `accountName` and `accountId` for each account, that was created previously, when AWS Control Tower originally set up the landing zone.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012", // Request ID.
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX", // Management account ID.
"time": "2018-08-30T21:42:18Z", // Event time from CloudTrail.
"region": "us-east-1", // Management account CloudTrail region.
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX", // Management account ID.
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
"eventSource": "controltower.amazonaws.com",
"eventName": "UpdateLandingZone",
"awsRegion": "us-east-1", // AWS Control Tower home region.
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "CloudTrail_event_ID", // This value is generated by CloudTrail.
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"updateLandingZoneStatus": {
"state": "SUCCEEDED", // Status of entire operation.
"message": "AWS Control Tower successfully updated a landing zone.",
"rootOrganizationalId" : "r-1234",
"organizationalUnits" : [ // Use a list.
{
"organizationalUnitName": "Security", // Security OU name.
"organizationalUnitId": "ou-adpf-302pk332" // Security OU ID.
},
{
"organizationalUnitName": "Custom", // Custom OU name.
"organizationalUnitId": "ou-adpf-302pk332" // Custom OU ID.
},
],
"accounts": [ // All created accounts are here. Use a list of "account" objects.
{
"accountName": "Audit",
"accountId": "XXXXXXXXXXXX"
},
{
"accountName": "Log archive",
"accountId": "XXXXXXXXXX"
}
],
"requestedTimestamp": "2018-08-30T21:42:18Z",
"completedTimestamp": "2018-08-30T21:42:18Z"
}
}
}
}
```
## `RegisterOrganizationalUnit`
This lifecycle event records whether AWS Control Tower successfully enabled its governance features on an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` CloudTrail event. The lifecycle event log includes the `organizationalUnitName` and `organizationalUnitId` of the OU that AWS Control Tower has brought under its governance.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012",
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "123456789012",
"time": "2018-08-30T21:42:18Z",
"region": "us-east-1",
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "RegisterOrganizationalUnit",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "0000000-0000-0000-1111-123456789012",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"registerOrganizationalUnitStatus": {
"state": "SUCCEEDED",
"message": "AWS Control Tower successfully registered an organizational unit.",
"organizationalUnit" :
{
"organizationalUnitName": "Test",
"organizationalUnitId": "ou-adpf-302pk332"
}
"requestedTimestamp": "2018-08-30T21:42:18Z",
"completedTimestamp": "2018-08-30T21:42:18Z"
}
}
}
}
```
## `DeregisterOrganizationalUnit`
This lifecycle event records whether AWS Control Tower successfully disabled its governance features on an OU. This event corresponds to the AWS Control Tower `DeregisterOrganizationalUnit` CloudTrail event. The lifecycle event log includes the `organizationalUnitName` and `organizationalUnitId` of the OU on which AWS Control Tower has disabled its governance features.
```
{
"version": "0",
"id": "999cccaa-eaaa-0000-1111-123456789012",
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "XXXXXXXXXXXX",
"time": "2018-08-30T21:42:18Z",
"region": "us-east-1",
"resources": [ ],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "DeregisterOrganizationalUnit",
"awsRegion": "us-east-1",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "0000000-0000-0000-1111-123456789012",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
"deregisterOrganizationalUnitStatus": {
"state": "SUCCEEDED",
"message": "AWS Control Tower successfully deregistered an organizational unit, and enabled mandatory guardrails on the new organizational unit.",
"organizationalUnit" :
{
"organizationalUnitName": "Test", // Foundational OU name.
"organizationalUnitId": "ou-adpf-302pk332" // Foundational OU ID.
},
"requestedTimestamp": "2018-08-30T21:42:18Z",
"completedTimestamp": "2018-08-30T21:42:18Z"
}
}
}
}
```
## `PrecheckOrganizationalUnit`
This lifecycle event records whether AWS Control Tower successfully performed prechecks on an OU. This event corresponds to the AWS Control Tower `PrecheckOrganizationalUnit` CloudTrail event. The lifecycle event log contains a field for the `Id`, `Name`, and `failedPrechecks` values, for each resource on which AWS Control Tower has performed prechecks during the OU registration process.
The event log also contains information about the nested accounts on which the prechecks were performed, including the `accountName`, `accountId`, and `failedPrechecks` fields.
If the `failedPrechecks` value is empty, it means that all prechecks for that resource passed successfully.
+ This event is emitted only if there is a precheck failure.
+ This event is not emitted if you are registering an empty OU.
Example of event:
```
{
"eventVersion": "1.08",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2021-09-20T22:45:43Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "PrecheckOrganizationalUnit",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "b41a9d67-0da4-4dc5-a87a-25fa19dc5305",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXX",
"serviceEventDetails": {
"precheckOrganizationalUnitStatus": {
"organizationalUnit": {
"organizationalUnitName": "Ou-123",
"organizationalUnitId": "ou-abcd-123456",
"failedPrechecks": [
"SCP_CONFLICT"
]
},
"accounts": [
{
"accountName": "Child Account 1",
"accountId": "XXXXXXXXXXXX",
"failedPrechecks": [
"FAILED_TO_ASSUME_ROLE"
]
},
{
"accountName": "Child Account 2",
"accountId": "XXXXXXXXXXXX",
"failedPrechecks": [
"FAILED_TO_ASSUME_ROLE"
]
},
{
"accountName": "Management Account",
"accountId": "XXXXXXXXXXXX",
"failedPrechecks": [
"MISSING_PERMISSIONS_AF_PRODUCT"
]
},
{
"accountName": "Child Account 3",
"accountId": "XXXXXXXXXXXX",
"failedPrechecks": []
},
...
],
"state": "FAILED",
"message": "AWS Control Tower failed to register an organizational unit due to pre-check failures. Go to the OU details page to download a list of failed pre-checks for the OU and accounts within.",
"requestedTimestamp": "2021-09-20T22:44:02+0000",
"completedTimestamp": "2021-09-20T22:45:43+0000"
}
},
"eventCategory": "Management"
}
```
## `EnableBaseline`
This lifecycle event records whether AWS Control Tower successfully enabled a baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` or `EnableBaseline` CloudTrail events. The lifecycle event log includes the baseline that was enabled and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and the `statusSummary` showing the SUCCEEDED or FAILED status, along with the additional parameters and timestamp of the operation.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-02-10T17:14:57Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "EnableBaseline",
"awsRegion": "us-east-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "366911a2-4fa6-4e4a-ac2b-280f627e0027",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXX",
"serviceEventDetails": {
"enableBaselineStatus": {
"enabledBaselineDetails": {
"arn": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"parentIdentifier": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-ern76xmzvf/XXXXXXXXXXXX",
"baselineIdentifier": "arn:aws:controltower:us-east-2::baseline/XXXXXXXXXXXXXXX",
"baselineVersion": "4.0",
"statusSummary": {
"lastOperationIdentifier": "37f5eb68-e5b9-4c70-ae76-4ca15f6b16de",
"status": "SUCCEEDED"
},
"parameters": [
{
"key": "IdentityCenterEnabledBaselineArn",
"value": {
"untyped": {
"object": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX" }
}
}
]
},
"requestedTimestamp": "2025-02-10T17:07:09+0000",
"completedTimestamp": "2025-02-10T17:14:57+0000"
}
},
"eventCategory": "Management"
}
```
## `ResetEnabledBaseline`
This lifecycle event records whether AWS Control Tower successfully reset the existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` or `ResetEnabledBaseline` CloudTrail events. The lifecycle event log includes the baseline that was enabled and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and the `statusSummary` showing the SUCCEEDED or FAILED status, along with the additional parameters and timestamp of the operation.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-02-10T21:17:55Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "ResetEnabledBaseline",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "c01a32e1-13ab-4b46-8f1b-00699ef6f989",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXX",
"serviceEventDetails": {
"resetEnabledBaselineStatus": {
"enabledBaselineDetails": {
"arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
"baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
"baselineVersion": "1.0",
"statusSummary": {
"lastOperationIdentifier": "3e364c89-89fa-42b8-9776-9f7cc47ba1fa",
"status": "SUCCEEDED"
},
"parameters": []
},
"requestedTimestamp": "2025-02-10T21:14:24Z",
"completedTimestamp": "2025-02-10T21:17:54+0000"
}
},
"eventCategory": "Management"
}
```
## `UpdateEnabledBaseline`
This lifecycle event records whether AWS Control Tower successfully updated the existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `RegisterOrganizationalUnit` or `UpdateEnabledBaseline` CloudTrail events. The lifecycle event log includes the baseline that was enabled and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and the `statusSummary` showing the SUCCEEDED or FAILED status, along with the additional parameters and timestamp of the operation.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-02-10T19:45:28Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "UpdateEnabledBaseline",
"awsRegion": "us-east-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "514f2aff-1a99-4912-bda1-0d4d6662c96e",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXX",
"serviceEventDetails": {
"updateEnabledBaselineStatus": {
"enabledBaselineDetails": {
"arn": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"parentIdentifier": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-ern76xmzvf/XXXXXXXXXXXX",
"baselineIdentifier": "arn:aws:controltower:us-east-2::baseline/XXXXXXXXXXXXXXX",
"baselineVersion": "4.0",
"statusSummary": {
"lastOperationIdentifier": "ba3de28f-83fb-4c9a-8a8c-a4e15fac2c41",
"status": "SUCCEEDED"
},
"parameters": [
{
"key": "IdentityCenterEnabledBaselineArn",
"value": {
"untyped": {
"object": "arn:aws:controltower:us-east-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX" }
}
}
]
},
"requestedTimestamp": "2025-02-10T19:39:35+0000",
"completedTimestamp": "2025-02-10T19:45:28+0000"
}
},
"eventCategory": "Management"
}
```
## `DisableBaseline`
This lifecycle event records whether AWS Control Tower successfully disabled the existing enabled baseline on a target member account under an OU. This event corresponds to the AWS Control Tower `DisableBaseline` CloudTrail event. The lifecycle event log includes the baseline that was enabled and its version, the `targetIdentifier` on which the baseline was enabled, the `parentIdentifier` of the baseline enabled on the parent OU, and the `statusSummary` showing the SUCCEEDED or FAILED status, along with the additional parameters and timestamp of the operation.
```
{
"eventVersion": "1.11",
"userIdentity": {
"accountId": "XXXXXXXXXXXX",
"invokedBy": "AWS Internal"
},
"eventTime": "2025-03-14T00:50:58Z",
"eventSource": "controltower.amazonaws.com",
"eventName": "DisableBaseline",
"awsRegion": "us-west-2",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"requestParameters": null,
"responseElements": null,
"eventID": "704794c4-a32e-4960-8386-c7efaa5a22a1",
"readOnly": false,
"eventType": "AwsServiceEvent",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXX",
"serviceEventDetails": {
"disableBaselineStatus": {
"enabledBaselineDetails": {
"arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
"baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
"baselineVersion": "1.0",
"statusSummary": {
"lastOperationIdentifier": "7b895594-0edb-48bc-9f3d-d88c2ad618df",
"status": "SUCCEEDED"
},
"parameters": []
},
"baselineDetails": {
"arn": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"parentIdentifier": "arn:aws:controltower:us-west-2:XXXXXXXXXXXX:enabledbaseline/XXXXXXXXXXXXXXXX",
"targetIdentifier": "arn:aws:organizations::XXXXXXXXXXXX:account/o-0uh2kplf6d/XXXXXXXXXXXX",
"baselineIdentifier": "arn:aws:controltower:us-west-2::baseline/XXXXXXXXXXXXXXX",
"baselineVersion": "1.0",
"statusSummary": {
"lastOperationIdentifier": "7b895594-0edb-48bc-9f3d-d88c2ad618df",
"status": "SUCCEEDED"
},
"parameters": []
},
"requestedTimestamp": "2025-03-14T00:49:13Z",
"completedTimestamp": "2025-03-14T00:50:58+0000"
}
},
"eventCategory": "Management"
}
```
# Using AWS User Notifications with AWS Control Tower
You can use [AWS User Notifications](https://docs.aws.amazon.com/notifications/latest/userguide/what-is.html) to set up delivery channels to be notified about AWS Control Tower events. You receive a notification when an event matches a rule that you specify. You can receive notifications for events through multiple channels, including email, [Amazon Q Developer in chat applications](https://docs.aws.amazon.com/chatbot/latest/adminguide/what-is.html) chat notifications, or [AWS Console Mobile App](https://docs.aws.amazon.com/consolemobileapp/latest/userguide/what-is-consolemobileapp.html) push notifications. You can also see notifications in the Console Notifications Center.
AWS User Notifications supports aggregation, which can reduce the number of notifications you receive during specific events. Notifications also are visible in the Console Notifications Center.
The advantages of subscribing to notifications through AWS User Notifications instead of EventBridge include:
+ A friendlier user interface (UI).
+ Integration with the AWS console, in the bell/notifications area on the global navigation bar.
+ Native support for email notifications, there's no need to set up Amazon SNS.
+ Most notably, support for mobile push notifications, exclusive to AWS User Notifications.
For example, one type of notification you may wish to receive is in case of Security Hub CSPM critical and high severity findings. A code snippet in JSON to set up that notification subscription may look something like this:
```
{
"detail": {
"findings": {
"Compliance": {
"Status": ["FAILED", "WARNING", "NOT_AVAILABLE"]
},
"RecordState": ["ACTIVE"],
"Severity": {
"Label": ["CRITICAL", "HIGH"]
},
"Workflow": {
"Status": ["NEW", "NOTIFIED"]
}
}
}
}
```
**Event filtering**
+ You can filter events by service and name using the filters available on the AWS User Notifications console.
+ You can filter events by specific properties if you create your own EventBridge filter from JSON code.
**Example AWS Control Tower event**
Here is a generalized example event for AWS Control Tower.
+ It an EventBridge event.
+ You can subscribe to EventBridge events (such as this one) using AWS User Notifications.
```
{
"version": "0",
"id": "", // alphanumeric string
"detail-type": "AWS Service Event via CloudTrail",
"source": "aws.controltower",
"account": "", // Management account ID.
"time": "", // Format: yyyy-MM-dd'T'hh:mm:ssZ
"region": "", // AWS Control Tower home region.
"resources": [],
"detail": {
"eventVersion": "1.05",
"userIdentity": {
"accountId": "121212121212",
"invokedBy": "AWS Internal"
},
"eventTime": "2018-08-30T21:42:18Z", // Timestamp when call was made. Format: yyyy-MM-dd'T'hh:mm:ssZ.
"eventSource": "controltower.amazonaws.com",
"eventName": "", // one of the 9 event names in https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html
"awsRegion": "",
"sourceIPAddress": "AWS Internal",
"userAgent": "AWS Internal",
"eventID": "",
"readOnly": false,
"eventType": "AwsServiceEvent",
"serviceEventDetails": {
// the contents of this object vary depending on the event subtype and event state
}
}
}
```