AWS Control Tower introduces lifecycle event notifications

Posted on: Jan 22, 2020

AWS Control Tower announces the availability of lifecycle event notifications. A lifecycle event marks the completion of a Control Tower action that can change the state of resources such as organizational units (OUs), accounts and guardrails that are created and managed by Control Tower. Lifecycle events are recorded as AWS CloudTrail events and delivered to Amazon EventBridge as events, and each event record states whether the Control Tower action completed successfully or not.

Control Tower uses multiple AWS services to build and govern a best-practices multi-account AWS environment, and it can take several minutes for a Control Tower action to complete. You can track lifecycle events in the CloudTrail logs to verify whether the originating Control Tower action completed successfully, or you can create an EventBridge rule to notify you when CloudTrail records a lifecycle event. You can also create an EventBridge rule that automatically triggers the next step in your automation workflow, such as an AWS Step Functions state machine, an AWS CodePipeline project, or an event bus in a different account for cross-account workflows, when the lifecycle event reports that the originating Control Tower action completed successfully, or that initiates a remediation workflow when the lifecycle event reports that the originating action failed to complete.

Control Tower records lifecycle events at the completion of the following actions that can be performed using the service: (i) creating or updating a landing zone, (ii) creating or deleting an OU, (iii) enabling or disabling a guardrail on an OU, and (iv) using Account Factory to create a new account or to move an account to another OU.
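As an added example (not code from the announcement or from AWS), the following Python shows an EventBridge event pattern that matches the lifecycle events listed above, plus a Lambda-style handler that reads the completion state from the CloudTrail record and routes a succeeded event to the next workflow step and a failed one to remediation. The event names, the `aws.controltower` source and the `serviceEventDetails.<eventName>Status.state` layout are assumptions drawn from the CloudTrail service-event format; confirm them against the Control Tower User Guide before relying on them.

```python
import json

# Control Tower lifecycle event names as recorded in CloudTrail
# (assumed from AWS documentation; verify against the User Guide).
LIFECYCLE_EVENTS = {
    "SetupLandingZone", "UpdateLandingZone",
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",
    "EnableGuardrail", "DisableGuardrail",
    "CreateManagedAccount", "UpdateManagedAccount",
}

# EventBridge rule pattern that matches every lifecycle event above.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": sorted(LIFECYCLE_EVENTS)},
}

# Constructed sample of an EventBridge delivery (not a real captured event).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {"state": "SUCCEEDED"},
        },
    },
}


def classify(event):
    """Return (event_name, state) for a lifecycle event, or None otherwise.
    The status object is assumed to sit under serviceEventDetails in a key
    named after the event with a lower-case first letter plus "Status"."""
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if event.get("source") != "aws.controltower" or name not in LIFECYCLE_EVENTS:
        return None
    status_key = name[0].lower() + name[1:] + "Status"
    state = detail.get("serviceEventDetails", {}).get(status_key, {}).get("state")
    return name, state


def handler(event, context=None):
    """Lambda entry point: next step on SUCCEEDED, remediation on anything else."""
    result = classify(event)
    if result is None:
        return {"action": "ignored"}
    name, state = result
    if state == "SUCCEEDED":
        return {"action": "next-step", "event": name}
    return {"action": "remediate", "event": name, "state": state}


if __name__ == "__main__":
    print(json.dumps(EVENT_PATTERN, indent=2))
    print(handler(SAMPLE_EVENT))
```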

Lifecycle event notifications are available for all Control Tower customers in the following AWS Regions: US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland). To learn more, see the Control Tower User Guide.