Please note that this text is machine-translated from Japanese, so there may be some awkward phrasing.
The issue has already been resolved in collaboration with AWS Support, but I wanted to inform you that this problem occurred when using this template.
I was using EXCLUSION Mode and included accounts other than the ones I wanted to modify in ExcludedAccounts to make changes.
When I increased the CloudFormationVersion of the previously configured CloudFormation stack to suppress the recording of new resources, the config recorder settings for member accounts included in ExcludedAccounts were reset.
As a result, resource items that had been suppressed and configured in those member accounts started being recorded, leading to unexpected and unnecessary costs.
(It also took several days to notice this.)
Looking at the CloudWatch Logs for the Lambda function: ConsumerLambda, I found the following messages:
[INFO] 2025-12-10T08:21:00.133Z ef3eebcf-50f9-5d7d-86ba-8a7c7f53c388 Using existing recorder name: aws-controltower-BaselineConfigRecorder
[WARNING] 2025-12-10T08:21:00.356Z ef3eebcf-50f9-5d7d-86ba-8a7c7f53c388 Configuration Recorder reset to default. Response:
I believe this is where the config recorder settings for accounts other than the target were reset.
But is it really necessary to reset the config recorder for member accounts included in ExcludedAccounts?
Also, if you do perform a config recorder reset, I think there should be a clearer warning (including in blog articles).
Additionally, in the Lambda function: ProducerLambda, at line 139, there is:
elif ('LogicalResourceId' in event) and (event['RequestType'] == 'Delete'):
    logging.info('DELETE DELETE')
    logging.warning(
        'Initiating config recorder cleanup for ALL accounts due to CloudFormation stack deletion')
Deleting the stack and cleaning up the config recorder settings for ALL accounts is problematic because it also removes config recorder settings that were already configured in other member accounts. I believe this is not a good approach.
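As an added example (not code from the template or from the issue author), the following audit helper flags accounts listed in ExcludedAccounts whose AWS Config recorder is nonetheless back at the default "record everything" recording group, which is the state the ConsumerLambda log line reports as "reset to default". The recorder data is constructed inline in the shape of boto3 `describe_configuration_recorders()["ConfigurationRecorders"]`; the account IDs and resource types are sample values.

```python
from typing import Dict, Iterable, List

# Constructed sample in the shape of boto3 config.describe_configuration_recorders()
# ["ConfigurationRecorders"], one entry per member account (account IDs are made up).
def _group(all_supported: bool, excluded_types: List[str]) -> dict:
    return {
        "allSupported": all_supported,
        "includeGlobalResourceTypes": all_supported,
        "resourceTypes": [],
        "exclusionByResourceTypes": {"resourceTypes": excluded_types},
        "recordingStrategy": {"useOnly": "ALL_SUPPORTED_RESOURCE_TYPES"
                              if all_supported else "EXCLUSION_BY_RESOURCE_TYPES"},
    }

RECORDER = "aws-controltower-BaselineConfigRecorder"
SAMPLE_RECORDERS: Dict[str, List[dict]] = {
    # excluded account that kept its customised exclusion list
    "111111111111": [{"name": RECORDER, "recordingGroup": _group(False, ["AWS::Config::ResourceCompliance"])}],
    # excluded account whose recorder was reset to record everything
    "222222222222": [{"name": RECORDER, "recordingGroup": _group(True, [])}],
    # target account: the template is expected to change this one
    "333333333333": [{"name": RECORDER, "recordingGroup": _group(False, ["AWS::EC2::Volume"])}],
}
EXCLUDED_ACCOUNTS = ["111111111111", "222222222222"]   # the stack's ExcludedAccounts parameter

def is_default_recording_group(group: dict) -> bool:
    """Default = every supported type recorded and no exclusions, i.e. the state
    the ConsumerLambda log line calls 'reset to default'."""
    excluded = group.get("exclusionByResourceTypes", {}).get("resourceTypes", [])
    return bool(group.get("allSupported")) and not excluded

def find_unexpected_resets(excluded_accounts: Iterable[str],
                           recorders_by_account: Dict[str, List[dict]]) -> List[str]:
    """Accounts in ExcludedAccounts whose recorder is nonetheless back at the
    default recording group. Run after every stack update that bumps
    CloudFormationVersion to catch the reset before it shows up as cost."""
    hits = []
    for account in sorted(set(excluded_accounts)):
        for recorder in recorders_by_account.get(account, []):
            if is_default_recording_group(recorder.get("recordingGroup", {})):
                hits.append(account)
                break
    return hits

if __name__ == "__main__":
    print("Reset while excluded:", find_unexpected_resets(EXCLUDED_ACCOUNTS, SAMPLE_RECORDERS))
```

In a real deployment the per-account dictionaries would come from calling `describe_configuration_recorders` with a role assumed into each member account, and the returned list would feed an alarm rather than a print.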