AWS Control Tower setup stuck


What can I do if I tried to redo the Control Tower setup but didn't remove the old audit and log-archive accounts? The setup is locked and can't change the names of the log-archive and audit accounts. Can't even access those accounts to remove the S3 buckets.

Asked 8 months ago, viewed 236 times
2 answers

Try this. If drift repair does not fix your landing zone, please post the error messages to provide additional context. Also, if you are redoing everything from scratch, you can go to the CloudFormation console and delete all stack sets related to your Control Tower installation. You may have to go into multiple accounts to delete everything.

Answered 8 months ago
  • Can't repair the drift because the setup is locked and the landing zone wasn't set. I tried to suspend the audit and log-archive accounts without knowing that you can't revert that. And now the setup is locked. Don't understand why you can't change the setting of the Control Tower setup if it fails. Tried to remove the CloudFormation stack sets but I guess it doesn't do anything because the accounts are suspended. I think my only solution would be to unsuspend the accounts somehow.

  • What is the specific error you get when you retry creating the landing zone? I recently ran into a similar issue, and I had to delete the AWSControlTowerBP-BASELINE-CONFIG stack set. You will need the account numbers of your Log and Audit accounts. You can retrieve those from the organization console. Go to your CloudFormation console, and click on "Stacksets" in the side navigation. You will have to "Delete the stacks from Stackset" and then delete the Stackset itself. Give that a try, and then retry creating your landing zone. If that fails, please post the specific error here so we can provide more guidance.
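
The stack-set cleanup described in the comment above, as an added AWS CLI example that is not part of the original thread. The account IDs and region are constructed placeholders, and `cleanup_stack_set` and its `retain` mode are names assumed for this sketch; `--retain-stacks` removes the instances from the stack set without deleting the stacks in the target accounts.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): stack-set cleanup for a failed Control Tower setup.
# DRY_RUN=1 (default) only prints the AWS CLI calls; DRY_RUN=0 executes them.
STACK_SET="AWSControlTowerBP-BASELINE-CONFIG"   # stack set named in the thread
DRY_RUN="${DRY_RUN:-1}"

# $1 = account IDs, $2 = regions (space-separated), $3 = "retain" (optional):
# detach the instances without touching stacks in the target accounts.
cleanup_stack_set() {
  accounts="$1"; regions="$2"; retain="--no-retain-stacks"
  [ "${3:-}" = "retain" ] && retain="--retain-stacks"
  for a in $accounts; do
    case "$a" in
      [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) echo "invalid account id: $a" >&2; return 2 ;;
    esac
  done
  if [ "$DRY_RUN" = "1" ]; then
    echo "aws cloudformation delete-stack-instances --stack-set-name $STACK_SET --accounts $accounts --regions $regions $retain"
    echo "aws cloudformation describe-stack-set-operation --stack-set-name $STACK_SET --operation-id <OperationId>"
    echo "aws cloudformation delete-stack-set --stack-set-name $STACK_SET"
    return 0
  fi
  # Word splitting of $accounts/$regions is intentional: the CLI takes lists.
  op_id=$(aws cloudformation delete-stack-instances --stack-set-name "$STACK_SET" \
    --accounts $accounts --regions $regions "$retain" \
    --query OperationId --output text) || return 1
  # Instance deletion is asynchronous; the stack set cannot be deleted until it ends.
  while :; do
    status=$(aws cloudformation describe-stack-set-operation \
      --stack-set-name "$STACK_SET" --operation-id "$op_id" \
      --query StackSetOperation.Status --output text) || return 1
    case "$status" in
      SUCCEEDED) break ;;
      FAILED|STOPPED) echo "operation $op_id ended as $status" >&2; return 1 ;;
    esac
    sleep 15
  done
  aws cloudformation delete-stack-set --stack-set-name "$STACK_SET"
}

# Constructed placeholder account IDs and region; prints the plan only.
cleanup_stack_set "111111111111 222222222222" "us-east-1" retain
```

Run it from the management account with the default `DRY_RUN=1` first and review the printed commands before setting `DRY_RUN=0`.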


I think you need to unmanage the old account first and then rebuild the Control Tower. Then deploy Control Tower with existing accounts.

Answered 8 months ago


