AWS Control Tower failed to set up your landing zone completely: You don't have permissions to access this resource

0

I have already decommissioned AWS tower from ap-northeast-1 and want to reconfigure AWS tower again in the same region, ap-northeast-1. But when I set up the landing zone again, I received this error message:

"AWS Control Tower failed to set up your landing zone completely: You don't have permissions to access this resource"

Can someone help me with this issue? I would really appreciate it, as it's high priority.

-->> Already performed manual decommission process <<--

2 Answers
0

Looks like it is not possible to re-create the landing zone. Please refer to the Control Tower documentation at: https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html

Suggest you log a support request to confirm the above.

==== Extracted from the documentation ====

! Important

We strongly recommend that you perform this decommissioning process only if you intend to stop using your landing zone. It is not possible to re-create your existing landing zone after you've decommissioned it. https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html

AWS
answered a year ago
0

You can recreate the landing zone, but it needs a couple of manual operations after decommissioning. You can find a great walkthrough in this link

In this case in particular: I've seen that exact error message twice, and in both cases the issue was that CT's roles or policies or both were still there. You can delete them with the following commands:

# Detach the policies from the roles (set AWS_ACCOUNT to your account ID first)
aws iam detach-role-policy --role-name AWSControlTowerAdmin --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerAdminPolicy
aws iam detach-role-policy --role-name AWSControlTowerCloudTrailRole --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerCloudTrailRolePolicy
aws iam detach-role-policy --role-name AWSControlTowerStackSetRole --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerStackSetRolePolicy

# Delete policies
aws iam delete-policy --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerAdminPolicy
aws iam delete-policy --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerCloudTrailRolePolicy
aws iam delete-policy --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerStackSetRolePolicy

# Delete roles
aws iam delete-role --role-name AWSControlTowerAdmin
aws iam delete-role --role-name AWSControlTowerCloudTrailRole
aws iam delete-role --role-name AWSControlTowerStackSetRole

Hope it helps

AWS
mtind
answered a year ago
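
A read-only pre-flight check for the situation this answer describes, as an added example that is not part of the original answer or of AWS documentation: it reports which of the three roles and policies named above still exist before landing zone setup is attempted again. The function names `ct_probe` and `ct_leftovers` are hypothetical, and reporting any failure other than `NoSuchEntity` as "unknown" is an assumption made so that a denied lookup is not mistaken for a clean account.

```shell
#!/bin/sh
# Added example: report leftover Control Tower IAM roles/policies (read-only).
# Role names come from the answer above; each policy is "<role name>Policy".
CT_ROLES="AWSControlTowerAdmin AWSControlTowerCloudTrailRole AWSControlTowerStackSetRole"

# Run one IAM lookup and classify it as "present", "absent" or "unknown".
# "unknown" covers AccessDenied, expired credentials, throttling and so on.
ct_probe() {
    if err=$("$@" 2>&1 >/dev/null); then
        echo present
    else
        case "$err" in
            *NoSuchEntity*) echo absent ;;
            *) echo unknown ;;
        esac
    fi
}

# Print one line per role or policy that is not confirmed absent.
# Returns 0 only when all six lookups came back NoSuchEntity.
ct_leftovers() {
    account="$1"
    status=0
    for role in $CT_ROLES; do
        arn="arn:aws:iam::${account}:policy/service-role/${role}Policy"
        r=$(ct_probe aws iam get-role --role-name "$role")
        p=$(ct_probe aws iam get-policy --policy-arn "$arn")
        [ "$r" = absent ] || { echo "role $role: $r"; status=1; }
        [ "$p" = absent ] || { echo "policy $arn: $p"; status=1; }
    done
    return "$status"
}

# Run as: sh ct_check.sh <12-digit account ID> (needs iam:GetRole, iam:GetPolicy)
if [ "$#" -gt 0 ]; then
    ct_leftovers "$1"
fi
```

A non-zero exit with only "present" lines means the cleanup commands above still have work to do; any "unknown" line should be resolved before trusting the result.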
