How do I resolve "Not authorized to baseline the VPC in the enrolled account" errors in AWS Control Tower?

Short description

You receive the following error when you try to set up or update a landing zone:

"AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account."

You receive the following error when you use AWS Control Tower Account Factory to create an AWS account or update an enrolled account:

"AWS Control Tower could not enroll your account for the following reason: AWS Control Tower is not authorized to baseline the VPC in the enrolled account."

You might receive the preceding errors for the following reasons:

• AWS Control Tower has insufficient permissions to perform required Amazon Virtual Private Cloud (Amazon VPC) actions. For example, this happens when the AWS Identity and Access Management (IAM) role AWSControlTowerExecution has its actions restricted. The role's actions can be restricted by service control policies (SCPs) or policies associated with the role.
• AWS Control Tower can't delete the existing default VPC in your governed AWS Regions because of its resource dependencies.

Note: If you use Account Factory to create an account, then AWS Control Tower automatically deletes the default Amazon VPC and configures a new Amazon VPC in your governed Regions. If you enroll an existing account, then AWS Control Tower doesn't remove the default Amazon VPC or create a new Amazon VPC for that account.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Important: A member account refers to different accounts depending on your failure type. For landing zone failures, complete the steps in Log archive and Audit accounts. For account enrollment failures, complete the steps in the member account that failed to enroll.

Review the CloudTrail events in the member account

To identify the failed action, complete the following steps in all your AWS Control Tower Regions:

1. Open the AWS CloudTrail console in the member account that failed to enroll, and then choose Event history.
2. Choose the filter icon, and then select Event source.
3. In the search box, enter ec2.amazonaws.com as the event source.
4. Select the Filter by date and time box, and then choose Absolute range.
5. Enter the start date, end date, and time of the operation failure period, and then choose Apply.
6. Choose the settings icon, activate Error Code, and then choose Confirm.
7. To identify failed events, look for UnauthorizedOperation, AccessDenied, DependencyViolation, or CannotDelete error codes in the Error code column.
8. Select the event for a detailed error message.
9. Review the error message from the failed CloudTrail event to identify the probable cause. If the error message shows an unauthorized or insufficient permission error, then complete the steps in the Verify SCPs and AWSControlTowerExecution role permissions section. If the error is related to a resource dependency, then complete the steps in the Identify and delete default VPCs in AWS Control Tower Regions section.

Verify SCPs and AWSControlTowerExecution role permissions

The AWSControlTowerExecution IAM role must have administrator permissions with a trust relationship to the management account of AWS Organizations. Make sure that the SCPs of organizations or policies associated with the role don't restrict the role's actions.

Complete the following steps:

1. Open the Organizations console in your AWS Control Tower management account.
2. From the navigation pane, choose AWS accounts.
3. In the search box, search for and then select the account ID that failed to enroll.
4. Choose the Policies tab and make sure that the FullAWSAccess SCP is attached to all entities of organizations, including the root, organizational unit (OU), and account.
5. Review all the attached SCPs to identify any restriction for ec2 actions.
6. Detach custom SCPs from the entity temporarily. Or, modify the SCPs to use a Condition block to exempt the AWSControlTowerExecution IAM role.

The following example SCP denies all EC2 actions except when performed by the AWSControlTowerExecution role:

{
    "Version":"2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": [
                        "arn:aws:iam::*:role/AWSControlTowerExecution"
                    ]
                }
            }
        }
    ]
}

Identify and delete default VPCs in AWS Control Tower Regions

AWS Control Tower can't delete the existing default VPC in your governed Regions because of its resource dependencies. To find and manually delete the default VPC in your AWS Control Tower Regions, take the following actions.

Find default VPCs

You can use the console or AWS CLI to find default VPCs in the AWS Control Tower Regions of the member accounts.

Note: Make sure that you complete the following steps in each AWS Control Tower Region.

To use the console, complete the following steps:

1. Sign in to your member account, and then open the Amazon VPC console.
2. From the navigation pane, choose Your VPCs.
3. Identify the VPCs where Default VPC is set to Yes.

To use the AWS CLI, run the following bash script in your member account:

for region in YOUR_REGION_1 YOUR_REGION_2;
do
echo "Running in $region"
aws ec2 describe-vpcs --filters Name=isDefault,Values=true --region $region;
done

Note: Replace YOUR_REGION_1 and YOUR_REGION_2 with AWS Control Tower Regions.

Delete default VPCs

Important: Before you delete a VPC, you must remove all the resources associated with the VPC. Deleting default VPCs can affect existing resources or applications that depend on them. It's a best practice to review the contents of a VPC before you delete it.

You can use the console or AWS CLI to delete default VPCs in your AWS Control Tower Regions.

To use the console, complete the following steps:

1. Sign in to your member account and open the Amazon VPC console.
2. Select your default VPC.
3. Choose Actions, and then choose Delete VPC.
4. In the Delete VPC dialog box, select the I acknowledge that I want to delete my Default VPC checkbox.
   Note: When you select this option, you delete all elements associated with your VPC, including subnets and security groups.
5. In the confirmation box, enter delete default vpc, and then choose Delete.

To use the AWS CLI, run the following delete-vpc command:

aws ec2 delete-vpc --vpc-id vpc-xxxxxxx --region YOUR_REGION

Note: Replace vpc-xxxxxxx with your VPC ID and YOUR_REGION with your Region.

Finally, retry the landing zone setup or account enrollment operation in AWS Control Tower.

Unenroll and then reenroll the account

Important: Complete the following steps only if your member account enrollment fails. If you have landing zone failures, then skip this section.

To prevent AWS Control Tower from removing default VPCs that have important dependencies in your member account, unenroll the account from AWS Control Tower. Then, manually enroll the account with its prerequisites.