Control Tower Setup Errors


IHAC that attempted to decommission a Landing Zone using the prescriptive guidance in the documentation. They were unable to delete the AWSServiceRoleforAWSControlTower role because it stated it cannot delete the Service Linked Role because it is part of a managed account. It was linked to EventBridge and Security Hub (disabled in the account).

They attempted to set up the LZ again and ran into the following error. They cannot decommission again through the dashboard. Retry fails. Any guidance would be greatly appreciated.

ERROR: "Service role name AWSServiceRoleforAWSControlTower has been taken in this account, please try a different suffix."

  • Have they tried deleting the IAM Role?

AWS
asked 10 months ago, 209 views
1 Answer

Hi @rePost-User-2950933!

This appears to be an error that occurs when there’s already a service-linked role for controltower.amazonaws.com. Because IAM roles cannot be created with the same name, the error suggests that you add a different suffix to the name. For that, you can just try adding a custom prefix using the "--custom-suffix" command option [1]. If you are looking for a way to analyze whether there are any other services using this role, or even to make sure that EventBridge and Security Hub are not using the role anymore, you can perform an access analysis using IAM [2].

References:

[1] https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-service-linked-role.html

[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html?icmpid=docs_iam_console

AWS
answered 9 months ago
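
The access check suggested in the answer above, as an added example that is not part of the original thread and is not AWS's own code: it reads the JSON returned by `aws iam get-service-last-accessed-details` for a role and lists the service namespaces the role authenticated to inside a recency window. The sample report, the 30-day default window and the function name `recently_used` are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of the JSON printed by the second of these two commands:
#   aws iam generate-service-last-accessed-details --arn <role-arn>
#   aws iam get-service-last-accessed-details --job-id <JobId>
SAMPLE = json.loads("""
{
  "JobStatus": "COMPLETED",
  "IsTruncated": false,
  "ServicesLastAccessed": [
    {"ServiceName": "Amazon EventBridge", "ServiceNamespace": "events",
     "LastAuthenticated": "2024-05-28T09:15:00+00:00", "TotalAuthenticatedEntities": 1},
    {"ServiceName": "AWS Security Hub", "ServiceNamespace": "securityhub",
     "LastAuthenticated": "2023-11-02T17:40:00+00:00", "TotalAuthenticatedEntities": 1},
    {"ServiceName": "AWS CloudTrail", "ServiceNamespace": "cloudtrail",
     "TotalAuthenticatedEntities": 0}
  ]
}
""")

def recently_used(report, now, window_days=30):
    """Return {namespace: whole days since last use} for services used inside the window."""
    status = report.get("JobStatus")
    if status != "COMPLETED":
        # IN_PROGRESS or FAILED: the service list is not usable yet
        raise ValueError(f"report not ready: JobStatus={status}")
    if report.get("IsTruncated"):
        # A partial list could hide a service that is still in use
        raise ValueError("partial report: fetch the next page with --marker")
    active = {}
    for svc in report.get("ServicesLastAccessed", []):
        stamp = svc.get("LastAuthenticated")  # absent if never used in the tracking period
        if stamp is None:
            continue
        last = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        age = (now - last).days
        if age <= window_days:
            active[svc["ServiceNamespace"]] = age
    return active

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for namespace, age in recently_used(SAMPLE, now).items():
        print(f"{namespace}: last authenticated {age} day(s) ago")
```

An empty result means the role made no authenticated calls to any service inside the chosen window.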
