AWS Control Tower setup failed on "Configure AWS CloudTrail", ROLL_BACK Failed.

0

I'm trying to run a Control Tower setup in an account that I've had for years but has little content in it.

The error I receive is:
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-west-2:801752849026:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/906fce90-7121-11ee-bd89-0a5d339bd103.

When I look at the stack, I see that it is failing on "Configure AWS CloudTrail" and the Status is "ROLL_BACK Failed" and the Reason is: The following resource(s) failed to delete: [TrailLogGroup]. NOTE: I've tried re-running this several times.

Based on this excerpt from the decommissioning walk through:

CloudWatch Logs Log Group A CloudWatch Logs log group, aws-controltower/CloudTrailLogs, is created as part of the blueprint named AWSControlTowerBP-BASELINE-CLOUDTRAIL-MANAGEMENT. This log group is not removed. Instead, the blueprint is deleted and the resources are retained.

I manually removed that Log Group and re-ran the Control Tower setup but got the same error.

If I need to completely destroy everything in my existing account and start over, that is fine with me. Just hoping to figure out how to fix this before resorting to that.

Lisa
asked 6 months ago · 423 views
3 Answers
0
Accepted Answer

CloudWatch Logs log group, aws-controltower/CloudTrailLogs, is created as part of the blueprint named AWSControlTowerBP-BASELINE-CLOUDTRAIL-MANAGEMENT. This log group is not removed. Instead, the blueprint is deleted and the resources are retained. This log group must be deleted manually before you set up another landing zone.

Customers on landing zone 3.0 and later do not need to delete their individual enrolled account’s CloudTrail logs and CloudTrail logs roles, because these are created in the management account only, for the organization-level trail.

Beginning with landing zone version 3.2, AWS Control Tower creates an EventBridge rule, called AWSControlTowerManagedRule. This rule is created in each member account, for all governed Regions. The rule is not deleted automatically during decommissioning, so you must delete it manually from the shared and member accounts for all governed Regions before you can set up a landing zone in a new Region.

You can look at the link below for more details.

https://docs.aws.amazon.com/controltower/latest/userguide/resources-not-removed.html

Sachin
answered 6 months ago
  • Thank you Sachin for your fast and detailed reply! I was referring to the link that you posted when I mentioned that I manually deleted the CloudTrailLogs group - what I'm not sure of is whether there is anything that I can do to address the error that I posted and then retry the Control Tower setup? Or do I need to follow the full decommission process and manual removal of the resources in that link before trying again?
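An added example (not from this thread or from AWS) of a pre-flight check for the leftovers the accepted answer lists: the `aws-controltower/CloudTrailLogs` log group and the `AWSControlTowerManagedRule` EventBridge rule. The report logic is a pure function over an inventory dict so it can be tested offline; `collect_inventory` fills that dict from the current account with real boto3 calls (`describe_log_groups`, `list_rules`) and is only needed when you run it against AWS. The region list and the sample inventory are constructed; run it once per account (management and each member) for every governed Region.

```python
import json

# Resource names documented in the AWS page linked in the answer above.
LEFTOVER_LOG_GROUP = "aws-controltower/CloudTrailLogs"
LEFTOVER_RULE = "AWSControlTowerManagedRule"


def leftovers_from_inventory(inventory):
    """Return [(region, kind, name)] for every retained Control Tower resource.

    inventory: {region: {"log_groups": [names], "rules": [names]}}.
    Pure function, so it can be checked without AWS credentials.
    """
    found = []
    for region in sorted(inventory):
        entry = inventory[region]
        for name in entry.get("log_groups", []):
            if name == LEFTOVER_LOG_GROUP:
                found.append((region, "log_group", name))
        for name in entry.get("rules", []):
            if name == LEFTOVER_RULE:
                found.append((region, "eventbridge_rule", name))
    return found


def collect_inventory(regions):
    """Build the inventory for the current account (real API calls, needs credentials)."""
    import boto3  # imported here so the offline part works without boto3 installed

    inventory = {}
    for region in regions:
        logs = boto3.client("logs", region_name=region)
        groups = [
            g["logGroupName"]
            for page in logs.get_paginator("describe_log_groups").paginate(
                logGroupNamePrefix="aws-controltower/"
            )
            for g in page["logGroups"]
        ]
        events = boto3.client("events", region_name=region)
        rules = [
            r["Name"]
            for page in events.get_paginator("list_rules").paginate(NamePrefix=LEFTOVER_RULE)
            for r in page["Rules"]
        ]
        inventory[region] = {"log_groups": groups, "rules": rules}
    return inventory


# Constructed sample: what collect_inventory might return for an account where the
# previous landing zone's home Region still holds both retained resources.
SAMPLE_INVENTORY = {
    "us-west-2": {
        "log_groups": ["aws-controltower/CloudTrailLogs", "/aws/lambda/unrelated"],
        "rules": ["AWSControlTowerManagedRule"],
    },
    "us-east-1": {"log_groups": [], "rules": ["SomeOtherRule"]},
}

if __name__ == "__main__":
    # Replace SAMPLE_INVENTORY with collect_inventory(["us-west-2", "us-east-1"])
    # to inspect a real account.
    leftovers = leftovers_from_inventory(SAMPLE_INVENTORY)
    if leftovers:
        print("Delete these before re-running the landing zone setup:")
        print(json.dumps(leftovers, indent=2))
    else:
        print("No retained Control Tower resources found.")
```

Once the report names a Region, the log group goes with `aws logs delete-log-group --log-group-name aws-controltower/CloudTrailLogs --region <REGION>`; an EventBridge rule must have its targets removed (`aws events remove-targets`) before `aws events delete-rule --name AWSControlTowerManagedRule` will succeed.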

0

Success! I not only manually deleted the CloudTrailLogs group but then I removed the IAM Identity Center. After that I re-ran the Control Tower Landing Zone setup and it completed successfully. :-)

Lisa
answered 6 months ago
0

I had a similar problem. While looking for answers, I ended up visiting this post, but the solutions above did not work for me, so in case other people face the same issue, here is what I experienced/found out:

In the failed CloudFormation stack, there is a tab "Events" where you can find more information regarding why the create failed. This can actually be a good start to finding the cause of the problem. The information there was, in my case, more detailed than the error message on the Control Tower page.

In my case the cause was "insufficient permissions for the S3 logging bucket or the KMS key". Apparently when providing a KMS key while setting up Control Tower, you have to manually set a number of permissions on the KMS key before launching the landing zone setup, which I didn't know.

This sounds logical, but I'm kind of new to AWS, so I'm still learning.

A procedure can be found in the article below:

https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.html

I hope this helps others :-)

answered 2 months ago
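An added example (not from this thread or from AWS) that checks a customer-managed KMS key policy for the grants the linked guide requires before launching the landing zone: the CloudTrail and AWS Config service principals each need `kms:GenerateDataKey` and `kms:Decrypt`. The required-action set is reconstructed from that guide, the sample policy is constructed, and the account id, Region and key id in it are placeholders.

```python
import fnmatch
import json

# Service principals and KMS actions the Control Tower guide (configure-kms-keys.html)
# asks you to allow on the key. Reconstructed from that guide, not quoted from this thread.
REQUIRED_GRANTS = {
    "cloudtrail.amazonaws.com": {"kms:GenerateDataKey", "kms:Decrypt"},
    "config.amazonaws.com": {"kms:GenerateDataKey", "kms:Decrypt"},
}


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allowed_actions_for_service(policy, service):
    """Collect every action the key policy allows to a given service principal.

    Wildcards such as "kms:GenerateDataKey*" are kept verbatim and matched later.
    """
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # a bare "*" principal is not a service grant
        if service not in _as_list(principal.get("Service")):
            continue
        allowed.update(_as_list(stmt.get("Action")))
    return allowed


def missing_kms_grants(policy):
    """Return {service: [missing actions]} for each required grant the policy lacks."""
    missing = {}
    for service, required in REQUIRED_GRANTS.items():
        allowed = allowed_actions_for_service(policy, service)
        gaps = sorted(
            action
            for action in required
            if not any(fnmatch.fnmatchcase(action, pattern) for pattern in allowed)
        )
        if gaps:
            missing[service] = gaps
    return missing


# Constructed sample key policy, in the shape returned by
#   aws kms get-key-policy --key-id <KEY_ID> --policy-name default --output text
# It has the default root statement and a CloudTrail grant, but no Config grant.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudTrail to use KMS for encryption",
      "Effect": "Allow",
      "Principal": {"Service": "cloudtrail.amazonaws.com"},
      "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
      "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
    }
  ]
}
""")

if __name__ == "__main__":
    gaps = missing_kms_grants(SAMPLE_POLICY)
    if gaps:
        print("Key policy is missing grants Control Tower needs:")
        for service, actions in gaps.items():
            print(f"  {service}: {', '.join(actions)}")
    else:
        print("Key policy grants CloudTrail and Config the required KMS actions.")
```

The check is deliberately permissive about action wildcards (`kms:*` or `kms:GenerateDataKey*` satisfy a requirement) and does not evaluate `Condition` blocks; a statement that scopes the grant with `aws:SourceArn`, as the guide shows, still counts as present, so treat a clean result as necessary rather than sufficient.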
