AWS Control Tower setup failed on "Configure AWS CloudTrail", ROLL_BACK Failed.

0

I'm trying to run a Control Tower setup in an account that I've had for years but has little content in it.

The Error I receive is:
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-west-2:801752849026:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/906fce90-7121-11ee-bd89-0a5d339bd103.

When I look at the stack, I see that it is failing on "Configure AWS CloudTrail" and the Status is "ROLL_BACK Failed" and the Reason is: The following resource(s) failed to delete: [TrailLogGroup]. NOTE: I've tried re-running this several times.

Based on this excerpt from the decommissioning walk through:

CloudWatch Logs Log Group A CloudWatch Logs log group, aws-controltower/CloudTrailLogs, is created as part of the blueprint named AWSControlTowerBP-BASELINE-CLOUDTRAIL-MANAGEMENT. This log group is not removed. Instead, the blueprint is deleted and the resources are retained.

I manually removed that Log Group and re-ran the Control Tower setup but got the same error.

If I need to completely destroy everything in my existing account and start over, that it fine with me. Just hoping to figure out how to fix this before resorting to that.

Lisa
asked 9 months ago590 views
3 Answers
0
Accepted Answer

CloudWatch Logs log group, aws-controltower/CloudTrailLogs, is created as part of the blueprint named AWSControlTowerBP-BASELINE-CLOUDTRAIL-MANAGEMENT. This log group is not removed. Instead, the blueprint is deleted and the resources are retained.This log group must be deleted manually before you set up another landing zone.

Customers on landing zone 3.0 and later do not need to delete their individual enrolled account’s CloudTrail logs and CloudTrail logs roles, because these are created in the management account only, for the organization-level trail.

Beginning with landing zone version 3.2, AWS Control Tower creates an EventBridge rule, called AWSControlTowerManagedRule. This rule is created in each member account, for all governed Regions. The rule is not deleted automatically during decommissioning, so you must delete it manually from the shared and member accounts for all governed Regions before you can set up a landing zone in a new Region.

You can look to below link for more details.

https://docs.aws.amazon.com/controltower/latest/userguide/resources-not-removed.html

Sachin
answered 9 months ago
  • Thank you Sachin for your fast and detailed reply! I was referring to the link that you posted when I mentioned that I manually deleted the CloudTrailLogs group - what I'm not sure of is whether there is anything that I can do to address the error that I posted and then retry the Control Tower setup? Or do I need to follow the full decommission process and manual removal of the resources in that link before trying again?

0

Success! I not only manually deleted the CloudTrailLogs group but then I removed the IAM Identity Center. After that I re-ran the Control Tower Landing Zone setup and it completed successfully. :-)

Lisa
answered 9 months ago
0

I had a similar problem. While looking for answers, I ended up visiting this post, but above solutions did not work for me, so in case other people face the same issue, here is what I experienced/found out:

In the failed CloudFormation stack, there is a tab "Events" where you can find more information regarding why the create failed. This can actually be a good start to finding the cause of the problem. The information there was, in my case, more detailed than the error message on the Control Tower page.

In my case the cause was "insufficient permissions for the S3 logging bucket or the KMS key". Apparently when providing a KMS key while setting up Control Tower, you have to manually set a number of permissions on the KMS key before launching the landing zone setup, which i didn't know.

This sounds logical, but I'm kind of new to AWS, so I'm still learning.

A procedure can be found in the acticle below:

https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.html

I hope this may helps others :-)

answered 4 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions