An error occurred while setting up your landing zone

0

Hello!

We are evaluating AWS Control Tower and trying to set up a landing zone. It looks like it has set up the log archive and audit accounts when I look under AWS Organizations, and also set up AWS SSO, but errored out with "AWS Control Tower failed to set up your landing zone completely: An error occurred while setting up your landing zone. Try again later. If this persists, contact AWS Support." When I click "Retry", I see the following error appear: "AWS Control Tower was unable to find your previous shared accounts, so we will need to create new shared accounts. You will need to enter new email addresses for those accounts." Filling in the emails and clicking "Set up landing zone" results in the first error again, after about 2 minutes.

I also looked in the browser console when I hit "Retry" and this 400 error shows up on the endpoint "https://console.aws.amazon.com/controltower/api/controltower":

{"__type":"ResourceNotFoundException","Message":"No core service resource of type LOGGING found."}

This is a brand new AWS account just created a few hours ago, with no resources in it, and no organization associated at first. It seems now that I have attempted to provision a Landing Zone, my account is a member of an organization, and Control Tower is stuck in this retry loop. Any thoughts? Thank you!

asked 5 years ago1089 views
6 Answers
0

I have very similar error. A brand new account and I tired to use ControlTower after few hours of account creation. I can see it created the two OUs and new AWS accounts for Log and Audits as well as SSO but now ControlTower screen is complaining that it cannot use an account which is already member of AWS Org or have SSO Setup which is pretty annoying.

answered 5 years ago
0

Few things to check:

  • Check https://console.aws.amazon.com/servicequotas/ to ensure you have not exceeded any quotas
  • Check CloudWatch for errors
  • Check CloudFormation StackSets to see errors if it got that far
  • Ensure the email addresses you are using for the Logging & Audit accounts use the same domain as your master accoun, are less than 65 characters long, and are not associated with any other AWS accounts
  • Ensure your payment method is valid and you do not have a past due invoice
  • Follow this guide to make sure you have your account cleaned up and retry the creation: https://docs.aws.amazon.com/controltower/latest/userguide/walkthrough-delete.html
answered 5 years ago
0

Looks like the error persisted, as the message warned it might. Did you contact AWS Support? I'd recommend doing so if you continue to encounter this issue.

answered 5 years ago
0

Hi @Dan@AWS, I did not contact AWS support. We do not have a support subscription on this account, since it is for evaluation purposes. Our primary account, which is separate, has Business support. I think I'm going to end up paying for Developer support on this account to open the ticket.

It has persisted even after cleaning everything it created up and deleting the sub-accounts.

answered 5 years ago
0

After deleting all resources, waiting a day, and trying again, it seems to be working now. There must've been some kind of delay in resource/account/organization deletion that required the wait. Thanks!

answered 5 years ago
0

Glad to hear your issue cleared up!

answered 5 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions