It seems like there's an issue with AWS Control Tower recognizing the Organizational Unit (OU) for the deployment of the control. This could be due to a few reasons.
- The OU ID is not registered with Control Tower: Control Tower maintains its own management of OUs separate from AWS Organizations. Even if the OU exists and is recognized by AWS Organizations, if it hasn't been registered with Control Tower, you'll face this issue. Make sure to register the OU with Control Tower. You can verify it by logging into your AWS Management Console, navigating to Control Tower, and checking the Organizational Units under the "Organizational units" section. You can read more in the following documentation article: Register an existing organizational unit with AWS Control Tower
- The OU was not created through Control Tower: If the OU was created directly in AWS Organizations and not through the Control Tower console or the Control Tower account factory, this could be the cause of the issue. AWS Control Tower applies a set of guardrails and settings to the OUs and accounts it manages. If an OU is created directly through AWS Organizations, Control Tower might not recognize it. Read the following article if you are failing to register the OU: Common causes of failure during registration or re-registration
- There could be a delay in Control Tower recognizing the OU: If you just created or registered the OU, there might be a delay in Control Tower recognizing it. You can wait for a while and try again.
If you have already verified the above and are still encountering issues, you might want to reach out to AWS Support for a more in-depth analysis. It's hard to pinpoint without a more detailed understanding of your environment.
If the answer is helpful, please click "Accept Answer" and upvote it.
It seems that the current deployment method "stack_set" does not take into consideration the enabling of recommended controls listed in the Control Tower console page. The CfCT solution deploys only CloudFormation stacks in the child accounts, but the AWS::ControlTower::EnabledControl resource needs to be created in the management account. The error shown in fact comes from the child accounts.
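For reference, this is what a minimal template for the resource type named above looks like. It is an added example written for this page, not code from the thread or from the CfCT project, and it has to be deployed as a plain stack in the Control Tower management account (in the Control Tower home region), not pushed to child accounts through a stack set. The control identifier and the OU ARN are placeholders: the control shown is the AWS-GR_ENCRYPTED_VOLUMES guardrail, and the account, organization and OU IDs are made up. Control Tower processes control operations one at a time, so when a template enables several controls, each EnabledControl resource should depend on the previous one to avoid a concurrent-operation failure.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Enable Control Tower controls on an OU. Deploy from the management
  account only; child accounts cannot create these resources.

Parameters:
  TargetOuArn:
    Type: String
    # Placeholder value; replace with the ARN of an OU that is already
    # registered with Control Tower (it must show up under
    # "Organizational units" in the Control Tower console).
    Default: arn:aws:organizations::123456789012:ou/o-exampleorgid/ou-exam-12345678

Resources:
  # Control ARNs use the Control Tower home region and an empty account field.
  EnableEncryptedVolumes:
    Type: AWS::ControlTower::EnabledControl
    Properties:
      ControlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES
      TargetIdentifier: !Ref TargetOuArn

  # Second control, serialized behind the first with DependsOn so that
  # Control Tower never receives two enable operations at once.
  EnableRestrictRootUser:
    Type: AWS::ControlTower::EnabledControl
    DependsOn: EnableEncryptedVolumes
    Properties:
      ControlIdentifier: arn:aws:controltower:us-east-1::control/AWS-GR_RESTRICT_ROOT_USER
      TargetIdentifier: !Ref TargetOuArn
```

If the stack fails because the target OU is not recognized, check the OU registration first (the first answer in this thread covers that); the resource will not succeed against an OU that exists only in AWS Organizations.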
Thank you for the proposed solutions! Yes, I've already checked all the above. The OU was created and registered with CT more than a week ago. Also, the 2 AWS accounts were provisioned at the same moment. I'll reach out to AWS Support.