By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Control Tower creation issue

0

Hi, I created a new account and then immediately went to creating control tower. Everything seemed to work except I have this error: Error "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot deploy the required stack set because the bucket policy for the logging bucket, aws-controltower-logs-642978469219-us-east-1, is incorrect."

I'm not seeing this bucket anywhere, what should I do? And whatever it is do I do it in control tower? Thanks.

Topics
Management & Governance
Tags
AWS Control Tower
Language
English
rePost-User-7903133
asked a year ago2074 views
2 Answers
3

Hi @rePost-User-7903133:

I got the same error. I forgot to set permissions in KMS using the following instructions https://docs.aws.amazon.com/en_us/controltower/latest/userguide//kms-guidance.html. After that, I needed to remove two cloudformations AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER and restart the process.

I hope this can help someone.

etoledo
answered 8 months ago
0

Hi User,

very strange behaviour. Normally there should not be a problem when setting up control tower. The logging bucket should be located in the "log archive" account wich was created with control tower. Check out the Cloudformation-Stack-Events for more details.

Also check out the documentation, it explains that there could be problems if you immediatly create a landing zone with control tower in a freshly created account: https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

Landing Zone Launch Failed

Common causes of landing zone launch failure:

    Lack of response to a confirmation email message.

    AWS CloudFormation StackSet failure.

Confirmation email messages: If your management account is less than an hour old, you may encounter issues when the additional accounts are created.
Action to take

If you encounter this issue, check your email. You might have been sent confirmation email that is awaiting response. Alternatively, we recommend that you wait an hour, and then try again. If the issue persists, contact AWS Support

.

Failed StackSets: Another possible cause of landing zone launch failure is AWS CloudFormation StackSet failure. AWS Security Token Service (STS) regions must be enabled in the management account for all AWS Regions that AWS Control Tower is governing, so that the provisioning can be successful; otherwise, stack sets will fail to launch.
Action to take

Be sure to enable all of your required AWS Security Token Service (STS) endpoint regions

before you launch AWS Control Tower.

Currently, AWS Control Tower is supported in the following AWS Regions:

    US East (N. Virginia)

    US East (Ohio)

    US West (Oregon)

    Canada (Central) Region

    Asia Pacific (Sydney)

    Asia Pacific (Singapore) Region

    Europe (Frankfurt) Region

    Europe (Ireland)

    Europe (London) Region

    Europe (Stockholm) Region

    Asia Pacific (Mumbai) Region

    Asia Pacific (Seoul) Region

    Asia Pacific (Tokyo) Region

    Europe (Paris) Region

    South America (São Paulo) Region

AWS Support is probably your best bet in the end.

Sincerely Heiko

profile picture
HeikoMR
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content