
Control Tower setup - Insufficient privileges to create a backup vault. Creating a backup vault requires backup-storage and KMS permissions.

0

I have an existing Organisation and I am trying to set up Control Tower.

I am getting the following error in my dashboard:

Error
AWS Control Tower failed to deploy one or more stack set instances: StackSet Id: AWSControlTowerCentralBackup:xyz, Stack instance Id: arn:aws:cloudformation:eu-central-1:xyz:stack/StackSet-AWSControlTowerCentralBackup-xyz/xyz, Status: OUTDATED, Status Reason: ResourceLogicalId:CentralBackupVault, ResourceType:AWS::Backup::BackupVault, ResourceStatusReason:Resource handler returned message: "Insufficient privileges to create a backup vault. Creating a backup vault requires backup-storage and KMS permissions. (Service: Backup, Status Code: 403, Request ID: xyz) (SDK Attempt Count: 1)" (RequestToken: xyz, HandlerErrorCode: AccessDenied).

I understand I need more permissions, but I am not sure where to set those up. I am logged in to the AWS Console as administrator. Which user is supposed to have the permissions, and what permissions exactly?

Thank you for any help

EDIT:

The problem was with the Backup, so I have been able to deploy Control Tower by disabling the Backup features altogether. Once Control Tower had been successfully deployed, I decided to go back to the Landing Zone settings and enable the Backup features as suggested by @SHAJAM.

  1. AWS Backup not enabled (screenshot: Landing zone settings)

  2. Modify the settings (screenshot: step 3, backup setting)

  3. Wait 35 minutes, and then the same error is shown (screenshot: error)

Can anyone help me with this?

asked a month ago, 95 views
4 Answers
3

I think the error occurs because the AWSControlTowerExecution role in the target account (e.g., Audit or Log Archive) lacks the necessary permissions to create the Backup Vault and interact with KMS. Since this is a StackSet deployment, it is restricted by Service Control Policies (SCPs) or Permissions Boundaries, regardless of your personal Administrator status.

I would check the following:

1. Check Service Control Policies (SCPs):

In the Management Account, go to AWS Organizations > Policies. Ensure no SCP is explicitly denying backup:* or kms:* actions. Look specifically for "Deny-All-Except-Listed-Regions" policies that might be blocking the region eu-central-1.

2. Verify KMS Key Policy:

If you enabled encryption for Control Tower, the KMS Key Policy must allow the cloudformation.amazonaws.com service principal and the AWSControlTowerExecution role to perform kms:CreateGrant and kms:GenerateDataKey.

3. Permissions Boundaries:

Check if the AWSControlTowerExecution role in the target account has a Permissions Boundary attached that excludes the AWS Backup service.

After "relaxing" the SCP or updating the Key Policy, go to the Control Tower Dashboard and select Landing Zone Settings > Repair to re-run the deployment.

answered a month ago
  • Hi @Florian, thank you for the quick response.

    I don't have any SCP related to backup nor Permission boundaries in place.

    I wanted to add the permissions to the KMS key, but I am not sure which account the AWSControlTowerExecution role will be created in. It is not currently present in the account where my Control Tower is being created.

  • I noticed that the Control Tower will add various SCP policies to the Security OU whilst initializing.

    I sat for 30 minutes refreshing the SCP screen, and any time a new policy popped up I just detached it from the Security OU.

    There were 3 policies but this still didn't help and I ended up with the exactly same error.

    I don't know what else to do here. This is not user friendly at all.
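
As an added example for step 1 of the answer above (my code, not part of the original thread and not AWS code), here is a small Python checker that evaluates a set of SCP documents and reports every Deny statement that covers the actions a backup vault deployment needs in a given region. It handles Action/NotAction wildcards and the aws:RequestedRegion condition that "Deny-All-Except-Listed-Regions" policies use; a Deny statement that carries any other condition key is reported as REVIEW rather than evaluated, because whether it applies depends on the caller. The policies are constructed samples, and the action list is an assumption: the error only says "backup-storage and KMS permissions", so backup-storage:MountCapsule is taken from the AWS Backup service role policy rather than from this page.

```python
"""Report SCP Deny statements that would block backup vault creation in a region.
Added example, not AWS code. All policies below are constructed samples."""
import fnmatch
import json

# Assumed subset of what the CentralBackupVault resource exercises; the page
# only names "backup-storage" and KMS, so treat this list as illustrative.
BACKUP_VAULT_ACTIONS = [
    "backup:CreateBackupVault",
    "backup-storage:MountCapsule",
    "kms:CreateGrant",
    "kms:GenerateDataKey",
]


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """IAM action matching is case-insensitive and allows '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _statement_covers(stmt, action):
    """True if the statement's Action (or NotAction) element applies to `action`."""
    if "NotAction" in stmt:
        return not _action_matches(_as_list(stmt["NotAction"]), action)
    return _action_matches(_as_list(stmt.get("Action")), action)


def _region_condition(stmt, region):
    """Evaluate aws:RequestedRegion conditions only.
    Returns True (deny applies), False (deny does not apply in this region), or
    None when the statement has a condition key this checker does not evaluate."""
    cond = stmt.get("Condition")
    if not cond:
        return True
    result = True
    for operator, pairs in cond.items():
        for key, values in pairs.items():
            if key.lower() != "aws:requestedregion":
                return None
            listed = [v.lower() for v in _as_list(values)]
            if operator == "StringEquals":
                result = result and region.lower() in listed
            elif operator == "StringNotEquals":
                result = result and region.lower() not in listed
            else:
                return None
    return result


def denied_actions(scps, actions, region):
    """Map each action to [(policy name, Sid, 'DENIED' | 'REVIEW')] for Deny
    statements that cover it in `region`; actions with no hit are omitted."""
    findings = {}
    for name, document in scps.items():
        for stmt in _as_list(json.loads(document)["Statement"]):
            if stmt.get("Effect") != "Deny":
                continue
            for action in actions:
                if not _statement_covers(stmt, action):
                    continue
                applies = _region_condition(stmt, region)
                if applies is False:
                    continue
                verdict = "DENIED" if applies else "REVIEW"
                findings.setdefault(action, []).append((name, stmt.get("Sid", "<no Sid>"), verdict))
    return findings


# Constructed sample SCPs: a region allow-list that only permits eu-west-1,
# a key-protection policy that does not touch the actions above, and a
# principal-scoped backup deny that needs a human to judge.
SAMPLE_SCPS = {
    "FullAWSAccess": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}),
    "DenyAllOutsideAllowedRegions": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyAllOutsideEU", "Effect": "Deny",
         "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"], "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}),
    "ProtectKmsKeys": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "NoKeyDeletion", "Effect": "Deny",
         "Action": ["kms:ScheduleKeyDeletion", "kms:DisableKey"], "Resource": "*"}]}),
    "DenyBackupExceptBreakGlass": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "BackupOnlyViaCtRole", "Effect": "Deny", "Action": "backup:*", "Resource": "*",
         "Condition": {"StringNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"}}}]}),
}

if __name__ == "__main__":
    for action, hits in denied_actions(SAMPLE_SCPS, BACKUP_VAULT_ACTIONS, "eu-central-1").items():
        for policy, sid, verdict in hits:
            print(f"{verdict}: {action} blocked by {policy} / {sid}")
```

To run it against real policies, replace SAMPLE_SCPS with the Content field of every SCP attached to the target account and to each OU above it (for example from `aws organizations describe-policy --policy-id <id> --query Policy.Content --output text`), since SCP effects are the intersection down the tree; an explicit deny anywhere on that path is enough to produce the 403 in the error.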

1

Check your AWSControlTowerExecution role and confirm it has backup:* and kms:* permissions in the eu-central-1 account. If not, it has to be added to Control Tower's role. Note, backup:* and kms:* are too broad, so you might create granular permissions as needed.

answered a month ago
  • Hi @SHAJAM, where can I find AWSControlTowerExecution? There is no such role in the account I am trying to set up Control Tower from.

1

Checking my own settings again, I think you will need to enable Backup from Landing Zone settings. I have added a screenshot below.

answered a month ago
  • I was able to get through Control Tower initialization by disabling anything related to backup (e.g. Central Backup and Backup Administrator accounts).

    After that I wanted to enable the backup as per your screenshot in the landing zone but it ended up with exactly the same error.

    Any advice here?

0

Hello.

The "AWSControlTowerExecution" role is automatically created for AWS accounts created in Account Factory, but you need to create it yourself if you add an existing account to Control Tower.
Please try adding it using the following documentation as a reference.
https://docs.aws.amazon.com/controltower/latest/userguide/awscontroltowerexecution.html

For accounts in the Security OU (sometimes called core accounts), AWS Control Tower creates the role at the time of initial AWS Control Tower setup.
For an Account Factory account created through the AWS Control Tower console, AWS Control Tower creates this role at the time of account creation.
For a single account enrollment, we ask customers to manually create the role and then enroll the account in AWS Control Tower.
When extending governance to an OU, AWS Control Tower uses the StackSet-AWSControlTowerExecutionRole to create the role in all accounts in that OU.

You need to create an IAM role for each AWS account managed by Control Tower.
The Control Tower management account will then use that IAM role to perform operations.
https://docs.aws.amazon.com/controltower/latest/userguide/conditions-for-role-trust.html

{
  "Version":"2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "controltower.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:controltower:us-west-2:012345678901:*"
        }
      }
    }
  ]
}

answered a month ago
  • Thanks Riku,

    I have been trying to set up Control Tower for an existing Organisation. The setup created a Security OU and 4 accounts inside the OU:

    • Aggregator account
    • Backup administrator
    • Central backup
    • CloudTrail administrator

    All of the accounts already contain AWSControlTowerExecution which has correct trust relation with the main management account and all have AdministratorAccess permissions.

    Do I need to create such roles in all of my accounts manually? I mean in other OUs than the Security OU?
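
An added example (my code, not the thread's and not AWS's) that checks an AWSControlTowerExecution trust policy against the expected management account and home region, in the shape the answer above links to. It accepts two forms as valid, which is an assumption on my part: the controltower.amazonaws.com service principal pinned with an aws:SourceArn condition (as in the answer's JSON), or the management account's root principal (as the comment above describes). A service principal without the aws:SourceArn pin is flagged, because the same service acting for a different customer's account could otherwise assume the role. Account IDs and policies below are constructed samples; 012345678901 is the same placeholder the answer uses.

```python
"""Validate an AWSControlTowerExecution trust policy.
Added example, not AWS code; sample account IDs and policies are constructed."""
import json

SERVICE_PRINCIPAL = "controltower.amazonaws.com"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_values(stmt, operators, key):
    """Collect the values of `key` (case-insensitive) under any of `operators`."""
    values = []
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator in operators:
            for k, v in pairs.items():
                if k.lower() == key.lower():
                    values.extend(_as_list(v))
    return values


def check_trust_policy(policy_json, management_account, home_region):
    """Return a list of findings; an empty list means the policy is as expected."""
    expected_source_arn = f"arn:aws:controltower:{home_region}:{management_account}:*"
    expected_root = f"arn:aws:iam::{management_account}:root"
    doc = json.loads(policy_json)
    stmts = [s for s in _as_list(doc.get("Statement", []))
             if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not stmts:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for idx, stmt in enumerate(stmts):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            # "*" or a bare string principal: anyone could try to assume the role.
            findings.append(f"statement {idx}: Principal is {principal!r}, expected a service or account")
            continue
        for service in _as_list(principal.get("Service", [])):
            if service != SERVICE_PRINCIPAL:
                findings.append(f"statement {idx}: unexpected service principal {service}")
                continue
            # A service principal must be pinned to this management account's
            # Control Tower resources, otherwise any Control Tower customer's
            # landing zone could be used to assume this role (confused deputy).
            sources = _condition_values(stmt, ("ArnEquals", "ArnLike"), "aws:SourceArn")
            if expected_source_arn not in sources:
                findings.append(f"statement {idx}: aws:SourceArn is {sources or 'missing'}, "
                                f"expected {expected_source_arn}")
        for arn in _as_list(principal.get("AWS", [])):
            if arn != expected_root:
                findings.append(f"statement {idx}: AWS principal {arn}, expected {expected_root}")
    return findings


def _policy(principal, condition=None):
    """Build a one-statement trust policy (helper for the constructed samples)."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})


MGMT = "012345678901"  # constructed management account ID (placeholder, as in the answer)
GOOD_SERVICE_POLICY = _policy(
    {"Service": [SERVICE_PRINCIPAL]},
    {"ArnEquals": {"aws:SourceArn": f"arn:aws:controltower:us-west-2:{MGMT}:*"}})
UNPINNED_SERVICE_POLICY = _policy({"Service": [SERVICE_PRINCIPAL]})
MGMT_ROOT_POLICY = _policy({"AWS": f"arn:aws:iam::{MGMT}:root"})
WRONG_ACCOUNT_POLICY = _policy({"AWS": "arn:aws:iam::999999999999:root"})

if __name__ == "__main__":
    for name, policy in [("good", GOOD_SERVICE_POLICY), ("unpinned", UNPINNED_SERVICE_POLICY),
                         ("mgmt-root", MGMT_ROOT_POLICY), ("wrong-account", WRONG_ACCOUNT_POLICY)]:
        print(name, check_trust_policy(policy, MGMT, "us-west-2") or "OK")
```

To check a real role, run it in each enrolled account on the output of `aws iam get-role --role-name AWSControlTowerExecution --query Role.AssumeRolePolicyDocument`, with the management account ID and the home region of your landing zone; for the accounts in the Security OU the role already exists, for other OUs this is the role that Control Tower needs before it can enroll the account.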
