Control Tower Update Failure - Delete delivery Channels - Still fails

0

Hello,

We are trying to add a region to our landing zone settings. We wanted to add California as one of our governed zones.

We modified the landing zone settings, leaving everything the same except adding California under region configuration. We hit update and got an error.

We got the error "AWS Control Tower failed to completely set up your landing zone: AWS Control Tower cannot create an AWS Config delivery channel because one already exists. To continue, delete the existing delivery channel and try again."

We proceeded by stopping the configuration recorder and deleting all delivery channels and configuration records using the CLI in all accounts in all regions.

aws configservice stop-configuration-recorder --configuration-recorder-name [RECORD NAME]
aws configservice delete-delivery-channel --delivery-channel-name [DELIVER CHANNEL NAME]
aws configservice delete-configuration-recorder --configuration-recorder-name [RECORD NAME]

I retried updating the landing zone, which failed again with the same error message.

We set up our Control Tower in 03/2023. We have enabled other dependent resources like Security Hub, Macie, GuardDuty, and other resource-dependent solutions. If we cannot add the California region, how can we revert to our original landing zone setting?

Any advice?

Thanks,

1 Answer
1

Hello dmutuku, I think that you might need to check the configurations in the California region and make sure to delete the aggregator authorization as well. This error generally appears when you enroll a new account in your CT that has an existing Config recorder. To fix this issue, you need to 1/ delete an existing delivery channel, 2/ delete an existing configuration recorder, and 3/ lastly, delete Authorizations in AWS Config console > Aggregators > Authorizations. This documentation should help you understand the details: https://docs.aws.amazon.com/config/latest/developerguide/authorize-aggregator-account-console.html I hope it works. :)

AWS
answered 9 months ago
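
An added example, not part of the original answer: a read-only AWS CLI check that lists the three AWS Config resources the answer names (configuration recorders, delivery channels, aggregation authorizations) still present in each region you pass, so leftovers can be confirmed before retrying the landing zone update. The function names `config_leftovers` and `audit_regions` are hypothetical, `us-west-1` is the region code for N. California, and the script assumes it is run with credentials for the account being checked.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of AWS Config resources left in a region.
# Nothing is deleted; run once per account with that account's credentials.

# Print one line per remaining Config resource in region $1 (nothing if clean).
config_leftovers() {
  region=$1
  # Configuration recorders (names come back whitespace-separated in text mode).
  for name in $(aws configservice describe-configuration-recorders \
      --region "$region" --query 'ConfigurationRecorders[].name' --output text); do
    echo "$region recorder $name"
  done
  # Delivery channels: the resource named in the Control Tower error message.
  for name in $(aws configservice describe-delivery-channels \
      --region "$region" --query 'DeliveryChannels[].name' --output text); do
    echo "$region delivery-channel $name"
  done
  # Aggregation authorizations (Aggregators > Authorizations in the console).
  aws configservice describe-aggregation-authorizations --region "$region" \
      --query 'AggregationAuthorizations[].[AuthorizedAccountId,AuthorizedAwsRegion]' \
      --output text |
  while read -r acct auth_region; do
    if [ -n "$acct" ]; then
      echo "$region aggregation-authorization $acct $auth_region"
    fi
  done
}

# Check every region given as an argument; return 1 if anything is left over.
audit_regions() {
  found=0
  for r in "$@"; do
    out=$(config_leftovers "$r")
    if [ -n "$out" ]; then
      printf '%s\n' "$out"
      found=1
    fi
  done
  return "$found"
}

# Example invocation: ./config_audit.sh us-west-1 us-east-1
if [ "$#" -gt 0 ]; then
  audit_regions "$@"
fi
```

A non-zero exit status means at least one listed resource still exists in one of the checked regions.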
