This is a common issue with new AWS accounts trying to set up Control Tower. Even though your Service Quotas show a limit of 10 accounts, there can be hidden limitations on brand new AWS accounts that aren't immediately reflected in the Service Quotas console.
There are a few approaches to resolve this issue:
- Launch a free tier EC2 instance (such as an Amazon Linux AMI on a t2.micro) in your management account, wait about 15-20 minutes, and then retry the Control Tower setup. This often helps establish account credibility with AWS systems.
- If the first approach doesn't work, you can open a free support case by choosing "Account and Billing" in the AWS Support Center Console. Even without a paid support plan, AWS can assist with account-related issues like this.
- Check if there are any failed provisioned products in Service Catalog that might be blocking the process. If found, you may need to terminate these failed provisioning attempts.
- If Control Tower is partially set up, you might need to decommission the landing zone using the AWS CLI (via CloudShell) before retrying:
  - Use aws controltower list-landing-zones to identify existing landing zones
  - Then aws controltower delete-landing-zone --landing-zone-identifier <identifier>
  - Verify with aws controltower get-landing-zone-operation --operation-identifier <identifier>
After resolving the issue, retry the Control Tower setup with valid email addresses that aren't already associated with AWS accounts.
Sources
Cannot create accounts in my organization | AWS re:Post
ControlTower - Your existing service limits for this AWS account are not sufficient for AWS Control Tower to launch. | AWS re:Post
Unable to Create Account in Control Tower – Email Conflict + Cannot Reset/Delete Control Tower Setup | AWS re:Post
Hey, we hit something similar while setting up Control Tower, even though the account quota wasn’t technically exceeded.
Here’s what we found (and what to check):
- Pending/Failed Account Creations Count Against the Quota: Even if you only see two active accounts (Mgmt + Audit), a failed account creation attempt (like Log Archive) still consumes a quota slot temporarily. It won’t show up in the Organizations console right away, but internally it’s held for retry or cleanup.
  - Check AWS CloudTrail for CreateAccount API events; look for FAILED, IN_PROGRESS, or SUCCEEDED statuses.
  - In Control Tower → Account Factory, or via Service Catalog, check if the Log Archive account request is stuck in progress or failed.
- Service Quota Sync Delays: Sometimes Control Tower doesn’t instantly sync with the updated Organization quota limits, especially right after increasing them or creating accounts. A retry might work after ~30 min.
- Possible Soft Quota at Region or Setup Level: Even though the Organization quota is 10, some setups enforce soft limits per Control Tower deployment or region. Especially if you’ve tried setting up and deleting Landing Zones multiple times, there might be residual artifacts.

Additional steps:
- Go to AWS Organizations → Accounts tab and filter for “suspended” or “pending” accounts.
- Go to CloudTrail → Lookup events → Event Name: CreateAccount and inspect any failures.
- Try removing failed resources manually before re-running setup.

If the slot is still blocked: open an AWS Support ticket and provide the landing zone setup ID and region (eu-south-2). They can release stuck provisioning attempts or increase the limit if needed.
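The checks in the answer above can be scripted. The following is an added example, not code from any of the answers or from AWS: it triages the JSON printed by aws organizations list-create-account-status and by aws cloudtrail lookup-events (filtered on EventName=CreateAccount). The sample records, IDs and timestamps are constructed, and the function names are hypothetical.

```python
import json

# Constructed sample in the shape printed by:
#   aws organizations list-create-account-status --states FAILED IN_PROGRESS SUCCEEDED
SAMPLE_STATUS = {"CreateAccountStatuses": [
    {"Id": "car-example1", "AccountName": "Log Archive", "State": "FAILED",
     "FailureReason": "ACCOUNT_LIMIT_EXCEEDED"},
    {"Id": "car-example2", "AccountName": "Audit", "State": "SUCCEEDED",
     "AccountId": "111111111111"},
    {"Id": "car-example3", "AccountName": "Sandbox", "State": "IN_PROGRESS"},
]}

# Constructed sample in the shape printed by:
#   aws cloudtrail lookup-events \
#     --lookup-attributes AttributeKey=EventName,AttributeValue=CreateAccount
SAMPLE_TRAIL = {"Events": [
    {"EventName": "CreateAccount", "EventTime": "2025-01-01T10:00:00Z",
     "CloudTrailEvent": json.dumps({"errorCode": "ConstraintViolationException",
                                    "errorMessage": "constructed message"})},
    {"EventName": "CreateAccount", "EventTime": "2025-01-01T09:00:00Z",
     "CloudTrailEvent": json.dumps({"responseElements": {"createAccountStatus": {}}})},
]}

def blocked_requests(status_doc):
    """Account-creation requests that did not succeed: (name, state, reason)."""
    return [(s.get("AccountName", "?"), s["State"], s.get("FailureReason"))
            for s in status_doc.get("CreateAccountStatuses", [])
            if s["State"] != "SUCCEEDED"]

def failed_calls(trail_doc):
    """CreateAccount API calls that CloudTrail recorded with an error code."""
    failures = []
    for event in trail_doc.get("Events", []):
        if event.get("EventName") != "CreateAccount":
            continue
        # lookup-events returns the full record as a JSON string
        detail = json.loads(event["CloudTrailEvent"])
        if "errorCode" in detail:
            failures.append((event["EventTime"], detail["errorCode"]))
    return failures

if __name__ == "__main__":
    for name, state, reason in blocked_requests(SAMPLE_STATUS):
        print(f"{name}: {state} ({reason or 'no failure reason yet'})")
    for when, code in failed_calls(SAMPLE_TRAIL):
        print(f"{when}: CreateAccount rejected with {code}")
```

To run it against a real organization, save each command's JSON output to a file and pass the parsed contents to the two functions in place of the samples.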
Hello.
I've seen similar errors in the past.
As stated in the documentation below, service quotas may be set lower than the actual numbers in rare cases.
Therefore, I recommend that you increase your quotas from the Service Quotas screen or contact AWS Support by opening a case under "Account and billing."
https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html
Your account's actual quota value may be less than the AWS default quota value if the account was recently created or if you use the account minimally.