Control Tower Fails by S3 access

Hi community!

I'm trying to deploy Control Tower in my organization. I get the following error message: "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower could not complete the request because the user or role lacks permission to access the S3 resource. AWS S3 has denied access. Contact your administrator or AWS Support."

The settings used are in the following JSON:

{
  "governedRegions": ["us-east-1", "us-west-1"],
  "organizationStructure": {
    "security": { "name": "security" }
  },
  "centralizedLogging": {
    "accountId": "XXXXXXXXXXXXXX",
    "configurations": {
      "loggingBucket": { "retentionDays": 60 },
      "accessLoggingBucket": { "retentionDays": 60 },
      "kmsKeyArn": "arn:aws:kms:us-west-1:123456789123:key/e84XXXXX-6bXX-49XX-9eXX-ecfXXXXXXXXX"
    },
    "enabled": true
  },
  "securityRoles": { "accountId": "XXXXXXXXXXXXXX" },
  "accessManagement": { "enabled": true }
}

Also, I checked the execution role in the accounts for the FullAccessAdminRole, and it is there.

The log and archive accounts do not have any S3 buckets, but the steps "Configuring the audit account" and "Configuring the log archive account" fail with this error.

1 Answer

Accepted Answer

Hello.

The S3 buckets may not be getting created properly in the log archive account.
When you configure the Control Tower landing zone, S3 buckets such as "aws-controltower-logs-" and "aws-controltower-s3-access-logs-" are created in the log archive account.
Please also check whether the creation of a bucket is being denied by an SCP, etc.
https://docs.aws.amazon.com/controltower/latest/userguide/accounts.html#log-archive-account
https://docs.aws.amazon.com/controltower/latest/userguide/shared-account-resources.html#log-archive-resources

answered 2 years ago
  • Thank you Riku_Kobayashi! The problem was an SCP that was restricting the ability to update the bucket policy!
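The check suggested in the answer and confirmed by the comment (an SCP denying bucket-policy updates in the log archive account) can be done offline against the SCP documents before re-running the landing zone setup. The following is an added example, not code from the thread or from AWS; the sample SCPs, the bucket ARN and the list of required S3 actions are constructed assumptions for illustration. In practice the documents would be fetched with the Organizations API (DescribePolicy for each policy returned by ListPoliciesForTarget on the log archive account and its parent OUs).

```python
import fnmatch
import json

# Constructed SCPs for illustration (not from the question). "ProtectS3"
# resembles the culprit in this thread: it blocks bucket-policy updates.
SAMPLE_SCPS = {
    "DenyLeaveOrg": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization",
         "Resource": "*"}]}),
    "ProtectS3": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": ["s3:PutBucketPolicy", "s3:DeleteBucket*"],
         "Resource": "*"}]}),
}
# S3 actions Control Tower needs in the log archive account to create its
# aws-controltower-logs-* / aws-controltower-s3-access-logs-* buckets
# (assumption: an illustrative subset, not AWS's full permission list).
REQUIRED_S3_ACTIONS = ["s3:CreateBucket", "s3:PutBucketPolicy",
                       "s3:PutEncryptionConfiguration", "s3:PutBucketLogging"]
CT_BUCKET_ARN = "arn:aws:s3:::aws-controltower-logs-111122223333-us-east-1"  # constructed

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM patterns use '*' as a wildcard; matching is case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def denied_actions(scp_documents, required=REQUIRED_S3_ACTIONS, arn=CT_BUCKET_ARN):
    """Map each required action to the SCPs whose unconditional Deny statements
    cover it for the bucket ARN; conditional denies are skipped (not evaluable offline)."""
    blocked = {}
    for name, doc in scp_documents.items():
        for stmt in _as_list(json.loads(doc).get("Statement")):
            if stmt.get("Effect") != "Deny" or "Condition" in stmt:
                continue
            if not _matches(_as_list(stmt.get("Resource")), arn):
                continue  # Deny scoped to other resources does not affect CT buckets
            for action in required:
                if _matches(_as_list(stmt.get("Action")), action) or (
                        "NotAction" in stmt
                        and not _matches(_as_list(stmt["NotAction"]), action)):
                    blocked.setdefault(action, []).append(name)
    return blocked

if __name__ == "__main__":
    for action, names in denied_actions(SAMPLE_SCPS).items():
        print(f"{action} is denied by SCP(s): {', '.join(names)}")
```

A hit from this check means the deny must be carved out (for example by scoping the statement's Resource away from the Control Tower buckets) before the landing zone setup can succeed; an empty result only rules out unconditional denies.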
