
Control Tower False Account Limit Error - Confirmed Backend Issue

0

After investigating the problem with Amazon Q for 2 days, Amazon Q concluded that it is 100% an AWS backend problem and asked me to log a support case as below:

DIAGNOSTIC EVIDENCE:
  • ✅ Only 2 accounts in organization (Test01, Audit)
  • ✅ No pending invitations (Handshakes: [])
  • ✅ No stuck account creation processes (all SUCCEEDED)
  • ✅ Organization properly configured (FeatureSet: ALL)
  • ✅ Generated account activity, waited 45+ minutes

ERROR: "AWS Control Tower cannot create an account because you have reached the limit"

CONCLUSION: This is clearly a backend issue. The error message is false.

REQUEST: Immediate escalation to Control Tower engineering team for backend investigation.

Region: eu-west-2 (London)
Management Account: [194208742810]

asked a year ago · 127 views
1 Answer
0

This is indeed a known issue that can occur when setting up AWS Control Tower, even when you haven't actually reached your account limit. Despite Service Quotas showing a limit of 10 accounts and you only having 2 accounts (management account and audit account), there are several possible causes for this false error message:

  1. Hidden limitations on new AWS accounts: Brand new AWS accounts can have hidden limitations that aren't immediately reflected in the Service Quotas console. These soft limits can affect Control Tower's ability to create additional accounts.

  2. Failed account creation attempts still count against quota: Even though the Log Archive account creation failed, it might still be consuming a quota slot temporarily. These failed attempts can remain in the system for some time before being fully cleared.

  3. Service Quota sync delays: Control Tower might not instantly sync with updated Organization quota limits, especially right after creating accounts.

Since you've already tried generating account activity and waited, your next steps should be:

  1. Open a free support case by choosing "Account and Billing" in the AWS Support Center Console. Even without a paid support plan, AWS can assist with account-related issues like this.

  2. You can also try using the AWS CLI to identify and delete any existing landing zone attempts:

  • Use aws controltower list-landing-zones to identify existing landing zones
  • Then aws controltower delete-landing-zone --landing-zone-id <identifier>
  • Verify with aws controltower get-landing-zone-operation --operation-identifier <identifier>

  3. After resolving the issue, retry the Control Tower setup with valid email addresses that aren't already associated with AWS accounts.

This is a backend issue that AWS Support should be able to help resolve, as you've correctly identified.
Sources
AWS Control Tower cannot create an account because you have reached the limit on the number of accounts in your organization. | AWS re:Post
ControlTower - Your existing service limits for this AWS account are not sufficient for AWS Control Tower to launch. | AWS re:Post
Unable to Create Account in Control Tower – Email Conflict + Cannot Reset/Delete Control Tower Setup | AWS re:Post

answered a year ago
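The answer lists three ways a slot can be consumed without showing up as an active account (pending invitations, in-progress or recently failed creations, quota sync lag). The script below is an added example, not code from the re:Post answer or from AWS: it takes the JSON documents that `aws organizations list-accounts`, `aws organizations list-handshakes-for-organization`, `aws organizations list-create-account-status` and `aws service-quotas get-service-quota` print (field names as in the CLI output), counts every visible slot consumer against the quota, and says whether the "reached the limit" error is explained by anything visible. The 24-hour grace window for failed creations and the sample data are assumptions mirroring the question (two accounts, no handshakes, all creations SUCCEEDED, quota of 10).

```python
"""Slot accounting for the Organizations account quota (added example).
Input: the JSON printed by `aws organizations list-accounts`, `list-handshakes-for-organization`,
`list-create-account-status` and `aws service-quotas get-service-quota`."""
from datetime import datetime, timedelta, timezone

PENDING_HANDSHAKE_STATES = {"REQUESTED", "OPEN"}   # invitations that may hold a slot
# Assumption taken from the answer's point 2: a FAILED CreateAccount request can
# keep its slot for a while, so failures newer than this window still count.
FAILED_GRACE = timedelta(hours=24)

def _when(value):
    """CompletedTimestamp is ISO-8601 text in CLI output but a datetime via boto3."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def diagnose(accounts, handshakes, statuses, quota, now=None):
    """Compare every visible slot consumer with the quota and return a verdict."""
    now = _when(now) if now else datetime.now(timezone.utc)
    active = [a for a in accounts["Accounts"] if a.get("Status") == "ACTIVE"]
    invites = [h for h in handshakes["Handshakes"]
               if h.get("State") in PENDING_HANDSHAKE_STATES]
    creating = [s for s in statuses["CreateAccountStatuses"]
                if s.get("State") == "IN_PROGRESS"]
    recent_failed = [s for s in statuses["CreateAccountStatuses"]
                     if s.get("State") == "FAILED" and "CompletedTimestamp" in s
                     and now - _when(s["CompletedTimestamp"]) < FAILED_GRACE]
    limit = int(quota["Quota"]["Value"])
    worst_case = len(active) + len(invites) + len(creating) + len(recent_failed)
    return {
        "active": len(active), "pending_invites": len(invites),
        "in_progress": len(creating), "recent_failed": len(recent_failed),
        "quota": limit, "worst_case": worst_case,
        # Nothing visible fills the quota: that is the case to hand to AWS Support.
        "verdict": "explained" if worst_case >= limit else "unexplained",
    }

# Constructed sample mirroring the question: two ACTIVE accounts, no handshakes,
# every creation SUCCEEDED, quota of 10 (the account IDs below are made up).
SAMPLE = dict(
    accounts={"Accounts": [
        {"Id": "111111111111", "Name": "Test01", "Status": "ACTIVE"},
        {"Id": "222222222222", "Name": "Audit", "Status": "ACTIVE"}]},
    handshakes={"Handshakes": []},
    statuses={"CreateAccountStatuses": [
        {"Id": "car-0001", "AccountName": "Audit", "State": "SUCCEEDED",
         "CompletedTimestamp": "2024-01-01T00:00:00+00:00"}]},
    quota={"Quota": {"QuotaName": "Default maximum number of accounts", "Value": 10.0}},
)
```

Running `diagnose(**SAMPLE)` on the sample yields a worst-case usage of 2 against a quota of 10 and the verdict "unexplained", which is the evidence worth attaching to the support case; feed it the real CLI output (`aws ... --output json`) to check your own organization.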
