AWS Control Tower failed to set up your landing zone completely: You don't have permissions to access this resource

0

I have already decommissioned AWS tower from ap-northeast-1 and want to reconfigure AWS tower again in the same region, ap-northeast-1. But when I set up the landing zone again, I received this error message:

"AWS Control Tower failed to set up your landing zone completely: You don't have permissions to access this resource"

Can someone help me with this issue? I'd really appreciate it, as it's high priority.

-->> Already performed manual decommission process <<--

2 Answers
0

Looks like it is not possible to re-create the landing zone. Please refer to the Control Tower documentation at: https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html

Suggest you log a support request to confirm the above.

==== Extracted from the documentation ====

! Important

We strongly recommend that you perform this decommissioning process only if you intend to stop using your landing zone. It is not possible to re-create your existing landing zone after you've decommissioned it. https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html

AWS
answered a year ago
0

You can recreate the landing zone, but it needs a couple of manual operations after decommissioning. You can find a great walkthrough in this link.

In this case in particular: I've seen exactly that error message twice, and in both cases the issue was that CT's roles or policies or both were still there. You can delete them with the following commands:

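# Account ID of the account these commands run in (the ARNs below need it)
AWS_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)

# Detach the managed policies from the roles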
aws iam detach-role-policy --role-name AWSControlTowerAdmin --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerAdminPolicy
aws iam detach-role-policy --role-name AWSControlTowerCloudTrailRole --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerCloudTrailRolePolicy
aws iam detach-role-policy --role-name AWSControlTowerStackSetRole --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerStackSetRolePolicy

# Delete policies
aws iam delete-policy --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerAdminPolicy
aws iam delete-policy --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerCloudTrailRolePolicy
aws iam delete-policy --policy-arn arn:aws:iam::$AWS_ACCOUNT:policy/service-role/AWSControlTowerStackSetRolePolicy

# Delete roles
aws iam delete-role --role-name AWSControlTowerAdmin
aws iam delete-role --role-name AWSControlTowerCloudTrailRole
aws iam delete-role --role-name AWSControlTowerStackSetRole

Hope it helps

AWS
mtind
answered a year ago
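The cleanup order in the answer above (detach, delete policy, delete role), as an added example that is not part of the original answer. It goes beyond the three fixed commands by also covering inline role policies, non-default policy versions, and policies still attached elsewhere. It assumes the output of `aws iam get-account-authorization-details` has been saved as JSON; the sample data and account ID 111122223333 are constructed.

```python
import json, sys

# Role and policy names come from the answer above; all else is an assumption.
CT_ROLES = {"AWSControlTowerAdmin", "AWSControlTowerCloudTrailRole",
            "AWSControlTowerStackSetRole"}
CT_POLICIES = {name + "Policy" for name in CT_ROLES}

# Constructed sample in the shape of `aws iam get-account-authorization-details`.
ARN = "arn:aws:iam::111122223333:policy/service-role/AWSControlTowerAdminPolicy"
SAMPLE = {
    "RoleDetailList": [{"RoleName": "AWSControlTowerAdmin", "RolePolicyList": [],
                        "AttachedManagedPolicies": [{"PolicyArn": ARN}]}],
    "Policies": [{"PolicyName": "AWSControlTowerAdminPolicy", "Arn": ARN,
                  "AttachmentCount": 1, "PolicyVersionList": [
                      {"VersionId": "v2", "IsDefaultVersion": True},
                      {"VersionId": "v1", "IsDefaultVersion": False}]}],
}

def cleanup_plan(details):
    """Return ordered aws CLI commands that remove leftover Control Tower IAM objects."""
    plan = []
    roles = [r for r in details.get("RoleDetailList", []) if r["RoleName"] in CT_ROLES]
    policies = [p for p in details.get("Policies", []) if p["PolicyName"] in CT_POLICIES]
    # delete-role fails while managed policies are attached or inline policies exist.
    for r in roles:
        name = r["RoleName"]
        for a in r.get("AttachedManagedPolicies", []):
            plan.append(f"aws iam detach-role-policy --role-name {name} --policy-arn {a['PolicyArn']}")
        for inline in r.get("RolePolicyList", []):
            plan.append(f"aws iam delete-role-policy --role-name {name} --policy-name {inline['PolicyName']}")
    for p in policies:
        arn = p["Arn"]
        by_ct = sum(a["PolicyArn"] == arn for r in roles
                    for a in r.get("AttachedManagedPolicies", []))
        if p.get("AttachmentCount", 0) > by_ct:  # still used by something else
            plan.append(f"# REVIEW: {arn} is attached outside the Control Tower roles")
            continue
        # delete-policy fails while non-default versions exist.
        for v in p.get("PolicyVersionList", []):
            if not v["IsDefaultVersion"]:
                plan.append(f"aws iam delete-policy-version --policy-arn {arn} --version-id {v['VersionId']}")
        plan.append(f"aws iam delete-policy --policy-arn {arn}")
    plan += [f"aws iam delete-role --role-name {r['RoleName']}" for r in roles]
    return plan

if __name__ == "__main__":
    # Pass a file holding real CLI output, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print("\n".join(cleanup_plan(data)))
```

The script only prints commands; an empty plan means none of the three roles or policies remain in the account.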
