How to diagnose Control Tower Landing Zone setup failure due to incorrect bucket policy for logging bucket?

1

I tried to perform a basic setup using Control Tower and got the error below. I encountered this error the first time I ran it, and then again after retrying to set up the landing zone.

AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot deploy the required stack set because the bucket policy for the logging bucket, aws-controltower-logs-1111111111111-us-west-2, is incorrect.

How can I diagnose this problem? If I'm relying on Control Tower to create the buckets and policies for me, then shouldn't this be something I don't need to worry about? Is it a bug in Control Tower?

Should I change the bucket policy somehow, and if so, is there guidance on how to change it so Control Tower can finish setting up the landing zone?

Any insight is greatly appreciated. Thanks.

asked a year ago · 830 views
5 Answers
1

We had the same issue when setting up Control Tower with KMS encryption enabled. We found the issue to be that AWS Config could not use the KMS key due to the KMS key resource policy being set up wrong by us when creating the key. When using the policy documented for AWS Config, our issue was that we did not use the correct account as the sourceAccountID. We typed in the Control Tower account ID, but what fixed it for us was changing that to the Log Archive account ID.

KMS key policy granting Config access to the key (CloudTrail also needs access, as described in the Control Tower doc):

{
    "Version": "2012-10-17",
    "Id": "Policy_ID",
    "Statement": [
        {
            "Sid": "AWSConfigKMSPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "config.amazonaws.com"
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<myKMSKeyARN>",
            "Condition": { 
                "StringEquals": {
                    "AWS:SourceAccount": "<myLogArchiveAccountID>"
                }
            }
        }
    ]
}
answered a year ago
  • If the error persists, you'll also need to add permission for AWS Config with sourceAccount as the Audit account. Check my answer.
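As an added diagnostic example (not code from this thread), the following Python check reads a KMS key policy document and reports whether config.amazonaws.com and cloudtrail.amazonaws.com are allowed kms:Decrypt and kms:GenerateDataKey with an aws:SourceAccount condition that covers the expected account(s). The sample policy reproduces the mistake described in the answer; all account IDs are constructed placeholders.

```python
import copy

# Constructed sample (placeholder IDs, not real accounts): the Config statement
# from the answer above, with the mistake it describes, i.e. aws:SourceAccount
# pointing at the management account instead of the Log Archive account.
MGMT_ACCOUNT = "111111111111"
LOG_ARCHIVE_ACCOUNT = "222222222222"
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AWSConfigKMSPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"AWS:SourceAccount": MGMT_ACCOUNT}},
    }],
}
REQUIRED_ACTIONS = {"kms:decrypt", "kms:generatedatakey"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_service_access(policy, service, expected_accounts):
    # Returns a list of findings for one service principal; empty list means OK.
    expected, allowed, findings = set(expected_accounts), set(), []
    for stmt in policy.get("Statement", []):
        principals = _as_list(stmt.get("Principal", {}).get("Service", []))
        if stmt.get("Effect") != "Allow" or service not in principals:
            continue
        allowed |= {a.lower() for a in _as_list(stmt.get("Action", []))}
        # IAM condition keys are case-insensitive, so normalise before comparing.
        cond = {k.lower(): v for k, v in stmt.get("Condition", {}).get("StringEquals", {}).items()}
        if "aws:sourceaccount" in cond:
            missing = expected - set(_as_list(cond["aws:sourceaccount"]))
            if missing:
                findings.append(f"{service}: aws:SourceAccount does not include {sorted(missing)}")
    if not allowed:
        findings.append(f"{service}: no Allow statement names this principal")
    elif not REQUIRED_ACTIONS <= allowed:
        findings.append(f"{service}: missing {sorted(REQUIRED_ACTIONS - allowed)}")
    return findings

def audit_key_policy(policy, accounts):
    # Both Config and CloudTrail must be able to use the key for the given accounts.
    return [f for svc in ("config.amazonaws.com", "cloudtrail.amazonaws.com")
            for f in check_service_access(policy, svc, accounts)]

def corrected_policy():
    # The same policy with the fix from the answer: Log Archive account as source.
    fixed = copy.deepcopy(SAMPLE_KEY_POLICY)
    fixed["Statement"][0]["Condition"]["StringEquals"]["AWS:SourceAccount"] = LOG_ARCHIVE_ACCOUNT
    return fixed
```

Running audit_key_policy on the corrected policy still reports CloudTrail, which matches the answer's note that CloudTrail needs its own statement.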

0

It sounds like you have encountered an issue with the bucket policy for the logging bucket during the setup of your Control Tower Landing Zone. Here are a few things you can try to diagnose and resolve the issue:

Review the bucket policy: Check the bucket policy for the logging bucket, "aws-controltower-logs-1111111111111-us-west-2", to see if it is incorrect or if there are any issues with the permissions. Verify that the policy allows the necessary permissions for Control Tower to write logs to the bucket.

Check the IAM roles: Verify that the IAM roles used by Control Tower have the necessary permissions to access the logging bucket.

Check the stack set: Review the CloudFormation stack set used by Control Tower to see if there are any issues with the parameters or settings. This can be done in the AWS Systems Manager, under the “StackSets” page.

Check the CloudTrail: Check if there are any CloudTrail logs that might provide more information on the failure, specifically the Control Tower Management Events.

Contact AWS Support: If you are unable to diagnose and resolve the issue, you may want to contact AWS Support for further assistance.

It's important to note that Control Tower is designed to create the necessary resources and policies automatically during the setup process, but in some cases, issues may occur that prevent the setup from completing successfully. If you find out that it's a bug in the Control Tower, please contact AWS Support with the details of the issue, so they can investigate and fix the problem.

answered a year ago
  • Thank you for these recommendations, @jayamaheizengerg, especially about the specific types of events to focus on. In this case Control Tower is responsible for creating all artifacts, including all policies, roles, and resources to which those apply, so I was expecting it all to be created self-consistently. The only artifact I created myself was an encryption key during the Control Tower wizard, and then told it to use that. I'm surprised CT is working for anyone right now for creating the initial "well-architected" org structure. I didn't expect to be debugging CT stacksets as my initiation to AWS.

  • How does one search CloudTrail for events of type "Control Tower Management"? There are only a few attributes I can search for in CloudTrail / Event History. For example, there are attributes Event name, Event Source, and Resource Type, but none of these have any entries that resemble "Control Tower" or even "Control...".

  • In the following section: CloudFormation / StackSets / AWSControlTowerBP-BASELINE-CONFIG / StackSet details, there is an instance listed with Detailed Status: FAILED. The Status Reason is given as:

    ResourceLogicalId:ConfigDeliveryChannel, ResourceType:AWS::Config::DeliveryChannel, ResourceStatusReason:Insufficient delivery policy to s3 bucket: aws-controltower-logs-..., unable to write to bucket, ... (Service: AmazonConfig; Status Code: 400; Error Code: InsufficientDeliveryPolicyException; Request ID: ...).

    Why would ControlTower create a bucket it can't use?

  • In AWS Systems Manager, there is no page called "StackSets".

0

I am having the same issue.

answered a year ago
0

I had a similar issue when upgrading from Control Tower 2.9 to 3.1. Just selecting the KMS key encryption option caused the update to fail. (I selected an existing key, thinking Control Tower had obviously created it for this purpose as it had an alias of "ControlTowerV3".) Unselecting the option enabled the update to work but leaves me without customer-managed KMS key encryption for now, and I will check with support whether I should be getting Control Tower to create a new key or whether I should amend the policy on the existing key...

KrisH
answered a year ago
0

Hi, I just got this working after enabling encryption to the AWS Control Tower update.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSConfigCloudTrailKMSPolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
            },
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKey"
            ],
            "Resource": "<KMS_ARN>"
        }
    ]
}

Check this for more fine-grained permissions.

answered a year ago
