AWS Control Tower / Orgs failing to fully add new accounts

0

Been using AWS Control Tower to provision Organization accounts for a while now - we have around 10 accounts there. A few days ago we started to migrate customer services there and the accounts are failing to build with an 'enrollment failed' error message and no specifics given.

  • I have tried to hit up AWS on the support (we don't have any) resource under the accounts sections but have had no response.
  • I have also tried manually adding in an Org account in order to set the IAM policy required but when I log in using the root account I am being told that billing has not yet been set up.
  • Our Orgs are child accounts and billing belongs to the parent (management) account.
  • We thought that maybe there were quota limits so we upped our Org count but it didn't resolve the issue.
  • Now today I was asked to update the Control Tower accounts and some have not re-enrolled correctly. SOLVED
  • Also can we have a quicker turnaround on closed accounts?

This is quite critical to our deployment and it seems to be failing with no changes on our part.

Are AWS Control Tower and Organizations not fit for production use?

dub
asked a year ago · 348 views
2 Answers
0
Accepted Answer

Solved:
This was the weirdest thing. One of our team read a post regarding payment options, and this is what worked:
Add a . to the credit card info so it updates the payment method. Then remove.
All newly added accounts now accessible via SSO and within the Org / Control Tower structure.

dub
answered a year ago
0

Hi There

You mentioned that you requested a quota increase (default number of accounts per Organization is 10). Have you checked your Service Limits console in the Payer account to verify the quota has been increased? What is the new quota?

For the enrollment issue, please check the provisioned product for each account in Service Catalog, you should be able to get more information about the issue. You may also need to remove the provisioned product for the failed accounts before attempting enrollment again. Refer to https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html#enrollment-failed

AWS
EXPERT
Matt-B
answered a year ago
  • Thanks for your reply. We requested an increase from 10 to 50 accounts - this is how we plan on provisioning for new customers but I am now having some reservations about its usefulness as a production service. AWS have confirmed this increase although on the quota service it says I must put in a request through the support center.

    I have solved the enrollment issue on the existing account - a user had created a default VPC for their workloads - once that was removed the account enrolled ok.

    I am still seeing the issue despite the Org increase - when I log in as root I get the complete setup issue / loop. I cannot add to Control Tower as I cannot add the IAM policy required.
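
The Service Catalog check suggested in the answer above, as an added example that is not part of the original thread: it lists the provisioned products left in a failed state together with their status message. The `CONTROL_TOWER_ACCOUNT` type value, the helper names and the sample records are assumptions made for this example.

```python
import json
import subprocess
import sys

# Statuses Service Catalog gives a provisioned product that did not finish cleanly.
FAILED = {"ERROR", "TAINTED"}
# Assumption: Account Factory products carry this Type value.
ACCOUNT_TYPE = "CONTROL_TOWER_ACCOUNT"

# Constructed sample in the shape of a SearchProvisionedProducts response.
SAMPLE = {"ProvisionedProducts": [
    {"Name": "customer-a", "Type": ACCOUNT_TYPE, "Status": "AVAILABLE",
     "LastRecordId": "rec-constructed-1"},
    {"Name": "customer-b", "Type": ACCOUNT_TYPE, "Status": "ERROR",
     "StatusMessage": "constructed: enrollment failed",
     "LastRecordId": "rec-constructed-2"},
    {"Name": "customer-c", "Type": ACCOUNT_TYPE, "Status": "TAINTED",
     "StatusMessage": "constructed: update did not complete",
     "LastRecordId": "rec-constructed-3"},
    {"Name": "shared-network", "Type": "CFN_STACK", "Status": "ERROR",
     "StatusMessage": "constructed: stack failed",
     "LastRecordId": "rec-constructed-4"},
]}


def failed_enrollments(response, only_accounts=True):
    """Return sorted (name, status, message, last_record_id) for failed products."""
    rows = []
    for pp in response.get("ProvisionedProducts", []):
        if pp.get("Status") not in FAILED:
            continue
        if only_accounts and pp.get("Type") != ACCOUNT_TYPE:
            continue
        rows.append((pp.get("Name", "?"), pp["Status"],
                     pp.get("StatusMessage", "(no message)"),
                     pp.get("LastRecordId", "")))
    return sorted(rows)


def fetch():
    """Read-only AWS CLI call; first page only (follow NextPageToken for more)."""
    cmd = ["aws", "servicecatalog", "search-provisioned-products",
           "--access-level-filter", "Key=Account,Value=self", "--output", "json"]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    data = fetch() if "--live" in sys.argv else SAMPLE
    for name, status, msg, rec in failed_enrollments(data):
        print(f"{name}\t{status}\t{rec}\n    {msg}")
```

Run with `--live` from a session that has credentials for the management account; the record id in the output can be passed to `aws servicecatalog describe-record --id` for the detailed errors.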
