Stuck with ControlTower unable to start landing zone


Hi there

I'm trying to set up ControlTower. I had a first failure looking pretty much like https://repost.aws/questions/QU6yHDMU2VTQeUnZp-FQvQRA/how-to-proceed-after-failed-landing-zone-creation-through-control-tower

Fixing the KMS permission didn't solve it. So I tried removing the faulty bucket on the basis that a retry would then set things straight. It failed. Tried removing the specific stacksets again, hoping it'd fix it. Failed again.

Looking at CF stacks, I only have AWSControlTowerBP-BASELINE-CONFIG-MASTER; the other one, AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, didn't get re-created. I also made a retry disabling logging, hoping that it'd finalize the creation; then I'd have tried an upgrade / reconfiguration to fill in the missing part.

So now I'm stuck with

AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy one or more stack set instances: StackSet Id: AWSControlTowerLoggingResources:c74fd63a-c5e2-4b43-920f-XXXXXXXXXXX, Stack instance Id: arn:aws:cloudformation:eu-north-1:XXXXXXXXXXXX:stack/StackSet-AWSControlTowerLoggingResources-f8ac1539-43e1-4185-bec1-XXXXXXXXX/afb8cdb0-05ce-11ee-b85a-XXXXXXXXXX, Status: OUTDATED, Status Reason: ResourceLogicalId:S3LoggingBucket, ResourceType:AWS::S3::Bucket, ResourceStatusReason:The specified bucket does not exist (Service: Amazon S3; Status Code: 404; Error Code: NoSuchBucket; Request ID: S4435MM69RD2T5SC; S3 Extended Request ID: v0PVGxtncMbvVPn0gSsXXXXXXXXXXXXXXXXXXXXXXXXXXXX=; Proxy: null).

This is a bit out of control. I'd like to wipe this attempt & start over, but since it didn't finish I can't access the decommissioning UI as explained in https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html. I can't delete the account; it's the company's historical account with everything in it. I intended to move on progressively from this old one to the organization's account.

So, what are my options to proceed from here?

  • Have you tried deleting the AWS CloudFormation stacks and trying again? Be sure to launch in a supported region.

RG, asked a year ago, 131 views
1 Answer

Hello,

AWS Control Tower leverages multiple underlying services on AWS, so understanding what is being used is crucial to clean up and start again. The things I always do are mostly listed in the user guide at https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html and https://docs.aws.amazon.com/controltower/latest/userguide/known-issues-decommissioning.html

  • Remove the AWS Service Catalog product created by Control Tower
  • Make sure there are no Control Tower stacks/stacksets still present in CloudFormation
  • Remove the AWS Config components deployed by Control Tower
  • Remove the IAM users/roles/policies it created
  • Remove the S3 buckets created by Control Tower if they still persist
  • In case you want to reuse the same Log Archive and Audit accounts, make sure to follow the instructions at https://aws.amazon.com/blogs/mt/use-existing-logging-and-security-account-with-aws-control-tower/

I would not recommend enabling KMS in the setup of Control Tower, as it adds a layer of configuration that you need to do, unless you have strict security requirements for the Control Tower logs themselves to be encrypted with KMS. There are specific instructions for using KMS with Control Tower: you must create them properly before setting up Control Tower, otherwise the install will fail - https://docs.aws.amazon.com/controltower/latest/userguide/kms-guidance.html

If nothing of that helps, I always raise a support ticket with AWS and they help clean up whatever might still be holding you down.

Renato (AWS)
answered 5 months ago
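The answer's KMS point is the one that bit the asker: the landing-zone setup fails if the customer-managed key does not let the Config and CloudTrail service principals generate data keys and decrypt. The following pre-flight check is an added example, not code from the thread or from AWS; it evaluates a KMS key policy document offline against the two grants the linked KMS guidance page calls for (config.amazonaws.com and cloudtrail.amazonaws.com, each needing kms:GenerateDataKey and kms:Decrypt on the key). The account ID, region and trail name in the constructed sample policies are assumptions, and the exact condition keys in the CloudTrail statement should be compared against the current guidance page before use. Deny statements and grants are not modelled.

```python
"""Pre-flight check of a KMS key policy before enabling KMS in AWS Control Tower.

Added example; the sample policies below are constructed. The account ID,
region and trail name are assumptions, not values from the thread.
"""
import fnmatch
import json
import sys

# Service principals that write encrypted objects into the Control Tower
# log bucket, and the key actions each one needs (from the KMS guidance page).
REQUIRED_GRANTS = {
    "config.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
    "cloudtrail.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
}

ACCOUNT = "111122223333"  # assumption: placeholder management account
REGION = "eu-north-1"     # assumption: home region used in the sample

# A freshly created key carries only the root-principal statement below;
# this is the kind of policy that makes the landing-zone setup fail.
DEFAULT_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
    ],
}

# The same key with the two service-principal statements added. The trail
# name and condition keys are assumptions to verify against the guidance page.
CONTROL_TOWER_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": DEFAULT_KEY_POLICY["Statement"] + [
        {"Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
        {"Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*",
         "Condition": {
             "StringEquals": {"aws:SourceArn":
                 f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/aws-controltower-BaselineCloudTrail"},
             "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                 f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"},
         }},
    ],
}


def _as_list(value):
    """IAM policy grammar allows a string or a list for Action/Principal/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_allowed(required, patterns):
    """True if any action pattern (kms:GenerateDataKey*, kms:*, ...) covers required.
    IAM action matching is case-insensitive, so compare lower-cased."""
    return any(fnmatch.fnmatchcase(required.lower(), p.lower()) for p in patterns)


def _covers_key(resources):
    """Key policies name the key as "*" (or, rarely, its own ARN)."""
    return any(r == "*" or r.startswith("arn:aws:kms:") for r in resources)


def missing_grants(policy):
    """Return {service: sorted missing actions} for each required grant the
    policy does not provide. An empty dict means the policy is sufficient
    for Control Tower's Config and CloudTrail writers."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    granted = {service: set() for service in REQUIRED_GRANTS}
    for stmt in _as_list(policy.get("Statement")):
        principal = stmt.get("Principal")
        if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
            continue  # only Allow statements with a Service principal matter here
        if not _covers_key(_as_list(stmt.get("Resource"))):
            continue
        actions = _as_list(stmt.get("Action"))
        for service in _as_list(principal.get("Service")):
            for action in REQUIRED_GRANTS.get(service, ()):
                if _action_allowed(action, actions):
                    granted[service].add(action)
    return {service: sorted(required - granted[service])
            for service, required in REQUIRED_GRANTS.items()
            if required - granted[service]}


if __name__ == "__main__":
    # Read a policy document from stdin, e.g. the output of
    # aws kms get-key-policy --key-id <id> --policy-name default --query Policy --output text
    missing = missing_grants(sys.stdin.read())
    for service, actions in missing.items():
        print(f"{service} is missing: {', '.join(actions)}")
    sys.exit(1 if missing else 0)
```

Run it against the key before enabling the KMS option in the Control Tower console; a non-zero exit means at least one of the two service principals cannot encrypt to the log bucket and the landing-zone setup will fail for the same reason as in this thread. The check deliberately ignores the root-account statement: it is what lets you fix the policy later, but it is not what Config and CloudTrail use.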
