Hello,
AWS Control Tower leverages multiple underlying services on AWS, so understanding what is being used is crucial to cleaning up and starting it again. The things I always do are mostly listed in the user guide at https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html and https://docs.aws.amazon.com/controltower/latest/userguide/known-issues-decommissioning.html
- Remove the AWS Service Catalog product created by Control Tower
- Make sure there are no Control Tower stacks/StackSets still in CloudFormation
- Remove the AWS Config components deployed by Control Tower
- Remove the IAM users/roles/policies it created
- Remove S3 buckets created by Control Tower if they still persist.
- If you want to reuse the same Log Archive and Audit accounts, make sure to follow the instructions at https://aws.amazon.com/blogs/mt/use-existing-logging-and-security-account-with-aws-control-tower/
I would not recommend enabling KMS in the setup of Control Tower, as it adds a layer of configuration that you need to do, unless you have strict security requirements for the Control Tower logs themselves to be encrypted with KMS. There are specific instructions for using KMS with Control Tower; you must create them properly before setting up Control Tower, otherwise the install will fail: https://docs.aws.amazon.com/controltower/latest/userguide/kms-guidance.html
If none of that helps, I always raise a support ticket with AWS and they help clean up whatever might still be holding you down.
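As an added example (not part of the answer above, and not AWS code), here is a read-only audit script that enumerates the leftovers the answer lists, using the AWS CLI. It assumes that Control Tower names its artefacts with the prefixes `AWSControlTower`, `aws-controltower` or `AWS Control Tower`, that the CLI is configured for the management account, and that the home region is supplied in `REGION`; those are assumptions, not facts from the post. It only looks at the current account and region: Config recorders, delivery channels and StackSet instances in member accounts and other governed regions need the same check run there. Nothing is deleted; the output is a checklist for the manual clean-up.

```shell
#!/bin/sh
# Added example (not from the original post or from AWS): list resources that
# AWS Control Tower typically leaves behind in the management account after a
# failed decommission, so they can be reviewed before re-deploying.
#
# Assumptions (not stated in the post): Control Tower prefixes its resource
# names with "AWSControlTower", "aws-controltower" or "AWS Control Tower";
# AWS CLI v2 is configured for the management account; REGION is the home region.
set -eu

REGION="${REGION:-us-east-1}"   # assumed home region; override via environment

# Keep only names carrying a Control Tower prefix (case-insensitive).
# Reads one name per line on stdin and prints the matches. Always exits 0 so
# an empty result does not abort the audit under "set -e".
filter_ct_names() {
    grep -iE '^aws[- ]?control[- ]?tower' || true
}

# Run an AWS CLI query that returns a list of names (tab-separated with
# --output text), flatten it to one name per line and report CT matches.
report() {
    label="$1"; shift
    matches="$("$@" --region "$REGION" --output text 2>/dev/null | tr '\t' '\n' | filter_ct_names)"
    if [ -n "$matches" ]; then
        printf '[LEFTOVER] %s:\n' "$label"
        printf '%s\n' "$matches" | sed 's/^/    /'
    else
        printf '[clean]    %s\n' "$label"
    fi
}

audit_control_tower_leftovers() {
    # Service Catalog: the Account Factory product
    report "Service Catalog products" aws servicecatalog search-products-as-admin \
        --query 'ProductViewDetails[].ProductViewSummary.Name'
    # CloudFormation: live stacks (deleted ones are excluded) and StackSets
    report "CloudFormation stacks" aws cloudformation list-stacks \
        --query "StackSummaries[?StackStatus!='DELETE_COMPLETE'].StackName"
    report "CloudFormation StackSets" aws cloudformation list-stack-sets --status ACTIVE \
        --query 'Summaries[].StackSetName'
    # AWS Config: recorder, delivery channel and rules (regional: repeat per governed region)
    report "Config recorders" aws configservice describe-configuration-recorders \
        --query 'ConfigurationRecorders[].name'
    report "Config delivery channels" aws configservice describe-delivery-channels \
        --query 'DeliveryChannels[].name'
    report "Config rules" aws configservice describe-config-rules \
        --query 'ConfigRules[].ConfigRuleName'
    # IAM: users, roles and customer-managed policies (global)
    report "IAM users" aws iam list-users --query 'Users[].UserName'
    report "IAM roles" aws iam list-roles --query 'Roles[].RoleName'
    report "IAM policies" aws iam list-policies --scope Local --query 'Policies[].PolicyName'
    # S3: log archive and access-log buckets (global listing)
    report "S3 buckets" aws s3api list-buckets --query 'Buckets[].Name'
}

# Only contact AWS when explicitly asked ("sh audit.sh audit"), so the
# functions can also be sourced and exercised offline.
if [ "${1:-}" = "audit" ]; then
    audit_control_tower_leftovers
fi
```

Run it as `REGION=eu-west-1 sh audit.sh audit` with management-account credentials; every `[LEFTOVER]` line is something to remove by hand (or via the linked guides) before launching Control Tower again. The name-prefix filter is deliberately anchored at the start of the name so unrelated resources that merely mention "controltower" somewhere are not flagged.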
Have you tried deleting the AWS CloudFormation stacks and trying again? Be sure to launch in a supported region.