
AWS Control Tower Landing Zone Setup

0

Please help me to fix this error: AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot create an account using email <---@---> because an AWS account with that email already exists, but it is not part of your AWS Control Tower organization. Now, I am not able to edit the new email id when I try to retry the landing zone setup.

2 Answers
2
Accepted Answer

Hi There

Are you letting Control Tower create your shared accounts (Log Archive and Audit), or are you bringing existing accounts? For the email listed in the error, do you have another AWS account with this email address? Or did you ever have one with that email address that you closed/suspended?

You will need to decommission your landing zone and start again with unique email addresses. I recommend using the CLI (CloudShell) to do this. See https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-decommission.html

AWS
EXPERT
answered a year ago
EXPERT
reviewed a year ago
  • Hi Matt,

    I tried all the steps to decommission the halfway-stuck landing zone and followed all the manual steps to clean up the resources. But the red flash message is still there on the Control Tower page. How do I get rid of it and start a fresh landing zone?

    Regards, Abhishek

  • Hi Matt, I am getting the error below. Please take a look.

    ~ $ aws controltower --region us-east-1 list-landing-zone-operations
    {
        "landingZoneOperations": [
            {
                "operationIdentifier": "3bbbbb-21b6-4160-8c73-2923bbbbbbb",
                "operationType": "CREATE",
                "status": "FAILED"
            },
            {
                "operationIdentifier": "9yyyyyy-ee76-42bc-ae5e-2c36bbbbbbb",
                "operationType": "CREATE",
                "status": "FAILED"
            },
            {
                "operationIdentifier": "ezzzzzz-7cee-4f7d-8af9-2250bbbbbbb",
                "operationType": "CREATE",
                "status": "FAILED"
            }
        ]
    }
    ~ $ aws controltower --region us-east-1 delete-landing-zone --landing-zone-identifier 9yyyyyy-ee76-42bc-ae5e-2c36bbbbbbb

    An error occurred (UnauthorizedException) when calling the DeleteLandingZone operation: Unauthorized
    ~ $
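The accepted answer recommends decommissioning the landing zone through the Control Tower API rather than the console. The script below is an added example written for this page, not code from the re:Post thread or from AWS; it drives the same API calls the CLI exposes (list-landing-zones, delete-landing-zone, get-landing-zone-operation) through boto3 and polls until the delete operation reaches a terminal state. Two practitioner checks are built in: the identifier handed to delete_landing_zone is the landing zone ARN returned by list_landing_zones (a landing-zone-operation identifier from list-landing-zone-operations is a different object), and the call must be made from the management account by a principal allowed the controltower:DeleteLandingZone action, which is what an UnauthorizedException from that API points at. The FakeControlTower class, the example ARN and the operation identifier it returns are constructed so the flow runs offline; pass --live to use a real boto3 client instead (boto3 is assumed to be installed for that path).

```python
"""Decommission an AWS Control Tower landing zone via the Control Tower API.

Added example, not the thread's or AWS's own code. Assumes boto3 for the
--live path and a management-account principal permitted to call
controltower:ListLandingZones, controltower:DeleteLandingZone and
controltower:GetLandingZoneOperation. FakeControlTower is a constructed
stand-in for the boto3 "controltower" client so the flow runs offline.
"""
import time

TERMINAL_STATES = {"SUCCEEDED", "FAILED"}


def find_landing_zone_arn(client):
    """Return the landing zone ARN; this ARN is the landingZoneIdentifier delete expects."""
    zones = client.list_landing_zones().get("landingZones", [])
    if not zones:
        return None
    # A management account owns at most one landing zone.
    return zones[0]["arn"]


def wait_for_operation(client, operation_id, poll_seconds=30, max_polls=120):
    """Poll get-landing-zone-operation until the operation is SUCCEEDED or FAILED."""
    for _ in range(max_polls):
        details = client.get_landing_zone_operation(
            operationIdentifier=operation_id)["operationDetails"]
        if details["status"] in TERMINAL_STATES:
            return details
        time.sleep(poll_seconds)
    raise TimeoutError(f"operation {operation_id} not finished after {max_polls} polls")


def decommission(client, poll_seconds=30):
    """Delete the landing zone and return the terminal status of the delete operation."""
    arn = find_landing_zone_arn(client)
    if arn is None:
        return {"status": "NO_LANDING_ZONE", "landingZoneArn": None}
    op_id = client.delete_landing_zone(landingZoneIdentifier=arn)["operationIdentifier"]
    details = wait_for_operation(client, op_id, poll_seconds=poll_seconds)
    return {
        "status": details["status"],
        "landingZoneArn": arn,
        "operationIdentifier": op_id,
        "statusMessage": details.get("statusMessage"),
    }


class FakeControlTower:
    """Constructed stand-in for boto3's 'controltower' client (offline demo only)."""

    def __init__(self, arn, outcome="SUCCEEDED", polls_until_done=2):
        self.arn = arn
        self.outcome = outcome
        self.polls_until_done = polls_until_done
        self.calls = []  # records the call sequence so the flow can be checked

    def list_landing_zones(self):
        self.calls.append("list")
        return {"landingZones": [{"arn": self.arn}] if self.arn else []}

    def delete_landing_zone(self, landingZoneIdentifier):
        self.calls.append("delete")
        if landingZoneIdentifier != self.arn:
            # The real API rejects anything that is not the landing zone ARN.
            raise ValueError("ResourceNotFoundException: unknown landing zone identifier")
        return {"operationIdentifier": "00000000-0000-4000-8000-000000000000"}  # placeholder

    def get_landing_zone_operation(self, operationIdentifier):
        self.calls.append("poll")
        self.polls_until_done -= 1
        status = self.outcome if self.polls_until_done <= 0 else "IN_PROGRESS"
        return {"operationDetails": {
            "operationType": "DELETE",
            "status": status,
            "statusMessage": "constructed failure" if status == "FAILED" else None,
        }}


if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:
        import boto3  # real client; use the Control Tower home region
        client = boto3.client("controltower", region_name="us-east-1")
        print(decommission(client))
    else:
        # Constructed ARN using AWS's documentation account id 111122223333.
        demo = FakeControlTower(
            "arn:aws:controltower:us-east-1:111122223333:landingzone/EXAMPLE")
        print(decommission(demo, poll_seconds=0))
```

Even after the delete operation reports SUCCEEDED, the manual clean-up steps in the decommissioning guide linked above (for example the shared-account resources Control Tower does not remove) still apply, and the email addresses used by the shared accounts remain tied to those accounts until they are changed or the accounts are closed.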

1

Hello Abhishek,

When AWS Control Tower can't create an account with an email that's already in use, you have a few options.

If the account still exists, simply log into it as the root user and change the email address in the account settings. This frees up your original email for use in Control Tower. For accounts you've already closed, AWS permanently reserves that email address. You'll need to use a different email for your new account. Many organizations use email aliases or plus addressing (e.g. original+test@domain.com) to work around this limitation.

Remember that changing an email before closing an account is the best practice. This preserves your preferred email addresses for future use, which is especially important when rebuilding environments or restructuring your AWS organization.

https://docs.aws.amazon.com/controltower/latest/userguide/change-account-email.html
https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.html

AWS
EXPERT
answered a year ago
