Control Tower Landing zone update failed

Hi,

Tried to update control tower landing zone. It failed with below error: ResourceLogicalId:ConfigDeliveryChannel, ResourceType:AWS::Config::DeliveryChannel, ResourceStatusReason:Insufficient delivery policy to s3 bucket: aws-controltower-logs-123-eu-west-1, unable to write to bucket, provided s3 key prefix is 'org-id-number', provided kms key is 'null'. (Service: AmazonConfig; Status Code: 400; Error Code: InsufficientDeliveryPolicyException; Request ID: 123; Proxy: null).

Prior to the update, Control Tower was working fine. Checked similar issues in re:Post and tried to delete ConfigDeliveryChannels in all AWS accounts. This did not help.

Tried to delete stacksets in CloudFormation which had failed stacks. Didn't help.

What else needs to be checked when ControlTower landing zone update fails?

Regards, Vijay

Topics

Management & Governance

Tags

AWS CloudFormation AWS Control Tower StackSets

Language

English

Vijay

asked a month ago430 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Hi There

Do you have any custom SCP's on your OU's that would be denying access to the ControlTowerExecutionRole?

EXPERT

Matt-B

answered a month ago

Vijay
a month ago
There are no SCPs which are denying access to the ControlTowerExecutionRole.
Vijay
a month ago
I am suspecting Cloudformation as I have retried several times and deleted some failed stacks. Will that cause any failures?
Matt-B EXPERT
a month ago
Are there any stack sets in the DELETE_FAILED state in ANY account (log archive or audit accounts)? Do you have ANY custom SCP that might be interfering? Can you can try a Landing Zone repair?
Vijay
a month ago
There are no stack sets in DELETE_FAILED state in any acccount. Only five SCP enabled and they are not related. Landing zone is not shown/reachable. There is a retry but on top of Control Tower dashboard. "Enrolled accounts" and "Registered organizational units" are empty.

Relevant content

Automating AWS Control Tower Landing Zone with Terraform
Accepted Answer
Sameed
asked 5 months ago
Control Tower Landing Zone Setup Retry Failed - Only one AWS Control Tower environment is permitted per organization.
Accepted Answer
zf
asked 5 months ago
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account.
Thai Diep
asked 2 years ago
AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot create the account. To create accounts in this organization, first migrate your organization's management ac.
Vipin
asked 4 months ago
How do I gain access as an AWS account root user to the account created by Account Factory or Account Vending Machine in AWS Control Tower?
AWS OFFICIALUpdated 3 years ago
How do consolidated controls view and consolidated control findings affect my workflows?
AWS OFFICIALUpdated 8 months ago
How do I update a CloudFormation stack that's failing because of a resource that I manually deleted?
AWS OFFICIALUpdated 3 years ago
How do I control access to my WorkSpaces?
AWS OFFICIALUpdated 2 years ago
Upgrade Control Tower Landing Zone From 2.x to 3.x
EXPERT
Tyler_P
published 2 months ago
VMware on AWS Updates - November 2023
EXPERT
Chris Porter
published 5 months ago