AWS control Tower setup failed

Hi, There are a number of reasons why AWS Control Tower Landing Zone will fail during setup, the most common issues are documented here - https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

That error you shared does not have not enough information to determine the root cause (we only know that stack is deploying the CloudTrail in that account) so you will need to look at the events in the failed CloudFormation stack to identify why it failed and then resolve that issue.

The most common cause of the error "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:us-east-1:058264521814:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/23d0fde0-c3b5-11ee-af84-0e7e2c57393b" is misconfigured KMS key policy used while configuring ControlTower.

When you enable KMS encryption on Control Tower, you need to update the KMS Key policy to allow Config and CloudTrail services access to the key.

As this is initial setup the CloudFormation stack "arn:aws:cloudformation:us-east-1:058264521814:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/23d0fde0-c3b5-11ee-af84-0e7e2c57393b" must be in failed rollback status. You may need to cleanup the stack"AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER", and try setting up the landing zone again.