Control Tower creation issue

0

Hi, I created a new account and then immediately went on to create Control Tower. Everything seemed to work except that I got this error: "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot deploy the required stack set because the bucket policy for the logging bucket, aws-controltower-logs-642978469219-us-east-1, is incorrect."

I'm not seeing this bucket anywhere. What should I do? And whatever it is, do I do it in Control Tower? Thanks.

posted a year ago, 2237 views
2 Answers
3

Hi @rePost-User-7903133:

I got the same error. I forgot to set permissions in KMS using the following instructions: https://docs.aws.amazon.com/en_us/controltower/latest/userguide//kms-guidance.html. After that, I needed to remove two CloudFormation stacks, AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, and restart the process.

I hope this can help someone.

etoledo
answered 10 months ago
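The answer above points at the KMS guidance page, which requires the key policy of the customer-managed key to let AWS Config and AWS CloudTrail use the key. The following is an added example, not code from this thread or from AWS: a small checker that walks a key policy and reports which of those service grants are still missing, so the gap can be found before Control Tower is launched (or re-launched). The required service principals and actions are taken from that guidance page and should be verified against the current documentation; the key ARN, account id and sample policies are constructed placeholders.

```python
"""Check a KMS key policy for the grants AWS Control Tower's baseline needs.

Added example (not from the re:Post thread or from AWS). Assumption, per the
Control Tower KMS guidance page: AWS Config and AWS CloudTrail must each be
allowed kms:GenerateDataKey (or kms:GenerateDataKey*) and kms:Decrypt on the key.
"""
import fnmatch

# Placeholder key ARN and account id (constructed for the example).
KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER-KEY-ID"

# Service principal -> actions it must be allowed on the key (assumption, see above).
REQUIRED_GRANTS = {
    "config.amazonaws.com": {"kms:GenerateDataKey", "kms:Decrypt"},
    "cloudtrail.amazonaws.com": {"kms:GenerateDataKey", "kms:Decrypt"},
}

# Constructed key policy: the default root statement plus the Config statement
# only, i.e. the CloudTrail statement the guidance asks for has been forgotten.
SAMPLE_POLICY_INCOMPLETE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow Config to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": KEY_ARN,
        },
    ],
}

# The same policy with the CloudTrail statement added (condition keys as in the
# guidance; the checker does not evaluate conditions, it only reports grants).
SAMPLE_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": SAMPLE_POLICY_INCOMPLETE["Statement"] + [
        {
            "Sid": "Allow CloudTrail to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": KEY_ARN,
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:111122223333:trail/*"
                }
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Principal/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_allows(patterns, action):
    """True if any IAM action pattern (e.g. 'kms:GenerateDataKey*', 'kms:*') matches action."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def _resource_covers(stmt, key_arn):
    """True if the statement's Resource is '*' or matches the key ARN."""
    return any(fnmatch.fnmatchcase(key_arn, r) for r in _as_list(stmt.get("Resource", [])))


def _statement_services(stmt):
    """Service principals named by the statement ('*' principals are not counted)."""
    principal = stmt.get("Principal", {})
    if not isinstance(principal, dict):
        return set()
    return set(_as_list(principal.get("Service", [])))


def missing_grants(policy, key_arn):
    """Return {service: set(actions)} for required grants no Allow statement provides.

    Deny statements and Condition blocks are not evaluated; review those by hand.
    An empty dict means every required service grant is present.
    """
    missing = {svc: set(acts) for svc, acts in REQUIRED_GRANTS.items()}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _resource_covers(stmt, key_arn):
            continue
        actions = _as_list(stmt.get("Action", []))
        for svc in _statement_services(stmt) & set(missing):
            missing[svc] = {a for a in missing[svc] if not _action_allows(actions, a)}
    return {svc: acts for svc, acts in missing.items() if acts}


if __name__ == "__main__":
    for name, policy in (("incomplete", SAMPLE_POLICY_INCOMPLETE), ("fixed", SAMPLE_POLICY_FIXED)):
        print(name, "->", missing_grants(policy, key_arn=KEY_ARN) or "all required grants present")
```

To run it against a real key, replace the sample dict with the output of `aws kms get-key-policy --key-id <id> --policy-name default` (parsed as JSON) and the placeholder ARN with the key's ARN; the root "kms:*" statement does not count because the services, not the account root, are the callers.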
0

Hi User,

Very strange behaviour. Normally there should not be a problem when setting up Control Tower. The logging bucket should be located in the "log archive" account which was created with Control Tower. Check out the CloudFormation stack events for more details.

Also check out the documentation; it explains that there could be problems if you immediately create a landing zone with Control Tower in a freshly created account: https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

Landing Zone Launch Failed

Common causes of landing zone launch failure:

    Lack of response to a confirmation email message.
    AWS CloudFormation StackSet failure.

Confirmation email messages: If your management account is less than an hour old, you may encounter issues when the additional accounts are created.

Action to take

If you encounter this issue, check your email. You might have been sent confirmation email that is awaiting response. Alternatively, we recommend that you wait an hour, and then try again. If the issue persists, contact AWS Support.

Failed StackSets: Another possible cause of landing zone launch failure is AWS CloudFormation StackSet failure. AWS Security Token Service (STS) regions must be enabled in the management account for all AWS Regions that AWS Control Tower is governing, so that the provisioning can be successful; otherwise, stack sets will fail to launch.

Action to take

Be sure to enable all of your required AWS Security Token Service (STS) endpoint regions before you launch AWS Control Tower.

Currently, AWS Control Tower is supported in the following AWS Regions:

    US East (N. Virginia)
    US East (Ohio)
    US West (Oregon)
    Canada (Central) Region
    Asia Pacific (Sydney)
    Asia Pacific (Singapore) Region
    Europe (Frankfurt) Region
    Europe (Ireland)
    Europe (London) Region
    Europe (Stockholm) Region
    Asia Pacific (Mumbai) Region
    Asia Pacific (Seoul) Region
    Asia Pacific (Tokyo) Region
    Europe (Paris) Region
    South America (São Paulo) Region

AWS Support is probably your best bet in the end.

Sincerely, Heiko

HeikoMR
answered a year ago
