Control Tower Landing zone update failed

0

Hi,

Tried to update control tower landing zone. It failed with below error: ResourceLogicalId:ConfigDeliveryChannel, ResourceType:AWS::Config::DeliveryChannel, ResourceStatusReason:Insufficient delivery policy to s3 bucket: aws-controltower-logs-123-eu-west-1, unable to write to bucket, provided s3 key prefix is 'org-id-number', provided kms key is 'null'. (Service: AmazonConfig; Status Code: 400; Error Code: InsufficientDeliveryPolicyException; Request ID: 123; Proxy: null).

Prior to the update, Control Tower was working fine. Checked similar issues in re:Post and tried to delete ConfigDeliveryChannels in all AWS accounts. This did not help.

Tried to delete stacksets in CloudFormation which had failed stacks. Didn't help.

What else needs to be checked when ControlTower landing zone update fails?

Regards, Vijay

Vijay
posted a month ago, 446 views
1 Answer
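The InsufficientDeliveryPolicyException quoted above means AWS Config could not confirm it may write under the given key prefix of the log bucket. As an added example that is not part of this thread, the following offline checker evaluates an S3 bucket policy document for the grants AWS documents for a Config delivery bucket (s3:GetBucketAcl on the bucket and s3:PutObject under `<prefix>/AWSLogs/`); the bucket name and prefix are the ones from the error, the two policies and the account id are constructed samples.

```python
import fnmatch

# Bucket and prefix quoted in the error above; the policies below are constructed samples.
BUCKET = "aws-controltower-logs-123-eu-west-1"
PREFIX = "org-id-number"
CONFIG_SERVICE = "config.amazonaws.com"

def _as_list(value):
    return value if isinstance(value, list) else [value] if value is not None else []

def _allows(stmt, action, resource_arn):
    """True if stmt is an Allow for the Config service principal covering action on resource_arn."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal", {})
    services = _as_list(principal.get("Service")) if isinstance(principal, dict) else _as_list(principal)
    if CONFIG_SERVICE not in services and "*" not in services:
        return False
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok

def check_config_delivery_policy(policy, bucket, prefix):
    """Return the problems that would stop a Config delivery channel writing to bucket/prefix.
    Checks s3:GetBucketAcl on the bucket and s3:PutObject on
    <prefix>/AWSLogs/<account-id>/Config/* (the account id is a sample value)."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    object_arn = f"{bucket_arn}/{prefix}/AWSLogs/123456789012/Config/sample-object"
    stmts = _as_list(policy.get("Statement"))
    problems = []
    if not any(_allows(s, "s3:GetBucketAcl", bucket_arn) for s in stmts):
        problems.append(f"no s3:GetBucketAcl for {CONFIG_SERVICE} on {bucket_arn}")
    if not any(_allows(s, "s3:PutObject", object_arn) for s in stmts):
        problems.append(f"no s3:PutObject for {CONFIG_SERVICE} under {bucket_arn}/{prefix}/AWSLogs/*")
    return problems

# Constructed: PutObject granted only under the bucket root, not under the channel's key prefix.
ROOT_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
     "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/AWSLogs/*"}]}

# Constructed: same, but the PutObject grant covers the prefix the delivery channel uses.
PREFIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    ROOT_ONLY_POLICY["Statement"][0],
    {"Effect": "Allow", "Principal": {"Service": CONFIG_SERVICE},
     "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{BUCKET}/{PREFIX}/AWSLogs/*"}]}

if __name__ == "__main__":
    for name, pol in (("root-only", ROOT_ONLY_POLICY), ("prefixed", PREFIXED_POLICY)):
        print(name, check_config_delivery_policy(pol, BUCKET, PREFIX) or ["ok"])
```

Feed it the output of `aws s3api get-bucket-policy` on the log archive bucket (the policy string parsed with `json.loads`) to see which grant the delivery channel is missing before retrying the landing zone update.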
0

Hi There

Do you have any custom SCPs on your OUs that would be denying access to the ControlTowerExecutionRole?

AWS
EXPERT
Matt-B
answered a month ago
  • There are no SCPs which are denying access to the ControlTowerExecutionRole.

  • I am suspecting Cloudformation as I have retried several times and deleted some failed stacks. Will that cause any failures?

  • Are there any stack sets in the DELETE_FAILED state in ANY account (log archive or audit accounts)? Do you have ANY custom SCP that might be interfering? Can you try a Landing Zone repair?

  • There are no stack sets in DELETE_FAILED state in any account. Only five SCPs enabled and they are not related. Landing zone is not shown/reachable. There is a retry but on top of Control Tower dashboard. "Enrolled accounts" and "Registered organizational units" are empty.
