How do I resolve "Not authorized to baseline the VPC in the enrolled account" errors in AWS Control Tower?

Short description

You receive the following error when you try to set up or update a landing zone:

"AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account."

You receive the following error when you use AWS Control Tower Account Factory to create an AWS account or update an enrolled account:

"AWS Control Tower could not enroll your account for the following reason: AWS Control Tower is not authorized to baseline the VPC in the enrolled account."

You might receive the preceding errors for the following reasons:

• AWS Control Tower has insufficient permissions to perform required Amazon Virtual Private Cloud (Amazon VPC) actions. For example, this happens when the AWS Identity and Access Management (IAM) role AWSControlTowerExecution has its actions restricted. You can use service control policies (SCPs) or policies associated with the role to restrict the role's actions.
• AWS Control Tower can't delete the existing default VPC in your governed AWS Regions because of its resource dependencies.

Note: If you use Account Factory to create an account, AWS Control Tower automatically deletes the default Amazon VPC. Also, AWS Control Tower only configures a new Amazon VPC in your governed Regions based on your Account Factory Network configuration. If you enroll an existing account, then AWS Control Tower doesn't remove the default Amazon VPC or create a new Amazon VPC for that account.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Important: A member account refers to different accounts based on your failure type. For landing zone failures, complete the steps in Log Archive and Audit accounts. These accounts are also known as shared or integration accounts. For account enrollment failures, complete the steps in the member account that failed to enroll.

Review the CloudTrail events in the member account

To identify the failed action, complete the following steps in all your AWS Control Tower Regions:

1. Open the AWS CloudTrail console in the member account that failed to enroll, and then choose Event history.
2. From the Lookup attributes menu, choose Event source.
3. In the search box, enter ec2.amazonaws.com as the event source.
4. Select the Filter by date and time box, and then choose Absolute range.
5. Enter the start date, end date, and time of the operation failure period, and then choose Apply.
6. Choose the settings icon, activate Error Code, and then choose Confirm.
7. To identify failed events, look for UnauthorizedOperation, AccessDenied, DependencyViolation, or CannotDelete error codes in the Error code column.
8. Select the event for a detailed error message.
9. Review the error message from the failed CloudTrail event to identify the probable cause. If the error message shows an unauthorized or insufficient permission error, then complete the steps in the Verify SCPs and AWSControlTowerExecution role permissions section. If the error relates to a resource dependency, then complete the steps in the Identify and resolve default VPC dependency in AWS Control Tower Regions section.

Verify SCPs and AWSControlTowerExecution role permissions

The AWSControlTowerExecution IAM role must have the AdministratorAccess policy with a trust relationship to the management account of AWS Organizations. Make sure that the SCPs of organizations or policies associated with the IAM role don't restrict the role's actions.

Complete the following steps:

1. Open the Organizations console in your AWS Control Tower management account.
2. From the navigation pane, choose AWS accounts.
3. In the search box, search for and then select the account ID that failed to enroll.
4. Choose the Policies tab and make sure that the FullAWSAccess SCP is attached to all entities of organizations, including the root, organizational unit (OU), and account.
5. Review all the attached SCPs to identify any restriction for ec2 actions.
6. Detach custom SCPs from the entity temporarily. Or, modify the SCPs to use a Condition block to exempt the AWSControlTowerExecution IAM role.

The following example SCP denies all Amazon Elastic Compute Cloud (Amazon EC2) actions except when performed by the AWSControlTowerExecution role:

{
   "Version":"2012-10-17",
   "Statement": [
       {
           "Sid": "Statement1",
           "Effect": "Deny",
           "Action": "ec2:*",
           "Resource": "*",
           "Condition": {
               "ArnNotLike": {
                   "aws:PrincipalARN": [
                       "arn:aws:iam::*:role/AWSControlTowerExecution"
                   ]
               }
           }
       }
   ]
}

Identify and resolve default VPC dependency in AWS Control Tower Regions

AWS Control Tower can't delete the existing default VPC in your governed Regions because of its resource dependencies. To find and manually delete the default VPCs in your AWS Control Tower Regions, take the following actions.

Find default VPCs

You can use AWS Global View, the Amazon VPC console, or the AWS CLI to find default VPCs in the AWS Control Tower Regions of member accounts.

AWS Global View

Use AWS Global View to list all your VPC resources across multiple Regions simultaneously in a single view. In View resources across Regions using AWS Global View, review the Required permissions section and follow the steps under To use AWS Global View.

Select the VPC IDs for your governed Regions to verify if Default VPC is set to YES.

Amazon VPC console

Complete the following steps in each AWS Control Tower Region:

1. Sign in to your member account and then open the Amazon VPC console.
2. From the navigation pane, choose Your VPCs.
3. Identify the VPCs where Default VPC is set to Yes.

AWS CLI

To use the AWS CLI, run the following bash script in your member account:

for region in $(aws ec2 describe-regions \
   --all-regions \
   --query 'Regions[?OptInStatus!=`not-opted-in`].RegionName' \
   --output text); do

   vpc=$(aws ec2 describe-vpcs \
       --filters Name=isDefault,Values=true \
       --region "$region" \
       --query 'Vpcs[*].{VpcId:VpcId,CIDR:CidrBlock}' \
       --output text 2>/dev/null)

   [ -n "$vpc" ] && echo "$region: $vpc" || echo "$region: No default VPC"
done

Unenroll and then re-enroll the account

Important: Complete the following steps only if your member account enrollment fails. If you have landing zone failures, then skip this section.

To prevent AWS Control Tower from removing default VPCs that have important dependencies in your member account, unenroll the account from AWS Control Tower. Then, manually enroll the account with its prerequisites.

Re-register the OU

Important: Complete the following steps only if your member account enrollment fails. If you have landing zone failures, then skip this section.

To prevent AWS Control Tower from removing default VPCs that have important dependencies in your member account, re-register the OU where the account is located. Re-registering the OU will skip VPC baselining, enroll the accounts, and preserve the default VPCs.

Delete default VPCs

Important: Before you delete a VPC, you must remove all the resources associated with the VPC. Deleting default VPCs can affect existing resources or applications that depend on them. It's best practice to review the contents of a VPC before you delete it.

You can use the Amazon VPC console or AWS CLI to delete default VPCs in your AWS Control Tower Regions.

To use the console, complete the following steps:

1. Sign in to your member account and open the Amazon VPC console.
2. Select your default VPC.
3. Choose Actions, and then choose Delete VPC.
4. In the Delete VPC dialog box, select the I acknowledge that I want to delete my Default VPC checkbox.
   Note: When you select this option, you delete all elements associated with your VPC, including subnets and security groups.
5. In the confirmation box, enter delete default vpc, and then choose Delete.

To use the AWS CLI, run the following delete-vpc command:

aws ec2 delete-vpc --vpc-id YOUR_VPC_ID --region YOUR_REGION

Note: Replace YOUR_VPC_ID with your VPC ID and YOUR_REGION with your Region.

Finally, retry the landing zone setup or account enrollment operation in AWS Control Tower.