Control Tower creation issue

0

Hi, I created a new account and then immediately went on to creating Control Tower. Everything seemed to work except I have this error: "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot deploy the required stack set because the bucket policy for the logging bucket, aws-controltower-logs-642978469219-us-east-1, is incorrect."

I'm not seeing this bucket anywhere, what should I do? And whatever it is do I do it in control tower? Thanks.

Asked a year ago, 2237 views
2 answers
3

Hi @rePost-User-7903133:

I got the same error. I forgot to set permissions in KMS using the following instructions: https://docs.aws.amazon.com/en_us/controltower/latest/userguide//kms-guidance.html. After that, I needed to remove two CloudFormation stacks, AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, and restart the process.

I hope this can help someone.

etoledo
Answered 10 months ago
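The answer above attributes the failure to a KMS key policy that was never given the statements the linked KMS guidance asks for. The script below is an added example (not code from the thread or from AWS) that reads a key policy document and reports which of those grants are missing. It assumes, from that guidance, that the config.amazonaws.com and cloudtrail.amazonaws.com service principals each need kms:GenerateDataKey* and kms:Decrypt on the key; the sample policy is constructed and uses the placeholder account 111122223333. It ignores Resource and Condition elements, so it is a sanity check on the policy text, not an authorization simulator.

```python
"""Check a KMS key policy for the grants AWS Control Tower's logging needs.

Added example, not from the re:Post thread. Assumed requirement (taken from
the Control Tower KMS guidance): the AWS Config and CloudTrail service
principals must be allowed kms:GenerateDataKey* and kms:Decrypt on the key.
"""
import fnmatch
import json

# Assumption: service principal -> actions it must be allowed on the key.
REQUIRED = {
    "config.amazonaws.com": ["kms:GenerateDataKey", "kms:Decrypt"],
    "cloudtrail.amazonaws.com": ["kms:GenerateDataKey", "kms:Decrypt"],
}


def _as_list(value):
    """IAM lets most policy elements be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    """Service principals a statement applies to ('*' means everyone)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("Service"))
    return []  # AWS/Federated principals are not service principals


def _action_matches(action, patterns):
    # IAM action names are case-insensitive and may carry wildcards
    # (kms:GenerateDataKey* or kms:*), so compare with glob matching.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_grants(key_policy):
    """Return {service: [actions]} for required grants the policy does not give.

    An explicit Deny covering a service and action cancels an Allow, which
    mirrors IAM's evaluation order. Resource and Condition are ignored.
    """
    policy = json.loads(key_policy) if isinstance(key_policy, str) else key_policy
    allowed = {svc: set() for svc in REQUIRED}
    denied = {svc: set() for svc in REQUIRED}
    for stmt in _as_list(policy.get("Statement")):
        services = _service_principals(stmt)
        actions = _as_list(stmt.get("Action"))
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for svc, needed in REQUIRED.items():
            if svc not in services and "*" not in services:
                continue
            for act in needed:
                if _action_matches(act, actions):
                    bucket[svc].add(act)
    return {
        svc: [a for a in needed if a not in allowed[svc] or a in denied[svc]]
        for svc, needed in REQUIRED.items()
        if any(a not in allowed[svc] or a in denied[svc] for a in needed)
    }


# Constructed sample: the default account-root statement plus an AWS Config
# grant, but no CloudTrail grant, i.e. the shape of the mistake described above.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
         "Principal": {"Service": "config.amazonaws.com"},
         "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
    ],
}

# The statement the incomplete policy lacks (assumed shape, wildcard action).
CLOUDTRAIL_STATEMENT = {
    "Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"},
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*",
}


def with_cloudtrail(policy):
    """Return a copy of the policy with the CloudTrail statement appended."""
    fixed = json.loads(json.dumps(policy))  # deep copy via JSON round trip
    fixed["Statement"].append(CLOUDTRAIL_STATEMENT)
    return fixed


if __name__ == "__main__":
    print("incomplete:", missing_grants(INCOMPLETE_POLICY))
    print("fixed:", missing_grants(with_cloudtrail(INCOMPLETE_POLICY)))
```

To check a real key, feed the output of `aws kms get-key-policy --key-id <key-id> --policy-name default --output text` into `missing_grants`; an empty dict means both service principals are covered, and anything else names the statement still to add before retrying the landing zone setup.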
0

Hi User,

Very strange behaviour. Normally there should not be a problem when setting up Control Tower. The logging bucket should be located in the "log archive" account which was created with Control Tower. Check out the CloudFormation stack events for more details.

Also check out the documentation; it explains that there could be problems if you immediately create a landing zone with Control Tower in a freshly created account: https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

Landing Zone Launch Failed

Common causes of landing zone launch failure:

    Lack of response to a confirmation email message.

    AWS CloudFormation StackSet failure.

Confirmation email messages: If your management account is less than an hour old, you may encounter issues when the additional accounts are created.
Action to take

If you encounter this issue, check your email. You might have been sent a confirmation email that is awaiting response. Alternatively, we recommend that you wait an hour, and then try again. If the issue persists, contact AWS Support.

Failed StackSets: Another possible cause of landing zone launch failure is AWS CloudFormation StackSet failure. AWS Security Token Service (STS) regions must be enabled in the management account for all AWS Regions that AWS Control Tower is governing, so that the provisioning can be successful; otherwise, stack sets will fail to launch.
Action to take

Be sure to enable all of your required AWS Security Token Service (STS) endpoint regions before you launch AWS Control Tower.

Currently, AWS Control Tower is supported in the following AWS Regions:

    US East (N. Virginia)

    US East (Ohio)

    US West (Oregon)

    Canada (Central) Region

    Asia Pacific (Sydney)

    Asia Pacific (Singapore) Region

    Europe (Frankfurt) Region

    Europe (Ireland)

    Europe (London) Region

    Europe (Stockholm) Region

    Asia Pacific (Mumbai) Region

    Asia Pacific (Seoul) Region

    Asia Pacific (Tokyo) Region

    Europe (Paris) Region

    South America (São Paulo) Region

AWS Support is probably your best bet in the end.

Sincerely Heiko

HeikoMR
Answered a year ago
