By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

AWS Control Tower failed to set up your landing zone completely

0

I received an error "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account. Add the role to your account if it's not present, and try again." after "Retry" of setting Landing zone.

Control tower decommission was also done previously

Topics
Security, Identity, & ComplianceManagement & Governance
Tags
Security, Identity, & ComplianceAWS Control TowerAWS Organizations
Language
English
rePost-User-1950377
asked a year ago3020 views
2 Answers
2

When you deprivation your landing zone in Control Tower the AWSControlTowerExecution role is removed. However, the organization and the accounts remain. Therefore, in order to set up a new landing zone with Control Tower you must follow these steps.

Preparatory steps to bring an account into the same organization as AWS Control Tower

  1. Drop the account from its existing organization. You must provide a separate payment method if you use this approach
  2. Invite the account to join the AWS Control Tower organization. For more information, see Inviting an AWS account to join your organization in the AWS Organizations User Guide.
  3. Accept the invitation. The account shows up in the root of the organization. This step moves the account into the same organization as AWS Control Tower. and establishes SCPs and consolidated billing.

OR

Steps to fulfill the remaining prerequisites:

  1. Create the necessary AWSControlTowerExecution role.
  2. Clear out the default VPC. (This part is optional. AWS Control Tower doesn't change your existing default VPC.)
  3. Delete or modify any existing AWS Config configuration recorder or delivery channel through the AWS CLI or AWS CloudShell. For more information, see Example AWS Config CLI commands for resource status and Enroll accounts that have existing AWS Config resources

The following YAML template may assist you in creating the required role in an account, so that it can be enrolled programmatically.

AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSControlTowerExecution role to enable use of your
  account as a target account in AWS CloudFormation StackSets.
Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which
      StackSets will be created).
    MaxLength: 12
    MinLength: 12
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSControlTowerExecution
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess

https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html

AWS
abemusa
answered a year ago
0

Hi There

Please double check you have addressed all of the items in Setup after decommissioning a landing zone before retrying.

Are you bringing your own log archive and Audit accounts or is Control Tower creating new ones?

profile pictureAWS
EXPERT
Matt-B
answered a year ago
  • rePost-User-1950377
    a year ago

    I bring ones created by Control Tower in previous set up.

    I tried to close these account the and create new ones but I received "ConstraintViolationException You have exceeded close account quota for the past 30 days. " error

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content