AWS Control Tower failed to set up your landing zone completely


I decommissioned the landing zone a while back and I am trying to create a new one. I followed the manual cleanup steps as outlined here.

The issue I am having is that I am getting: "AWS Control Tower failed to deploy one or more stack set instances b/c AWSControlTowerExecution role is not authorized to perform: logs:DeleteLogGroup on resource: arn:aws:logs:us-east-1:XXXXXXXXXX:log-group:/aws/lambda/aws-controltower-NotificationForwarder:log-stream: with an explicit deny in a service control policy" and I currently have no SCPs in place other than FullAWSAccess.

When I check the CloudFormation, I see similar complaints about SCPs preventing deletion of certain log groups. I appreciate any insight regarding the issue.

funlu, asked 8 months ago, 337 views
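The message quoted above follows the standard IAM AccessDenied format, which names the principal, the action, the resource and the policy layer that produced the deny. The helper below is an added example (not code from the thread or from AWS) that parses such messages so the right layer is checked first; the sample message is constructed to match the one in the question with the account id masked, and the phrase table only lists the IAM wordings I am sure of, everything else is reported as "unknown".

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, shaped like the error quoted in the question (account id masked).
SAMPLE_ERROR = (
    "AWS Control Tower failed to deploy one or more stack set instances b/c "
    "AWSControlTowerExecution role is not authorized to perform: logs:DeleteLogGroup "
    "on resource: arn:aws:logs:us-east-1:XXXXXXXXXX:log-group:/aws/lambda/"
    "aws-controltower-NotificationForwarder:log-stream: "
    "with an explicit deny in a service control policy"
)

# Phrases IAM appends to AccessDenied messages, mapped to the policy layer to inspect.
DENY_SOURCES = {
    "explicit deny in a service control policy": "scp",
    "explicit deny in an identity-based policy": "identity",
    "explicit deny in a resource-based policy": "resource",
    "no identity-based policy allows": "identity-missing-allow",
}

@dataclass
class Denial:
    principal: str
    action: str
    resource: str
    source: str  # a DENY_SOURCES value, or "unknown"

# Principal is the token before an optional " role"/" user" suffix; resource is optional.
_CORE = re.compile(
    r"(?P<principal>\S+)(?: role| user)? is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)(?: on resource: (?P<resource>\S+))?"
)

def parse_denial(message: str) -> Optional[Denial]:
    """Extract principal, action, resource and the policy layer that denied the call."""
    m = _CORE.search(message)
    if not m:
        return None
    source = next((tag for phrase, tag in DENY_SOURCES.items() if phrase in message), "unknown")
    return Denial(m["principal"], m["action"], m["resource"] or "*", source)

def arn_parts(arn: str) -> dict:
    """Split an ARN into its six fields; the resource field keeps embedded colons."""
    keys = ["arn", "partition", "service", "region", "account", "resource"]
    return dict(zip(keys, arn.split(":", 5)))

if __name__ == "__main__":
    denial = parse_denial(SAMPLE_ERROR)
    print(denial)
    print(arn_parts(denial.resource))
```

A "scp" result means the deny came from an SCP attached somewhere on the path from the organization root through each OU down to the member account itself, so every node on that path needs to be listed, not just the root.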
2 Answers
Did you check the correct organizational units (OUs) or member account? If you go to your management account > AWS Organizations > Policies > Service control policies, what can you see?

answered 8 months ago
  • Yup, I checked the SCPs and it's showing only FullAWSAccess in place both at the root and all child nodes of the org tree.

Try the following:

Add the logs:DeleteLogGroup permission for arn:aws:logs:${region}

abemusa (AWS), answered 8 months ago
  • Attach that action on that resource to what principal? If you mean AWSControlTowerExecution, it already has admin level permissions as created by Control Tower.
