The cost can increase because when you updated Landing Zone, it added newer preventative controls by default.
Your CloudFormation can be in drift because a different process or user might have made changes manually (that is, outside of a Control Tower / Landing Zone update). Find the specific CloudFormation stack and check what exactly fails. From experience, I had issues with Landing Zone updates in multiple regions when those regions do not support the same features consistently. For example, many Config actions are not supported in all regions.
The error you're experiencing after upgrading AWS Control Tower indicates that your landing zone setup is incomplete, specifically with issues related to preventive controls on your Organizational Units (OUs), causing them to be in a state of drift.
This type of issue can occur for several reasons:

- Region configuration issues: Since your home region is Ohio (us-east-2), Control Tower is configuring AWS Config only for member accounts in that region. This can cause conflicts if you have resources or configurations in other regions that Control Tower needs to manage.
- Policy conflicts: There might be conflicts with policies attached to permission sets in IAM Identity Center (formerly AWS SSO) that are not supported by Control Tower. These policies might be restricting Control Tower's ability to apply preventive controls.
- Failed CloudFormation stacks: The upgrade might have left some CloudFormation stacks in a failed state, preventing Control Tower from fully applying preventive controls.
- AWS Config resources: Pre-existing AWS Config resources in certain accounts can interfere with Control Tower's ability to set up its own configuration.

To resolve this issue:

- Check for any failed CloudFormation stacks related to Control Tower (look for stacks with names like "AWSControlTowerBP-*") and delete any that failed or are stuck.
- Review permission sets in IAM Identity Center and detach any custom policies that might be conflicting with Control Tower's requirements.
- Ensure IAM Identity Center is configured in the same region as your Control Tower home region (Ohio in your case).
- If you've made changes to AWS Config manually, this could be causing conflicts. Control Tower expects to manage AWS Config resources itself.
- If the issue persists, you may need to reset your landing zone or contact AWS Support, especially if you have production workloads running in the organization.

Remember that AWS Control Tower does not automatically roll back to a previous landing zone version if an update fails, which can leave your landing zone in an indeterminate state.
Sources
Control Tower Account Enrollment Error | AWS re:Post
ControlTower error after changing the region. | AWS re:Post
Getting "Error AWS Control Tower encountered an error when retrieving the AWS Region configuration" when trying to reset Control Tower version 3.2 | AWS re:Post
Troubleshooting - AWS Control Tower
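Both answers above come down to the same first step: find which Control Tower stacks actually failed, hung, or drifted before deleting anything. The script below is an added example (not from the re:Post thread or from AWS) that triages CloudFormation stack summaries in the shape `list-stacks` returns. The stack names, timestamps and the two-hour "stuck" threshold are constructed for illustration; the `AWSControlTowerBP-` token comes from the answer above, and the `StackSet-` prefix is how CloudFormation names stack-set instances.

```python
"""Triage AWS Control Tower blueprint stacks after a failed landing zone update.

Added example, not the thread's or AWS's own code. It classifies CloudFormation
stack summaries (the shape returned by list_stacks) as failed / stuck / drifted /
update-rolled-back so the blocking stacks can be found before anything is
deleted. The sample data at the bottom is constructed.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Control Tower's stacks carry this token; instances created from its stack sets
# are named "StackSet-AWSControlTowerBP-...-<random>", so search, don't anchor.
CT_STACK_RE = re.compile(r"AWSControlTowerBP-")

# Terminal statuses that mean the last CloudFormation operation did not complete.
FAILED = {
    "CREATE_FAILED", "ROLLBACK_FAILED", "ROLLBACK_COMPLETE", "DELETE_FAILED",
    "UPDATE_FAILED", "UPDATE_ROLLBACK_FAILED",
    "IMPORT_ROLLBACK_FAILED", "IMPORT_ROLLBACK_COMPLETE",
}
# Assumed threshold: an *_IN_PROGRESS stack older than this is treated as stuck.
STUCK_AFTER = timedelta(hours=2)


def classify_stack(summary: dict, now: datetime) -> Optional[str]:
    """Return a triage label for one list_stacks summary, or None if irrelevant."""
    if not CT_STACK_RE.search(summary["StackName"]):
        return None                     # not a Control Tower stack
    status = summary["StackStatus"]
    if status == "DELETE_COMPLETE":
        return None                     # list_stacks keeps these for 90 days
    if status in FAILED:
        return "failed"
    if status == "UPDATE_ROLLBACK_COMPLETE":
        return "update-rolled-back"     # stack usable, but the update never applied
    if status.endswith("_IN_PROGRESS"):
        started = summary.get("LastUpdatedTime") or summary["CreationTime"]
        return "stuck" if now - started > STUCK_AFTER else "in-progress"
    drift = summary.get("DriftInformation", {}).get("StackDriftStatus")
    if drift == "DRIFTED":
        return "drifted"                # changed outside Control Tower
    return "ok"


def triage(summaries: Iterable[dict], now: datetime) -> Dict[str, List[str]]:
    """Group Control Tower stack names by label, omitting healthy and foreign stacks."""
    out: Dict[str, List[str]] = defaultdict(list)
    for s in summaries:
        label = classify_stack(s, now)
        if label not in (None, "ok"):
            out[label].append(s["StackName"])
    return dict(out)


# Constructed sample: what one region's list_stacks output might look like.
SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_STACKS = [
    {"StackName": "StackSet-AWSControlTowerBP-BASELINE-CONFIG-1a2b3c",
     "StackStatus": "CREATE_FAILED", "CreationTime": SAMPLE_NOW - timedelta(days=1)},
    {"StackName": "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-4d5e6f",
     "StackStatus": "UPDATE_IN_PROGRESS", "CreationTime": SAMPLE_NOW - timedelta(days=30),
     "LastUpdatedTime": SAMPLE_NOW - timedelta(hours=5)},
    {"StackName": "StackSet-AWSControlTowerBP-BASELINE-ROLES-7a8b9c",
     "StackStatus": "UPDATE_COMPLETE", "CreationTime": SAMPLE_NOW - timedelta(days=30),
     "DriftInformation": {"StackDriftStatus": "DRIFTED"}},
    {"StackName": "StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-0d1e2f",
     "StackStatus": "UPDATE_ROLLBACK_COMPLETE", "CreationTime": SAMPLE_NOW - timedelta(days=30)},
    {"StackName": "StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-3a4b5c",
     "StackStatus": "DELETE_COMPLETE", "CreationTime": SAMPLE_NOW - timedelta(days=60)},
    {"StackName": "my-app-stack",
     "StackStatus": "CREATE_FAILED", "CreationTime": SAMPLE_NOW - timedelta(days=2)},
    {"StackName": "StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE-6d7e8f",
     "StackStatus": "CREATE_IN_PROGRESS", "CreationTime": SAMPLE_NOW - timedelta(minutes=10)},
]


def sample_triage() -> Dict[str, List[str]]:
    """Run the triage over the constructed sample (no AWS credentials needed)."""
    return triage(SAMPLE_STACKS, SAMPLE_NOW)


def live_triage(regions: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Query each region with boto3 (needs credentials; not used by the sample)."""
    import boto3  # imported here so the pure logic above works without the SDK
    now = datetime.now(timezone.utc)
    result = {}
    for region in regions:
        cfn = boto3.client("cloudformation", region_name=region)
        pages = cfn.get_paginator("list_stacks").paginate()
        summaries = [s for page in pages for s in page["StackSummaries"]]
        result[region] = triage(summaries, now)
    return result


if __name__ == "__main__":
    # Usage: python ct_triage.py us-east-2 us-east-1 ...   (no args: sample data)
    print(live_triage(sys.argv[1:]) if len(sys.argv) > 1 else sample_triage())
```

Run it against every Region your landing zone governs, not only the home Region, since the first answer's point is that a blueprint can succeed in one Region and fail in another. `StackDriftStatus` is only populated after a drift detection has been run on the stack (otherwise it reads `NOT_CHECKED`), so trigger `detect-stack-drift` first if the drifted bucket comes back empty.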

Hi there. Preventive controls are implemented with SCPs and would not cause an increase in AWS Config cost.