AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account.


Hi all, I got this issue when setting up Control Tower: "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower is not authorized to baseline the VPC in the enrolled account."

Firstly, I tried adding all the required permissions and tried again, but it still failed. Then I removed all the relevant settings and policies and retried, but it still failed. When I click Retry, it shows more error messages, below:

"AWS Control Tower could not update your landing zone at this time. Retry updating your landing zone for access to AWS Control Tower. If the problem persists, contact AWS Support."


"Error Failed to assume role arn:aws:iam::3084000xxxxx:role/service-role/AWSControlTowerAdmin"

For the assume-role error, I've created and manually added all the required permissions, but it still failed.

Please share your experience on this issue. I'm stuck now.

AWS Control Tower doesn't support the AWS default VPC. Deploying one causes the account to enter a Tainted state. When it is in that state, you cannot update the account through AWS Service Catalog. You must delete the default VPC that you added, and then you will be able to update the account.
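The cleanup the answer describes, as an added example that is not part of the original thread or of AWS's own tooling. A default VPC cannot be deleted in one call: its subnets must go first and the internet gateway must be detached before it can be deleted, so the script builds that ordered plan and then executes it with the AWS CLI. It assumes AWS CLI v2 is installed, that the current credentials belong to a role in the enrolled (member) account rather than the management account, and that the region argument and the DRY_RUN variable are the caller's to set; the resource IDs it prints come from the account, nothing is hard-coded.

```shell
#!/bin/sh
# Added example (not from the original thread): remove the default VPC that
# left a Control Tower enrolled account in the Tainted state, so the account
# can be updated through Service Catalog again.
# Assumes: AWS CLI v2 on PATH, credentials for a role IN THE ENROLLED ACCOUNT
# (e.g. via AWS_PROFILE), and a region passed as the first argument.

# Emit the ordered CLI commands needed to remove a VPC and its EC2 dependencies.
# Order matters: subnets first, detach the internet gateway before deleting it,
# and the VPC itself last. Default route table / NACL / security group are
# removed together with the VPC, so they need no separate step.
# Arguments: $1 VPC id, $2 space-separated subnet ids, $3 space-separated IGW ids
plan_vpc_cleanup() {
  vpc=$1; subnets=$2; igws=$3
  for s in $subnets; do
    echo "aws ec2 delete-subnet --subnet-id $s"
  done
  for g in $igws; do
    echo "aws ec2 detach-internet-gateway --internet-gateway-id $g --vpc-id $vpc"
    echo "aws ec2 delete-internet-gateway --internet-gateway-id $g"
  done
  echo "aws ec2 delete-vpc --vpc-id $vpc"
}

# Look up the default VPC in one region and run the plan against it.
# DRY_RUN=1 prints the commands instead of executing them.
delete_default_vpc() {
  region=$1
  # Guard against running in the wrong account: print who we are first.
  echo "caller: $(aws sts get-caller-identity --query Arn --output text)" >&2
  vpc=$(aws ec2 describe-vpcs --region "$region" \
          --filters Name=isDefault,Values=true \
          --query 'Vpcs[0].VpcId' --output text)
  if [ -z "$vpc" ] || [ "$vpc" = "None" ]; then
    echo "no default VPC in $region" >&2
    return 0
  fi
  subnets=$(aws ec2 describe-subnets --region "$region" \
              --filters Name=vpc-id,Values="$vpc" \
              --query 'Subnets[].SubnetId' --output text)
  igws=$(aws ec2 describe-internet-gateways --region "$region" \
           --filters Name=attachment.vpc-id,Values="$vpc" \
           --query 'InternetGateways[].InternetGatewayId' --output text)
  plan_vpc_cleanup "$vpc" "$subnets" "$igws" | while read -r cmd; do
    if [ "${DRY_RUN:-0}" = "1" ]; then
      echo "$cmd --region $region"
    else
      echo "+ $cmd --region $region" >&2
      $cmd --region "$region"
    fi
  done
}

# Run only when a region is given, e.g.:
#   DRY_RUN=1 sh delete-default-vpc.sh us-east-1   (review the plan)
#   sh delete-default-vpc.sh us-east-1             (execute it)
if [ $# -ge 1 ]; then
  delete_default_vpc "$1"
fi
```

Check the caller ARN it prints before letting it execute: the account ID must be the enrolled account, not the management account. If anything else was launched into the default VPC (instances, ENIs, non-default security groups), `delete-vpc` fails with a DependencyViolation and those resources must be removed first; the script deliberately does not try to delete resources it did not enumerate. Once the VPC is gone, re-run the account update from Service Catalog as the answer describes.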

