We had the same issue when setting up Control Tower with KMS encryption enabled. We found the issue to be that AWS Config could not use the KMS key due to the KMS key resource policy being set up wrong by us when creating the key. When using the policy documented for AWS Config, our issue was that we did not use the correct account as the sourceAccountID. We typed in the Control Tower account id, but what fixed it for us was changing that to the Log Archive account id.
KMS key policy granting Config access to the key (CloudTrail also needs access, as described in the Control Tower doc):

```json
{
  "Id": "Policy_ID",
  "Statement": [
    {
      "Sid": "AWSConfigKMSPolicy",
      "Effect": "Allow",
      "Principal": {
        "Service": "config.amazonaws.com"
      },
      "Action": [
        "kms:Decrypt",
        "kms:GenerateDataKey"
      ],
      "Resource": "<myKMSKeyARN>",
      "Condition": {
        "StringEquals": {
          "AWS:SourceAccount": "<myLogArchiveAccountID>"
        }
      }
    }
  ]
}
```
It sounds like you have encountered an issue with the bucket policy for the logging bucket during the setup of your Control Tower Landing Zone. Here are a few things you can try to diagnose and resolve the issue:
Review the bucket policy: Check the bucket policy for the logging bucket, "aws-controltower-logs-1111111111111-us-west-2", to see if it is incorrect or if there are any issues with the permissions. Verify that the policy allows the necessary permissions for Control Tower to write logs to the bucket.
Check the IAM roles: Verify that the IAM roles used by Control Tower have the necessary permissions to access the logging bucket.
Check the stack set: Review the CloudFormation stack set used by Control Tower to see if there are any issues with the parameters or settings. This can be done in the AWS Systems Manager, under the “StackSets” page.
Check the CloudTrail: Check if there are any CloudTrail logs that might provide more information on the failure, specifically the Control Tower Management Events.
Contact AWS Support: If you are unable to diagnose and resolve the issue, you may want to contact AWS Support for further assistance.
It's important to note that Control Tower is designed to create the necessary resources and policies automatically during the setup process, but in some cases, issues may occur that prevent the setup from completing successfully. If you find out that it's a bug in the Control Tower, please contact AWS Support with the details of the issue, so they can investigate and fix the problem.
Thank you for these recommendations, @jayamaheizengerg, especially about the specific types of events to focus on. In this case Control Tower is responsible for creating all artifacts, including all policies, roles, and resources to which those apply, so I was expecting it all to be created self-consistently. The only artifact I created myself was an encryption key during the Control Tower wizard, and then told it to use that. I'm surprised CT is working for anyone right now for creating the initial "well-architected" org structure. I didn't expect to be debugging CT stacksets as my initiation to AWS.
How does one search CloudTrail for events of type "Control Tower Management"? There are only a few attributes I can search for in CloudTrail / Event History. For example, there are attributes Event name, Event Source, and Resource Type, but none of these have any entries that resemble "Control Tower" or even "Control...".
In the following section: CloudFormation / StackSets / AWSControlTowerBP-BASELINE-CONFIG: StackSet details, there is an instance listed with Detailed Status: FAILED. The Status Reason is given as:
ResourceLogicalId:ConfigDeliveryChannel, ResourceType:AWS::Config::DeliveryChannel, ResourceStatusReason:Insufficient delivery policy to s3 bucket: aws-controltower-logs-..., unable to write to bucket, ... (Service: AmazonConfig; Status Code: 400; Error Code: InsufficientDeliveryPolicyException; Request ID: ...).
Why would ControlTower create a bucket it can't use?
In AWS Systems Manager, there is no page called "StackSets".
I had a similar issue when upgrading from Control Tower 2.9 to 3.1. Just selecting the KMS key encryption option caused the update to fail. (I selected an existing key, thinking Control Tower had obviously created it for this purpose as it had an alias of "ControlTowerV3".) Unselecting the option enabled the update to work but leaves me without customer-managed KMS key encryption for now, and I will check with support if I should be getting Control Tower to create a new key or if I should amend the policy on the existing key...
Hi, I just got this working after enabling encryption to the AWS Control Tower update.

```json
{
  "Sid": "AWSConfigCloudTrailKMSPolicy",
  "Effect": "Allow",
  "Principal": {
    "Service": ["config.amazonaws.com", "cloudtrail.amazonaws.com"]
  },
  "Action": [
    "kms:Decrypt",
    "kms:GenerateDataKey"
  ],
  "Resource": "<KMS_ARN>"
}
```
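The two key-policy fragments in this thread differ in whether they scope the service principals with an aws:SourceAccount condition, and the first answer's mistake was putting the wrong account id in it. The checker below is an added example, not code from any poster or from AWS: it parses a key policy, verifies that both config.amazonaws.com and cloudtrail.amazonaws.com are allowed kms:Decrypt and kms:GenerateDataKey, and flags any SourceAccount value that is not one of the expected accounts (Log Archive, and Audit if you follow the later comment). Account ids are constructed placeholders; `fix_source_account` is a hypothetical helper that rewrites the condition to the Log Archive account.

```python
import json

LOG_ARCHIVE_ACCOUNT = "222222222222"  # constructed placeholder ids, not from the thread
AUDIT_ACCOUNT = "333333333333"
REQUIRED = {"kms:decrypt", "kms:generatedatakey"}  # IAM action names are case-insensitive
SERVICES = ("config.amazonaws.com", "cloudtrail.amazonaws.com")
# Constructed sample reproducing the thread's mistake: management account id in SourceAccount.
WRONG_POLICY = json.dumps({
    "Statement": [{
        "Sid": "AWSConfigKMSPolicy",
        "Effect": "Allow",
        "Principal": {"Service": "config.amazonaws.com"},
        "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
        "Resource": "*",
        "Condition": {"StringEquals": {"AWS:SourceAccount": "111111111111"}},
    }],
})

def _listify(v):  # policy elements may be a single string or a list of strings
    return v if isinstance(v, list) else [v]

def check_key_policy(policy_json, expected_accounts):
    """Return findings; empty means both services get both actions and every
    aws:SourceAccount value is one of expected_accounts (Log Archive, maybe Audit)."""
    findings = []
    for service in SERVICES:
        grants = 0
        for st in json.loads(policy_json).get("Statement", []):
            principal = st.get("Principal", {})
            services = _listify(principal.get("Service", [])) if isinstance(principal, dict) else []
            actions = {a.lower() for a in _listify(st.get("Action", []))}
            if st.get("Effect") != "Allow" or service not in services or not REQUIRED <= actions:
                continue
            grants += 1
            for key, vals in st.get("Condition", {}).get("StringEquals", {}).items():
                for acct in _listify(vals):
                    if key.lower() == "aws:sourceaccount" and acct not in expected_accounts:
                        findings.append(f"{st.get('Sid')}: SourceAccount {acct} is not an expected account")
        if grants == 0:
            findings.append(f"no Allow statement grants kms:Decrypt+GenerateDataKey to {service}")
    return findings

def fix_source_account(policy_json, account_id):
    """Point every aws:SourceAccount condition at account_id (the Log Archive account)."""
    policy = json.loads(policy_json)
    for st in policy.get("Statement", []):
        for cond in st.get("Condition", {}).values():
            for key in [k for k in cond if k.lower() == "aws:sourceaccount"]:
                cond[key] = account_id
    return json.dumps(policy)
```

Running `check_key_policy` on the sample reports the wrong SourceAccount and the missing CloudTrail grant; after `fix_source_account`, only the CloudTrail finding remains, matching the first answer's note that CloudTrail also needs access.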
If the error persists, you'll also need to add permission for AWS Config with sourceAccount as the Audit account. Check my answer.