I created a management account and proceeded to create landing zone through control tower. Opted for most default options except KMS encryption with single region. The creation process part succeeded - AWSControlTowerBP-BASELINE-CONFIG-MASTER completed successfully while AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER failed.
Failiure message
Resource handler returned message: "Invalid request provided: Insufficient permissions to access S3 bucket aws-controltower-logs-xxxxxxxx-us-east-1 or KMS key arn:aws:kms:us-east-1:xxxxxxx:key/xxxxxx. (Service: CloudTrail, Status Code: 400
The rollback for the failed stack failed too.
So, I deleted the stack manually and retried the operation.
Now I am with a different error as below.
Resource handler returned message: "User: arn:aws:sts::xxxxxxx:assumed-role/AWSControlTowerAdmin/AssumeAdminRole is not authorized to perform: logs:DeleteLogGroup on resource: arn:aws:logs:us-east-1:xxxxxxxxx:log-group:aws-controltower/CloudTrailLogs:log-stream: because no identity-based policy allows the logs:DeleteLogGroup action (Service: CloudWatchLogs, Status Code: 400
I could try to address these issues one by one. But will the landing zone be ever able to complete successfully now considering it was partially done and I manually deleted the stack? Or should I just delete the root and everything under it and start over?
This worked after I deleted AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER stack.
This was the reason in my case since I have opted in for KMS for encryption