Control Tower creation issue

0

Hi, I created a new account and then immediately went to creating Control Tower. Everything seemed to work except I have this error: "AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot deploy the required stack set because the bucket policy for the logging bucket, aws-controltower-logs-642978469219-us-east-1, is incorrect."

I'm not seeing this bucket anywhere. What should I do? And whatever it is, do I do it in Control Tower? Thanks.

Asked 1 year ago, viewed 2237 times
2 answers
3

Hi @rePost-User-7903133:

I got the same error. I forgot to set permissions in KMS using the following instructions: https://docs.aws.amazon.com/en_us/controltower/latest/userguide//kms-guidance.html. After that, I needed to remove two CloudFormation stacks, AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER, and restart the process.

I hope this can help someone.

etoledo
Answered 10 months ago
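The answer above points at the Control Tower KMS guidance: the key used to encrypt the logging bucket must let AWS Config and CloudTrail call it, otherwise the landing zone stack set cannot be deployed. The following is an added example, not code from the thread or from AWS, that checks a KMS key policy document for those grants before you launch Control Tower. The required principals and actions (config.amazonaws.com and cloudtrail.amazonaws.com with kms:Decrypt and kms:GenerateDataKey) are taken as an assumption from that guidance page and should be confirmed against the current version; the two policies embedded below are constructed samples, with the account ID and trail ARN as placeholders.

```python
"""Check a KMS key policy for the grants Control Tower's KMS guidance requires.

Added example, not the thread's or AWS's own code. REQUIRED is an assumption
drawn from the Control Tower KMS guidance page; verify it against current docs.
Conditions on statements are not evaluated here, only principal and action.
"""
import json

# Service principals and KMS actions the guidance expects (assumption).
REQUIRED = {
    "config.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
    "cloudtrail.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(granted, needed):
    """True if the granted action string covers `needed` (case-insensitive, trailing '*' allowed)."""
    g, n = granted.lower(), needed.lower()
    if g == "*":
        return True
    if g.endswith("*"):
        return n.startswith(g[:-1])
    return g == n


def missing_grants(policy):
    """Return {service_principal: set(actions not yet allowed)}; empty dict means all present."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    missing = {svc: set(actions) for svc, actions in REQUIRED.items()}
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # Only explicit service principals count; an "AWS" or "*" principal is not what the guidance asks for.
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action"))
        for svc in services:
            if svc not in missing:
                continue
            for needed in list(missing[svc]):
                if any(_action_matches(a, needed) for a in actions):
                    missing[svc].discard(needed)
    return {svc: acts for svc, acts in missing.items() if acts}


# Constructed sample: key policy with the default admin statement and a Config grant, but no CloudTrail grant.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder account ID
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow Config to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": "*",
        },
    ],
}

# Constructed sample: the same policy with the CloudTrail statement added, scoped to one trail ARN (placeholder).
COMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": INCOMPLETE_POLICY["Statement"] + [
        {
            "Sid": "Allow CloudTrail to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:SourceArn": "arn:aws:cloudtrail:<HOME-REGION>:111122223333:trail/<TRAIL-NAME>"
                }
            },
        }
    ],
}


if __name__ == "__main__":
    # With a live key you would pass the output of kms get-key-policy (a JSON string) instead.
    for name, policy in (("incomplete", INCOMPLETE_POLICY), ("complete", COMPLETE_POLICY)):
        print(name, "missing:", missing_grants(policy) or "nothing")
```

Run it against the JSON returned by `aws kms get-key-policy --key-id <KEY-ID> --policy-name default` (the string form is accepted) to see which of the two service principals still lacks a grant. Scoping the CloudTrail statement with an `aws:SourceArn` condition, as in the complete sample, keeps the key from being usable by trails in other accounts; the checker reports presence of the grant but does not validate that condition.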
0

Hi User,

Very strange behaviour. Normally there should not be a problem when setting up Control Tower. The logging bucket should be located in the "log archive" account which was created with Control Tower. Check out the CloudFormation stack events for more details.

Also check out the documentation; it explains that there could be problems if you immediately create a landing zone with Control Tower in a freshly created account: https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html

Landing Zone Launch Failed

Common causes of landing zone launch failure:

    Lack of response to a confirmation email message.

    AWS CloudFormation StackSet failure.

Confirmation email messages: If your management account is less than an hour old, you may encounter issues when the additional accounts are created.
Action to take

If you encounter this issue, check your email. You might have been sent a confirmation email that is awaiting response. Alternatively, we recommend that you wait an hour, and then try again. If the issue persists, contact AWS Support.

Failed StackSets: Another possible cause of landing zone launch failure is AWS CloudFormation StackSet failure. AWS Security Token Service (STS) regions must be enabled in the management account for all AWS Regions that AWS Control Tower is governing, so that the provisioning can be successful; otherwise, stack sets will fail to launch.
Action to take

Be sure to enable all of your required AWS Security Token Service (STS) endpoint regions before you launch AWS Control Tower.

Currently, AWS Control Tower is supported in the following AWS Regions:

    US East (N. Virginia)

    US East (Ohio)

    US West (Oregon)

    Canada (Central) Region

    Asia Pacific (Sydney)

    Asia Pacific (Singapore) Region

    Europe (Frankfurt) Region

    Europe (Ireland)

    Europe (London) Region

    Europe (Stockholm) Region

    Asia Pacific (Mumbai) Region

    Asia Pacific (Seoul) Region

    Asia Pacific (Tokyo) Region

    Europe (Paris) Region

    South America (São Paulo) Region

AWS Support is probably your best bet in the end.

Sincerely, Heiko

HeikoMR
Answered 1 year ago
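Heiko's advice to check the CloudFormation stack events is where the real reason usually surfaces. As an added example, not part of this thread or of any AWS tooling, the script below triages a stack's event list: once one resource fails, CloudFormation cancels the rest, so the oldest `*_FAILED` event whose reason is not a cancellation is normally the root cause. The events are constructed sample data in the shape of `describe-stack-events` output (the stack name is the one from the answer above; the logical resource IDs are assumed, and the bucket-policy reason reuses the wording from the question).

```python
"""Find the root-cause failure in a CloudFormation stack's event list.

Added example, not from the re:Post thread. SAMPLE_EVENTS is constructed to
look like describe-stack-events output; with boto3 you would instead pass
client.describe_stack_events(StackName=...)["StackEvents"].
"""
from datetime import datetime, timezone

STACK = "AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER"  # stack name quoted in the thread


def _event(seconds, logical_id, rtype, status, reason=None):
    """Build one constructed event dict; seconds offsets give a stable ordering."""
    return {
        "StackName": STACK,
        "Timestamp": datetime(2023, 1, 1, 10, 0, seconds, tzinfo=timezone.utc),
        "LogicalResourceId": logical_id,
        "ResourceType": rtype,
        "ResourceStatus": status,
        "ResourceStatusReason": reason,
    }


# Constructed sample, newest first as the API returns it. Logical IDs are assumptions.
SAMPLE_EVENTS = [
    _event(20, STACK, "AWS::CloudFormation::Stack", "ROLLBACK_IN_PROGRESS",
           "The following resource(s) failed to create: [LoggingBucketPolicy]."),
    _event(15, "BaselineCloudTrail", "AWS::CloudTrail::Trail", "CREATE_FAILED",
           "Resource creation cancelled"),
    _event(12, "LoggingBucketPolicy", "AWS::S3::BucketPolicy", "CREATE_FAILED",
           "the bucket policy for the logging bucket, aws-controltower-logs-642978469219-us-east-1, is incorrect"),
    _event(10, "BaselineCloudTrail", "AWS::CloudTrail::Trail", "CREATE_IN_PROGRESS"),
    _event(5, "LoggingBucketPolicy", "AWS::S3::BucketPolicy", "CREATE_IN_PROGRESS"),
    _event(0, STACK, "AWS::CloudFormation::Stack", "CREATE_IN_PROGRESS", "User Initiated"),
]

# Reasons CloudFormation attaches to resources it gave up on because of an earlier failure.
CASCADE_REASONS = ("Resource creation cancelled", "Resource update cancelled")


def failed_events(events):
    """All *_FAILED events, oldest first, so the cascade reads in causal order."""
    failed = [e for e in events if e["ResourceStatus"].endswith("_FAILED")]
    return sorted(failed, key=lambda e: e["Timestamp"])


def root_cause(events):
    """(LogicalResourceId, reason) of the earliest non-cascade failure, or None if nothing failed."""
    failed = failed_events(events)
    for e in failed:
        reason = e.get("ResourceStatusReason") or ""
        if not reason.startswith(CASCADE_REASONS):
            return e["LogicalResourceId"], reason
    # Every failure is a cancellation: report the oldest one rather than nothing.
    return (failed[0]["LogicalResourceId"], failed[0].get("ResourceStatusReason") or "") if failed else None


if __name__ == "__main__":
    for e in failed_events(SAMPLE_EVENTS):
        print(e["Timestamp"].isoformat(), e["LogicalResourceId"], e["ResourceStatus"], e["ResourceStatusReason"])
    print("root cause:", root_cause(SAMPLE_EVENTS))
```

The same walk applies to the nested stacks and StackSet instances Control Tower creates in the management and log archive accounts; the failing resource's type (here an S3 bucket policy) tells you which account's console to open next.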
