
I'm trying to add a new account (created using Account Factory) in an existing OU, but the enrollment is failing repeatedly. We're getting this error:

"AWS Control Tower could not enroll your account for the following reason: AWS Control Tower setup failed. Be sure your account is subscribed to the AmazonCloudFormation service, then try again. If this error persists, contact AWS Support."

Note: The SSO method was changed to Azure AD after creating the OU and enrolling the first account, which was successful. All these errors are coming after this was changed, so is this the prime reason, and how could I fix it?

On trying to manually enroll the new account, the account is stuck in "Complete Sign-Up Process" and is asking for payment information, which I did not provide for any other account that I created earlier, so this doesn't make sense.

Then we tried to re-register the OU; this led to failed enrollment of both accounts, including the previous one which was enrolled earlier.

Jaskaran Singh Puri


Found some possible solutions.

According to New Account Creation Error from AWS Control Tower, which is a Stack Overflow answer, there are some common causes of account provisioning failure in AWS Control Tower, such as:

• You may be logged in as root. AWS Control Tower does not support creating accounts when you're logged in as root.

• Your SSO user has not been added to the appropriate permission group.

• If you are authenticated as an IAM user, you must add it to the AWS Service Catalog portfolio so that it has the correct permissions.

The answer also provides some links to the official documentation for more details.

According to https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.html, which is the troubleshooting guide for AWS Control Tower, there are some common causes of landing zone launch failure, such as:

• Lack of response to a confirmation email message.

• AWS CloudFormation StackSet failure.

• STS regions not enabled in the management account for all AWS Regions that AWS Control Tower is governing.

The guide also provides some actions to take to resolve these issues.

According to https://docs.aws.amazon.com/controltower/latest/userguide/common-eg-failures.html, which is another troubleshooting guide for AWS Control Tower, there are some common causes of failure during registration or re-registration of an OU or its member accounts, such as:

• Landing zone not ready

• Exceeds maximum number of SCPs

• Conflicting SCPs

• Exceeds stack set quota

• Exceeds account limit

• Pre-checks prevented on accounts

• Email address error

Piyush Patil