If you’re experiencing issues with your AWS Control Tower setup, especially when it comes to creating backup vaults or working with KMS, the problem often lies with permissions. In particular, the AWSControlTowerExecution role in the target account (like Audit or Log Archive) may not have the right permissions to create the backup vault or interact with the Key Management Service (KMS). Since your deployment uses StackSets, restrictions from Service Control Policies (SCPs) or Permissions Boundaries might be blocking actions, even if you have administrator rights.
Here’s a simple way to troubleshoot and fix this issue:
First, check your Service Control Policies in AWS Organizations. Log into the management account, go to AWS Organizations, and then select Policies. Look for any SCPs that might be denying backup or KMS actions; in particular, search for policies that follow a “Deny-All-Except-Listed-Regions” pattern or use similar language. Make sure there are no policies explicitly blocking actions in the region you’re working in, such as eu-central-1. Keep in mind that an SCP deny applies to every principal in the account, including the AWSControlTowerExecution role, regardless of the permissions attached to the role itself.
Next, review your KMS Key Policy if encryption is enabled for your Control Tower. This policy must allow the cloudformation.amazonaws.com service principal and the AWSControlTowerExecution role to perform actions such as kms:CreateGrant and kms:GenerateDataKey. If these permissions are missing, the deployment cannot create the grants and data keys it needs to encrypt the backup vault.
Finally, check if the AWSControlTowerExecution role has a Permissions Boundary attached that might be restricting its actions. Some organizations attach boundaries to control what roles can do. Ensure that the boundary doesn’t exclude the AWS Backup service or any necessary KMS actions.
Once you’ve updated the SCPs, Key Policies, or Permissions Boundaries, go to your Control Tower Dashboard. Find the Landing Zone Settings and select the Repair option to rerun the deployment. This should resolve the permission issues and allow your backup vaults and KMS interactions to proceed smoothly.
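To make the SCP and key-policy checks above concrete, here is an added Python example (not from the original article) that evaluates a constructed “Deny-All-Except-Listed-Regions” SCP and a constructed KMS key policy against the actions the article names. The account id in the role ARN is a placeholder, and only the aws:RequestedRegion condition key is modelled; any other condition key is assumed to hold so that the check errs toward reporting a deny.

```python
import fnmatch

# Constructed sample SCP following the "deny all except listed regions" pattern;
# note that eu-central-1 is missing from the allowed list.
REGION_SCP = {"Statement": [{
    "Sid": "DenyAllExceptListedRegions", "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}},
}]}

# Constructed sample KMS key policy that grants GenerateDataKey but not CreateGrant.
EXEC_ROLE = "arn:aws:iam::111111111111:role/AWSControlTowerExecution"  # placeholder account id
KEY_POLICY = {"Statement": [{
    "Sid": "AllowControlTower", "Effect": "Allow",
    "Principal": {"AWS": EXEC_ROLE, "Service": "cloudformation.amazonaws.com"},
    "Action": ["kms:GenerateDataKey", "kms:Decrypt"], "Resource": "*",
}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(stmt, action):
    """IAM action patterns are case-insensitive globs; NotAction inverts the match."""
    invert = "NotAction" in stmt
    patterns = _as_list(stmt["NotAction"] if invert else stmt.get("Action", []))
    hit = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit != invert

def _region_condition_holds(stmt, region):
    """Evaluate aws:RequestedRegion under StringEquals/StringNotEquals; any other
    condition key is assumed to hold, so the check errs toward reporting a deny."""
    cond = stmt.get("Condition", {})
    for op, negated in (("StringEquals", False), ("StringNotEquals", True)):
        listed = cond.get(op, {}).get("aws:RequestedRegion")
        if listed is not None and (region in _as_list(listed)) == negated:
            return False
    return True

def scp_denies(scp, action, region):
    """Sids of Deny statements that would block `action` in `region`."""
    return [s.get("Sid", "?") for s in scp["Statement"] if s["Effect"] == "Deny"
            and _action_matches(s, action) and _region_condition_holds(s, region)]

def key_policy_allows(policy, principal, action):
    """True if an Allow statement names `principal` (role ARN or service) and `action`."""
    for s in policy["Statement"]:
        p = s.get("Principal", {})
        names = ["*"] if p == "*" else _as_list(p.get("AWS", [])) + _as_list(p.get("Service", []))
        if s["Effect"] == "Allow" and _action_matches(s, action) and ("*" in names or principal in names):
            return True
    return False
```

Run `scp_denies(REGION_SCP, "backup:CreateBackupVault", "eu-central-1")` to see which statement blocks the vault creation, and `key_policy_allows(KEY_POLICY, EXEC_ROLE, "kms:CreateGrant")` to confirm the missing grant permission.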