DEV Community

Atsushi Suzuki for AWS Community Builders

AWS Control Tower Landing Zone Setup: Troubleshooting Account Limits and KMS Policies

While setting up a multi-account environment and trying to enable AWS Control Tower, I encountered two mysterious errors. Here's how I resolved them.

  • "Account limit reached" error (even though I hadn't reached the limit)
  • CloudFormation deployment failure (KMS key policy related)

Account Limit Error

When enabling Control Tower, it creates a Log Archive account and an Audit account. However, only the Audit account was created, and I got an error saying "Account limit reached" for the Log Archive account.

AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot create an account because you have reached the limit on the number of accounts in your organization.
When I checked Service Quotas, the Default maximum number of accounts was set to 10, but my actual account count was clearly below that (only 3 including the management account).

I couldn't figure out the root cause (which is frustrating), but I resolved it by increasing the Service Quota to 15. Perhaps Control Tower internally reserves some account slots...?

CloudFormation Deployment Failure (KMS Key Policy Related)

Just when I thought I'd resolved the account limit error, I ran into a CloudFormation deployment error.

AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:ap-northeast-1:XXXXXXXX:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/4787d990-8144-11f0-ad99-0625194a54fd. To continue, review the failed stack(s) and try again.
When I opened the CloudFormation console, I saw this:

[Screenshot: CloudFormation console showing the failed stack]

I had configured CloudTrail and Config to use KMS for encryption, but the service principals for these services lacked the permissions they need on the KMS key.

Required Permissions:

  • Config: kms:Decrypt, kms:GenerateDataKey
  • CloudTrail: kms:GenerateDataKey*, kms:Decrypt

So I added the following statements to my KMS key policy:

{
  "Sid": "AllowConfigToUseKms",
  "Effect": "Allow",
  "Principal": { "Service": "config.amazonaws.com" },
  "Action": ["kms:Decrypt","kms:GenerateDataKey"],
  "Resource": "arn:aws:kms:ap-northeast-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
{
  "Sid": "AllowCloudTrailToUseKms",
  "Effect": "Allow",
  "Principal": { "Service": "cloudtrail.amazonaws.com" },
  "Action": ["kms:GenerateDataKey*","kms:Decrypt"],
  "Resource": "arn:aws:kms:ap-northeast-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "Condition": {
    "StringEquals": {
      "aws:SourceArn": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/aws-controltower-BaselineCloudTrail"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"
    }
  }
}
After that, I deleted the failed CloudFormation stack AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER and retried the Control Tower setup. All errors were resolved!
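As an added check that is not part of the original post, here is a small Python linter that reads a KMS key policy document and reports which of the required actions above are still missing for the Config and CloudTrail service principals, honouring wildcard actions such as kms:GenerateDataKey* and explicit Deny statements; it also flags service grants that carry no Condition, since the CloudTrail statement above is scoped by aws:SourceArn while the Config one is not. The account id, key id and both sample policies in it are constructed placeholders.

```python
import fnmatch

ACCOUNT = "111111111111"  # constructed sample account id; the key id below is a placeholder
KEY_ARN = f"arn:aws:kms:ap-northeast-1:{ACCOUNT}:key/PLACEHOLDER-KEY-ID"
REQUIRED = {  # actions each service principal needs on the key, as listed in the post
    "config.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
    "cloudtrail.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"}}
ALL_ACTIONS = set().union(*REQUIRED.values())

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _service_principals(principal):
    # Service principals a statement names; a bare "*" principal means anyone at all.
    return ["*"] if principal == "*" else _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []

def granted_actions(policy, service):
    # Required actions that Allow statements grant `service` (wildcards expanded, names compared
    # case-insensitively as IAM does), minus anything an explicit Deny takes away again.
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        principals = _service_principals(st.get("Principal", {}))
        if service not in principals and "*" not in principals:
            continue
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        hits = {a for a in ALL_ACTIONS if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        (denied if st.get("Effect") == "Deny" else allowed).update(hits)
    return allowed - denied

def missing_permissions(policy):
    # service -> sorted required actions the policy does not grant; empty dict when complete.
    gaps = {svc: sorted(need - granted_actions(policy, svc)) for svc, need in REQUIRED.items()}
    return {svc: acts for svc, acts in gaps.items() if acts}

def unscoped_service_grants(policy):
    # Sids of Allow statements that give a service principal access with no Condition at all.
    return [st.get("Sid", "<no Sid>") for st in _as_list(policy.get("Statement", []))
            if st.get("Effect") == "Allow" and not st.get("Condition")
            and any(p != "*" for p in _service_principals(st.get("Principal", {})))]

# Constructed sample policies: the key's admin statement alone (BEFORE) and the same
# policy plus the two statements the post added (AFTER).
BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootAdmin", "Effect": "Allow", "Action": "kms:*", "Resource": "*",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}
AFTER = {"Version": "2012-10-17", "Statement": BEFORE["Statement"] + [
    {"Sid": "AllowConfigToUseKms", "Effect": "Allow", "Resource": KEY_ARN,
     "Principal": {"Service": "config.amazonaws.com"}, "Action": ["kms:Decrypt", "kms:GenerateDataKey"]},
    {"Sid": "AllowCloudTrailToUseKms", "Effect": "Allow", "Resource": KEY_ARN,
     "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
     "Condition": {"StringEquals": {"aws:SourceArn":
         f"arn:aws:cloudtrail:ap-northeast-1:{ACCOUNT}:trail/aws-controltower-BaselineCloudTrail"}}}]}
```

On a live key, feed it the policy returned by `aws kms get-key-policy --key-id <key-id> --policy-name default` parsed with `json.loads`; `missing_permissions(BEFORE)` reports both services short of both actions, while `missing_permissions(AFTER)` is empty and `unscoped_service_grants(AFTER)` names only the Config statement.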

Conclusion

I'm still puzzled about the root cause of the account limit error. If anyone knows what might have caused it, please let me know!

Top comments (1)

Svetlin Popov

Can you share the full KMS policy?
Thank you