
AWS Control Tower Landing Zone Setup: Troubleshooting Account Limits and KMS Policies

While setting up a multi-account environment and trying to enable AWS Control Tower, I encountered two mysterious errors. Here's how I resolved them.

  • "Account limit reached" error (even though I hadn't reached the limit)
  • CloudFormation deployment failure (KMS key policy related)

Account Limit Error

When enabling Control Tower, it creates a Log Archive account and an Audit account. However, only the Audit account was created, and I got an error saying "Account limit reached" for the Log Archive account.

AWS Control Tower failed to set up your landing zone completely: AWS Control Tower cannot create an account because you have reached the limit on the number of accounts in your organization.

When I checked Service Quotas, the Default maximum number of accounts was set to 10, but my actual account count was clearly below that (only 3 including the management account).


I couldn't figure out the root cause (which is frustrating), but I resolved it by increasing the Service Quota to 15. Perhaps Control Tower internally reserves some account slots...?


CloudFormation Deployment Failure (KMS Key Policy Related)

Just when I thought I'd resolved the account limit error, I ran into a CloudFormation deployment error.

AWS Control Tower failed to set up your landing zone completely: AWS Control Tower failed to deploy stack(s): arn:aws:cloudformation:ap-northeast-1:XXXXXXXX:stack/AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER/4787d990-8144-11f0-ad99-0625194a54fd. To continue, review the failed stack(s) and try again.

When I opened the CloudFormation console, I saw this:


I had configured CloudTrail and Config to use KMS for encryption, but apparently these services lacked the necessary permissions to access the KMS key.

Required Permissions:

  • Config: kms:Decrypt, kms:GenerateDataKey
  • CloudTrail: kms:GenerateDataKey*, kms:Decrypt

So I added the following to my KMS policy:

{
  "Sid": "AllowConfigToUseKms",
  "Effect": "Allow",
  "Principal": { "Service": "config.amazonaws.com" },
  "Action": ["kms:Decrypt","kms:GenerateDataKey"],
  "Resource": "arn:aws:kms:ap-northeast-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
},
{
  "Sid": "AllowCloudTrailToUseKms",
  "Effect": "Allow",
  "Principal": { "Service": "cloudtrail.amazonaws.com" },
  "Action": ["kms:GenerateDataKey*","kms:Decrypt"],
  "Resource": "arn:aws:kms:ap-northeast-1:xxxxxxxxxxxx:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "Condition": {
    "StringEquals": {
      "aws:SourceArn": "arn:aws:cloudtrail:ap-northeast-1:xxxxxxxxxxxx:trail/aws-controltower-BaselineCloudTrail"
    },
    "StringLike": {
      "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:xxxxxxxxxxxx:trail/*"
    }
  }
}

After that, I deleted the failed CloudFormation stack AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER and retried the Control Tower setup. All errors were resolved!
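As an added example (not code from the post or from AWS), here is a small Python pre-flight check that reads a KMS key policy document and reports which of the actions listed above are still missing for config.amazonaws.com and cloudtrail.amazonaws.com. It honours wildcard actions such as kms:GenerateDataKey* and lets a matching Deny statement override an Allow; the sample policy and account id are constructed, and Condition blocks are not evaluated.

```python
import fnmatch

# KMS actions the post identifies as required (constructed example, not Control Tower code).
REQUIRED = {
    "config.amazonaws.com": ["kms:Decrypt", "kms:GenerateDataKey"],
    "cloudtrail.amazonaws.com": ["kms:GenerateDataKey", "kms:Decrypt"],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _service_principals(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("Service", []))

def missing_permissions(policy):
    """Return {service: [missing actions]}. An action is granted when an Allow statement for
    the service (or "*") has a matching Action pattern; a matching Deny statement wins."""
    result = {}
    for service, needed in REQUIRED.items():
        missing = []
        for action in needed:
            allowed = denied = False
            for stmt in policy.get("Statement", []):
                grantees = _service_principals(stmt)
                if service not in grantees and "*" not in grantees:
                    continue
                patterns = _as_list(stmt.get("Action", []))
                if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
                    continue
                allowed |= stmt.get("Effect") == "Allow"
                denied |= stmt.get("Effect") == "Deny"
            if denied or not allowed:
                missing.append(action)
        if missing:
            result[service] = missing
    return result

# Constructed key policy: root admin plus the Config statement, CloudTrail statement missing.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "EnableRootAdmin", "Effect": "Allow", "Resource": "*",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "kms:*"},
    {"Sid": "AllowConfigToUseKms", "Effect": "Allow", "Resource": "*",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"]},
]}
# The CloudTrail statement from the post (conditions omitted, placeholder account).
CLOUDTRAIL_STATEMENT = {"Sid": "AllowCloudTrailToUseKms", "Effect": "Allow",
    "Principal": {"Service": "cloudtrail.amazonaws.com"}, "Resource": "*",
    "Action": ["kms:GenerateDataKey*", "kms:Decrypt"]}
```

Running missing_permissions(SAMPLE_POLICY) reports both CloudTrail actions as missing; appending CLOUDTRAIL_STATEMENT to the policy clears the report.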


Conclusion

I'm still puzzled about the root cause of the account limit error. If anyone knows what might have caused it, please let me know!
