1. After decommissioning Control Tower and trying to create it again, the following error occurs and Control Tower cannot be created:
AWS Control Tower failed to set up your landing zone completely: User: arn:aws:sts::123412341234:assumed-role/AWSControlTowerAdmin/AssumeAdminRole is not authorized to perform: organizations:DescribeAccount on resource: arn:aws:organizations::123412341234:account/o-abcdefgh/123412341234 because no identity-based policy allows the organizations:DescribeAccount action
I found the fix for this error in the following article: Recreating IAM service roles to fix a failed AWS Control Tower deployment (medium.com)
In short, the problem appears to be that the managed policy AWSControlTowerServiceRolePolicy was detached from the AWSControlTowerAdmin IAM role during decommissioning. Attaching that policy back to the role resolved the issue.
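To check for and repair the missing policy attachment described above, here is an added shell example (not from the original post) using the AWS CLI. The role name comes from the error message; the managed policy ARN arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy and the sample CLI output are assumptions, and the script only calls AWS when run with --fix.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the
# AWSControlTowerAdmin role still carries the managed policy
# AWSControlTowerServiceRolePolicy, and re-attach it if it is missing.
# Assumes the AWS CLI is configured for the management account.

ROLE_NAME="AWSControlTowerAdmin"
# Assumed ARN of the AWS managed policy named in the post.
POLICY_ARN="arn:aws:iam::aws:policy/service-role/AWSControlTowerServiceRolePolicy"

# Pure check: given the text output of
#   aws iam list-attached-role-policies --role-name "$ROLE_NAME" --output text
# return 0 if the policy ARN is present, 1 otherwise.
policy_attached() {
    printf '%s\n' "$1" | grep -Fq "$POLICY_ARN"
}

# Constructed sample outputs resembling the CLI text format: one for a
# role that lost the policy during decommissioning, one for a healthy role.
SAMPLE_MISSING='ATTACHEDPOLICIES	arn:aws:iam::aws:policy/ReadOnlyAccess	ReadOnlyAccess'
SAMPLE_PRESENT="ATTACHEDPOLICIES	$POLICY_ARN	AWSControlTowerServiceRolePolicy"

# Live repair: query IAM and attach the policy only when it is missing.
ensure_policy() {
    attached=$(aws iam list-attached-role-policies \
        --role-name "$ROLE_NAME" --output text) || return 1
    if policy_attached "$attached"; then
        echo "$POLICY_ARN is already attached to $ROLE_NAME"
    else
        echo "Re-attaching $POLICY_ARN to $ROLE_NAME"
        aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
    fi
}

# Run the live repair only when explicitly requested, so sourcing the
# script or running the offline check has no side effects.
if [ "${1:-}" = "--fix" ]; then
    ensure_policy
fi
```

Run `sh check_ct_role.sh --fix` from a session with IAM permissions on the management account; re-run the Control Tower landing zone setup afterwards.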