How to solve service limit not sufficient error when launching Control Tower in a new AWS Account


Last Updated on June 29, 2022

If you just created an AWS account and tried to set up the Landing Zone via Control Tower in the AWS Management Console, you might encounter this error:

"Your AWS environment is not ready for AWS Control Tower to be set up. AWS Control Tower detected issues with your AWS account environment that prevent successful setup. Your existing service limits for this AWS account are not sufficient for AWS Control Tower to launch. For more information, contact your account manager or AWS Support."

To solve this, launch a free tier EC2 instance (t2.micro) in the region where your AWS Control Tower will be launched. After 20 minutes, terminate the instance. Then try setting up the AWS Landing Zone again: this time the error is gone, and the console asks you for the details needed to launch Control Tower.

Set up Landing Zone page without the AWS Control Tower error
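
The workaround above can be scripted with the AWS CLI so that the instance is launched in the intended region and is always terminated afterwards. This is an added example, not code from the original post; it assumes AWS CLI credentials for the new account and a default VPC in the region, and the function name, tag value and environment variables are made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumes the AWS CLI, credentials
# for the new account, and a default VPC in the target region.
# warmup_account, AMI_PARAM and WAIT_SECONDS are names chosen for this sketch.

# Public SSM parameter that resolves to the latest Amazon Linux 2023 AMI.
AMI_PARAM="/aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64"
WAIT_SECONDS="${WAIT_SECONDS:-1200}"   # 20 minutes, as in the post

warmup_account() {
  local region="$1" ami id rc=0
  [ -n "$region" ] || { echo "usage: warmup_account <region>" >&2; return 2; }

  ami=$(aws ssm get-parameter --region "$region" --name "$AMI_PARAM" \
    --query 'Parameter.Value' --output text) || return 1

  # No key pair is attached, so the throwaway instance has no SSH login.
  id=$(aws ec2 run-instances --region "$region" --image-id "$ami" \
    --instance-type t2.micro --count 1 \
    --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=control-tower-warmup}]' \
    --query 'Instances[0].InstanceId' --output text) || return 1
  [ -n "$id" ] || return 1
  echo "launched $id in $region, waiting ${WAIT_SECONDS}s" >&2

  # If interrupted, still terminate so nothing is left running in the account.
  trap "aws ec2 terminate-instances --region '$region' --instance-ids '$id' >/dev/null; exit 130" INT TERM

  aws ec2 wait instance-running --region "$region" --instance-ids "$id" \
    && sleep "$WAIT_SECONDS" || rc=1

  # Terminate regardless of how the wait went, then confirm it is gone.
  aws ec2 terminate-instances --region "$region" --instance-ids "$id" >/dev/null || rc=1
  aws ec2 wait instance-terminated --region "$region" --instance-ids "$id" || rc=1
  trap - INT TERM

  echo "$id"      # instance ID on stdout, useful for the change record
  return "$rc"
}

# Run only when a region is supplied, e.g. WARMUP_REGION=us-east-1 ./warmup.sh
if [ -n "${WARMUP_REGION:-}" ]; then
  warmup_account "$WARMUP_REGION"
fi
```

The instance ID printed on stdout can be matched against the RunInstances and TerminateInstances events in CloudTrail to confirm that nothing was left running.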

I know the fix is weird. When I told my teammates about this solution, they all looked at me and laughed, thinking that I was joking. After checking the service quotas and limits of the different services related to AWS Control Tower and not finding anything that would hinder the launching of the Landing Zone, they decided to try launching the t2.micro EC2 instance and terminating it after 20 minutes, and it worked!

Note: I was laughing with my teammates. I know how weird it is that doing something totally unrelated to an issue would actually solve that problem.

Note 2: AWS Control Tower does not have a service quota or limit. It uses different AWS services to function.

I found this out when I was doing some reading about AWS Control Tower. Apparently, it’s related to what AWS calls the Security Containment Score.

I tried looking up what this Security Containment Score is in the AWS documentation but failed to find anything about it. From what I can remember, it is something that will stop an AWS account from launching too many resources without the account going through some “process”. Since the AWS account is totally new, the security containment score is low and needs to be upgraded by using other AWS services.

Anyway, if you do encounter something weird in AWS, the best course of action is to submit a technical support request, and they will be able to point you in the right direction. I was lucky this time to remember the solution, but most of the time I go to AWS Support.

I hope this helps. Let me know your experience in the comments below.

