Introduction
As an AWS Community Builder, I was thrilled to receive $500 of AWS credits to build something practical. My vision? Setting up a Trusted Enclaves landing zone pattern with Entra ID integration for AWS access management. Little did I know I was embarking on a journey that would test my patience, troubleshooting skills, and sanity.
Join me on this cautionary tale of what happens when AWS Landing Zone deployment goes sideways.
The Initial Plan
My approach seemed straightforward:
- Use my personal AWS account + $500 Community Builders credit
- Deploy AWS Landing Zone Accelerator with Control Tower as the account creation mechanism
- Apply the Trusted Enclaves configuration
- Connect everything to Entra ID for streamlined access
- Document the process to help fellow builders
Simple, right? Oh, how naïve I was.
Day 1: The Innocent Beginnings
I started by following the AWS Landing Zone Accelerator documentation. First hurdle? Service quotas.
Dear AWS User,
Your service quota increase request for the number of accounts in Organizations
is being processed. This may take up to 12 hours.
Regards,
AWS Support
A 12-hour wait just to increase my account quota. Fine, I can be patient. Little did I know this was just the appetizer to a feast of frustration.
Day 2: Control Tower Dreams and SCP Nightmares
After quota increases cleared, I successfully deployed stage one of the landing zone and then applied the Trusted Enclaves configuration. That's when my troubles truly began.
The configuration attempted to create a new OU and apply a 6th Service Control Policy (SCP) to it. Problem? AWS only allows 5 SCPs per OU by default.
"No problem," I thought. "I'll just remove the direct all-access SCP on the OU to make room."
Narrator: That was, in fact, a problem.
The process progressed further but then became completely wedged. The newly created accounts lost their trust relationships to both the audit account and the master billing account. I spent hours digging through CloudWatch logs trying to understand what went wrong.
I even attempted heroic measures - manually applying new cross-account trust relationships to help reinduct these wayward accounts back into Control Tower. No luck.
Day 3-4: The Clean Slate Approach
After much hair-pulling, I decided to throw everything out and start fresh. But there was a catch - I needed to keep my master billing account to retain that precious $500 credit.
My plan:
- Close all child accounts
- Remove all resources (with help from bash scripts to hunt down and terminate everything)
- Get the master billing account back to pristine condition
- Suspend/close all other accounts
- Try again
But when I attempted the new deployment, I ran into this issue - the Landing Zone Accelerator was detecting my suspended accounts as active accounts and refusing to deploy!
Day 5-6: Account Purgatory
Now I needed those suspended accounts to be unsuspended so I could properly remove them from the organization. Cue another support case and another 24-hour wait.
When the accounts were finally unsuspended, I logged into each one, set up billing information, and tried to leave the organization cleanly (to then close them properly).
The response? An unexplained error. No reason. Just failure.
And so here I am, with another AWS support case open, waiting to understand why these child accounts refuse to leave the organization - like adult children who keep returning to live in your basement.
Lessons Learned (The Hard Way)
- Service Quotas Matter: Request quota increases well in advance of starting deployment.
- SCPs Are Tricky: Understand the SCP limits and how they affect your architecture before modifying them.
- Document Everything: Track every change, error message, and support response. You'll need it to piece together the story later.
- Understand Account Lifecycle: AWS accounts have complex lifecycle states that can affect operations in non-obvious ways.
- Allow More Time Than You Think: What I estimated would take a weekend has stretched into a multi-week saga.
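As an added example (not code from this post or from the Landing Zone Accelerator project), here is a small preflight script in Python that checks the two conditions that derailed this deployment before you apply a configuration: OUs that already have the maximum of 5 SCPs directly attached, and member accounts whose status is not ACTIVE (suspended accounts are still organization members). It operates on the JSON shapes returned by `aws organizations list-policies-for-target` and `aws organizations list-accounts`; the sample data, OU ids and account ids below are constructed placeholders.

```python
"""Preflight checks before applying a landing zone / Trusted Enclaves config.

Input shapes mirror the AWS CLI output of:
  aws organizations list-policies-for-target --target-id <OU> --filter SERVICE_CONTROL_POLICY
  aws organizations list-accounts
The sample data at the bottom is constructed; ids are placeholders.
"""
import json
import subprocess

SCP_LIMIT_PER_TARGET = 5  # max SCPs directly attached to a root, OU or account


def scp_headroom(policies_by_target, limit=SCP_LIMIT_PER_TARGET):
    """Return {target_id: attached_count} for targets with no room for one more SCP."""
    full = {}
    for target, listing in policies_by_target.items():
        count = len(listing["Policies"])
        if count >= limit:
            full[target] = count
    return full


def non_active_accounts(listing):
    """Return [(account_id, status)] for every member that is not ACTIVE.

    Organizations reports ACTIVE, SUSPENDED or PENDING_CLOSURE. A suspended account
    is still a member of the organization, so tooling may still count it.
    """
    return [(a["Id"], a["Status"]) for a in listing["Accounts"] if a["Status"] != "ACTIVE"]


def live_listing(cli_args):
    """Run an `aws organizations ...` command and parse its JSON (needs credentials)."""
    out = subprocess.run(["aws", "organizations", *cli_args],
                         check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


# Constructed sample: one OU already at the limit, one with room, one suspended account.
SAMPLE_POLICIES = {
    "ou-xxxx-placeholder1": {"Policies": [{"Id": f"p-sample{i}"} for i in range(5)]},
    "ou-xxxx-placeholder2": {"Policies": [{"Id": "p-FullAWSAccess"}]},
}
SAMPLE_ACCOUNTS = {"Accounts": [{"Id": "111111111111", "Status": "ACTIVE"},
                                {"Id": "222222222222", "Status": "SUSPENDED"}]}

if __name__ == "__main__":
    for ou, n in scp_headroom(SAMPLE_POLICIES).items():
        print(f"{ou}: {n} SCPs attached, cannot attach another")
    for acct, status in non_active_accounts(SAMPLE_ACCOUNTS):
        print(f"{acct}: {status} (still a member of the organization)")
```

To run it against a real organization, replace the sample dictionaries with `live_listing(["list-accounts"])` and one `live_listing(["list-policies-for-target", "--target-id", ou_id, "--filter", "SERVICE_CONTROL_POLICY"])` call per OU.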
A Question for Fellow Builders
Have you deployed AWS Landing Zone with enhanced security controls? What challenges did you face? I'd love to hear your experiences - misery loves company, after all!