Stack creation fails in AWS Control-Tower enrolled account

Question

We tried creating a Solo stack in a new AWS account provisioned through our AWS Control Tower. This would be our second Solo stack, but the only one in this account. Not being used to everything AWS, I didn't think of creating myself an admin IAM user and launched the Cloud Formation directly from my admin SSO account. Here's what happened while creating the Storage's MountTargets:

CREATE_FAILED: The IAM identity making this call has an IAM policy that is too large. Reduce...

I then realized what was happening and started afresh with a new IAM admin user. But here's what happens, again while creating the Storage:

CREATE_FAILED: Embedded stack arn:aws:cloudformation:us-east-1:<ACCOUNT>:stack/yada-demo-Storage<...> was not successfully created: The following resource(s) failed to create: [DatomicCmk, CatalogTable, FileSystem, LogGroup, LogTable].

I suspect the creation failed because of leftovers that the Cloud Formation wasn't able to remove to replace them.

More precisely, I suspect what's happening is that some of the Control Tower's Guardrails impede the stack (re)creation:

I'm currently cleaning out the leftovers and will try again one more time after that.

If anyone knows anything about this, please share some help! I'll report back with my findings too.

Answer 1

After cleaning out the leftovers from my previous creation attempts, the Cloud Formation succeeded in creating the stack.

I made sure not to schedule the deletion of the KMS key for datomic, as it might impede the re-creation of the stack.

I'm not sure what made it pass this time, but it did.

So if you were wondering like me, it looks like Control Tower's default guardrails are not incompatible with Datomic Cloud.

This was our second stack under AWS Control Tower, but our previous stack had been created in an AWS account prior to its enrollment in the Organization.