

# Decommission an AWS Control Tower landing zone
<a name="decommission-landing-zone"></a>

AWS Control Tower allows you to set up and govern secure multi-account AWS environments, known as landing zones. The process of cleaning up all of the resources allocated by AWS Control Tower is referred to as *decommissioning* a landing zone. 

If you no longer want to use AWS Control Tower, the automated decommissioning tool cleans up the resources allocated by AWS Control Tower. To begin the automated decommissioning process, navigate to the **Landing Zone Settings** page, select the decommission tab, and choose **Decommission landing zone**.

For a list of actions performed during decommissioning, see [Overview of the decommissioning process](decommissioning-process-overview.md).

**Warning**  
Manually deleting all of your AWS Control Tower resources is not the same as decommissioning. It will not allow you to set up a new landing zone.

Your data and your existing AWS Organizations organization are not changed by the decommissioning process. Note the following:
+ AWS Control Tower does not remove your data; it removes only the parts of the landing zone that it created.
+ After the decommissioning process is complete, a few resource artifacts remain, such as Amazon S3 buckets and Amazon CloudWatch Logs log groups. These resources must be deleted manually before you set up another landing zone, and to avoid possible costs associated with maintaining certain resources.
+ You can’t use automated decommissioning to remove a landing zone that’s partially set up. If your landing zone setup process fails, you must resolve the failure state and set it up all the way to make automated decommissioning possible, or you must manually delete the resources individually.

*Decommissioning a landing zone is a process with significant consequences, and it cannot be undone.* The decommissioning actions taken by AWS Control Tower and the artifacts that remain after decommissioning are described in the following sections.

**Important**  
We strongly recommend that you perform this decommissioning process only if you intend to stop using your landing zone. It is not possible to re-create your existing landing zone after you've decommissioned it.

# Overview of the decommissioning process
<a name="decommissioning-process-overview"></a>

When you request decommissioning of your landing zone, AWS Control Tower performs the following actions.
+ Disables each detective control enabled in the landing zone. AWS Control Tower deletes the CloudFormation resources supporting the control.
+ Disables each preventive control by removing service control policies (SCPs) from AWS Organizations. If a policy is empty (which it should be after removing all SCPs managed by AWS Control Tower), AWS Control Tower detaches and deletes the policy entirely.
+ Deletes all blueprints deployed as CloudFormation StackSets.
+ Deletes all blueprints deployed as CloudFormation Stacks across all Regions.
+ For each provisioned account, AWS Control Tower performs the following actions during the decommissioning process.
  + Deletes records of each account factory account. 
  + Revokes the AWS Control Tower permissions to the account by removing the IAM role that AWS Control Tower created (unless additional policies have been added to it) and recreates the standard `OrganizationsFullAccessRole` IAM role.
  + Removes records of the account from AWS Service Catalog.
  + Removes the account factory product and portfolio from AWS Service Catalog.
+ Deletes the blueprints for the shared (Audit and Log Archive) accounts. 
+ Revokes the AWS Control Tower permissions from the shared accounts by removing the IAM role that AWS Control Tower created (unless additional policies have been added to it) and recreates the `OrganizationsFullAccessRole` IAM role.
+ Deletes records related to the shared accounts.
+ Deletes records related to customer-created OUs.
+ Deletes internal records that identify the home Region.

**Note**  
After decommissioning, you may wish to remove the Account Factory VPC blueprint (`BP_ACCOUNT_FACTORY_VPC`) to clean up the routes and NAT gateways, if your VPC was not empty. 

# How to decommission a landing zone
<a name="how-to-decommission"></a>

To decommission your AWS Control Tower landing zone from the console, follow the procedure given here.

**Note**  
We recommend that you unmanage your enrolled accounts prior to decommissioning.

1. Navigate to the **Landing Zone Settings** page in the AWS Control Tower console.

1. Choose **Decommission your landing zone** within the **Decommission your landing zone** section.

1. A dialog appears, explaining the action you are about to perform, with a required confirmation process. To confirm your intent to decommission, you must select every box and type the confirmation as requested.
**Important**  
*The decommissioning process cannot be undone.*

1. If you confirm your intent to decommission your landing zone, you are redirected to the AWS Control Tower home page while decommissioning is in progress. The process may require up to two hours.

1. When decommissioning has succeeded, you must delete remaining resources manually before setting up a new landing zone from the AWS Control Tower console. These remaining resources include some specific Amazon S3 buckets, organizations, and CloudWatch Logs log groups.
**Note**  
*These actions may have significant consequences for your billing and compliance activities. For example, failure to delete these resources can result in unexpected charges.*

    For more information about how to delete resources manually, see [About removing AWS Control Tower resources](walkthrough-delete.md#manual-decommissioning).

1. If you intend to set up a new landing zone in a new AWS Region, follow this additional step. Enter the following command through the CLI: 

   ```
   aws organizations disable-aws-service-access --service-principal controltower.amazonaws.com
   ```

# Decommission your landing zone with APIs
<a name="lz-api-decommission"></a>

The process of cleaning up all of a landing zone's resources is referred to as *decommissioning* a landing zone.

**Important**  
We strongly recommend that you perform this decommissioning process only if you intend to stop using your landing zone. It is not possible to re-create your existing landing zone after you've decommissioned it.

For more details about decommissioning a landing zone, including important information about how AWS Control Tower handles your data and existing AWS Organizations, review [Decommission an AWS Control Tower landing zone](decommission-landing-zone.md). 

To decommission a landing zone, call the `DeleteLandingZone` API. This API returns an `OperationIdentifier`, which you can then pass to the `GetLandingZoneOperation` API to check the status of the delete operation.

```
aws controltower delete-landing-zone --landing-zone-identifier "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H"
```

**Output**: 

```
{
   "operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"
}
```
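The call-and-poll sequence described above, as an added example that is not part of the AWS documentation: it assumes a boto3 `controltower` client (`delete_landing_zone`, `get_landing_zone_operation`) used with management-account credentials in the home Region, and the `FakeControlTowerClient` is a constructed stand-in so the block runs offline.

```python
import time

# GetLandingZoneOperation reports one of these once the delete has finished.
TERMINAL_STATUSES = {"SUCCEEDED", "FAILED"}


def start_decommission(client, landing_zone_arn):
    """Call DeleteLandingZone and return the operationIdentifier it hands back."""
    resp = client.delete_landing_zone(landingZoneIdentifier=landing_zone_arn)
    return resp["operationIdentifier"]


def wait_for_operation(client, operation_id, poll_seconds=60,
                       timeout_seconds=3 * 3600, sleep=time.sleep):
    """Poll GetLandingZoneOperation until the status is SUCCEEDED or FAILED.

    Decommissioning can take up to two hours, so the default timeout is set
    above that. Returns the final operationDetails dict, or raises
    TimeoutError if the operation is still running at the deadline.
    """
    waited = 0
    while True:
        resp = client.get_landing_zone_operation(operationIdentifier=operation_id)
        details = resp["operationDetails"]
        if details.get("status") in TERMINAL_STATUSES:
            return details
        if waited >= timeout_seconds:
            raise TimeoutError(
                f"operation {operation_id} still {details.get('status')} after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


def decommission(client, landing_zone_arn, **wait_kwargs):
    """Start the delete and block until it finishes; raise if it did not succeed.

    Treating FAILED as an error keeps a caller from moving on to the manual
    cleanup steps while the landing zone is only partially removed.
    """
    operation_id = start_decommission(client, landing_zone_arn)
    details = wait_for_operation(client, operation_id, **wait_kwargs)
    if details["status"] != "SUCCEEDED":
        raise RuntimeError(
            f"decommission {operation_id} ended {details['status']}: "
            f"{details.get('statusMessage', 'no status message')}")
    return operation_id, details


class FakeControlTowerClient:
    """Constructed stand-in for boto3.client("controltower") so the block runs offline.

    It reports IN_PROGRESS for a number of polls and then the final status,
    mirroring the shape of the real responses.
    """

    def __init__(self, polls_until_done=3, final_status="SUCCEEDED"):
        self.polls_until_done = polls_until_done
        self.final_status = final_status
        self.polls = 0
        self.deleted = []

    def delete_landing_zone(self, landingZoneIdentifier):
        self.deleted.append(landingZoneIdentifier)
        # Placeholder identifier in the same form as the documentation's sample output.
        return {"operationIdentifier": "55XXXXXX-e2XX-41XX-a7XX-446XXXXXXXXX"}

    def get_landing_zone_operation(self, operationIdentifier):
        self.polls += 1
        done = self.polls >= self.polls_until_done
        status = self.final_status if done else "IN_PROGRESS"
        return {"operationDetails": {"operationType": "DELETE", "status": status,
                                     "statusMessage": "simulated"}}


if __name__ == "__main__":
    # Real use: client = boto3.client("controltower", region_name="<home-region>")
    # with management-account credentials. Here the fake client stands in and
    # sleep is replaced so the demo returns immediately.
    sample_arn = "arn:aws:controltower:us-west-2:123456789012:landingzone/1A2B3C4D5E6F7G8H"
    op_id, result = decommission(FakeControlTowerClient(), sample_arn, sleep=lambda s: None)
    print(op_id, result["status"])
```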

# Manual cleanup tasks required after decommissioning
<a name="manual-cleanup-required"></a>

This section lists manual cleanup tasks you must perform after the initial decommissioning step.
+ You must specify different email addresses for the Log archive and Audit accounts if you create a new landing zone after decommissioning one, or follow the procedure for bringing your own existing Log archive or Audit accounts.
+ The CloudWatch Logs log group, `aws-controltower/CloudTrailLogs`, must be deleted manually before you set up another landing zone.
+ The two Amazon S3 buckets with reserved names for logs must be removed, or renamed, manually.
+ You must delete, or rename, the existing **Security** and **Sandbox** organizational units manually.
**Note**  
Before you can delete the AWS Control Tower **Security OU**, you must first delete the logging and audit accounts, but not the management account. To delete these accounts, you must [sign in as the root user](root-login.md) to the audit account and to the logging account and delete them individually.
+ You may wish to delete the AWS IAM Identity Center (IAM Identity Center) configuration for AWS Control Tower manually, but you can proceed with the existing IAM Identity Center configuration.
+ You may wish to remove the VPC created by AWS Control Tower, and remove the associated AWS CloudFormation stack set.
+ Before you can set up a new landing zone in a new AWS Region, you must follow these additional steps. 
  + Enter the following command through the CLI:

    ```
    aws organizations disable-aws-service-access --service-principal controltower.amazonaws.com
    ```
  + Delete the remaining managed rule, called `AWSControlTowerManagedRule`, from the shared and member accounts for all governed Regions. `AWSControlTowerManagedRule` is an Amazon EventBridge rule. 

# Resources not removed during decommissioning
<a name="resources-not-removed"></a>

Decommissioning a landing zone does not fully reverse the AWS Control Tower setup process. Certain resources remain, which may be removed manually.

**AWS Organizations**

For customers without an existing AWS Organizations organization, AWS Control Tower sets up an organization with one or more organizational units (OUs): the designated **Security OU** and, optionally, the **Sandbox OU**. When you decommission your landing zone, the hierarchy of the organization is preserved, as follows:
+ Organizational Units (OUs) you created from the AWS Control Tower console are not removed.
+ The Security and Sandbox OUs are not removed.
+ The organization is not deleted from AWS Organizations.
+ No accounts in AWS Organizations (shared, provisioned, or management) are moved or removed.

**AWS IAM Identity Center (SSO)**

For customers without an existing IAM Identity Center directory, AWS Control Tower sets up IAM Identity Center and configures an initial directory. When you decommission your landing zone, AWS Control Tower makes no changes to IAM Identity Center. If needed, you can delete the IAM Identity Center information stored in your management account manually. In particular, these areas are unchanged by decommissioning:
+ Users created with Account Factory are not removed.
+ Groups created by AWS Control Tower setup are not removed.
+ Permission sets created by AWS Control Tower are not removed.
+ Associations between AWS accounts and IAM Identity Center permission sets are not removed.
+ IAM Identity Center directories are not changed. 
+ These IAM Identity Center policies for AWS Control Tower are not removed:
  + `AWSControlTowerAdminPolicy`
  + `AWSControlTowerCloudTrailRolePolicy`
  + `AWSControlTowerStackSetRolePolicy`

**Roles**

During setup, AWS Control Tower creates certain roles for you if you use the console, or it asks you to create these roles if you set up your landing zone through the APIs. When you decommission your landing zone, the following roles are not removed:
+ `AWSControlTowerAdmin`
+ `AWSControlTowerCloudTrailRole`
+ `AWSControlTowerStackSetRole`
+ `AWSControlTowerConfigAggregatorRoleForOrganizations`

**Note**  
The `AWSControlTowerExecution` role in member accounts is deleted when the landing zone is deleted, whether AWS Control Tower created the role on your behalf or you created the role manually. However, if you have attached additional policies to this role, or modified the policies attached to it, AWS Control Tower may be unable to delete the role during landing zone deletion. In such cases, the landing zone deletion succeeds, but the role is retained in your member account.

**Amazon S3 Buckets**

During setup, AWS Control Tower creates buckets in the log archive account for AWS CloudTrail and in the config central aggregator account for AWS Config integration. AWS Control Tower creates buckets for logging and for logging access in each of these accounts. When you decommission your landing zone, the following resources are not removed:
+ Logging and logging access S3 buckets in the log archive account are not removed.
+ Logging and logging access S3 buckets in the config central aggregator account are not removed.
+ Contents of the logging and logging access buckets in each of these accounts are not removed.

**Service Integration Accounts**

AWS Control Tower requires each service integration configuration to have a central account. Depending on the landing zone version, this account may or may not be created during AWS Control Tower setup. When you decommission your landing zone:
+ Service integration accounts that were created during AWS Control Tower setup are not closed.
+ The `OrganizationAccountAccessRole` IAM role is recreated to align with standard AWS Organizations configuration.
+ The `AWSControlTowerExecution` role is removed.

**Provisioned Accounts**

AWS Control Tower customers can use account factory to create new AWS accounts. When you decommission your landing zone:
+ Provisioned accounts you created with Account Factory are not closed.
+ Provisioned products in AWS Service Catalog are not removed. If you clean those up by terminating them, their accounts are moved into the **Root OU**.
+ The VPC that AWS Control Tower created is not removed, and the associated AWS CloudFormation stack set (`BP_ACCOUNT_FACTORY_VPC`) is not removed. 
+ The `OrganizationAccountAccessRole` IAM role is recreated to align with standard AWS Organizations configuration.
+ The `AWSControlTowerExecution` role is removed.

**CloudWatch Logs Log Group**

+ A CloudWatch Logs log group, `aws-controltower/CloudTrailLogs`, is created as part of the blueprint named `AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER`. This log group is not removed. Instead, the blueprint is deleted and the resources are retained.

**Note**  
Customers on landing zone 3.0 and later do not need to delete their individual enrolled account’s CloudTrail logs and CloudTrail logs roles, because these are created in the management account only, for the organization-level trail.  
Beginning with landing zone version 3.2, AWS Control Tower creates an Amazon EventBridge rule, called `AWSControlTowerManagedRule`. This rule is created in each member account, for all governed Regions. The rule is not deleted automatically during decommissioning, so you must delete it manually from the service integration accounts and member accounts for all governed Regions before you can set up a landing zone in a new Region.

Procedures for how to delete AWS Control Tower resources are given in [Remove AWS Control Tower resources](walkthrough-delete.md).

# Remove AWS Control Tower resources
<a name="walkthrough-delete"></a>

This document provides instructions for how to remove AWS Control Tower resources individually, as part of regular maintenance and administrative tasks. The procedures given in this chapter are intended only for removing individual resources, or a few resources, when needed. It is not the same as decommissioning your landing zone.

**Two types of tasks may require you to remove resources:**
+ To delete resources as you manage your landing zone in ordinary situations.
+ To clean up resources that remain after automated decommissioning.

**Warning**  
Manually removing resources will not allow you to set up a new landing zone. It is not the same as decommissioning. If you intend to decommission your AWS Control Tower landing zone, follow the instructions on [Decommission an AWS Control Tower landing zone](decommission-landing-zone.md) before you take any actions described in this chapter. The instructions in this chapter can help you clean up resources that remain after automated decommissioning is complete. Even if you delete all of your landing zone resources manually, it is not the same as decommissioning the landing zone, and you may incur unexpected charges.

If you need to remove an account from AWS Control Tower, see the following sections to close an account:
+ [Unmanage an account](https://docs.aws.amazon.com/controltower/latest/userguide/unmanage-account.html)
+ [Close an account created in Account Factory](https://docs.aws.amazon.com/controltower/latest/userguide/delete-account.html)

## Do I need decommissioning instead of deleting?
<a name="about-decommissioning"></a>

If you no longer intend to use AWS Control Tower for your enterprise, or if you require a major redeployment of your organizational resources, you may want to decommission the resources created when you initially set up your landing zone.
+ After the decommissioning process is complete, a few resource artifacts remain, such as Amazon S3 buckets and Amazon CloudWatch Logs log groups.
+ You must clean up the remaining resources in your accounts manually before you set up another landing zone, and to avoid the possibility of unexpected charges. For more information, see [Resources not removed during decommissioning](resources-not-removed.md).

**Warning**  
We strongly recommend that you perform a decommissioning process *only if* you intend to stop using your landing zone. This process cannot be undone.

## About removing AWS Control Tower resources
<a name="manual-decommissioning"></a>

The individual procedures in this chapter guide you through manual methods of removing AWS Control Tower resources. These procedures can be followed when you need to delete a specific resource from your landing zone.

Before performing these procedures, unless it's otherwise indicated, you must be signed in to the AWS Management Console in the home Region for your landing zone, and you must be signed in as an IAM user or user in IAM Identity Center with administrative permissions for the management account that contains your landing zone.

**Warning**  
These are destructive actions that can introduce governance drift into your AWS Control Tower setup. They cannot be undone.

**Topics**
+ [Do I need decommissioning instead of deleting?](#about-decommissioning)
+ [About removing AWS Control Tower resources](#manual-decommissioning)
+ [Delete SCPs](controltower-walkthrough-delete-scps.md)
+ [Delete StackSets and Stacks](controltower-walkthrough-delete-stacksets.md)
+ [Delete Amazon S3 Buckets in the Log Archive Account](controltower-walkthrough-delete-s3-buckets.md)
+ [Remove an Account Factory Portfolio and Product](controltower-walkthrough-cleanup-account-factory.md)
+ [Remove AWS Control Tower Roles and Policies](controltower-walkthrough-cleanup-identity.md)
+ [AWS Control Tower resource help](#control-tower-cleanup-help)

# Delete SCPs
<a name="controltower-walkthrough-delete-scps"></a>

AWS Control Tower uses service control policies (SCPs) for its controls. This procedure walks through how to delete the SCPs specifically related to AWS Control Tower.

**To delete AWS Organizations SCPs**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. Open the **Policies** tab, and find the Service Control Policies (SCPs) that have the prefix **aws-guardrails-** and do the following for each SCP:

   1. Detach the SCP from the associated OU.

   1. Delete the SCP.

# Delete StackSets and Stacks
<a name="controltower-walkthrough-delete-stacksets"></a>

AWS Control Tower uses StackSets and stacks to deploy AWS Config Rules related to controls in your landing zone. The following procedures walk through how to delete these specific resources.

**To delete CloudFormation StackSets**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the left navigation menu, choose **StackSets**.

1. For each StackSet with the prefix **AWSControlTower**, do the following. If you have many accounts in a StackSet, this can take some time.

   1. Choose the specific StackSet from the table in the dashboard. This opens the properties page for that StackSet.

   1. At the bottom of the page, in the **Stacks** table, make a record of the AWS account IDs for all the accounts in the table. Copy the list of all accounts.

   1. From **Actions**, choose **Delete stacks from StackSet**.

   1. On **Set deployment options**, from **Deployment locations**, choose **Deploy stacks in accounts**.

   1. In the text field, enter the AWS account IDs you made a record of in step 3.b, separated by commas. For example: *123456789012*, *098765431098*, and so on.

   1. From **Specify regions**, choose **Add all**, leave the rest of the parameters on the page set to their defaults, and choose **Next**.

   1. On the **Review** page, review your choices, and then choose **Delete stacks**.

   1. On the **StackSet properties** page, you can begin this procedure again for your other StackSets.

1. The process is complete when the records in the **Stacks** table of the different **StackSets properties** pages are empty.

1. When the records in the **Stacks** table are empty, choose **Delete StackSet**.

**To delete CloudFormation stacks**

1. Open the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. From the **Stacks** dashboard, search for all of the stacks with the prefix **AWSControlTower**.

1. For each stack in the table, do the following:

   1. Choose the check box next to the name of the stack.

   1. From the **Actions** menu, choose **Delete Stack**.

   1. In the dialog box that opens, review the information to make sure it's accurate, and choose **Yes, Delete**.

# Delete Amazon S3 Buckets in the Log Archive Account
<a name="controltower-walkthrough-delete-s3-buckets"></a>

The following procedures guide you through how to sign in to the log archive account as an IAM Identity Center user in the **AWSControlTowerExecution** group and then delete the Amazon S3 buckets in your log archive account.

**To sign in to your log archive account with the right permissions**

1. Open the Organizations console at [https://console.aws.amazon.com/organizations/](https://console.aws.amazon.com/organizations/).

1. From the **Accounts** tab, find the **Log archive** account.

1. From the right pane that opens, make a record of the log archive account number.

1. From the navigation bar, choose your account name to open your account menu.

1. Choose **Switch Role**.

1. On the page that opens, provide the account number for the log archive account in **Account**.

1. For **Role**, enter **AWSControlTowerExecution**.

1. The **Display Name** populates with text.

1. Choose your favorite **Color**.

1. Choose **Switch Role**.

**To delete Amazon S3 buckets**

1. Open the Amazon S3 console at [https://console.aws.amazon.com/s3/](https://console.aws.amazon.com/s3/).

1. Search for bucket names that contain **aws-controltower**.

1. For each bucket in the table, do the following:

   1. Choose the check box for the bucket in the table.

   1. Choose **Delete**.

   1. In the dialog box that opens, review the information to make sure it's accurate, enter the name of the bucket to confirm, and then choose **Confirm**.

# Remove an Account Factory Portfolio and Product
<a name="controltower-walkthrough-cleanup-account-factory"></a>

The following procedure guides you through how to sign in as an IAM Identity Center user in the **AWSServiceCatalogAdmins** group and then clean up your Account Factory portfolio and products.

**To sign in to your management account with the right permissions**

1. Go to your user portal URL at *directory-id*.awsapps.com/start

1. From **AWS Account**, find the **Management** account.

1. From **AWSServiceCatalogAdminFullAccess**, choose **Management console** to sign in to the AWS Management Console as this role.

**To clean up Account Factory**

1. Open the Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/).

1. From the left navigation menu, choose **Portfolios list**.

1. In the **Local Portfolios** table, search for a portfolio named **AWS Control Tower Account Factory Portfolio**.

1. Choose the name of that portfolio to go to its details page.

1. Expand the **Constraints** section of the page, and choose the radio button for the constraint with the product name **AWS Control Tower Account Factory**.

1. Choose **REMOVE CONSTRAINTS**.

1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **CONTINUE**.

1. From the **Products** section of the page, choose the radio button for the product named **AWS Control Tower Account Factory**.

1. Choose **REMOVE PRODUCT**.

1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **CONTINUE**.

1. Expand the **Users, Groups, and Roles** section of the page, and choose the check boxes for all the records in this table.

1. Choose **REMOVE USERS, GROUP OR ROLE**.

1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **CONTINUE**.

1. From the left navigation menu, choose **Portfolios list**.

1. In the **Local Portfolios** table, search for a portfolio named **AWS Control Tower Account Factory Portfolio**.

1. Choose the radio button for that portfolio, and then choose **DELETE PORTFOLIO**.

1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **CONTINUE**.

1. From the left navigation menu, choose **Product list**.

1. On the **Admin products** page, search for the product named **AWS Control Tower Account Factory**.

1. Choose the product to open the **Admin product details** page.

1. From **Actions**, choose **Delete product**.

1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **CONTINUE**.

# Remove AWS Control Tower Roles and Policies
<a name="controltower-walkthrough-cleanup-identity"></a>

These procedures walk you through how to clean up the roles and policies that AWS Control Tower created when your landing zone was set up, or later.

**To delete the IAM Identity Center AWSServiceCatalogEndUserAccess role**

1. Open the AWS IAM Identity Center console at [https://console.aws.amazon.com/singlesignon/](https://console.aws.amazon.com/singlesignon/).

1. Change your AWS Region to your home Region, which is the Region where you initially set up AWS Control Tower.

1. From the left navigation menu, choose **AWS accounts**.

1. Choose your management account link.

1. Choose the dropdown for **Permission sets**, select **AWSServiceCatalogEndUserAccess**, and then choose **Remove**.

1. Choose **AWS accounts** from the left panel.

1. Open the **Permission sets** tab.

1. Select **AWSServiceCatalogEndUserAccess** and delete it.

**To delete IAM roles**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. From the left navigation menu, choose **Roles**.

1. From the table, search for roles with the name **AWSControlTower**.

1. For each role in the table, do the following:

   1. Choose the check box for the role.

   1. Choose **Delete role**.

   1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **Yes, delete**.

**To delete IAM policies**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. From the left navigation menu, choose **Policies**.

1. From the table, search for policies with the name **AWSControlTower**.

1. For each policy in the table, do the following:

   1. Choose the check box for the policy.

   1. Choose **Policy actions**, and **Delete** from the dropdown menu.

   1. In the dialog box that opens, review the information to make sure it's accurate, and then choose **Delete**.

## AWS Control Tower resource help
<a name="control-tower-cleanup-help"></a>

If you encounter any issues that you can't resolve when you remove AWS Control Tower resources, contact [AWS Support](https://aws.amazon.com/premiumsupport/).

# Setup after decommissioning a landing zone
<a name="known-issues-decommissioning"></a>

After you decommission your landing zone, you cannot successfully execute setup again until manual cleanup is complete. Also, without manual cleanup of these remaining resources, you may incur unexpected billing charges. You must attend to these issues:
+ The AWS Control Tower management account is part of the AWS Control Tower **Root OU**. Be sure that these IAM roles and IAM policies are removed from the management account:
  + Roles:
    + `AWSControlTowerAdmin`
    + `AWSControlTowerCloudTrailRole`
    + `AWSControlTowerStackSetRole`
  + Policies:
    + `AWSControlTowerAdminPolicy`
    + `AWSControlTowerCloudTrailRolePolicy`
    + `AWSControlTowerStackSetRolePolicy`
+ You may wish to delete or update the existing IAM Identity Center configuration for AWS Control Tower before you set up a landing zone again, but it is not required that you delete it.
+ You may wish to remove the VPC created by AWS Control Tower.
+ Setup fails if the email addresses specified for the logging or audit accounts are associated with an existing AWS account. You may close the AWS accounts, or use different email addresses to set up a landing zone again. Alternatively, you may re-use these existing shared accounts, with the feature that allows you to bring your own logging and audit accounts. For more information, see [Considerations for bringing existing security or logging accounts](accounts.md#considerations-for-existing-shared-accounts).
+ Setup fails if Amazon S3 buckets with the following reserved names already exist in the logging account:
  + `aws-controltower-logs-{accountId}-{region}` (used for the logging bucket).
  + `aws-controltower-s3-access-logs-{accountId}-{region}` (used for the logging access bucket).

   You must either rename or remove these buckets, or use a different account for the logging account.
+ Setup fails if the management account has the existing log group, `aws-controltower/CloudTrailLogs`, in CloudWatch Logs. You must either rename or remove the log group. 

**Before you set up in a new AWS Region**

If you intend to set up a new landing zone in a new AWS Region, follow these additional steps. 
+ Enter the following command through the CLI:

  ```
  aws organizations disable-aws-service-access --service-principal controltower.amazonaws.com
  ```
+ Delete the remaining managed rule, called `AWSControlTowerManagedRule`, from shared and member accounts for all governed Regions.

**Note**  
You cannot set up a new landing zone in an organization with top-level OUs named either **Security** or **Sandbox**. You must rename or remove these OUs to set up a landing zone again.
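A readiness check that applies the manual-cleanup rules in this section to a resource inventory, as an added example that is not part of the AWS documentation. The inventory dict, its keys and the `find_blockers` function are assumptions of this example; in real use you would populate the inventory from the S3, CloudWatch Logs, Organizations, IAM and EventBridge list APIs, and the sample values below are constructed.

```python
import re

# Names the documentation says block a new landing zone setup.
RESERVED_BUCKET = re.compile(r"^aws-controltower-(?:s3-access-)?logs-\d{12}-[a-z0-9-]+$")
RESERVED_LOG_GROUP = "aws-controltower/CloudTrailLogs"
RESERVED_OUS = {"Security", "Sandbox"}
MGMT_ROLES = {"AWSControlTowerAdmin", "AWSControlTowerCloudTrailRole",
              "AWSControlTowerStackSetRole"}
MGMT_POLICIES = {"AWSControlTowerAdminPolicy", "AWSControlTowerCloudTrailRolePolicy",
                 "AWSControlTowerStackSetRolePolicy"}
MANAGED_RULE = "AWSControlTowerManagedRule"
CT_SERVICE_PRINCIPAL = "controltower.amazonaws.com"


def find_blockers(inventory, new_region=False):
    """Return sorted (resource, reason) pairs; an empty list means setup can proceed.

    The inventory keys are assumptions of this example; each maps to what the
    corresponding list/describe API would return. new_region=True adds the
    extra checks for setting up in a different AWS Region.
    """
    blockers = []
    for name in inventory.get("logging_account_buckets", []):
        if RESERVED_BUCKET.match(name):
            blockers.append((f"s3:{name}", "reserved log bucket name exists in the logging account"))
    if RESERVED_LOG_GROUP in inventory.get("management_log_groups", []):
        blockers.append((f"logs:{RESERVED_LOG_GROUP}",
                         "log group still exists in the management account"))
    for ou in inventory.get("top_level_ous", []):
        if ou in RESERVED_OUS:
            blockers.append((f"ou:{ou}", "top-level OU with a reserved name; rename or remove it"))
    for role in sorted(MGMT_ROLES & set(inventory.get("management_roles", []))):
        blockers.append((f"iam-role:{role}", "Control Tower role still in the management account"))
    for policy in sorted(MGMT_POLICIES & set(inventory.get("management_policies", []))):
        blockers.append((f"iam-policy:{policy}", "Control Tower policy still in the management account"))
    existing = set(inventory.get("existing_account_emails", []))
    for email in inventory.get("shared_account_emails", []):
        if email in existing:
            blockers.append((f"email:{email}",
                             "address belongs to an existing account; use a new address or bring your own account"))
    if new_region:
        if CT_SERVICE_PRINCIPAL in inventory.get("enabled_service_principals", []):
            blockers.append((f"org-service-access:{CT_SERVICE_PRINCIPAL}",
                             "run 'aws organizations disable-aws-service-access' first"))
        for account_id, region in inventory.get("managed_rule_locations", []):
            blockers.append((f"events:{MANAGED_RULE}@{account_id}/{region}",
                             "EventBridge rule must be deleted from every governed Region"))
    return sorted(blockers)


# Constructed sample inventory; the account IDs, emails and names are not real.
SAMPLE_INVENTORY = {
    "logging_account_buckets": [
        "aws-controltower-logs-111122223333-us-east-1",
        "aws-controltower-s3-access-logs-111122223333-us-east-1",
        "team-artifacts-bucket",
    ],
    "management_log_groups": ["aws-controltower/CloudTrailLogs", "/aws/lambda/demo"],
    "top_level_ous": ["Security", "Workloads"],
    "management_roles": ["AWSControlTowerAdmin", "OrganizationAccountAccessRole"],
    "management_policies": ["AWSControlTowerStackSetRolePolicy"],
    "shared_account_emails": ["log-archive@example.com", "audit@example.com"],
    "existing_account_emails": ["audit@example.com"],
    "enabled_service_principals": ["controltower.amazonaws.com"],
    "managed_rule_locations": [("222233334444", "us-east-1"), ("222233334444", "us-west-2")],
}


if __name__ == "__main__":
    for resource, reason in find_blockers(SAMPLE_INVENTORY, new_region=True):
        print(f"{resource}: {reason}")
```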