Common Issues Citadel

Common Issues Citadel

Common Issues

AWS Region selected has no support for an AWS Service created by Citadel

In this case the region can’t be used with Citadel, please contact support to help find an alternative solution.

AWS Service Limits are reached

Most AWS Services have limits on usage. Citadel might try to create a resource above the limit allowed by the account. For remediation:

Failed to deploy baseline on region

This error usually happens when you are deploying a new Foundation or when you are redeploying an existing region.


  1. Go to the AWS account and log into the Log Archive account with a user or role with permissions;
  2. Select the S3 service and select Buckets;
  3. Look for any bucket with the AWS Account Number and delete it;
  4. Go back to;
  5. Select the Management page and then select Regions on the left menu;
  6. Find the Region with the Failed status, click on the three dots and click Redeploy.

Failed to deploy domain

This error occurs when you try to deploy a domain that is already in use or if the domain you are trying to create is reserved by AWS.


Try to use a different domain.

Failed to deploy linked baseline - Account should have OrganizationAccountAccessRole

This error occurs when you try to create a linked account but your AWS Account does not allow Citadel to deploy Cloud Formation Templates.


Check if your account has been connected to Citadel.

  1. Go to the Dashboard page on the;
  2. Check if the Connect Citadel to your AWS Account is checked.
  3. If not, click on Connect to AWS.
  4. Follow the steps to connect Citadel to your AWS Account.

Failed to enable compliance assessment for environment

This error occurs when you try to deploy a new compliance to your environment.


Cause: Resource handler returned message: "Resource of type AWS::AuditManager::Assessment with identifier <compliance-standard> was not found." (RequestToken: <aws-id>, HandlerErrorCode: NotFound).

  1. Go to the AWS console and log to the environment account ;
  2. Go to the S3 Buckets service to delete the bucket assessment-<aws-account-number>-<aws-region> created by Citadel;
  3. Go to the Cloud Formation Stacks, find and delete the stacks below if they exist: citadel-workload-compliance-baseline citadel-workload-compliance-hipaa