Getting started

Creating an Organization

Creating Audit and Log Archive AWS Accounts

Management

Creating an AWS Account

Initial Setup

Billing Alerts

Configuring AWS SSO (IAM Identity Center)

Generating As-Built-Documentation

Environments

Configuring AWS Client VPN

Configuring Private Bastion

Deleting an Environment

Compliance

Configuring a standard

Reference

Choosing Email Addresses for your AWS Accounts

Checklist end-of-deployment

Configuring SSO for Microsoft Azure

Configuring SSO for G-Suite

Deploying Applications

Notification History

Removing Citadel Access from AWS Accounts

What’s deployed in my account

Troubleshooting

Common Issues Citadel

Common Issues

Finding the Root Cause of a Failed Job

Creating new environment failed

Fixing Network Access is not connecting to RDS

SSO G-Suite - Deploy Lambda Error

Common issues

Common Issues

AWS Region selected has no support for an AWS Service created by Citadel

In this case the region can’t be used with Citadel, please contact support to help find an alternative solution.

AWS Service Limits are reached

Most AWS Services have limits on usage. Citadel might try to create a resource above the limit allowed by the account. For remediation:

Find current limits on the “Service Quotas” dashboard at the AWS Console of the user’s Accounts.
Ask to increase the limits through AWS Support, see: https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

‣

Failed to deploy baseline on region

This error usually happens when you are deploying a new Foundation or when you are redeploying an existing region.

Remediation

Go to the AWS account and log into the Log Archive account with a user or role with permissions;
Select the S3 service and select Buckets;
Look for any bucket with the AWS Account Number and delete it;
Go back to app.citadel.run;
Select the Management page and then select Regions on the left menu;
Find the Region with the Failed status, click on the three dots and click Redeploy.

‣

Failed to deploy domain

This error occurs when you try to deploy a domain that is already in use or if the domain you are trying to create is reserved by AWS.

Remediation

Try to use a different domain.

‣

Failed to deploy linked baseline - Account should have `OrganizationAccountAccessRole`

This error occurs when you try to create a linked account but your AWS Account does not allow Citadel to deploy Cloud Formation Templates.

Remediation

Check if your account has been connected to Citadel.

Go to the Dashboard page on the app.citadel.run;
Check if the Connect Citadel to your AWS Account is checked.
If not, click on Connect to AWS.
Follow the steps to connect Citadel to your AWS Account.

‣

Failed to enable compliance assessment for environment

This error occurs when you try to deploy a new compliance to your environment.

Remediation

Cause: Resource handler returned message: "Resource of type AWS::AuditManager::Assessment with identifier <compliance-standard> was not found." (RequestToken: <aws-id>, HandlerErrorCode: NotFound).

Go to the AWS console and log to the environment account ;
Go to the S3 Buckets service to delete the bucket assessment-<aws-account-number>-<aws-region> created by Citadel;
Go to the Cloud Formation Stacks, find and delete the stacks below if they exist: citadel-workload-compliance-baseline citadel-workload-compliance-hipaa

On this page

Common Issues

AWS Region selected has no support for an AWS Service created by Citadel

AWS Service Limits are reached

Common Issues Citadel

Common Issues

AWS Region selected has no support for an AWS Service created by Citadel

AWS Service Limits are reached

Failed to deploy baseline on region

Remediation

Failed to deploy domain

Remediation

Failed to deploy linked baseline - Account should have OrganizationAccountAccessRole

Remediation

Failed to enable compliance assessment for environment

Remediation

Failed to deploy linked baseline - Account should have `OrganizationAccountAccessRole`