I was working with a customer who needed to vend 50 new accounts for their development teams. They launched the Account Factory product in Service Catalog, but every other account got stuck in UNDER_CHANGE status forever. After checking AWS Organizations API rate limits and verifying the Lambda role permissions, we realized they were hitting the soft limit of 1 account per 5 minutes. In this post, I’ll walk through exactly what causes Account Factory failures and how to fix them.
The Problem
When you launch the Landing Zone Account Factory product in Service Catalog, one of these happens:
- The provisioned product gets stuck in UNDER_CHANGE status and never completes
- It immediately fails with FAILED status and no obvious error message
- It succeeds but with a different account name or email than expected
- You get “Service Catalog provisioning artifact not found” errors
| Error Symptom | Root Cause |
|---|---|
| UNDER_CHANGE forever | API rate limit hit or Lambda timeout |
| FAILED immediately | Invalid parameters or email already in use |
| Wrong account created | Service Catalog product version mismatch |
| No artifact found | Service Catalog product is broken or outdated |
Why Does This Happen?
The Account Factory uses AWS Service Catalog to wrap a Lambda function that calls AWS Organizations APIs. Several things can cause failures:
- AWS Organizations rate limits: the CreateAccount API has a soft limit of 1 account per 5 minutes per management account. CreateAccount is also asynchronous: the call returns a request ID immediately and the account is built in the background, so if you submit several requests at once they queue and the slowest ones exceed the Lambda's timeout.
- Email address already in use: every AWS account needs a unique root email. If you are reusing an email, or if the account that used it was only recently closed (AWS keeps closed accounts for 90 days, and the email stays reserved during that period), CreateAccount fails.
- Invalid parameters: if your account name contains unsupported characters, the OU name is wrong, or the account email is not in a valid format, the Lambda function fails.
- Service Catalog product version outdated: if the Lambda function behind the Service Catalog product is an old version, it may have bugs or incompatibilities with the current Organizations API.
- Lambda execution role missing permissions: the Lambda needs organizations:CreateAccount, servicecatalog:UpdateProvisionedProduct, and other permissions. Missing permissions usually surface only in the Lambda's CloudWatch logs, not in the Service Catalog console, which is why they look like silent failures.
- AWS Organizations is temporarily degraded: the Organizations API sometimes becomes slow or returns throttling errors for a while; those requests succeed on retry.
The Fix
Step 1: Check the Provisioned Product Status
List the provisioned products you have access to (the CLI command is search-provisioned-products; there is no list-provisioned-products):
aws servicecatalog search-provisioned-products \
--access-level-filter Key=Account,Value=SELF \
--region us-east-1 \
--output table
Find the failed product by name and get its detailed status:
aws servicecatalog describe-provisioned-product \
--id pp-abc123def456 \
--region us-east-1
If Status is UNDER_CHANGE, wait a few more minutes; a normal launch takes several minutes because CreateAccount itself is asynchronous. If it stays UNDER_CHANGE for 30+ minutes, the Lambda has most likely timed out. Status here is the provisioned product's state (AVAILABLE, UNDER_CHANGE, TAINTED or ERROR); the result of the individual launch, including its error text, lives in the provisioning record (describe-record), not in this output.
Step 2: Check the Provisioning Record
Every launch, update and terminate is a record, and the record's errors are what the console hides behind “FAILED”. First confirm the product still has a usable provisioning artifact (version), since a missing or retired artifact is the cause of the “provisioning artifact not found” error:
aws servicecatalog list-provisioning-artifacts \
--product-id prod-abc123 \
--region us-east-1
Then pull the record for the failed launch. describe-provisioned-product returns the ID of the latest record in LastRecordId; describe-record returns its Status (CREATED, IN_PROGRESS, IN_PROGRESS_IN_ERROR, SUCCEEDED or FAILED) and a RecordErrors list with the underlying error code and description:
RECORD_ID=$(aws servicecatalog describe-provisioned-product \
--id pp-abc123def456 \
--region us-east-1 \
--query 'ProvisionedProductDetail.LastRecordId' \
--output text)
aws servicecatalog describe-record \
--id "$RECORD_ID" \
--region us-east-1 \
--query 'RecordDetail.[Status,RecordErrors]'
To see every record for your account, including launches of products that have since been terminated, use list-record-history with --access-level-filter Key=Account,Value=SELF. The record error is a one-line summary from the custom resource; Service Catalog doesn't expose Lambda logs directly, so for the full stack trace you need CloudWatch.
Step 3: Check CloudWatch Logs
The Account Factory Lambda writes logs. Find the log group:
aws logs describe-log-groups \
--log-group-name-prefix /aws/lambda/AWS-Landing-Zone \
--region us-east-1
Stream the logs:
aws logs tail /aws/lambda/AWS-Landing-Zone-AccountFactory \
--follow \
--region us-east-1 \
--since 1h
Look for “ERROR”, “FAILED”, “TimeoutError”, “AccessDenied” or “InvalidParameter” messages. A line reading “Task timed out after … seconds” is the Lambda runtime's own timeout; it points at rate limiting or a slow Organizations API rather than a bug in the function.
Step 4: Verify the Email Address
AWS has no “is this email registered” API, and probing with create-account is not a dry run: if the email happens to be free, it creates a real account. Start by checking the accounts already in your organization, including SUSPENDED (closed) ones, whose root email stays reserved during the 90-day post-closure period:
aws organizations list-accounts \
--query "Accounts[?Email=='your-email@example.com'].[Id,Name,Status]" \
--output table
That only covers your own organization; an email already used by an account elsewhere in AWS is only reported when CreateAccount fails. Because CreateAccount is asynchronous, that failure does not come back from the call itself. List the failed requests and their reasons:
aws organizations list-create-account-status \
--states FAILED \
--query 'CreateAccountStatuses[].[AccountName,FailureReason,RequestedTimestamp]' \
--output table
A FailureReason of EMAIL_ALREADY_EXISTS means the address is taken; INVALID_EMAIL or INVALID_ADDRESS means the format was rejected; ACCOUNT_LIMIT_EXCEEDED means you have hit the account quota. A synchronous ConstraintViolationException from the create-account call itself is also a quota problem, not an email problem. If the email is taken, use a different one; AWS treats plus-address aliases as distinct root emails:
# your-email+prod1@example.com
# your-email+dev1@example.com
# Each one is treated as a unique email
Verify that your mail provider delivers plus-addressed mail to the base mailbox (Gmail does; some corporate mail systems strip or reject it), because the root email must actually receive the account verification and password-reset mail.
Step 5: Verify Lambda Permissions
Check the Lambda execution role has the right permissions. IAM is a global service, so no --region is needed. Inline and attached managed policies are listed by different commands, so check both:
aws iam list-role-policies \
--role-name AWS-Landing-Zone-AccountFactory-Role
aws iam list-attached-role-policies \
--role-name AWS-Landing-Zone-AccountFactory-Role
Get an inline policy document:
aws iam get-role-policy \
--role-name AWS-Landing-Zone-AccountFactory-Role \
--policy-name AWS-Landing-Zone-AccountFactory-Permissions
Rather than reading policy JSON by eye, let IAM evaluate the actions the Lambda needs (this covers inline policies, attached managed policies and any permissions boundary):
aws iam simulate-principal-policy \
--policy-source-arn "$(aws iam get-role --role-name AWS-Landing-Zone-AccountFactory-Role --query Role.Arn --output text)" \
--action-names organizations:CreateAccount servicecatalog:UpdateProvisionedProduct cloudformation:DescribeStacks sts:AssumeRole \
--query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output table
The role should have at least these permissions:
- organizations:CreateAccount
- servicecatalog:UpdateProvisionedProduct
- cloudformation:DescribeStacks
- sts:AssumeRole
If any decision is implicitDeny or explicitDeny, add the missing permission. Keep the Resource on sts:AssumeRole scoped to the role the Lambda actually assumes in the new account rather than "*"; this role can create accounts, so it deserves least privilege.
Step 6: Handle Rate Limiting
If you're creating many accounts, AWS Organizations will rate-limit you to 1 account per 5 minutes. CreateAccount is asynchronous, so a fixed sleep alone does not tell you whether the previous account actually finished; poll describe-create-account-status until the request leaves IN_PROGRESS, then pause before the next one:
# Create accounts one at a time, waiting for each request to finish
for account_name in account1 account2 account3; do
  request_id=$(aws organizations create-account \
    --account-name "$account_name" \
    --email "$account_name@example.com" \
    --query 'CreateAccountStatus.Id' --output text)
  state=IN_PROGRESS
  while [ "$state" = "IN_PROGRESS" ]; do
    sleep 30
    state=$(aws organizations describe-create-account-status \
      --create-account-request-id "$request_id" \
      --query 'CreateAccountStatus.State' --output text)
  done
  echo "$account_name: $state"   # SUCCEEDED, or FAILED with a FailureReason
  echo "Waiting 5 minutes before next account..."
  sleep 300
done
Or launch the Account Factory product in Service Catalog one account at a time, waiting until the previous provisioned product reaches AVAILABLE before launching the next.
Step 7: Retry or Terminate the Product
If the product is stuck in UNDER_CHANGE, you can terminate it and retry. If the terminate itself hangs because the earlier operation never finished, --ignore-errors removes the Service Catalog record even when the underlying stack does not delete cleanly:
aws servicecatalog terminate-provisioned-product \
--provisioned-product-id pp-abc123def456 \
--ignore-errors \
--region us-east-1
Wait a few minutes, then launch the Account Factory product again. Before you do, check list-accounts (or list-create-account-status) for the account name and email you used: if the first CreateAccount request went through despite the stuck product, a retry with the same email fails with EMAIL_ALREADY_EXISTS, and a retry with a fresh alias creates a second, unwanted account.
Is This Safe?
Terminating a provisioned product deletes the CloudFormation stack behind it and removes the Service Catalog entry. It cannot delete an AWS account: if CreateAccount already succeeded, the account remains in AWS Organizations and you can still use it; the Service Catalog product just won't be associated with it.
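Putting Steps 1 to 4 together as one offline triage, as an added example that is not part of the original post or of the Landing Zone solution itself. It reads saved output of describe-provisioned-product, describe-record and list-accounts (the payloads below are constructed samples, not real responses) and maps it to the root causes in the table above; the RecordErrors wording it pattern-matches is an assumption, since the text depends on the Lambda version behind the product.

```python
"""Offline triage of a failed Account Factory launch from saved CLI output.
Added example, not Landing Zone code; all payloads are constructed samples."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: aws servicecatalog describe-provisioned-product --id pp-...
PROVISIONED_PRODUCT_JSON = """{
  "ProvisionedProductDetail": {
    "Name": "dev-team-07", "Id": "pp-abc123def456", "Status": "ERROR",
    "LastRecordId": "rec-111122223333", "CreatedTime": "2024-05-01T10:00:00+00:00"}}"""

# Constructed sample: aws servicecatalog describe-record --id rec-...
RECORD_JSON = """{
  "RecordDetail": {
    "RecordId": "rec-111122223333", "Status": "FAILED",
    "RecordErrors": [{"Code": "CustomResourceFailure",
      "Description": "CreateAccount failed: EMAIL_ALREADY_EXISTS (dev-team-07@example.com)"}]}}"""

# Constructed sample: aws organizations list-accounts
ACCOUNTS_JSON = """{
  "Accounts": [
    {"Id": "111111111111", "Email": "Dev-Team-07@example.com", "Status": "SUSPENDED"},
    {"Id": "222222222222", "Email": "dev-team-08@example.com", "Status": "ACTIVE"}]}"""

# Error-text fragments mapped to the root causes in the table above.
# The fragments are assumptions: match them against what your Lambda actually logs.
ERROR_PATTERNS = [
    (re.compile(r"EMAIL_ALREADY_EXISTS|EmailAlreadyInUse", re.I), "email already in use"),
    (re.compile(r"INVALID_EMAIL|INVALID_ADDRESS|InvalidParameter", re.I), "invalid parameters"),
    (re.compile(r"AccessDenied|not authorized", re.I), "Lambda role missing permissions"),
    (re.compile(r"provisioning artifact", re.I), "product version outdated or broken"),
    (re.compile(r"Throttling|TooManyRequests|Task timed out", re.I), "rate limit or Lambda timeout"),
]


def load_samples():
    """Parse the three constructed CLI payloads."""
    return (json.loads(PROVISIONED_PRODUCT_JSON), json.loads(RECORD_JSON),
            json.loads(ACCOUNTS_JSON))


def _parse_ts(value):
    """CLI v2 prints ISO 8601 with a numeric offset, which fromisoformat accepts."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def is_stuck(created_time, now, threshold_minutes=30):
    """True when a launch has run longer than the 30-minute threshold from Step 1."""
    return _parse_ts(now) - _parse_ts(created_time) > timedelta(minutes=threshold_minutes)


def triage(provisioned_product, record, now=None, threshold_minutes=30):
    """Return the most likely root cause for one launch.

    Service Catalog reports two states: the provisioned product's Status
    (AVAILABLE, UNDER_CHANGE, TAINTED, ERROR) and the record's Status (CREATED,
    IN_PROGRESS, IN_PROGRESS_IN_ERROR, SUCCEEDED, FAILED). RecordErrors is the
    only place the CLI shows *why* a launch failed, so it is checked first.
    """
    detail = provisioned_product["ProvisionedProductDetail"]
    rec = record["RecordDetail"]
    for err in rec.get("RecordErrors", []):
        for pattern, cause in ERROR_PATTERNS:
            if pattern.search(err.get("Description", "")):
                return cause
    if detail["Status"] == "UNDER_CHANGE" and rec["Status"] in ("CREATED", "IN_PROGRESS"):
        started = rec.get("CreatedTime") or detail["CreatedTime"]
        if is_stuck(started, now or datetime.now(timezone.utc), threshold_minutes):
            return "rate limit or Lambda timeout"
        return "still provisioning, wait"
    if rec["Status"] in ("FAILED", "IN_PROGRESS_IN_ERROR"):
        return "failed without a recognised error, check CloudWatch Logs"
    return "no problem detected"


def email_in_use(accounts, email):
    """Return the account in this organization already using `email`, or None.

    Case-insensitive, and includes SUSPENDED (closed) accounts because their
    root email stays reserved during the post-closure period. This only sees
    your own organization; an email taken elsewhere in AWS is reported only by
    CreateAccount itself, as EMAIL_ALREADY_EXISTS.
    """
    wanted = email.strip().lower()
    return next((a for a in accounts["Accounts"] if a["Email"].lower() == wanted), None)


def plus_alias(email, tag):
    """Derive a plus-addressed alias (Step 4); AWS treats it as a distinct root email."""
    local, domain = email.split("@", 1)
    return f"{local}+{tag}@{domain}"


if __name__ == "__main__":
    product, record, accounts = load_samples()
    print("root cause:", triage(product, record))
    clash = email_in_use(accounts, "dev-team-07@example.com")
    print("email clash:", clash and f'{clash["Id"]} ({clash["Status"]})')
    print("retry with:", plus_alias("dev-team@example.com", "07"))
```

Run it against real output by saving the three commands' JSON to files and loading them instead of the constants; the classification order matters, since a record with an explicit error is never mistaken for a mere timeout just because the product still shows UNDER_CHANGE.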
Key Takeaway
Account Factory failures usually come down to rate limiting, invalid email addresses, or missing IAM permissions. Always verify your email is unique, understand the 1-account-per-5-minutes rate limit, and ensure the Lambda role has the right permissions before launching multiple accounts.
Have questions or ran into a different Landing Zone issue? Connect with me on LinkedIn or X.