Prerequisites for enrollment
These prerequisites are required before you can enroll an existing AWS account in AWS Control Tower:
To enroll an existing AWS account, the
AWSControlTowerExecution
role must be present in the account you are enrolling. You can review Enroll an account for details and instructions.-
In addition to the
AWSControlTowerExecution
role, the existing AWS account you want to enroll must have the following permissions and trust relationships in place. Otherwise, enrollment will fail.Role Permission:
AdministratorAccess
(AWS managed policy)Role Trust Relationship:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::
:root" }, "Action": "sts:AssumeRole" } ] }Management Account ID
-
We recommend that the account should not have an AWS Config configuration recorder or delivery channel. These may be deleted or modified through the AWS CLI before you can enroll an account. Otherwise, review Enroll accounts that have existing AWS Config resources for instructions on how you can modify your existing resources.
-
The account that you wish to enroll must exist in the same AWS Organizations organization as the AWS Control Tower management account. The account that exists can be enrolled only into the same organization as the AWS Control Tower management account, in an OU that already is registered with AWS Control Tower.
To check other prerequisites for enrollment, see Getting Started with AWS Control Tower.
Note
When you enroll an account into AWS Control Tower, your account is governed by the AWS CloudTrail trail for the AWS Control Tower organization. If you have an existing deployment of a CloudTrail trail, you may see duplicate charges unless you delete the existing trail for the account before you enroll it in AWS Control Tower.