If you manage resources outside of AWS Control Tower
AWS Control Tower sets up accounts, organizational units, and other resources on your behalf, but you are the owner of these resources. You can change these resources within AWS Control Tower or outside it. The most common place to change resources outside of AWS Control Tower is the AWS Organizations console. This topic describes how to reconcile changes to AWS Control Tower resources when you make the changes outside of AWS Control Tower.
Renaming, deleting, and moving resources outside of the AWS Control Tower console causes the console to become out of sync. Many changes can be reconciled automatically. Certain changes require a reset to your landing zone, to update the information that's displayed in the AWS Control Tower console.
In general, changes that you make outside the AWS Control Tower console to AWS Control Tower resources create a state of resolvable drift in your landing zone. For more information about these changes, see Repairable changes to resources.
Tasks that require landing zone reset
-
Deleting the Security OU (A special case, not to be done lightly.)
-
Removing a shared account from the Security OU (Not recommended.)
-
Updating, attaching, or detaching an SCP associated with the Security OU.
Changes that are updated automatically by AWS Control Tower
-
Changing the email address of an enrolled account
-
Renaming an enrolled account
-
Creating a new top-level organizational unit (OU)
-
Renaming a registered OU
-
Deleting a registered OU (Except the Security OU, which requires an update.)
-
Deleting an enrolled account (Except a shared account in the Security OU.)
Note
AWS Service Catalog handles changes differently than AWS Control Tower. AWS Service Catalog may create a change in governance posture when it reconciles your changes. For more information about updating a provisioned product, see Updating Provisioned Products in the AWS Service Catalog documentation.
Referring to resources outside of AWS Control Tower
When you create new OUs and accounts outside of AWS Control Tower, they are not governed by AWS Control Tower, even though they may be displayed.
Creating an OU
Organizational Units (OUs) created outside of AWS Control Tower are referred to as Unregistered. They are displayed in the Organization page, but they are not governed by AWS Control Tower controls.
Creating an account
Accounts created outside of AWS Control Tower are referred to as Unenrolled. Enrolled and unenrolled accounts that belong to an OU that’s registered with AWS Control Tower are displayed in the Organization page. Accounts that do not belong to a registered OU can be invited by using the AWS Organizations console. This invitation to join does not enroll the account in AWS Control Tower or extend AWS Control Tower governance to the account. To extend governance by enrolling the account, go to the Organization page or the Account detail page in AWS Control Tower and choose Enroll account.
Externally changing AWS Control Tower resource names
You can change the names of your organizational units (OUs) and accounts outside of the AWS Control Tower console, and the console updates automatically to reflect those changes.
Renaming an OU
In AWS Organizations, you can change the name of an OU by using either the AWS Organizations API or the console. When you change an OU name outside of AWS Control Tower, the AWS Control Tower console automatically reflects the name change. However, if you provision your accounts using AWS Service Catalog, you also must reset your landing zone to ensure that AWS Control Tower stays consistent with AWS Organizations. The Reset workflow ensures consistency across services for the Foundational and Additional OUs. You can resolve this type of drift from the Landing zone settings page. See the section called "Resolving Drift" in Detect and resolve drift in AWS Control Tower.
AWS Control Tower displays the names of OUs on the Organization page in the AWS Control Tower dashboard. You can see when your landing zone reset operation has succeeded.
Renaming an enrolled account
Each AWS account has a display name that can be changed by the account's root user in the AWS Billing and Cost Management console. When you rename an account that's enrolled in AWS Control Tower, the name change is automatically reflected in AWS Control Tower. For more information about changing an account's name, see Managing an AWS account in the AWS Billing User Guide.
Deleting the Security OU
This type of drift is a special case. If you delete the Security OU, you will see an error message page, prompting you to reset your landing zone. You must reset your landing zone before you can take any other actions in AWS Control Tower.
-
You will not be able to perform any actions in the AWS Control Tower console and you will not be able to create any new accounts in AWS Service Catalog until the reset is done.
-
You won't be able to view the Landing zone settings page to see the Reset button there.
In this situation, the landing zone reset process creates a new Security OU and moves the two shared accounts into the new Security OU. AWS Control Tower marks the Log Archive and Audit accounts as drifted. The same process resolves the drift in these accounts.
If you determine that you must delete the Security OU, here's what you need to know:
Before you can delete the Security OU, you must make sure it contains no accounts. Specifically, you must remove the Log Archive and Audit accounts from the OU. We recommend that you move these accounts to another OU.
Note
The action of deleting your Security OU is not to be performed without due consideration. The action could create compliance concerns if logging is suspended temporarily, and because some controls might not be enforced.
For general information about drift, see "Resolving Drift" in Detect and resolve drift in AWS Control Tower.
Removing an account from the Security OU
We do not recommend that you remove any of the shared accounts from your organization or move them out of the Security OU. If you have removed a shared account accidentally, you can follow the remediation steps in this section to restore the account.
-
From within the AWS Control Tower console: To start the remediation process, follow the semi-manual remediation steps. Ensure the user or role you use to access the AWS Control Tower console has permissions to run
organizations:InviteAccountToOrganization
. If you don't have such permissions, follow the manual remediation steps, which use both the AWS Control Tower console and the AWS Organizations console. -
Starting from the AWS Organizations console: This remediation process is a slightly longer, fully manual procedure. When following the manual remediation steps, you'll switch between the AWS Organizations console and the AWS Control Tower console. When working in AWS Organizations, you'll need a user or role with the
AWSOrganizationsFullAccess
managed policy or equivalent. When working in the AWS Control Tower console, you'll need a user or role with theAWSControlTowerServiceRolePolicy
managed policy or equivalent, and permission to run all AWS Control Tower actions (controltower:*). -
If the remediation steps don't restore the account, contact AWS Support.
The results of removing a shared account through AWS Organizations:
-
The account is no longer protected by AWS Control Tower mandatory controls with service control policies (SCPs). Result: The resources created by AWS Control Tower in the account may be modified or deleted.
-
The account is no longer under the AWS Organizations management account. Result: The administrator of the AWS Organizations management account no longer has visibility into the account's spending.
-
The account is no longer guaranteed to be monitored by AWS Config. Result: The administrator of the AWS Organizations management account may not be able to detect resource changes.
-
The account is no longer in the organization. Result: AWS Control Tower updates and reset will fail.
To restore a shared account using the AWS Control Tower console (semi-manual procedure)
-
Sign in to the AWS Control Tower console at https://console.aws.amazon.com/controltower
. You must sign in as an IAM user, user in IAM Identity Center, or role with permissions to run organizations:InviteAccountToOrganization
. If you don't have such permissions, use the manual remediation procedure described later in this topic. -
On the Landing zone drift detected page, choose Re-Invite to remediate shared account removal by re-inviting the shared account into the organization. An automatically-generated email is sent to the email address for the account.
-
Accept the invitation to bring the shared account back into the organization. Do one of the following:
-
Sign in to the shared account that was removed, then go to https://console.aws.amazon.com/organizations/home#/invites
-
If you have access to the email message sent when you re-invited the account, sign in to the removed account, then click the link in the message to navigate directly to the account invitation.
-
If the shared account that was removed is not in another organization, sign into the account, open the AWS Organizations console and navigate to Invitations.
-
-
Sign in to the management account again, or reload the AWS Control Tower console if it's already open. You'll see the Landing zone drift page. Choose Reset to repair the landing zone.
-
Wait for the reset process to complete.
If remediation is successful, the shared account appears in a normal state and compliance.
If the remediation steps don't restore the account, contact AWS Support.
To restore a shared account using the AWS Control Tower and AWS Organizations consoles (Manual remediation)
-
Sign in to the AWS Organizations console at https://console.aws.amazon.com/organizations/
. You must sign in as an IAM user, user in IAM Identity Center, or role with the AWSOrganizationsFullAccess
managed policy or equivalent. -
Invite the shared account back to the organization. For information on the requirements, prerequisites, and procedure for inviting an account to AWS Organizations, see Inviting an AWS account to your organization in the AWS Organizations User Guide.
-
Sign in to the shared account that was removed, then go to https://console.aws.amazon.com/organizations/home#/invites
to accept the invitation. -
Sign in to the management account again.
-
Sign in to the AWS Control Tower console as a user or role with the
AWSControlTowerServiceRolePolicy
managed policy or equivalent, and permissions to run all AWS Control Tower actions (controltower:*). -
You'll see the Landing zone drift page with an option to reset the landing zone. Choose Reset to repair the landing zone.
-
Wait for the reset process to complete.
If remediation is successful, the shared account appears in a normal state and compliance.
If the remediation steps don't restore the account, contact AWS Support.
External changes that are updated automatically
Changes that you make to your account email addresses are updated by AWS Control Tower automatically, but Account Factory does not update them automatically.
Changing the email address of a governed account
AWS Control Tower retrieves and displays email addresses as required by the console experience. Therefore, shared and other account email addresses are updated and shown consistently in AWS Control Tower after you change them.
Note
In AWS Service Catalog, the Account Factory displays the parameters that were specified in the console when you created a provisioned product. However, the original account email address is not updated automatically when the account email address changes. That’s because the account is conceptually contained within the provisioned product; it is not the same as the provisioned product. To update this value, you must update the provisioned product, which may cause a change in governance posture.
Applying external AWS Config rules
AWS Control Tower displays the compliance status of all AWS Config rules deployed into organizational units registered with AWS Control Tower, including rules that were activated outside of the AWS Control Tower console.
Deleting AWS Control Tower resources outside AWS Control Tower
You can delete OUs and accounts in AWS Control Tower and you don't need to take any further action to see the updates. Account Factory is updated automatically when you delete an OU, but not when you delete an account.
Deleting a registered OU (except the Security OU)
Within AWS Organizations, you can remove empty organizational units (OUs) by using the API or the console. OUs that contain accounts cannot be deleted.
AWS Control Tower receives a notification from AWS Organizations when an OU is deleted. It updates the OU list in the Account Factory, so that the list of registered OUs remains consistent.
Note
In AWS Service Catalog, the Account Factory is updated to remove the deleted OU from the list of available OUs into which you can provision an account.
Deleting an enrolled account from an OU
When you delete an enrolled account, AWS Control Tower receives a notification and makes updates, so that the information remains consistent.
Note
In AWS Service Catalog, the Account Factory provisioned product that represents the governed
account is not updated to delete the account. Instead, the provisioned product
is displayed as TAINTED
and in an error state. To clean up, go to
AWS Service Catalog, choose the provisioned product, and then choose
Terminate.