Migrate an AWS member account from AWS Organizations to AWS Control Tower
Created by Rodolfo Jr. Cerrada (AWS)
Environment: Production | Technologies: Management & governance; Modernization | AWS services: AWS Organizations; AWS Control Tower |
Summary
This pattern describes how to migrate an Amazon Web Services (AWS) account from AWS Organizations, where it is a member account that's governed by a management account, to AWS Control Tower. By enrolling the account in AWS Control Tower, you can take advantage of preventive and detective guardrails and features that streamline your account governance. You might also want to migrate your member account if your AWS Organizations management account has been compromised, and you want to move member accounts to a new organization that is governed by AWS Control Tower.
AWS Control Tower provides a framework that combines and integrates the capabilities of several other AWS services, including AWS Organizations, and ensures consistent compliance and governance across your multi-account environment. With AWS Control Tower, you can follow a set of prescribed rules and definitions that extend the capabilities of AWS Organizations. For example, you can use guardrails to ensure that security logs and necessary cross-account access permissions are created, and not altered.
Prerequisites and limitations
Prerequisites
An active AWS account
AWS Control Tower set up in your target organization in AWS Organizations (for instructions, see Setting up in the AWS Control Tower documentation)
Administrator credentials for AWS Control Tower (member of the AWSControlTowerAdmins group)
Administrator credentials for the source AWS account
Limitations
The source management account in AWS Organizations must be different from the target management account in AWS Control Tower.
Product versions
AWS Control Tower version 2.3 (February 2020) or later (see release notes)
Architecture
The following diagram illustrates the migration process and reference architecture. This pattern migrates the AWS account from the source organization to a target organization that is governed by AWS Control Tower.
The enrollment process consists of these steps:
The account leaves the source organization in AWS Organizations.
The account becomes a standalone account. This means that it doesn't belong to any organization, so governance and billing are managed independently by account administrators.
The target organization sends an invitation for the account to join the organization.
The standalone account accepts the invitation and becomes a member of the target organization.
The account is enrolled in AWS Control Tower and moved to a registered organizational unit (OU). (We recommend that you check the AWS Control Tower dashboard to confirm the enrollment.) At this point, all guardrails that are enabled in the registered OU take effect.
Tools
AWS services
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into a single entity (an organization) that you create and centrally manage.
AWS Control Tower integrates the capabilities of other services, including AWS Organizations, AWS IAM Identity Center (successor to AWS Single Sign-On), and AWS Service Catalog, to help you enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.
Epics
| Task | Description | Skills required |
|---|---|---|
Verify that the member account can run as a stand-alone account. | Confirm that the member account that will leave the source organization has the information that is required for it to operate as a standalone account. For example, if the member account doesn't have billing information, it can't operate as a standalone account, because AWS uses the payment information to charge for any billable AWS activity that occurs while the account isn't attached to an organization. Typically, if you created the member account by using the AWS Organizations console, API, or AWS Command Line Interface (CLI) commands, the information required of standalone accounts isn't automatically collected. To add this information, sign in to the account, and specify a support plan, contact information, and a payment method. For more information about what you need to know before removing an account from an organization, see Before removing an account from organization in the AWS Organizations documentation. | Account administrator |
Remove the member account from its source organization. | Follow the instructions in the AWS Organizations documentation to remove a member account from an organization. You can sign in to the organization's management account and remove the member account, or sign in to the member account and leave the organization. If you don't have administrator-level credentials to remove or leave the account, ask for assistance from your organization's administrator. If the member account is missing a support plan, contact information, or payment information, you will be prompted to provide and verify that information. When you leave the organization, you are redirected to the Getting Started page of the AWS Organizations console, where you can view invitations for your account to join other organizations. Important: At this point, your account is a standalone account. If you are running workloads that aren't covered by AWS Free Tier, you will be charged according to the payment and billing information you provided for the account. | Management account administrator or account administrator |
Verify that the member account is no longer part of the source organization. | In the AWS Organizations console, you should no longer see the Leave organization button. Instead. you should see pending invitations, if any, from other organizations. | Account administrator |
Remove the IAM roles that grant access to your account from the organization you left. | When you remove the account from the source organization, AWS Identity and Access Management (IAM) roles created by AWS Organizations or by administrators aren't automatically deleted. To terminate access from the source organization's management account, you must manually delete the IAM roles. For more information, see Deleting roles or instance profiles in the IAM documentation. When a member account leaves an organization, all tags that were attached to the account are deleted. Standalone accounts do not support tags. | Account administrator |
| Task | Description | Skills required |
|---|---|---|
Sign in to AWS Control Tower. | Sign in to the AWS Control Tower console as an administrator. Currently, there is no direct way to move an AWS account from a source organization to an organization in an OU that's governed by AWS Control Tower. However, you can extend AWS Control Tower governance to an existing AWS account when you enroll it into an OU that's already governed by AWS Control Tower. That's why you have to log in to AWS Control Tower for this step. | AWS Control Tower administrator |
Invite the member account. |
Important: Verify that no applications or network connectivity will be affected by the account transfer. This action sends an invitation email with a link to the member account. When the account administrator follows the link and accepts the invitation, the member account appears in the AWS accounts page. For more information, see Inviting an AWS account to join your organization in the AWS Organizations documentation. | AWS Control Tower administrator |
Test applications and connectivity. | When the member account has been registered into the new organization, it appears in the OU within a root. It also appears in the AWS Control Tower console, flagged as not enrolled in accounts, because it hasn't yet been enrolled in the AWS Control Tower registered OU. Verify the following:
| AWS Control Tower administrator, Member account administrator, Application owners |
| Task | Description | Skills required |
|---|---|---|
Review guardrails and fix any violations. | Review the guardrails that are defined in the target OU, especially the preventive guardrails, and fix any violations. A number of mandatory, preventive guardrails are enabled by default when you set up your AWS Control Tower landing zone. These can't be disabled. You must review these mandatory guardrails and fix the member account (manually or by using a script) before you enroll the account. Note: Preventive guardrails keep AWS Control Tower registered accounts compliant and prevent policy violations. Any violation of preventive guardrails might affect enrollment. Detective guardrail violations appear in the AWS Control Tower dashboard, if detected, after successful enrollment. They do not affect the enrollment process. For more information, see Guardrails in AWS Control Tower in the AWS documentation. | AWS Control Tower administrator, Member account administrator |
Check for connectivity issues after fixing guardrail violations. | In some cases, you might have to close specific ports or disable services to fix guardrail violations. Make sure that applications that use those ports and services are remediated before you enroll the account. | Application owner |
| Task | Description | Skills required |
|---|---|---|
Sign in to the AWS Control Tower console. | Use sign-in credentials that have administrative permissions for AWS Control Tower. Do not use the root user (management account) credentials to enroll an AWS Organizations account. This will display an error message. | AWS Control Tower administrator |
Enroll the account. |
For more information, see Enroll an existing account in the AWS Control Tower documentation. | AWS Control Tower administrator |
| Task | Description | Skills required |
|---|---|---|
Verify the account. | From AWS Control Tower, choose Accounts. The account that you just enrolled has an initial state of Enrolling. When enrollment is complete, its state changes to Enrolled. | AWS Control Tower administrator, Member account administrator |
Check for guardrail violations. | Guardrails defined in the OU will automatically apply to the enrolled member account. Monitor the AWS Control Tower dashboard for violations and fix them accordingly. For more information, see Guardrails in AWS Control Tower in the AWS documentation. | AWS Control Tower administrator, Member account administrator |
Troubleshooting
| Issue | Solution |
|---|---|
You receive the error message: An unknown error occurred. Try again later, or contact AWS Support. | This error occurs when you use root user credentials (management account) in AWS Control Tower to enroll a new account. AWS Service Catalog can't map the Account Factory Portfolio or product to the root user, which results in the error message. To remediate this error, use non-root, full-access user (administrator) credentials to enroll the new account. For more information about how to assign administrative access to an administrative user, see Getting started in the AWS IAM Identity Center (successor to AWS Single Sign-On) documentation. |
The AWS Control Tower Activities page displays a Get Catastrophic Drift action. | This action reflects a drift check of the service and does not indicate any issues with the AWS Control Tower setup. No action is required. |
Related resources
Documentation
AWS Organizations terminology and concepts (AWS Organizations documentation)
What is AWS Control Tower? (AWS Control Tower documentation)
Removing a member account from your organization (AWS Organizations documentation)
Creating an administrator account in AWS Control Tower (AWS Control Tower documentation)
Tutorials and videos
AWS Control Tower Workshop
(self-paced workshop) What is AWS Control Tower?
(video)
