Deploying AWS Control Tower in an AWS Landing Zone organization - AWS Prescriptive Guidance

Deploying AWS Control Tower in an AWS Landing Zone organization

This scenario details the steps involved in deploying AWS Control Tower in an AWS Organizations organization that is currently running the AWS Landing Zone solution.

  1. Make sure that you can create two new accounts without exceeding the current service quotas. If necessary, request service quota increases. The two new accounts are created as part of the AWS Control Tower deployment unless you reuse existing accounts from your AWS Landing Zone deployment.

  2. If you are currently using AWS IAM Identity Center, deploy AWS Control Tower in the same AWS Region where IAM Identity Center is configured.

  3. On the AWS Organizations console, if trusted access is enabled for the AWS Config and AWS CloudTrail services, choose Disable trusted access for each of them. For more information, see the AWS documentation.

  4. Deploy AWS Control Tower. For more information, see the AWS documentation.
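The pre-deployment checks in steps 1 and 3 can be scripted against the AWS CLI. The following script is an added example and is not part of the AWS guidance: it counts the accounts returned by `aws organizations list-accounts` against a quota value that you supply (the quota limit is a placeholder argument, not read from Service Quotas), and reports whether trusted access for `config.amazonaws.com` or `cloudtrail.amazonaws.com` is still enabled in the output of `aws organizations list-aws-service-access-for-organization`. The profile name and the sample JSON are constructed for illustration.

```python
"""Pre-deployment checks for AWS Control Tower in an existing organization.

Added example, not AWS code. Parses the JSON that two AWS Organizations CLI
commands print, so the checks can run from the management account.
"""
import json
import subprocess
from typing import Dict, List

# Placeholder: CLI profile for the organization's management account.
PROFILE = "org-management-admin"

# Service principals whose trusted access must be disabled before deploying
# AWS Control Tower (step 3 of the procedure).
SERVICES_TO_DISABLE = ("config.amazonaws.com", "cloudtrail.amazonaws.com")

# Constructed sample outputs, shaped like the real CLI JSON responses.
SAMPLE_SERVICE_ACCESS = json.dumps({
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2021-01-01T00:00:00Z"},
        {"ServicePrincipal": "sso.amazonaws.com", "DateEnabled": "2021-01-01T00:00:00Z"},
    ]
})
SAMPLE_ACCOUNTS = json.dumps({
    "Accounts": [
        {"Id": "111111111111", "Status": "ACTIVE"},
        {"Id": "222222222222", "Status": "ACTIVE"},
        {"Id": "333333333333", "Status": "SUSPENDED"},
    ]
})


def trusted_access_to_disable(service_access_json: str) -> List[str]:
    """Return the Config/CloudTrail principals that still have trusted access."""
    enabled = {
        p["ServicePrincipal"]
        for p in json.loads(service_access_json).get("EnabledServicePrincipals", [])
    }
    return [s for s in SERVICES_TO_DISABLE if s in enabled]


def account_headroom(accounts_json: str, quota_limit: int) -> Dict[str, int]:
    """Compare the number of accounts in the organization with a quota limit.

    Suspended accounts still count toward the quota until they are closed,
    so every account returned by list-accounts is counted. `needed` is the
    two accounts Control Tower creates (audit and log archive).
    """
    total = len(json.loads(accounts_json).get("Accounts", []))
    needed = 2
    return {"accounts": total, "quota": quota_limit, "free": quota_limit - total,
            "enough_for_control_tower": int(quota_limit - total >= needed)}


def aws_json(*args: str) -> str:
    """Run an AWS CLI command under PROFILE and return its JSON output."""
    cmd = ["aws", "--profile", PROFILE, "--output", "json", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Placeholder quota: replace with the value shown for the Organizations
    # "maximum number of accounts" quota in the Service Quotas console.
    quota = 10
    access = aws_json("organizations", "list-aws-service-access-for-organization")
    accounts = aws_json("organizations", "list-accounts")
    print("trusted access still to disable:", trusted_access_to_disable(access))
    print("account headroom:", account_headroom(accounts, quota))
```

Run it from the management account before step 4; anything listed under "trusted access still to disable" must be turned off in the Organizations console first, and `enough_for_control_tower` must be 1 (or a quota increase requested) unless you are reusing existing accounts.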

Here's what to expect when you set up your AWS Control Tower landing zone in an existing organization.

  • You can have one landing zone in each AWS Organizations organization.

  • AWS Control Tower uses the management account from your existing AWS Organizations organization as its management account. No new management account is needed.

  • AWS Control Tower sets up two new accounts in a registered Security OU: an audit account and a log archive account, unless you are using existing accounts during setup. If you are using existing accounts, AWS Control Tower will move the audit and log archive accounts under the OU that you created during AWS Control Tower deployment.

  • Your organization's service quotas must be adequate for the creation of these two additional accounts.

  • After launch, AWS Control Tower guardrails apply automatically to accounts in that OU.

  • You can enroll additional existing AWS accounts into an OU that's governed by AWS Control Tower, so that guardrails apply to those accounts.

If you want to enroll any existing AWS accounts or OUs into AWS Control Tower after it is set up, see the Enrolling existing AWS accounts with AWS Control Tower in an existing organization section of the guide.

Enrolling existing AWS accounts with AWS Control Tower in an existing organization

You can extend AWS Control Tower governance to an individual, existing AWS account when you enroll it into an organizational unit (OU) that's already governed by AWS Control Tower. Eligible accounts exist in unregistered OUs that are part of the same AWS Organizations organization as the AWS Control Tower OU.

You can register an OU to AWS Control Tower from the AWS Control Tower console. When you register an OU, AWS Control Tower will enroll all the accounts under the OU to AWS Control Tower.

We recommend registering an OU, instead of enrolling individual accounts. The benefit of this approach is that the OU ID does not change. If you have any policies or rules that use the OU ID, you won't need to make any changes.

Before you enroll AWS accounts with AWS Control Tower, delete the AWS CloudFormation stack instances from the stack set named AWS-Landing-Zone-Baseline-EnableConfig. In each account that you want to enroll, in every AWS Region where AWS Control Tower is deployed, you must delete the AWS-Landing-Zone-Baseline-EnableConfig stack instance. Because deleting the complete stack set takes time, we recommend deleting the stack instances only for the accounts that you are enrolling. Deleting the stack instances for a specific account should also delete that account's AWS Config recorder and delivery channel. You can verify the deletion by running the following commands in that account, for each Region.

aws configservice describe-configuration-recorders --region <region_name>

aws configservice describe-delivery-channels --region <region_name>
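Because the two commands must be run for every Region where AWS Control Tower is deployed, the check is easier to script. The following script is an added example, not part of the AWS guidance: it runs the same two `aws configservice describe-*` commands for each Region and reports any recorder or delivery channel that survived the stack instance deletion. The Region list and profile name are placeholders, and the sample JSON is constructed to mirror the CLI's output shape.

```python
"""Verify that no AWS Config recorder or delivery channel remains in an
account across the Regions where AWS Control Tower is deployed.

Added example, not AWS code. Wraps the two CLI commands from the guidance.
"""
import json
import subprocess
from typing import Dict, List

# Placeholders: the Regions governed by your landing zone and a CLI profile
# with read access to AWS Config in the account being enrolled.
REGIONS = ["us-east-1", "us-west-2"]
PROFILE = "member-account-admin"

# Constructed sample outputs, shaped like the real CLI JSON responses.
SAMPLE_RECORDERS_LEFT = json.dumps({
    "ConfigurationRecorders": [
        {"name": "default",
         "roleARN": "arn:aws:iam::111111111111:role/placeholder-config-role"}
    ]
})
SAMPLE_RECORDERS_EMPTY = json.dumps({"ConfigurationRecorders": []})
SAMPLE_CHANNELS_EMPTY = json.dumps({"DeliveryChannels": []})


def remaining_config_resources(recorders_json: str,
                               channels_json: str) -> Dict[str, List[str]]:
    """Parse the JSON printed by describe-configuration-recorders and
    describe-delivery-channels and return the names that still exist.
    Both lists empty means the Region is ready for enrollment."""
    recorders = json.loads(recorders_json).get("ConfigurationRecorders", [])
    channels = json.loads(channels_json).get("DeliveryChannels", [])
    return {
        "recorders": [r["name"] for r in recorders],
        "delivery_channels": [c["name"] for c in channels],
    }


def region_is_clean(recorders_json: str, channels_json: str) -> bool:
    left = remaining_config_resources(recorders_json, channels_json)
    return not left["recorders"] and not left["delivery_channels"]


def aws_json(*args: str) -> str:
    """Run an AWS CLI command under PROFILE and return its JSON output."""
    cmd = ["aws", "--profile", PROFILE, "--output", "json", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def check_all_regions(regions=REGIONS) -> Dict[str, Dict[str, List[str]]]:
    """Return, per Region, whatever Config resources still exist."""
    report = {}
    for region in regions:
        rec = aws_json("configservice", "describe-configuration-recorders",
                       "--region", region)
        chan = aws_json("configservice", "describe-delivery-channels",
                        "--region", region)
        report[region] = remaining_config_resources(rec, chan)
    return report


if __name__ == "__main__":
    for region, left in check_all_regions().items():
        clean = not (left["recorders"] or left["delivery_channels"])
        print(f"{region}: {'clean' if clean else 'NOT clean'} {left}")
```

Run it once per account that you intend to enroll; a Region reported as NOT clean still has a recorder or delivery channel that will make enrollment fail, so delete the corresponding stack instance (or the leftover resource) before continuing.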

Use the AWS Control Tower Register OU feature from the AWS Control Tower console

Before you register an entire OU that has existing AWS accounts, make sure to do the following:

  • Delete the AWS Config recorder and delivery channel from all the Regions of all the accounts under that OU, as mentioned previously.

For more information, see Register an existing organizational unit with AWS Control Tower.

After an account is enrolled in AWS Control Tower, you will see another provisioned product in Service Catalog for the account that you enrolled. The name of the provisioned product will be prefixed with Enroll-. This means that you now have two provisioned products in Service Catalog for a single account:

  • One provisioned product from the AWS Landing Zone Account Vending Machine

  • One provisioned product from the enrollment into AWS Control Tower

You have an option to terminate the provisioned product for an account from AWS Landing Zone, but we recommend that you wait until after completing the transition.

When you terminate the provisioned product for accounts vended in the AWS Landing Zone environment, the Terminate operation starts deleting the associated baseline AWS CloudFormation stack sets, which you might want to retain. Be sure to assess the baseline stack sets defined in manifest.yaml and understand the implications of deleting them. If any of those stack sets contain resources that you want to retain, do not terminate the provisioned product. A partial deletion leaves the provisioned product in the Tainted state in the Service Catalog console.

Alternatively, you can retain the provisioned product created by Account Vending Machine from AWS Landing Zone.

Enrolling AWS accounts from an existing organization into AWS Control Tower in a new organization

You might want to deploy AWS Control Tower in a new AWS Organizations organization. To set up AWS Control Tower in a new organization, complete the following steps:

  1. Create a new AWS account.

  2. Deploy AWS Control Tower in the newly created account.

  3. To migrate an AWS account from an existing organization to the new organization where you deployed AWS Control Tower, see the instructions. It’s important to review and understand all the account access, billing, licensing, and tax considerations that are covered.

  4. To understand the process of migrating AWS accounts between organizations, see the Migrating accounts between AWS Organizations with consolidated billing to all features blog post.

  5. Start enrolling the AWS account in AWS Control Tower. To perform the enrollment, see the section Enrolling existing AWS accounts with AWS Control Tower in an existing organization.