Provision and manage accounts with Account Factory - AWS Control Tower

Provision and manage accounts with Account Factory

This chapter includes an overview and procedures for provisioning new member accounts in your AWS Control Tower landing zone with Account Factory.

Permissions for Configuring and Provisioning Accounts

The AWS Control Tower account factory enables cloud administrators and AWS IAM Identity Center (successor to AWS Single Sign-On) end users to provision accounts in your landing zone. By default, IAM Identity Center users who provision accounts must be members of the AWSAccountFactory group or the management group.


Exercise caution when working from the management account, as you would when using any account that has generous permissions across your organization.

The AWS Control Tower management account has a trust relationship with the AWSControlTowerExecution role, which enables account setup from the management account, including some automated account setup. For more information about the AWSControlTowerExecution role, see How AWS Control Tower works with roles to create and manage accounts.


To enroll an existing AWS account into AWS Control Tower, that account must have the AWSControlTowerExecution role enabled. For more information about how to enroll an existing account, see Enroll an existing AWS account.
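Before enrolling an existing account, it is worth confirming that its AWSControlTowerExecution role actually trusts the management account and nothing broader. The following is an added example, not code from the AWS documentation: it evaluates a role trust policy offline against constructed sample documents and reports whether the management account's root principal (and only a named principal, never `*`) is allowed `sts:AssumeRole`. The role name follows the page; the account IDs, the sample policies and the `fetch_trust_policy` helper (which assumes boto3 and member-account credentials) are assumptions for illustration.

```python
"""Pre-enrollment check for the AWSControlTowerExecution trust policy.

Added example (not AWS's own code). The trust relationship it checks,
management-account root principal allowed sts:AssumeRole, follows the
AWS Control Tower documentation; sample policies and account IDs below
are constructed placeholders.
"""
import json
from typing import Any, List, Tuple, Union

EXECUTION_ROLE_NAME = "AWSControlTowerExecution"
# Any of these actions lets a principal assume the role.
ASSUME_ROLE_ACTIONS = {"sts:AssumeRole", "sts:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(statement: dict) -> List[str]:
    """Return the AWS principals named by a statement ('*' counts as one)."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def evaluate_trust_policy(trust_policy: Union[str, dict],
                          management_account_id: str) -> Tuple[bool, List[str]]:
    """Evaluate a trust policy (dict or JSON string).

    Returns (ok, findings). ok is True only when an Allow statement grants
    sts:AssumeRole to the management account's root principal, no Deny
    statement blocks it, and no statement opens the role to any principal.
    """
    policy = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    root_arn = f"arn:aws:iam::{management_account_id}:root"
    accepted = {root_arn, management_account_id}  # bare account ID == root ARN
    findings: List[str] = []
    allowed = denied = wildcard = False

    for stmt in _as_list(policy.get("Statement")):
        if not ASSUME_ROLE_ACTIONS.intersection(_as_list(stmt.get("Action"))):
            continue  # statement is not about assuming the role
        principals = _aws_principals(stmt)
        effect = stmt.get("Effect")
        if "*" in principals and effect == "Allow":
            wildcard = True
            findings.append("a statement allows sts:AssumeRole from any principal ('*')")
        if accepted.intersection(principals) or "*" in principals:
            if effect == "Allow":
                allowed = True
            elif effect == "Deny":
                denied = True

    if denied:
        findings.append(f"a Deny statement blocks sts:AssumeRole for account {management_account_id}")
    elif not allowed:
        findings.append(f"no Allow statement grants sts:AssumeRole to {root_arn}")
    return (allowed and not denied and not wildcard), findings


def fetch_trust_policy(role_name: str = EXECUTION_ROLE_NAME) -> dict:
    """Fetch the live trust policy with boto3 (assumption: boto3 is installed
    and credentials for the member account are configured). Imported lazily so
    the offline checks above run without it."""
    import boto3
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return role["AssumeRolePolicyDocument"]  # boto3 returns it already parsed


# Constructed sample policies (placeholder account IDs, not real accounts).
MANAGEMENT_ACCOUNT = "111111111111"
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{MANAGEMENT_ACCOUNT}:root"},
    "Action": "sts:AssumeRole"}]}
WRONG_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole"}]}
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, doc in [("good", GOOD_POLICY), ("wrong-account", WRONG_ACCOUNT_POLICY),
                      ("open", OPEN_POLICY)]:
        ok, findings = evaluate_trust_policy(doc, MANAGEMENT_ACCOUNT)
        print(f"{name:14s} ok={ok} {findings}")
    # Live check from inside the member account:
    # print(evaluate_trust_policy(fetch_trust_policy(), MANAGEMENT_ACCOUNT))
```

Run it inside the account you intend to enroll and replace `MANAGEMENT_ACCOUNT` with your own management account ID; a result of `ok=False` with a "no Allow statement" finding means the role is not yet enabled for Control Tower, while a wildcard finding means the role is more permissive than the trust relationship described above and should be tightened before enrollment.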

Considerations on Managing Account Factory Accounts

Accounts that you provision through the AWS Control Tower Account Factory can be updated, closed, or repurposed. For example, you can repurpose existing accounts for other workloads and other users by updating the user parameters for the account.

If you specify a new IAM Identity Center user email address when you update the provisioned product associated with an account that was vended by account factory, AWS Control Tower creates a new IAM Identity Center user account. The previously created user account is not removed. If you prefer to remove the previous IAM Identity Center user email from IAM Identity Center, see Disabling a User.

With Account Factory you also can change the organizational unit (OU) for an account, or you can unmanage an account, by following the procedures in this chapter. For more information on unmanaging an account, see Unmanage an account. Certain updates require that you or an administrator sign in to the account as the root user to gain the appropriate permissions; for more information, see When to Sign in as a Root User.