Permissions for configuring and provisioning accounts - AWS Control Tower

Permissions for configuring and provisioning accounts

The AWS Control Tower Account Factory enables cloud administrators and users in AWS IAM Identity Center to provision accounts in your landing zone. By default, IAM Identity Center users who provision accounts must belong to the AWSAccountFactory group or the management group.

Note

Exercise caution when working from the management account, as you would when using any account that has permissions across your organization.

The AWS Control Tower management account has a trust relationship with the AWSControlTowerExecution role, which allows account setup from the management account, including some automated account setup. For more information about the AWSControlTowerExecution role, see Roles and accounts.

Note

To enroll an existing AWS account into AWS Control Tower, that account must have the AWSControlTowerExecution role enabled. For more information about how to enroll an existing account, see Enroll an existing AWS account.
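The two notes above both turn on the AWSControlTowerExecution role: the management account must be able to assume it, and an account cannot be enrolled without it. A practitioner's pre-enrollment check is therefore to read that role's trust policy and confirm it allows sts:AssumeRole to the management account's root principal and to nothing else (a wildcard or an unrelated account in the trust policy hands that account administrative access to anyone who can assume the role). The following is an added example, not AWS Control Tower's own code or tooling. It assumes the trust-policy shape AWS documents for the role (an Allow statement whose Principal is `arn:aws:iam::<management account ID>:root`), and the account IDs and policy documents in it are constructed placeholders.

```python
"""Check that an account's AWSControlTowerExecution trust policy trusts only the
AWS Control Tower management account.

Added example; not AWS Control Tower's own code. The policy documents below are
constructed for illustration and the account IDs are placeholders.
"""
import json

ROLE_NAME = "AWSControlTowerExecution"
ASSUME_ROLE = "sts:AssumeRole"


def management_principal(management_account_id: str) -> str:
    """Root principal of the management account, which is the principal the
    AWSControlTowerExecution trust policy is expected to allow (assumption
    based on the documented trust-policy shape)."""
    return f"arn:aws:iam::{management_account_id}:root"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Return every AWS principal named by a statement ('*' included)."""
    principal = statement.get("Principal")
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [str(p) for p in _as_list(principal.get("AWS"))]
    return []


def check_execution_role_trust(trust_policy: str, management_account_id: str) -> list:
    """Evaluate a trust (assume-role) policy document for the execution role.

    Returns a list of findings. An empty list means the policy allows
    sts:AssumeRole to the management account's root principal and to no other
    principal. Findings are plain strings so they can be logged or asserted on.
    """
    findings = []
    expected = management_principal(management_account_id)
    policy = json.loads(trust_policy)
    trusts_management = False

    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in (ASSUME_ROLE, "sts:*", "*") for a in actions):
            continue
        for principal in _principals(stmt):
            if principal == "*":
                findings.append("wildcard principal '*' may assume the role")
            elif principal == expected:
                trusts_management = True
            else:
                findings.append(f"unexpected principal may assume the role: {principal}")

    if not trusts_management:
        findings.append(f"role does not trust {expected}; enrollment will fail")
    return findings


# Constructed sample: the trust policy shape AWS documents for the role, with a
# placeholder management account ID.
MANAGEMENT_ACCOUNT_ID = "111111111111"  # placeholder, not a real account

GOOD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": management_principal(MANAGEMENT_ACCOUNT_ID)},
        "Action": "sts:AssumeRole",
        "Condition": {},
    }],
})

# Constructed sample of a misconfigured policy: any AWS principal may assume the
# role, a second unrelated account is trusted, and the management account is not.
BAD_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["sts:AssumeRole"]},
    ],
})

if __name__ == "__main__":
    for name, doc in (("good", GOOD_TRUST_POLICY), ("bad", BAD_TRUST_POLICY)):
        print(name, check_execution_role_trust(doc, MANAGEMENT_ACCOUNT_ID) or ["ok"])
```

In practice the document passed to `check_execution_role_trust` is the `AssumeRolePolicyDocument` returned by the IAM GetRole API for the role (`aws iam get-role --role-name AWSControlTowerExecution`); the boto3 client returns it already decoded as a dict, so serialise it with `json.dumps` first. Running the check from the account being enrolled, before the enrollment step, catches a missing role or an over-permissive trust policy without any change to the account.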

For more information about permissions, see Permissions required for accounts.