Enrolling an Existing AWS Account in AWS Control Tower - AWS Control Tower

Enrolling an Existing AWS Account in AWS Control Tower

You can extend AWS Control Tower governance to individual, existing AWS accounts by enrolling them into an AWS Control Tower organizational unit (OU). Eligible accounts exist in unregistered OUs that are part of the same AWS Organizations organization as the AWS Control Tower OU.

Before you can enroll an existing AWS account into AWS Control Tower you must give permission for AWS Control Tower to manage, or govern, the account. Specifically, AWS Control Tower requires permission to establish trusted access between AWS CloudFormation and AWS Organizations on your behalf, so that AWS CloudFormation can deploy your stack automatically to the accounts in your selected organization.

To learn more about trusted access and AWS CloudFormation StackSets, see AWS CloudFormation StackSets and AWS Organizations. When trusted access is enabled, AWS CloudFormation can create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. AWS Control Tower relies on this trust capability so it can apply roles and permissions to existing accounts before it moves them into a registered organizational unit and thereby brings them under governance.

During the enrollment process, AWS Control Tower performs these actions:

  • Baselines the account, which includes deploying these stack sets:






    It is a good idea to review the templates of these stack sets and make sure that they don’t conflict with your existing policies.

  • Identifies the account through AWS Single Sign-On or AWS Organizations.

  • Places the account into the OU that you've specified. Be sure to apply all SCPs that are applied in the current OU, so that your security posture remains consistent.

  • Applies mandatory guardrails to the account by means of the SCPs that apply to the selected OU as a whole.

  • Adds the AWS Config rules that apply the AWS Control Tower detective guardrails to the account.

Enrolling Existing Accounts With VPCs

AWS Control Tower handles VPCs differently when you provision a new account in Account Factory than when you enroll an existing account.

  • When you create a new account, AWS Control Tower automatically removes the AWS default VPC and creates a new VPC for that account.

  • When you enroll an existing account, AWS Control Tower does not create a new VPC for that account.

  • When you enroll an existing account, AWS Control Tower does not remove any existing VPC or AWS default VPC associated with the account.

Recommended: You can set up a two-step approach to account enrollment

  • First, use an AWS Config conformance pack to evaluate how your accounts may be affected by some AWS Control Tower guardrails. To determine how enrollment into AWS Control Tower may affect your accounts, see AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack.

  • Next, you may wish to enroll the account. If the compliance results are satisfactory, the migration path is easier because you can enroll the account without unexpected consequences.

  • After you've done your evaluation, if you decide to set up an AWS Control Tower landing zone, you may need to remove the AWS Config delivery channel and configuration recorder that were created for your evaluation. Then you'll be able to set up AWS Control Tower successfully.


The conformance pack also works in situations where the accounts are located in OUs registered by AWS Control Tower, but the workloads run within AWS Regions that don’t have AWS Control Tower support. You can use the conformance pack to manage resources in accounts that exist in Regions where AWS Control Tower is not deployed.

Prerequisites for Enrollment

Before you can enroll an existing account in AWS Control Tower, the account must have the following roles, permissions, and trust relationships in place.

Role Name: AWSControlTowerExecution

Role Permission: AdministratorAccess (AWS managed policy)

Role Trust Relationship:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::Master Account ID:root" }, "Action": "sts:AssumeRole", "Condition": {} } ] }

To check other prerequisites for enrollment, see Getting Started with AWS Control Tower.


When you enroll an account into AWS Control Tower, your account is governed by the AWS CloudTrail trail for the AWS Control Tower organization. If you have an existing deployment of a CloudTrail trail, you may see duplicate charges unless you delete the existing trail for the account before you enroll it in AWS Control Tower.

After the AdministratorAccess permission is in place in your existing account, follow these steps to enroll the account:

To enroll an individual account in AWS Control Tower

  • Navigate to the AWS Control Tower Account Factory page and select Enroll account.

  • Specify the current email address of the existing account you'd like to enroll in AWS Control Tower.

  • Specify the first and last name of the account owner.

  • Specify the organizational unit (OU) in which you'd like to enroll the account.

  • Choose Enroll account.

Common Causes for Failure of Enrollment

  • Your IAM principal may lack the necessary permissions to provision an account. To enroll an existing account, the AWSControlTowerExecution role must be present in the account you're enrolling.

  • AWS Security Token Service (AWS STS) is disabled in your AWS account in your home region, or in any region supported by AWS Control Tower.

  • You may be signed in to an account that needs to be added to the Account Factory Portfolio in AWS Service Catalog. The account must be added before you'll have access to Account Factory so you can create or enroll an account in AWS Control Tower. If the appropriate user or role is not added to the Account Factory Portfolio, you’ll receive an error when you attempt to add an account.

  • You may be signed in as root.

  • The account you're trying to enroll may have AWS Config settings that are residual. In particular, the account must not have a configuration recorder or delivery channel, so these must be deleted through the AWS CLI before you can enroll an account.

For more information about how AWS Control Tower works with roles when you're creating new accounts or enrolling existing accounts, see How AWS Control Tower Works With Roles to Create and Manage Accounts .


The account that you wish to enroll must exist in the same AWS Organizations organization as the AWS Control Tower master account. The account that exists can be enrolled only into the same organization as the AWS Control Tower master account, in an OU that already is registered with AWS Control Tower. Otherwise, enrollment will fail.

Automated Enrollment of AWS Organizations Accounts

You can use the enrollment method described in a blog post called Enroll existing AWS accounts into AWS Control Tower to enroll your AWS Organizations accounts into AWS Control Tower with a programmatic process.