Enroll an account - AWS Control Tower

Enroll an account

After the AdministratorAccess permission is in place in your existing account, follow these steps to enroll the account:

To enroll an individual account in AWS Control Tower

  • Navigate to the AWS Control Tower Organization page.

  • On the Organization page, accounts that are eligible to be enrolled allow you to select Enroll from the Actions dropdown menu at the top of the section. These accounts also show an Enroll account button when you view them on the Account details page.

  • When you choose Enroll account, you’ll see an Enroll account page, where you are prompted to add the AWSControlTowerExecution role to the account.

  • Next, select a registered OU from the drop down list. If the account is already in a registered OU, this list will show the OU.

  • Choose Enroll account.

  • You’ll see a modal reminder to add the AWSControlTowerExecution role and confirm the action.

  • Choose Enroll.

  • AWS Control Tower begins the process of enrollment, and you are directed back to the Account details page.

Common causes for failure of enrollment

  • To enroll an existing account, the AWSControlTowerExecution role must be present in the account you're enrolling.

  • Your IAM principal may lack the necessary permissions to provision an account.

  • AWS Security Token Service (AWS STS) is disabled in your AWS account in your home region, or in any region supported by AWS Control Tower.

  • You may be signed in to an account that needs to be added to the Account Factory Portfolio in AWS Service Catalog. The account must be added before you'll have access to Account Factory so you can create or enroll an account in AWS Control Tower. If the appropriate user or role is not added to the Account Factory Portfolio, you’ll receive an error when you attempt to add an account. For instructions on how to grant access to AWS Service Catalog portfolios, see Granting access to users.

  • You may be signed in as root.

  • The account you're trying to enroll may have AWS Config settings that are residual. In particular, the account must not have a configuration recorder or delivery channel. These must be deleted or modified through the AWS CLI before you can enroll an account. For more information, see Enroll accounts that have existing AWS Config resources and Interacting with AWS Control Tower using AWS CloudShell.

  • If the account belongs to another OU with a management account, including another AWS Control Tower OU, you must terminate the account in its current OU before it can join another OU. Existing resources must be removed in the original OU. Otherwise, enrollment will fail.

  • Account provisioning and enrollment fails if your destination OU’s SCPs don’t allow you to create all of the resources required for that account. For example, an SCP in your destination OU may block resource creation without certain tags. In this case, account provisioning or enrollment fails, because AWS Control Tower does not support tagging of resources. For help, contact your account representative, or AWS Support.

For more information about how AWS Control Tower works with roles when you're creating new accounts or enrolling existing accounts, see How AWS Control Tower works with roles to create and manage accounts.


If you cannot confirm that an existing AWS account meets the enrollment prerequisites, you can set up an Enrollment OU and enroll the account into that OU. After enrollment is successful, you can move the account to the desired OU. If enrollment happens to fail, no other accounts or OUs are affected by the failure.

Recommended: You can set up a two-step approach to account enrollment

  • First, use an AWS Config conformance pack to evaluate how your accounts may be affected by some AWS Control Tower guardrails. To determine how enrollment into AWS Control Tower may affect your accounts, see Extend AWS Control Tower governance using AWS Config conformance packs.

  • Next, you may wish to enroll the account. If the compliance results are satisfactory, the migration path is easier because you can enroll the account without unexpected consequences.

  • After you've done your evaluation, if you decide to set up an AWS Control Tower landing zone, you may need to remove the AWS Config delivery channel and configuration recorder that were created for your evaluation. Then you'll be able to set up AWS Control Tower successfully.


The conformance pack also works in situations where the accounts are located in OUs registered by AWS Control Tower, but the workloads run within AWS Regions that don’t have AWS Control Tower support. You can use the conformance pack to manage resources in accounts that exist in Regions where AWS Control Tower is not deployed.