
Getting started with AWS Control Tower

This getting started procedure is for AWS Control Tower central cloud administrators. Use it when you're ready to set up your landing zone. From start to finish it takes about an hour, and it consists of one prerequisite and two steps.

Prerequisite: Automated Pre-Launch Checks for Your Management Account

Before AWS Control Tower sets up the landing zone, it automatically runs a series of pre-launch checks in your management account. No action is required on your part for these checks; they confirm that the management account is ready for the changes that establish your landing zone. AWS Control Tower runs the following checks before setting up a landing zone:

  • The existing service limits for the AWS account must be sufficient for AWS Control Tower to launch. For more information, see Limitations and quotas in AWS Control Tower.

  • The AWS account must be subscribed to the following AWS services:

    • Amazon Simple Storage Service (Amazon S3)

    • Amazon Elastic Compute Cloud (Amazon EC2)

    • Amazon SNS

    • Amazon Virtual Private Cloud (Amazon VPC)

    • AWS CloudFormation

    • AWS CloudTrail

    • Amazon CloudWatch

    • AWS Config

    • AWS Identity and Access Management (IAM)

    • AWS Lambda

    By default, all accounts are subscribed to these services.

  • If AWS Single Sign-On (AWS SSO) is already set up, the AWS Control Tower home region must be the same as the AWS SSO region.

Considerations for AWS Config and AWS CloudTrail customers

  • Trusted access for AWS Config and AWS CloudTrail must not be enabled in the organization management account (that is, AWS Organizations service access for config.amazonaws.com and cloudtrail.amazonaws.com must be off) before you set up the landing zone.

  • We recommend that you do not turn AWS Config off to set up AWS Control Tower and then turn it back on. If you do so, you'll incur additional charges.

  • If you are running ephemeral workloads from accounts in AWS Control Tower, you will see an increase in costs associated with AWS Config. Contact your AWS account representative for more specific information about managing these costs.

  • When you enroll an account into AWS Control Tower, the account is governed by the organization-wide AWS CloudTrail trail that AWS Control Tower creates. If the account already has its own trail, its events are logged and billed twice unless you delete the existing trail before you enroll the account.
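The checks above are run by AWS Control Tower itself, but the trusted-access, existing-trail and AWS SSO region conditions in the considerations list are ones you can verify yourself before you start, so that setup does not fail part way through. The script below is an added example, not AWS Control Tower code: it evaluates the JSON printed by the AWS CLI commands named in each docstring, so it runs offline against the constructed samples embedded here. The assumption that `aws sso-admin list-instances` lists no instances when run outside the AWS SSO region is mine, not a statement from this page; the sample outputs, account IDs and trail names are constructed.

```python
"""Pre-launch checks against AWS CLI output, before AWS Control Tower setup.

Added example; this is not AWS Control Tower code and is independent of the
checks the service runs for you. Each function evaluates the JSON printed by
the AWS CLI command named in its docstring, so the script runs offline against
the constructed samples below. Replace the samples with real output from the
management account to check your own environment.
"""
import json

# Service principals that must NOT have trusted access in the management account.
BLOCKED_TRUSTED_ACCESS = {"config.amazonaws.com", "cloudtrail.amazonaws.com"}


def enabled_service_principals(service_access_json):
    """Parse `aws organizations list-aws-service-access-for-organization`."""
    data = json.loads(service_access_json)
    return {p["ServicePrincipal"] for p in data.get("EnabledServicePrincipals", [])}


def check_trusted_access(service_access_json):
    """Return the blocked principals that currently have trusted access."""
    return sorted(enabled_service_principals(service_access_json) & BLOCKED_TRUSTED_ACCESS)


def check_existing_trails(trails_json):
    """Parse `aws cloudtrail describe-trails` (run in the home region) and return
    the names of trails that would log alongside the Control Tower organization
    trail, i.e. the source of duplicate CloudTrail charges after enrollment."""
    data = json.loads(trails_json)
    return sorted(t["Name"] for t in data.get("trailList", []))


def check_sso_region(service_access_json, sso_instances_json):
    """Parse `aws sso-admin list-instances` run in the intended home region.
    Assumption (not stated on the page): the call lists no instances when the
    region is not the AWS SSO region. If trusted access for sso.amazonaws.com
    shows that AWS SSO is set up, but no instance is visible in the home
    region, the home region does not match the AWS SSO region."""
    sso_enabled = "sso.amazonaws.com" in enabled_service_principals(service_access_json)
    instances = json.loads(sso_instances_json).get("Instances", [])
    if sso_enabled and not instances:
        return "AWS SSO is enabled in another region; the Control Tower home region must match it"
    return None


def preflight(service_access_json, trails_json, sso_instances_json):
    """Run all checks and return a list of human-readable findings (empty = ready)."""
    findings = []
    for principal in check_trusted_access(service_access_json):
        findings.append(f"disable trusted access for {principal} before setting up the landing zone")
    for name in check_existing_trails(trails_json):
        findings.append(f"existing trail {name!r} is billed in addition to the Control Tower trail; delete it before enrollment")
    sso_finding = check_sso_region(service_access_json, sso_instances_json)
    if sso_finding:
        findings.append(sso_finding)
    return findings


# Constructed sample CLI output (not captured from a real account).
SAMPLE_SERVICE_ACCESS = json.dumps({"EnabledServicePrincipals": [
    {"ServicePrincipal": "config.amazonaws.com", "DateEnabled": "2020-01-15T10:00:00Z"},
    {"ServicePrincipal": "sso.amazonaws.com", "DateEnabled": "2020-02-01T10:00:00Z"},
]})
SAMPLE_TRAILS = json.dumps({"trailList": [
    {"Name": "legacy-account-trail", "S3BucketName": "legacy-trail-logs",
     "HomeRegion": "us-east-1", "IsMultiRegionTrail": True, "IsOrganizationTrail": False},
]})
SAMPLE_SSO_INSTANCES = json.dumps({"Instances": []})
SAMPLE_SSO_INSTANCES_HOME = json.dumps({"Instances": [
    {"InstanceArn": "arn:aws:sso:::instance/ssoins-0123456789abcdef", "IdentityStoreId": "d-0123456789"},
]})
CLEAN_SERVICE_ACCESS = json.dumps({"EnabledServicePrincipals": []})
CLEAN_TRAILS = json.dumps({"trailList": []})

if __name__ == "__main__":
    for finding in preflight(SAMPLE_SERVICE_ACCESS, SAMPLE_TRAILS, SAMPLE_SSO_INSTANCES):
        print("FINDING:", finding)
```

Run it from a shell that has management-account credentials and pipe the real command output into the three functions; an empty findings list from `preflight` means none of these three conditions will block setup. The trail check deliberately reports every existing trail rather than guessing which ones are harmless, because the duplicate-charge decision in the considerations above is per trail and is yours to make.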

Step One: Create Your Shared Account Email Addresses

If you're setting up your landing zone in a new AWS account, for information on creating your account and your IAM administrator, see Setting up.

To set up your landing zone, AWS Control Tower requires two unique email addresses that are not already associated with any AWS account. Each should be a collaborative inbox: a shared mailbox for the users in your enterprise who will do specific work related to AWS Control Tower. The email addresses are:

  • Audit account – This account is for your team of users that need access to the audit information made available by AWS Control Tower. You can also use this account as the access point for third-party tools that will perform programmatic auditing of your environment to help you audit for compliance purposes.

  • Log archive account – This account is for your team of users that need access to all the logging information for all of your managed accounts within managed OUs in your landing zone.

These accounts are created in the Core OU when you create your landing zone. As a best practice, when you need to perform some action in these accounts, sign in as an AWS SSO user with appropriately scoped permissions rather than as the account's root user.

Step Two: Set Up Your Landing Zone

Before you set up your AWS Control Tower landing zone, determine the most appropriate home region. For more information, see Administrative Tips for Landing Zone Setup.

Landing zone setup is performed in the AWS Control Tower console. To set up your landing zone, perform the following procedure:

To set up your landing zone

  1. Open a web browser, and navigate to the AWS Control Tower console at

  2. In the console, verify that you are working in your desired home region for AWS Control Tower. Then choose Set up your landing zone.

  3. Provide the email addresses for your log archive and audit accounts. Note that the email addresses must not already have associated AWS accounts.

  4. Review the Service permissions, and when you're ready, choose I understand the permissions AWS Control Tower will use to administer AWS resources and enforce rules on my behalf.

  5. Choose Setup landing zone.

This starts the process of setting up your landing zone, which can take about an hour to complete. During setup, your core accounts are created, your root and Core OUs are created, and AWS resources are created, modified, or deleted.


The email address you provided for the audit account will receive an AWS Notification - Subscription Confirmation email from every AWS Region supported by AWS Control Tower. Compliance notifications for a Region are not delivered to your audit account until you choose the Confirm subscription link in that Region's email, so confirm each one.
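Because one confirmation email arrives per Region, it is easy to miss one and silently lose compliance notifications for that Region. The following added example (not AWS Control Tower code) finds the Regions where the audit address is still unconfirmed by evaluating the JSON printed by `aws sns list-subscriptions --region <region>`, run in the audit account for each supported Region. It assumes, as a naming convention not stated on this page, that the Control Tower notification topics in the audit account carry the prefix `aws-controltower-`; the sample outputs, account ID and topic names are constructed.

```python
"""Which Regions still have unconfirmed Control Tower notification subscriptions?

Added example, not AWS Control Tower code. It evaluates the JSON printed by
`aws sns list-subscriptions --region <region>`, one output per Region that
Control Tower supports, collected in the audit account. Assumption (not from
the page): Control Tower's notification topics in the audit account are named
with the prefix "aws-controltower-"; change TOPIC_PREFIX if yours differ.
"""
import json

TOPIC_PREFIX = "aws-controltower-"
# SNS reports this string in place of a subscription ARN until the link is clicked.
PENDING = "PendingConfirmation"


def pending_confirmations(list_subscriptions_outputs, audit_email):
    """Return {region: [topic names]} for email subscriptions of audit_email to
    Control Tower topics that are still awaiting confirmation. The Region is
    taken from the TopicArn (arn:aws:sns:<region>:<account>:<topic>), so the
    outputs can be passed in any order."""
    pending = {}
    for raw in list_subscriptions_outputs:
        for sub in json.loads(raw).get("Subscriptions", []):
            if sub.get("Protocol") != "email" or sub.get("Endpoint") != audit_email:
                continue
            parts = sub["TopicArn"].split(":")
            region, topic = parts[3], parts[5]
            if topic.startswith(TOPIC_PREFIX) and sub.get("SubscriptionArn") == PENDING:
                pending.setdefault(region, []).append(topic)
    return pending


# Constructed sample output for two Regions (not captured from a real account).
SAMPLE_OUTPUTS = [
    json.dumps({"Subscriptions": [
        {"SubscriptionArn": "arn:aws:sns:us-east-1:111122223333:aws-controltower-SecurityNotifications:0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
         "Owner": "111122223333", "Protocol": "email", "Endpoint": "ct-audit@example.com",
         "TopicArn": "arn:aws:sns:us-east-1:111122223333:aws-controltower-SecurityNotifications"},
    ]}),
    json.dumps({"Subscriptions": [
        {"SubscriptionArn": "PendingConfirmation", "Owner": "111122223333", "Protocol": "email",
         "Endpoint": "ct-audit@example.com",
         "TopicArn": "arn:aws:sns:us-west-2:111122223333:aws-controltower-SecurityNotifications"},
        # Unrelated pending subscription: different endpoint and topic, must be ignored.
        {"SubscriptionArn": "PendingConfirmation", "Owner": "111122223333", "Protocol": "email",
         "Endpoint": "someone-else@example.com",
         "TopicArn": "arn:aws:sns:us-west-2:111122223333:unrelated-topic"},
    ]}),
]

if __name__ == "__main__":
    for region, topics in pending_confirmations(SAMPLE_OUTPUTS, "ct-audit@example.com").items():
        print(f"{region}: confirm {', '.join(topics)}")
```

A loop over the supported Regions that captures each `list-subscriptions` output into the list is all that is needed to run this against a real audit account; an empty result means every Control Tower topic subscription for the audit address has been confirmed.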

Next Steps

Now that your landing zone is set up, it's ready for use.

To learn more about how you can use AWS Control Tower, see the following topics: