# AWS Control Tower User Guide

> Describes key concepts for AWS Control Tower. Provides instructions for setting up and using a landing zone, a secure and compliant multi-account AWS environment for enterprises or organizations at scale.

- [Terminology](https://docs.aws.amazon.com/controltower/latest/userguide/terminology.md)
- [Pricing](https://docs.aws.amazon.com/controltower/latest/userguide/pricing.md)
- [Setting up](https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.md)
- [The Controls Reference Guide](https://docs.aws.amazon.com/controltower/latest/userguide/link-to-new-guide.md)
- [Manage resources](https://docs.aws.amazon.com/controltower/latest/userguide/about-resources.md)
- [Troubleshooting](https://docs.aws.amazon.com/controltower/latest/userguide/troubleshooting.md)
- [Additional information](https://docs.aws.amazon.com/controltower/latest/userguide/related-information.md)
- [Document history](https://docs.aws.amazon.com/controltower/latest/userguide/doc-history.md)
- [AWS Glossary](https://docs.aws.amazon.com/controltower/latest/userguide/glossary.md)

## [What Is AWS Control Tower?](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.md)

### [How it works](https://docs.aws.amazon.com/controltower/latest/userguide/how-control-tower-works.md)

How AWS Control Tower works.

- [What are the shared accounts?](https://docs.aws.amazon.com/controltower/latest/userguide/what-shared.md): In AWS Control Tower, the shared accounts in your landing zone are provisioned during setup: the management account, the log archive account, and the audit account.
- [How controls work](https://docs.aws.amazon.com/controltower/latest/userguide/how-controls-work.md): A control is a high-level rule that provides ongoing governance for your overall AWS environment.
## [Getting started](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.md)

- [Quick start guide](https://docs.aws.amazon.com/controltower/latest/userguide/quick-start.md): If you are new to AWS, you can follow the steps in this section to get started quickly with AWS Control Tower.
- [Pre-launch checks](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-prereqs.md): Learn about the automated pre-launch checks that make sure your management account is ready for changes that establish your landing zone.

### [Set up your controls-dedicated environment](https://docs.aws.amazon.com/controltower/latest/userguide/setting-up-controls-dedicated-environment.md)

Learn how to get started with AWS Control Tower by setting up a controls-dedicated environment.

- [Getting Started](https://docs.aws.amazon.com/controltower/latest/userguide/controls-dedicated-env-getting-started.md): Learn about the steps for setting up a minimal landing zone for the controls-only experience.
- [AWS Config Considerations](https://docs.aws.amazon.com/controltower/latest/userguide/controls-dedicated-env-considerations.md): Learn about the steps for setting up AWS Config integration on a minimal landing zone for the controls-only experience with detective controls.
- [Implementation Process](https://docs.aws.amazon.com/controltower/latest/userguide/controls-dedicated-env-implement.md): Learn about the minimal landing zone for the controls-only experience, with and without detective controls.
- [Important Notes](https://docs.aws.amazon.com/controltower/latest/userguide/controls-dedicated-env-notes.md): Learn about the minimal landing zone for the controls-only experience.

### [Get started from the console](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-from-console.md)

Learn how to get started with AWS Control Tower from the console.
- [Expectations for landing zone configuration](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-configure.md): Learn about configuration expectations when setting up a landing zone.
- [Step 1: Create your shared account email addresses](https://docs.aws.amazon.com/controltower/latest/userguide/step-one.md): Learn about the email addresses that are required for your audit account and log archive account.

### [Step 2. Configure and launch your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/step-two.md)

Learn how to configure and launch your landing zone by first determining the most appropriate home Region.

- [Step 2a. Review and select your AWS Regions](https://docs.aws.amazon.com/controltower/latest/userguide/pricing-and-regions.md): Learn how to configure and launch your landing zone by selecting any additional AWS Regions and determining whether certain AWS Regions should be denied access to AWS resources.
- [Step 2b. Configure your organizational units (OUs)](https://docs.aws.amazon.com/controltower/latest/userguide/configure-ous.md): Learn how to configure and launch your landing zone by accepting or changing the default names of your organizational units (OUs).

### [Step 2c. Configure your shared accounts, logging, and encryption](https://docs.aws.amazon.com/controltower/latest/userguide/configure-shared-accounts.md)

Learn how to configure and launch your landing zone by deciding whether to customize the names of your audit and log archive accounts, optionally specifying existing AWS accounts as your shared accounts, and providing unique email addresses for your audit and log archive accounts.

- [Optionally configure log retention](https://docs.aws.amazon.com/controltower/latest/userguide/configure-log-retention.md): Learn how to configure and launch your landing zone by deciding whether to customize the log retention policy.
- [Optionally self-manage AWS account access](https://docs.aws.amazon.com/controltower/latest/userguide/select-idp.md): You can select whether AWS Control Tower sets up AWS account access with AWS Identity and Access Management (IAM), or whether to self-manage AWS account access, either with AWS IAM Identity Center users, roles, and permissions that you can set up and customize on your own, or with another method such as an external IdP, either for direct account federation or federation to multiple accounts by means of IAM Identity Center.
- [Optionally configure AWS CloudTrail trails](https://docs.aws.amazon.com/controltower/latest/userguide/configure-org-trails.md): Learn how to configure and launch your landing zone by deciding whether to set up logging.
- [Optionally configure AWS KMS keys](https://docs.aws.amazon.com/controltower/latest/userguide/configure-kms-keys.md): Learn how to configure and launch your landing zone by deciding whether to encrypt and decrypt resources with AWS KMS keys.
- [Optionally configure auto-enrollment for accounts](https://docs.aws.amazon.com/controltower/latest/userguide/configure-auto-enroll.md): Learn how to configure automatic account enrollment.
- [Optionally configure and create customized member accounts](https://docs.aws.amazon.com/controltower/latest/userguide/configure-customized-accounts.md): Learn how to configure and launch your landing zone by deciding whether to specify a previously defined blueprint for provisioning customized member accounts.
- [Step 3. Review and set up the landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/review-and-set-up.md): Learn how to configure and launch your landing zone by reviewing service permissions and finishing the setup of your landing zone.

### [Get started using APIs](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-apis.md)

Learn how to get started with AWS Control Tower using APIs.
- [Expectations for landing zone configuration with APIs](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-expectations-api.md): Learn about configuration expectations when setting up a landing zone using APIs.
- [Step 1: Configure your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-prereques.md): The process of setting up your AWS Control Tower landing zone has multiple steps.
- [Step 2: Launch your landing zone using the AWS Control Tower APIs](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-launch.md): You can use AWS Control Tower APIs to launch your landing zone.
- [Identify your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-list.md): Calling ListLandingZones can help you determine if your account is already set up with AWS Control Tower.
- [Update your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-update.md): When a new landing zone version is available, or to make other updates to your landing zone configuration, you can call the UpdateLandingZone API and reference an updated landing zone manifest file.
- [Reset the landing zone to resolve drift](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-reset.md): When you create your landing zone, the landing zone and all the organizational units (OUs), accounts, and resources are compliant with the governance rules enforced by your chosen controls.
- [View the details of your landing zone manifest file](https://docs.aws.amazon.com/controltower/latest/userguide/lz-manifest-file.md): Learn about landing zone setup operations.
- [View the status of your landing zone operations](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-examples-short.md): Learn about landing zone operations.
- [Examples: Set up an AWS Control Tower landing zone with APIs only](https://docs.aws.amazon.com/controltower/latest/userguide/walkthrough-api-setup.md): This walkthrough of examples is a companion document.
- [Landing zone schemas](https://docs.aws.amazon.com/controltower/latest/userguide/landing-zone-schemas.md): AWS Control Tower landing zones are created using specific schemas, with each version having a unique schema definition.

### [Launch a landing zone using CloudFormation](https://docs.aws.amazon.com/controltower/latest/userguide/lz-apis-cfn.md)

Learn how to launch a landing zone using CloudFormation.

- [Prerequisites for using CloudFormation](https://docs.aws.amazon.com/controltower/latest/userguide/lz-apis-cfn-setup.md)
- [Create a new landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/lz-apis-cfn-launch.md): From the CloudFormation console or using the AWS CLI, deploy the following CloudFormation template to create a landing zone.
- [Manage existing landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/lz-apis-cfn-launch-existing.md): You can use CloudFormation to manage a landing zone that you have already launched by importing the landing zone in a new or existing CloudFormation stack.
- [Next steps](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-next.md): Learn more about how you can use AWS Control Tower.

## [Limitations and quotas](https://docs.aws.amazon.com/controltower/latest/userguide/limits.md)

- [Request a quota increase](https://docs.aws.amazon.com/controltower/latest/userguide/request-an-increase.md): AWS Control Tower provides service quotas that can be viewed and, in some cases, adjusted through the Service Quotas console.
- [Control limitations](https://docs.aws.amazon.com/controltower/latest/userguide/control-limitations.md): Learn about the limitations and considerations for AWS Control Tower controls, including regional restrictions and the impact of modifying AWS Control Tower resources.
- [Limitations based on underlying AWS services](https://docs.aws.amazon.com/controltower/latest/userguide/region-stackset-limitations.md): AWS Control Tower faces limitations based on underlying AWS services, particularly when registering organizational units (OUs) with a large number of accounts across multiple Regions.
- [Regional differences](https://docs.aws.amazon.com/controltower/latest/userguide/regional-differences.md): AWS Control Tower functionality varies across AWS Regions due to the availability of underlying AWS services it orchestrates.

## [Best practices for administrators](https://docs.aws.amazon.com/controltower/latest/userguide/best-practices.md)

- [Plan your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/planning-your-deployment.md): When you go through the setup process, AWS Control Tower launches a key resource associated with your account, called a landing zone, which serves as a home for your organizations and their accounts.
- [Best practices: Set up an AWS multi-account landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/aws-multi-account-landing-zone.md): AWS Control Tower customers often seek guidance about how to set up their AWS environment and accounts for best results. AWS has created a unified set of recommendations, called the multi-account strategy, to help you make the best use of your AWS resources, including your AWS Control Tower landing zone.
- [Administrative tips for landing zone setup](https://docs.aws.amazon.com/controltower/latest/userguide/tips-for-admin-setup.md): Learn about tips for setting up a landing zone as the administrator.
### [Landing Zone v4.0 migration guide](https://docs.aws.amazon.com/controltower/latest/userguide/landing-zone-v4-migration-guide.md)

Learn about updates related to Landing Zone 4.0, with a quick guide for migrating to version 4.0 and above.

- [Key changes](https://docs.aws.amazon.com/controltower/latest/userguide/key-changes-lz-v4.md)
- [AWS Config Updates](https://docs.aws.amazon.com/controltower/latest/userguide/config-updates-v4.md)
- [Feature comparison with and without AWS Config integration](https://docs.aws.amazon.com/controltower/latest/userguide/config-integration-feature-comparison.md): Compare the AWS Control Tower features that are available in Landing Zone 4.0 with and without AWS Config integration.
- [Recommendations for setting up groups, roles, and policies](https://docs.aws.amazon.com/controltower/latest/userguide/roles-recommendations.md): Learn about recommendations for granting users access to accounts when setting up your landing zone.
- [Guidance about AWS Control Tower resources](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-guidance.md): Learn about best practices for creating and modifying resources in AWS Control Tower.
- [When to sign in as a root user](https://docs.aws.amazon.com/controltower/latest/userguide/root-login.md): Learn about administrative tasks and actions that require you to sign in as the root user.
- [AWS Organizations guidance](https://docs.aws.amazon.com/controltower/latest/userguide/orgs-guidance.md): Learn about guidance for using AWS Control Tower with AWS Organizations.
- [IAM Identity Center guidance](https://docs.aws.amazon.com/controltower/latest/userguide/sso-guidance.md): Learn about resources that you can use to understand how AWS IAM Identity Center interacts with AWS Control Tower.
- [Account Factory guidance](https://docs.aws.amazon.com/controltower/latest/userguide/af-guidance.md): Learn about issues that can occur when provisioning accounts in Account Factory and how you might troubleshoot them.
- [Guidance on subscribing to SNS Topics](https://docs.aws.amazon.com/controltower/latest/userguide/sns-guidance.md): Learn about subscribing to SNS topics in AWS Control Tower.
- [Guidance for KMS keys](https://docs.aws.amazon.com/controltower/latest/userguide/kms-guidance.md): Learn about best practices for using AWS Control Tower with AWS Key Management Service.
- [Landing zone updates](https://docs.aws.amazon.com/controltower/latest/userguide/lz-update-best-practices.md): Find the best practices to use when you update your landing zone version on AWS Control Tower.
- [Policies for AI-based services](https://docs.aws.amazon.com/controltower/latest/userguide/ai-opt-out.md): You can create service control policies (SCPs) that allow you to opt out of having your data stored by AI-based services on AWS.

## [Configuration update management](https://docs.aws.amazon.com/controltower/latest/userguide/configuration-updates.md)

- [About updates](https://docs.aws.amazon.com/controltower/latest/userguide/about-updates.md): AWS Control Tower requires various types of updates to correct governance drift and adopt new versions, including landing zone updates, individual account updates, and full updates.
- [Update your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/update-controltower.md): Updating the AWS Control Tower landing zone can be done through the Landing zone settings page, which shows the current version and available updates.
- [Select a landing zone version](https://docs.aws.amazon.com/controltower/latest/userguide/lz-version-selection.md): How to select a landing zone version.
- [Retain account trails](https://docs.aws.amazon.com/controltower/latest/userguide/retain-account-trails.md): Learn how to retain account-level trails when you upgrade your landing zone version on AWS Control Tower.
- [Resolve drift with Reset and Re-register](https://docs.aws.amazon.com/controltower/latest/userguide/resolve-drift.md): AWS Control Tower automatically detects drift in landing zone configurations and provides methods to resolve it, including the Reset and Re-register features in the console and programmatic options.
- [Provision and update accounts using automation](https://docs.aws.amazon.com/controltower/latest/userguide/update-accounts-by-script.md): AWS Control Tower offers multiple methods for provisioning and updating individual accounts, including AWS Control Tower Account Factory for Terraform (AFT), Customizations for AWS Control Tower (CfCT), and script automation using Service Catalog APIs.

## [Automate tasks](https://docs.aws.amazon.com/controltower/latest/userguide/automating-tasks.md)

### [AWS CloudShell and the AWS CLI](https://docs.aws.amazon.com/controltower/latest/userguide/using-aws-with-cloudshell.md)

Learn how you can use AWS CloudShell to work with AWS Control Tower through the CLI.

- [Interact with AWS Control Tower through AWS CloudShell](https://docs.aws.amazon.com/controltower/latest/userguide/cshell-examples.md): After you launch AWS CloudShell from the AWS Management Console, you can immediately start to interact with AWS Control Tower from the command line interface.
- [AWS CloudFormation resources](https://docs.aws.amazon.com/controltower/latest/userguide/creating-resources-with-cloudformation.md): Learn how to create resources for AWS Control Tower using an AWS CloudFormation template.
## [Customize your landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/customize-landing-zone.md)

- [Customize from the AWS Control Tower console](https://docs.aws.amazon.com/controltower/latest/userguide/console-customize.md): To make these customizations to your landing zone, follow the steps given by the AWS Control Tower console.
- [Automate customizations outside the AWS Control Tower console](https://docs.aws.amazon.com/controltower/latest/userguide/automate-customizations.md): Some customizations are not available through the AWS Control Tower console, but they can be implemented in other ways.
- [AWS Control Tower and LZA](https://docs.aws.amazon.com/controltower/latest/userguide/about-lza.md): This section describes the benefits of working with AWS Control Tower and the Landing Zone Accelerator (LZA) solution, together.

### [Customizations for AWS Control Tower (CfCT) overview](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-overview.md)

Learn about customizations for AWS Control Tower.

- [Architecture](https://docs.aws.amazon.com/controltower/latest/userguide/architecture.md): Learn about the CfCT architecture.
- [Cost](https://docs.aws.amazon.com/controltower/latest/userguide/cost.md): Learn about the cost of CfCT.
- [Component services](https://docs.aws.amazon.com/controltower/latest/userguide/components.md): Learn about the components of Customizations for AWS Control Tower.
- [Deployment considerations](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-considerations.md): Learn about considerations when deploying Customizations for AWS Control Tower.
- [Template and source code](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-template.md): Learn about deploying Customizations for AWS Control Tower.

### [Deploy CfCT](https://docs.aws.amazon.com/controltower/latest/userguide/deployment.md)

Learn about the step-by-step deployment instructions for setting up CfCT.

- [Step 1. Launch the stack](https://docs.aws.amazon.com/controltower/latest/userguide/step1.md): Learn how to launch the stack, so you can deploy CfCT.
- [Step 2. Create a custom package](https://docs.aws.amazon.com/controltower/latest/userguide/step2.md): Learn about creating a custom package to deploy CfCT.
- [Update the stack](https://docs.aws.amazon.com/controltower/latest/userguide/update-stack.md): Learn how to update the stack after deploying CfCT.
- [Delete a stack set](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-delete-stack.md): Learn how to delete a stack if you enabled stack set deletion in your manifest file.
- [Set up Amazon S3 as the configuration source](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-s3-source.md): Learn how to set up Amazon Simple Storage Service as the configuration source if you choose to modify the configuration file.
- [Set up GitHub as the configuration source](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-github-configuration-source.md): Learn how to set up GitHub as the configuration source if you choose to modify the configuration file.
- [Operational metrics](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-metrics.md): Overview of Customizations for AWS Control Tower operational metrics on AWS.

### [CfCT customization guide](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-customizations-dev-guide.md)

Learn about the Customizations for AWS Control Tower (CfCT) guide.

- [Code pipeline overview](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-codepipeline-overview.md): Learn about the configuration package for CfCT and AWS CodePipeline.

### [Define a custom configuration](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-custom-configuration.md)

You'll define your custom AWS Control Tower configuration with the CfCT manifest file, the accompanying set of templates, and other JSON files.
- [The CfCT manifest file](https://docs.aws.amazon.com/controltower/latest/userguide/the-manifest-file.md): The CfCT manifest.yaml file is a text file that describes your AWS resources.
- [The resources section of the CfCT manifest file](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-manifest-file-resources-section.md): Learn about the resources section of the CfCT manifest file.
- [Root OU](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-root-ou.md): Learn about the Root OU feature.
- [Nested OU](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-nested-ou.md): Learn about nested OUs in the manifest file.

### [Build your own customizations](https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-customizations.md)

Learn about building your own customizations by modifying the CfCT manifest file.

- [Set up a configuration package for SCPs or RCPs](https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-set-up-custom-scps.md): Learn how to create a configuration package for service control policies (SCPs) or resource control policies (RCPs).
- [Set up a configuration package for CloudFormation StackSets](https://docs.aws.amazon.com/controltower/latest/userguide/cfcn-byo-cfn-stacksets.md): Learn how to set up a configuration package for AWS CloudFormation StackSets.
- [The 'alfred' helper and the CloudFormation parameter files](https://docs.aws.amazon.com/controltower/latest/userguide/alfred-helper.md): Learn about the 'alfred' helper and the AWS CloudFormation parameter files.
- [Version upgrades for the CfCT manifest](https://docs.aws.amazon.com/controltower/latest/userguide/cfct-compatibility.md): Learn about manifest versions and manifest upgrades.
## [Networking](https://docs.aws.amazon.com/controltower/latest/userguide/networking.md)

### [Overview of AWS Control Tower and VPCs](https://docs.aws.amazon.com/controltower/latest/userguide/vpc-concepts.md)

Learn about concepts to help you work effectively with AWS Control Tower and VPCs.

- [CIDR and Peering for VPC and AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/vpc-ct-cidr.md): Learn about the CIDR range for your AWS Control Tower organization.
- [AWS PrivateLink](https://docs.aws.amazon.com/controltower/latest/userguide/networking-privatelink.md): You can use AWS PrivateLink to create a private connection between your VPC and AWS Control Tower.

## [Roles and permissions](https://docs.aws.amazon.com/controltower/latest/userguide/roles-overview.md)

### [Roles and accounts](https://docs.aws.amazon.com/controltower/latest/userguide/roles-how.md)

Learn how AWS Control Tower works with roles.

- [AWSControlTowerExecution role](https://docs.aws.amazon.com/controltower/latest/userguide/awscontroltowerexecution.md): The AWSControlTowerExecution role must be present in all enrolled accounts.
- [Optional conditions for your role trust relationships](https://docs.aws.amazon.com/controltower/latest/userguide/conditions-for-role-trust.md): To add additional layers of security to your AWS Control Tower environment, you can impose conditions in your role trust policies to restrict the accounts and resources that interact with certain roles in AWS Control Tower.

## [Configure Regions](https://docs.aws.amazon.com/controltower/latest/userguide/region-how.md)

- [Avoid mixed governance when configuring Regions](https://docs.aws.amazon.com/controltower/latest/userguide/mixed-governance.md): Mixed governance in AWS Control Tower occurs when the controls governing an OU do not match those governing each account within the OU, typically after extending or removing governance from a Region.
- [About opt-in Regions](https://docs.aws.amazon.com/controltower/latest/userguide/opt-in-region-considerations.md): AWS Control Tower supports the activation and governance of opt-in Regions, which are AWS Regions that require manual selection for activation.
- [Configure the Region deny control](https://docs.aws.amazon.com/controltower/latest/userguide/region-deny.md): AWS Control Tower offers two Region deny controls: AWS-GR_REGION_DENY, which applies to the entire landing zone, and CT.MULTISERVICE.PV.1, which can be applied to specific organizational units (OUs).

## [About accounts](https://docs.aws.amazon.com/controltower/latest/userguide/accounts.md)

- [About the shared accounts](https://docs.aws.amazon.com/controltower/latest/userguide/special-accounts.md): Three special AWS accounts are associated with AWS Control Tower: the management account, the audit account, and the log archive account.
- [Shared account resources](https://docs.aws.amazon.com/controltower/latest/userguide/shared-account-resources.md): This section shows the resources that AWS Control Tower creates in the shared accounts when you set up your landing zone.
- [About member accounts](https://docs.aws.amazon.com/controltower/latest/userguide/member-accounts.md): Member accounts are the accounts through which your users perform their AWS workloads.

### [Interact with AWS Control Tower accounts from AWS Service Catalog](https://docs.aws.amazon.com/controltower/latest/userguide/handle-accounts-with-service-catalog.md)

This section tells how to handle your AWS Control Tower accounts with the capabilities of AWS Service Catalog.

- [Create and provision an account](https://docs.aws.amazon.com/controltower/latest/userguide/provision-as-end-user.md): Learn how to create and provision accounts as a user in AWS IAM Identity Center through AWS Service Catalog.
- [Automate Account Provisioning in AWS Control Tower by Service Catalog APIs](https://docs.aws.amazon.com/controltower/latest/userguide/automated-provisioning-walkthrough.md): This walkthrough demonstrates how to automate account provisioning in AWS Control Tower using Service Catalog APIs and AWS CLI commands.
- [Update the provisioned product in Service Catalog](https://docs.aws.amazon.com/controltower/latest/userguide/update-provisioned-product.md): The following procedure guides you through how to update your account in Account Factory or move it to a new OU, by updating the account's provisioned product in Service Catalog.
- [Unenroll an account in Service Catalog](https://docs.aws.amazon.com/controltower/latest/userguide/unenroll-with-sc.md): Unenrolling an account can be done in the Service Catalog console by an IAM Identity Center user in the AWSAccountFactory group, by terminating the Provisioned Product.

## [Provision and manage accounts](https://docs.aws.amazon.com/controltower/latest/userguide/provision-and-manage-accounts.md)

- [Methods of provisioning](https://docs.aws.amazon.com/controltower/latest/userguide/methods-of-provisioning.md): AWS Control Tower offers multiple methods for creating and updating member accounts, including console-based options like Account Factory and automated approaches such as Lambda code and Terraform.
- [Provision accounts in console](https://docs.aws.amazon.com/controltower/latest/userguide/account-create-console.md): Learn how to create and provision accounts as a user in AWS IAM Identity Center through AWS Control Tower.
- [View your accounts](https://docs.aws.amazon.com/controltower/latest/userguide/view-your-accounts.md): The Organization page lists all OUs and accounts in your organization, regardless of OU or enrollment status in AWS Control Tower.

### [About enrolling accounts](https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.md)

Learn about enrolling an existing AWS account.
- [Prerequisites for enrollment](https://docs.aws.amazon.com/controltower/latest/userguide/enrollment-prerequisites.md): Learn about the required prerequisites to enroll an existing AWS account in AWS Control Tower.
- [Auto-enrollment option](https://docs.aws.amazon.com/controltower/latest/userguide/account-auto-enrollment.md): The account auto-enrollment feature is available for landing zones of version 3.1 and above.
- [Enroll from console](https://docs.aws.amazon.com/controltower/latest/userguide/quick-account-provisioning.md): Learn about enrolling an existing account that is not governed by AWS Control Tower.
- [If the account does not meet the prerequisites](https://docs.aws.amazon.com/controltower/latest/userguide/fulfill-prerequisites.md): Remember that, as a prerequisite, accounts eligible to be enrolled into AWS Control Tower governance must be part of the same overall organization.
- [Manually add the required IAM role to an existing AWS account and enroll it](https://docs.aws.amazon.com/controltower/latest/userguide/enroll-manually.md): Learn how to enroll organization accounts into an OU that's registered with AWS Control Tower after you've already set up your AWS Control Tower landing zone.
- [Enroll accounts that have existing AWS Config resources](https://docs.aws.amazon.com/controltower/latest/userguide/existing-config-resources.md): Learn about enrolling accounts with existing AWS Config resources into AWS Control Tower.

### [Account Factory](https://docs.aws.amazon.com/controltower/latest/userguide/account-factory.md)

Learn how to provision new member accounts in an AWS Control Tower landing zone.

- [Update and move accounts](https://docs.aws.amazon.com/controltower/latest/userguide/updating-account-factory-accounts.md): Learn how to update and migrate accounts for Account Factory.
- [Change email address of an enrolled account](https://docs.aws.amazon.com/controltower/latest/userguide/change-account-email.md): Learn how to change the email address of an enrolled account in AWS Control Tower.
- [Change the name of an enrolled account](https://docs.aws.amazon.com/controltower/latest/userguide/change-account-name.md): Learn how to change the name of an enrolled account in AWS Control Tower.
- [Configure Amazon VPC settings](https://docs.aws.amazon.com/controltower/latest/userguide/configuring-account-factory-with-VPC-settings.md): Learn how to configure Account Factory accounts with Amazon VPC settings.
- [Unenroll an account](https://docs.aws.amazon.com/controltower/latest/userguide/unmanage-account.md): Learn how to unenroll an enrolled account in Account Factory.
- [Close an account](https://docs.aws.amazon.com/controltower/latest/userguide/delete-account.md): Learn how to close AWS accounts.
- [Account Factory resources](https://docs.aws.amazon.com/controltower/latest/userguide/account-factory-considerations.md): Learn about resources that are created when accounts are provisioned with Account Factory.

### [Account Factory Customization (AFC)](https://docs.aws.amazon.com/controltower/latest/userguide/af-customization-page.md)

Learn how AWS Control Tower allows you to customize new and existing accounts from the console.

### [Set up for customization](https://docs.aws.amazon.com/controltower/latest/userguide/afc-setup-steps.md)

Learn about the steps to set up Account Factory for the customization process.

- [Step 1. Create the required role](https://docs.aws.amazon.com/controltower/latest/userguide/step-1-create-blueprint-access-role.md): Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account.
- [Step 2. Create the AWS Service Catalog product](https://docs.aws.amazon.com/controltower/latest/userguide/step-2-create-blueprint-product.md): To create an AWS Service Catalog product, follow the steps at Creating products in the AWS Service Catalog Administrator Guide.
- [Step 3. Review your custom blueprint](https://docs.aws.amazon.com/controltower/latest/userguide/step-3-review-blueprint.md): You can view your blueprint in the AWS Service Catalog console.
- [Step 4. Call your blueprint to create a customized account](https://docs.aws.amazon.com/controltower/latest/userguide/step-4-call-the-blueprint.md): When you follow the Create account workflow in the AWS Control Tower console, you'll see an optional section where you can enter information about the blueprint you'd like to use for customizing accounts.
- [Create a customized account from a blueprint](https://docs.aws.amazon.com/controltower/latest/userguide/create-afc-customized-account.md): Learn how to create custom accounts after you've created custom blueprints.
- [Customize accounts with AFC as you enroll them](https://docs.aws.amazon.com/controltower/latest/userguide/enroll-and-customize.md): Learn about the steps to enroll and customize accounts from the AWS Control Tower console.
- [Add a blueprint to an AWS Control Tower account](https://docs.aws.amazon.com/controltower/latest/userguide/add-blueprint-to-account.md): Learn about adding a blueprint to an existing AWS Control Tower member account.
- [Update a blueprint](https://docs.aws.amazon.com/controltower/latest/userguide/update-a-blueprint.md): Learn how to update and deploy custom blueprints.
- [Remove a blueprint from an account](https://docs.aws.amazon.com/controltower/latest/userguide/remove-a-blueprint.md): Learn how to remove a blueprint from an account.
- [Partner blueprints](https://docs.aws.amazon.com/controltower/latest/userguide/partner-blueprints.md): Learn about pre-defined blueprints that you can access to customize accounts.
### [AWS Control Tower Account Factory for Terraform (AFT)](https://docs.aws.amazon.com/controltower/latest/userguide/taf-account-provisioning.md)

Learn about AWS Control Tower Account Factory for Terraform (AFT).

### [AFT overview](https://docs.aws.amazon.com/controltower/latest/userguide/aft-overview.md)

Learn how Account Factory for Terraform (AFT) integrates with AWS Control Tower to provide a Terraform-based pipeline for account provisioning and customization.

- [AFT Architecture](https://docs.aws.amazon.com/controltower/latest/userguide/aft-architecture.md): Learn about the architecture and order of operations for AWS Control Tower's Account Factory for Terraform (AFT).
- [Cost](https://docs.aws.amazon.com/controltower/latest/userguide/aft-pricing.md): Learn how Account Factory for Terraform (AFT) itself incurs no additional charges, but users pay for the resources and services deployed and enabled by AFT.

### [Deploy AFT](https://docs.aws.amazon.com/controltower/latest/userguide/aft-getting-started.md)

Learn about how to set up an Account Factory for Terraform (AFT) environment with a new AFT management account.

- [Post-deployment steps](https://docs.aws.amazon.com/controltower/latest/userguide/aft-post-deployment.md): Learn about the post-deployment steps that are required to complete the setup process.
- [Provision a new account](https://docs.aws.amazon.com/controltower/latest/userguide/aft-provision-account.md): Learn how Account Factory for Terraform (AFT) enables new account provisioning through the creation of an account request Terraform file containing specific parameters.
- [Multiple account requests](https://docs.aws.amazon.com/controltower/latest/userguide/aft-multiple-account-requests.md): Learn how Account Factory for Terraform (AFT) allows users to submit multiple account requests, which are processed in a first-in, first-out order.
- [Update an existing account](https://docs.aws.amazon.com/controltower/latest/userguide/aft-update-account.md): Learn about how to update an existing AFT account.

### [Versions supported](https://docs.aws.amazon.com/controltower/latest/userguide/version-supported.md)

Account Factory for Terraform (AFT) in AWS Control Tower supports Terraform version 1.6.1 or later and offers compatibility with three Terraform distributions: Community Edition, Cloud, and Enterprise.

- [Check the AFT version](https://docs.aws.amazon.com/controltower/latest/userguide/check-aft-version.md): Learn how to check the deployed version of AWS Control Tower Account Factory for Terraform (AFT).
- [Update the AFT version](https://docs.aws.amazon.com/controltower/latest/userguide/update-aft-version.md): Updating the deployed AFT (Account Factory for Terraform) version in AWS Control Tower can be done by pulling the latest changes from the main repository branch using the command 'terraform get -update'.
- [Enable feature options](https://docs.aws.amazon.com/controltower/latest/userguide/aft-feature-options.md): Learn about Account Factory for Terraform (AFT) optional features for AWS Control Tower environments, including CloudTrail data event logging, automatic Enterprise Support enrollment, and default VPC deletion.
- [Resources for AFT](https://docs.aws.amazon.com/controltower/latest/userguide/aft-resources.md): Learn about the various AWS resources that Account Factory for Terraform (AFT) creates across multiple accounts when setting up a landing zone.
- [Required roles](https://docs.aws.amazon.com/controltower/latest/userguide/aft-required-roles.md): Learn why Account Factory for Terraform (AFT) creates multiple IAM roles and policies in the AFT management and AWS Control Tower management accounts to support its pipeline operations.
- [Component services](https://docs.aws.amazon.com/controltower/latest/userguide/aft-components.md): Learn about the various AWS services and components that are integrated when deploying AWS Control Tower Account Factory for Terraform (AFT).
- [AFT account provisioning pipeline](https://docs.aws.amazon.com/controltower/latest/userguide/aft-provisioning-framework.md): The Account Factory for Terraform (AFT) account provisioning pipeline automates a series of steps to prepare newly provisioned accounts for customization, including metadata storage, role creation, and tag application.
- [Account customizations](https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.md): Learn how to apply global and account customizations.

### [Alternative VCS](https://docs.aws.amazon.com/controltower/latest/userguide/aft-alternative-vcs.md)

Learn about the process of setting up alternative version control systems for source code in AWS Control Tower's Account Factory for Terraform (AFT), including support for GitHub, BitBucket, GitLab, and Azure DevOps.

- [Move to another VCS](https://docs.aws.amazon.com/controltower/latest/userguide/move-a-vcs.md): This section contains procedures to help you move AFT from AWS CodeCommit to another VCS provider.
- [Data protection](https://docs.aws.amazon.com/controltower/latest/userguide/aft-data-protection.md): This document outlines data protection practices for AWS Control Tower Account Factory for Terraform (AFT), emphasizing the AWS shared responsibility model and best practices for security.
- [Remove an account](https://docs.aws.amazon.com/controltower/latest/userguide/aft-remove-account.md): Learn how to remove an account from AFT.
- [Operational metrics](https://docs.aws.amazon.com/controltower/latest/userguide/aft-operational-metrics.md): Learn how Account Factory for Terraform (AFT) collects anonymous operational metrics by default to improve the solution's quality and features.
- [Troubleshooting guide](https://docs.aws.amazon.com/controltower/latest/userguide/account-troubleshooting-guide.md): This section provides methods to troubleshoot common issues when using Account Factory for Terraform (AFT).

## [Drift](https://docs.aws.amazon.com/controltower/latest/userguide/drift.md)

- [Viewing drift](https://docs.aws.amazon.com/controltower/latest/userguide/viewing-drift.md): You can view the drift status for your accounts and OUs through the console or APIs, and identify when account and OU configurations are drifted, or out of sync.
- [Resolving drift](https://docs.aws.amazon.com/controltower/latest/userguide/resolving-drift.md): Although detection is automatic, the steps to resolve drift must be done manually through the console or with the APIs, except in certain cases when auto-enroll is enabled for accounts that are moved.
- [Types of governance drift](https://docs.aws.amazon.com/controltower/latest/userguide/governance-drift.md): Learn about various types of governance drift that can occur in AWS Control Tower, including moved or removed member accounts, unplanned updates to managed SCPs, and changes to organizational units.
- [If you manage resources outside of AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/external-resources.md): Learn how to manage resources outside of AWS Control Tower, including renaming, deleting, and moving resources, which can cause the console to become out of sync.

## [Organizations](https://docs.aws.amazon.com/controltower/latest/userguide/existing-orgs.md)

- [Extend governance to an existing organization](https://docs.aws.amazon.com/controltower/latest/userguide/about-extending-governance.md): Learn how to extend AWS Control Tower governance to an existing AWS Organizations structure.
- [Nested OUs](https://docs.aws.amazon.com/controltower/latest/userguide/nested-ous.md): AWS Control Tower supports nested Organizational Units (OUs), allowing for a more complex hierarchical structure in managing AWS accounts and resources.

### [Register an OU to enroll multiple accounts](https://docs.aws.amazon.com/controltower/latest/userguide/importing-existing.md)

Learn how to register an existing organizational unit (OU) with AWS Control Tower, extending governance to multiple AWS accounts efficiently.

- [Register an existing OU](https://docs.aws.amazon.com/controltower/latest/userguide/how-to-register-existing-ou.md): In the AWS Control Tower console, on the Organization page, you can view all of your organization's OUs and accounts in a hierarchy, including OUs that are registered with AWS Control Tower, and those that are not registered.
- [Create a new OU](https://docs.aws.amazon.com/controltower/latest/userguide/create-new-ou.md): Learn how to create an OU in AWS Control Tower.
- [Remove an OU](https://docs.aws.amazon.com/controltower/latest/userguide/remove-ou.md): Learn how to remove an OU from AWS Control Tower.
- [Common causes of failure during registration or re-registration](https://docs.aws.amazon.com/controltower/latest/userguide/common-eg-failures.md): Learn about the common causes of failure during the registration or re-registration of organizational units (OUs) and accounts in AWS Control Tower.

### [Update organizations](https://docs.aws.amazon.com/controltower/latest/userguide/ou-updates.md)

Re-registering an organizational unit (OU) is the quickest way to update an OU or multiple accounts within it in AWS Control Tower.

- [When to update OUs and accounts](https://docs.aws.amazon.com/controltower/latest/userguide/update-existing-accounts.md): After performing a landing zone update in AWS Control Tower, it's necessary to update enrolled accounts to apply new controls.
- [Update multiple accounts in one OU](https://docs.aws.amazon.com/controltower/latest/userguide/update-multiple-accounts.md): AWS Control Tower allows updating multiple accounts within the same organizational unit (OU) through a single action of re-registering the OU.
- [Update a single account](https://docs.aws.amazon.com/controltower/latest/userguide/update-account-in-sc.md): Individual AWS Control Tower accounts can be updated through either the AWS Control Tower console or the AWS Service Catalog console.
- [Transfer an account](https://docs.aws.amazon.com/controltower/latest/userguide/account-transfer.md): Learn how to transfer a member account that is enrolled in AWS Control Tower to a different AWS Organizations organization.

## [Integrated services](https://docs.aws.amazon.com/controltower/latest/userguide/integrated-services.md)

- [AWS Backup](https://docs.aws.amazon.com/controltower/latest/userguide/with-backup.md): AWS Backup allows you to create a backup plan for your AWS Control Tower landing zone.
- [CloudFormation](https://docs.aws.amazon.com/controltower/latest/userguide/cloudformation.md): Use CloudFormation in conjunction with AWS Control Tower, and use stacksets to apply controls on accounts, enabling efficient management of cloud resources across an organization.
- [CloudTrail](https://docs.aws.amazon.com/controltower/latest/userguide/cloudtrail.md): Learn how AWS Control Tower utilizes AWS CloudTrail to provide centralized logging and auditing capabilities for AWS environments.
- [CloudWatch](https://docs.aws.amazon.com/controltower/latest/userguide/cloudwatch.md): Learn how Amazon CloudWatch offers a robust, scalable, and flexible monitoring solution for AWS resources and services that can be quickly implemented.
- [AWS Config](https://docs.aws.amazon.com/controltower/latest/userguide/config.md): Learn how AWS Config provides a comprehensive view of AWS account resources, their configurations, and relationships over time, with resources provisioned by AWS Control Tower automatically tagged for easy identification.
- [AWS Identity and Access Management](https://docs.aws.amazon.com/controltower/latest/userguide/iam.md): AWS Identity and Access Management is a service for centrally managing access to AWS resources, allowing you to control users, security credentials, and permissions.
- [AWS Key Management Service](https://docs.aws.amazon.com/controltower/latest/userguide/kms-integration.md): AWS Key Management Service (AWS KMS) is a service that allows users to create and manage encryption keys for data protection.
- [AWS Lambda](https://docs.aws.amazon.com/controltower/latest/userguide/lambda.md): AWS Lambda enables serverless compute functions, allowing users to run code without managing servers for various applications and backend services.
- [AWS Organizations](https://docs.aws.amazon.com/controltower/latest/userguide/organizations.md): AWS Organizations is an account management service that allows for the consolidation and central management of multiple AWS accounts within an organization.
- [Amazon S3](https://docs.aws.amazon.com/controltower/latest/userguide/s3.md): Amazon Simple Storage Service (Amazon S3) provides internet-based storage, allowing users to store and retrieve any amount of data from anywhere on the web.
- [Security Hub CSPM](https://docs.aws.amazon.com/controltower/latest/userguide/security-hub.md): AWS Control Tower is integrated with AWS Security Hub CSPM through the Service-Managed Standard: AWS Control Tower.
- [AWS Service Catalog](https://docs.aws.amazon.com/controltower/latest/userguide/service-catalog.md): AWS Service Catalog enables IT administrators to create, manage, and distribute portfolios of approved products to end users, providing access to needed products in a personalized portal.
- [Amazon SNS](https://docs.aws.amazon.com/controltower/latest/userguide/sns.md): Learn how AWS Control Tower utilizes Amazon Simple Notification Service (Amazon SNS) to send programmatic alerts to management and audit account email addresses, helping prevent drift within the landing zone.
- [Step Functions](https://docs.aws.amazon.com/controltower/latest/userguide/step-functions.md): AWS Step Functions simplifies the process of coordinating components in distributed applications by allowing developers to create visual workflows consisting of a series of steps.

## [Identity and access management](https://docs.aws.amazon.com/controltower/latest/userguide/auth-access.md)

### [IAM Identity Center and AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/sso.md)

Manage users and access through AWS IAM Identity Center.

- [User groups, roles, and permission sets](https://docs.aws.amazon.com/controltower/latest/userguide/user-groups-roles-permissions.md): AWS Control Tower uses user groups to manage specialized roles within shared accounts, with all group members inheriting the associated permission sets or roles.
- [IAM Identity Center Groups for AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/sso-groups.md): AWS Control Tower offers preconfigured groups to organize users performing specific tasks in various accounts, allowing administrators to add users and assign them to these groups directly in IAM Identity Center.
### [Overview of managing resource access with IAM](https://docs.aws.amazon.com/controltower/latest/userguide/access-control-overview.md)

Learn how to manage access permissions to AWS Control Tower resources, covering topics such as resource ownership, policy elements, and specifying conditions in policies.

### [Manage access to resources](https://docs.aws.amazon.com/controltower/latest/userguide/access-control-manage-access-intro.md)

Learn how to manage access to resources in AWS Control Tower using identity-based policies (IAM policies) attached to IAM identities such as users, groups, or roles.

- [Create roles and assign permissions](https://docs.aws.amazon.com/controltower/latest/userguide/assign-permissions.md): Find detailed instructions on creating roles and assigning permissions in AWS Control Tower and other AWS services, including steps for using the IAM console, JSON policy editor, and visual editor to create policies.
- [Prevent confused deputy attacks](https://docs.aws.amazon.com/controltower/latest/userguide/prevent-confused-deputy.md): Cross-service impersonation in AWS can lead to the confused deputy problem, where one service manipulates another to act on a customer's resources beyond its intended permissions.

### [IAM policies for AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/access-control-managing-permissions.md)

Find detailed information on identity-based policies (IAM policies) used in AWS Control Tower, including the AWSControlTowerAdmin role, AWSControlTowerServiceRolePolicy, and other essential roles and policies.

- [Permissions Required to use the AWS Control Tower console](https://docs.aws.amazon.com/controltower/latest/userguide/additional-console-required-permissions.md): Learn about the three essential roles when setting up a landing zone, which are required for console access: AWSControlTowerAdmin, AWSControlTowerStackSetRole, and AWSControlTowerCloudTrailRole.
- [Managed policies for AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/managed-policies-table.md): AWS Control Tower uses managed IAM policies to grant necessary permissions for common use cases, reducing the need for manual investigation of required permissions.

## [Security](https://docs.aws.amazon.com/controltower/latest/userguide/security.md)

- [Data Protection](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-console-encryption.md): Learn how the AWS shared responsibility model applies to data protection in AWS Control Tower.
- [Compliance Validation](https://docs.aws.amazon.com/controltower/latest/userguide/compliance-validation.md): This chapter contains info about our AWS compliance program that you should consider when using AWS Control Tower.
- [Resilience](https://docs.aws.amazon.com/controltower/latest/userguide/disaster-recovery-resiliency.md): This chapter contains info about disaster recovery resiliency that you should consider when using AWS Control Tower.
- [Infrastructure Security](https://docs.aws.amazon.com/controltower/latest/userguide/infrastructure-security.md): Learn how AWS Control Tower isolates service traffic.

## [Logging and monitoring](https://docs.aws.amazon.com/controltower/latest/userguide/logging-and-monitoring.md)

- [About logging in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/about-logging.md): AWS Control Tower automatically logs actions and events through integration with AWS CloudTrail, AWS Config, and CloudWatch, covering both management and member account activities.
- [S3 bucket policy](https://docs.aws.amazon.com/controltower/latest/userguide/logging-s3-audit-bucket.md): Learn how AWS Control Tower implements a specific Amazon S3 bucket policy in the audit account to ensure that only AWS services within the organization or organizational unit can access resources.
- [Monitoring overview](https://docs.aws.amazon.com/controltower/latest/userguide/monitoring-overview.md): Monitor AWS Control Tower actions to maintain reliability, availability, and performance.
- [Logging AWS Control Tower Actions with AWS CloudTrail](https://docs.aws.amazon.com/controltower/latest/userguide/logging-using-cloudtrail.md): Learn how AWS Control Tower integrates with AWS CloudTrail to provide a comprehensive record of actions taken by users, roles, or AWS services within the AWS Control Tower environment.

### [Monitor resource changes with AWS Config](https://docs.aws.amazon.com/controltower/latest/userguide/monitoring-with-config.md)

Learn how AWS Control Tower enables AWS Config to enforce detective controls and log resource changes.

- [Manage Config costs](https://docs.aws.amazon.com/controltower/latest/userguide/config-costs.md): Learn how AWS Config records and bills for resource changes in AWS Control Tower accounts, helping users understand and manage associated costs.
- [Lifecycle Events](https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.md): AWS Control Tower uses lifecycle events to mark the completion of actions that change the state of resources such as organizational units, accounts, and controls.
- [User notifications](https://docs.aws.amazon.com/controltower/latest/userguide/using-user-notifications.md): AWS User Notifications can be used with AWS Control Tower to set up delivery channels for event notifications through multiple channels, including email, chat notifications through Amazon Q Developer in chat applications, and AWS Console Mobile Application push notifications.
## [Backup](https://docs.aws.amazon.com/controltower/latest/userguide/backup.md)

- [Prerequisites](https://docs.aws.amazon.com/controltower/latest/userguide/backup-prerequisites.md): Before setting up AWS Backup for AWS Control Tower resources, users must have an existing AWS Organizations organization and allocate two additional AWS accounts for central backup and backup administration.
- [Enable backups](https://docs.aws.amazon.com/controltower/latest/userguide/enable-backup.md): AWS Control Tower allows enabling backups for enrolled account resources during landing zone setup or updates, requiring a Backup Administrator account, a Central Backup account, and a multi-Region AWS KMS key.
- [Turn off backups](https://docs.aws.amazon.com/controltower/latest/userguide/stop-backups.md): Turning off backups in AWS Control Tower involves a two-step process: first disabling the AWS Backup baseline on each OU with enabled backups, then turning off AWS Backup for the entire landing zone.
- [Moved accounts](https://docs.aws.amazon.com/controltower/latest/userguide/moving-accounts-and-backup.md): When an account is moved into an AWS Control Tower OU with AWS Backup enabled, the backup plan doesn't automatically apply if the account isn't enrolled in AWS Control Tower.
- [Backup drift](https://docs.aws.amazon.com/controltower/latest/userguide/backup-drift.md): AWS Control Tower does not report drift for AWS Backup configurations, but certain modifications to the backup plan can lead to a state of drift.
- [Backup resources](https://docs.aws.amazon.com/controltower/latest/userguide/backup-resources.md): When AWS Backup is enabled in AWS Control Tower, various resources are created across different accounts including the Central Backup account, Backup Administrator account, Audit account, Log Archive account, and member accounts in other OUs.
- [Controls for AWS Backup](https://docs.aws.amazon.com/controltower/latest/userguide/backup-controls.md): Enabling AWS Backup in an AWS Control Tower landing zone activates preventive controls to protect resources essential for AWS Backup's operation.

## [Decommission a landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/decommission-landing-zone.md)

- [Overview of the decommissioning process](https://docs.aws.amazon.com/controltower/latest/userguide/decommissioning-process-overview.md): This overview outlines the comprehensive decommissioning process for an AWS Control Tower landing zone.

### [How to decommission a landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/how-to-decommission.md)

Learn how to decommission an AWS Control Tower landing zone, including the confirmation process and post-decommissioning cleanup tasks.

- [Decommission your landing zone with APIs](https://docs.aws.amazon.com/controltower/latest/userguide/lz-api-decommission.md): The process of cleaning up all of a landing zone's resources is referred to as decommissioning a landing zone.
- [Manual cleanup tasks required after decommissioning](https://docs.aws.amazon.com/controltower/latest/userguide/manual-cleanup-required.md): This section lists manual cleanup tasks you must perform after the initial decommissioning step.
- [Resources not removed during decommissioning](https://docs.aws.amazon.com/controltower/latest/userguide/resources-not-removed.md): Decommissioning an AWS Control Tower landing zone does not fully reverse the setup process, leaving certain resources intact.

### [Remove AWS Control Tower resources](https://docs.aws.amazon.com/controltower/latest/userguide/walkthrough-delete.md)

This chapter contains walkthrough procedures so you can maintain or clean up specific resources and workflows in your AWS Control Tower landing zone.
- [Delete SCPs](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-walkthrough-delete-scps.md): Learn how to delete Service Control Policies (SCPs) specifically related to AWS Control Tower within AWS Organizations.
- [Delete StackSets and Stacks](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-walkthrough-delete-stacksets.md): Review step-by-step instructions for deleting CloudFormation StackSets and stacks associated with AWS Control Tower.
- [Delete Amazon S3 Buckets in the Log Archive Account](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-walkthrough-delete-s3-buckets.md): Learn about deleting S3 buckets in the log archive account of AWS Control Tower.
- [Remove an Account Factory Portfolio and Product](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-walkthrough-cleanup-account-factory.md): Learn about removing an Account Factory Portfolio and Product in AWS Control Tower.
- [Remove AWS Control Tower Roles and Policies](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-walkthrough-cleanup-identity.md): Learn how to remove AWS Control Tower roles and policies that were created during the landing zone setup or subsequently.
- [Setup after decommissioning a landing zone](https://docs.aws.amazon.com/controltower/latest/userguide/known-issues-decommissioning.md): After decommissioning an AWS Control Tower landing zone, manual cleanup of remaining resources is necessary before setting up a new landing zone.

## [Walkthroughs](https://docs.aws.amazon.com/controltower/latest/userguide/walkthroughs.md)

- [Walkthrough: Move from ALZ to AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/alz-to-control-tower.md): Transition from ALZ to AWS Control Tower.
- [Walkthrough: Configure AWS Control Tower Without a VPC](https://docs.aws.amazon.com/controltower/latest/userguide/configure-without-vpc.md): Find out how to configure your AWS Control Tower accounts without a VPC.
- [Walkthrough: Set Up Security Groups in AWS Control Tower With AWS Firewall Manager](https://docs.aws.amazon.com/controltower/latest/userguide/firewall-setup-walkthrough.md): Learn how to enhance network security in AWS Control Tower using AWS Firewall Manager to set up and manage security groups.

## [Baselines](https://docs.aws.amazon.com/controltower/latest/userguide/types-of-baselines.md)

- [Partial enrollment](https://docs.aws.amazon.com/controltower/latest/userguide/partial-enrollment.md): When you're working with baselines, an account can be placed into a state called Partially enrolled.
- [Compare console and API](https://docs.aws.amazon.com/controltower/latest/userguide/console-vs-api-baseline.md): When you change the governance status of an OU, the AWS Control Tower console performs more operations for you automatically, compared to changing governance by means of the APIs for baselines.
- [AWSControlTowerBaseline table](https://docs.aws.amazon.com/controltower/latest/userguide/table-of-baselines.md): AWS Control Tower baselines allow setting governance standards at the OU level, with the AWSControlTowerBaseline available for registering OUs.
- [Examples: Register an AWS Control Tower OU with APIs only](https://docs.aws.amazon.com/controltower/latest/userguide/walkthrough-baseline-steps.md): Learn about registering and re-registering AWS Control Tower organizational units (OUs) using APIs only.
- [Baseline API examples](https://docs.aws.amazon.com/controltower/latest/userguide/baseline-api-examples.md): See examples of how to call the AWS Control Tower baseline APIs.
## [Release notes](https://docs.aws.amazon.com/controltower/latest/userguide/release-notes.md)

- [January 2026 - Present](https://docs.aws.amazon.com/controltower/latest/userguide/2026-all.md): See the updates released by AWS Control Tower in 2026.
- [January 2025 - December 2025](https://docs.aws.amazon.com/controltower/latest/userguide/2025-all.md): See the updates released by AWS Control Tower in 2025.
- [January - December 2024](https://docs.aws.amazon.com/controltower/latest/userguide/2024-all.md): See the updates released by AWS Control Tower in 2024.
- [January - December 2023](https://docs.aws.amazon.com/controltower/latest/userguide/2023-all.md): See the updates released by AWS Control Tower in 2023.
- [January - December 2022](https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.md): See the updates released by AWS Control Tower in 2022.
- [January - December 2021](https://docs.aws.amazon.com/controltower/latest/userguide/2021-all.md): See the updates released by AWS Control Tower in 2021.
- [January - December 2020](https://docs.aws.amazon.com/controltower/latest/userguide/2020-all.md): See the updates released by AWS Control Tower in 2020.
- [June - December 2019](https://docs.aws.amazon.com/controltower/latest/userguide/2019-all.md): See the updates released by AWS Control Tower in 2019.