Enroll an existing AWS account - AWS Control Tower
What happens during account enrollmentEnrolling existing accounts with VPCsWhat if the account does not meet the prerequisites?Example AWS Config CLI commands for resource statusAutomated enrollment of AWS Organizations accounts

Enroll an existing AWS account

You can extend AWS Control Tower governance to an individual, existing AWS account when you enroll it into an organizational unit (OU) that's already governed by AWS Control Tower. Eligible accounts exist in unregistered OUs that are part of the same AWS Organizations organization as the AWS Control Tower OU.

Note

You cannot enroll an existing account to serve as your audit or log archive account except during initial landing zone setup.

Set up trusted access first

Before you can enroll an existing AWS account into AWS Control Tower you must give permission for AWS Control Tower to manage, or govern, the account. Specifically, AWS Control Tower requires permission to establish trusted access between AWS CloudFormation and AWS Organizations on your behalf, so that AWS CloudFormation can deploy your stack automatically to the accounts in your selected organization. With this trusted access, the AWSControlTowerExecution role conducts activities required to manage each account. That's why you must add this role to each account before you enroll it.

When trusted access is enabled, AWS CloudFormation can create, update, or delete stacks across multiple accounts and AWS Regions with a single operation. AWS Control Tower relies on this trust capability so it can apply roles and permissions to existing accounts before it moves them into a registered organizational unit, and thereby brings them under governance.

To learn more about trusted access and AWS CloudFormation StackSets, see AWS CloudFormationStackSets and AWS Organizations.

What happens during account enrollment

During the enrollment process, AWS Control Tower performs these actions:

  • Baselines the account, which includes deploying these stack sets:

    • AWSControlTowerBP-BASELINE-CLOUDTRAIL

    • AWSControlTowerBP-BASELINE-CLOUDWATCH

    • AWSControlTowerBP-BASELINE-CONFIG

    • AWSControlTowerBP-BASELINE-ROLES

    • AWSControlTowerBP-BASELINE-SERVICE-ROLES

    • AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLES

    • AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1

    It is a good idea to review the templates of these stack sets and make sure that they don’t conflict with your existing policies.

  • Identifies the account through AWS IAM Identity Center or AWS Organizations.

  • Places the account into the OU that you've specified. Be sure to apply all SCPs that are applied in the current OU, so that your security posture remains consistent.

  • Applies mandatory controls to the account by means of the SCPs that apply to the selected OU as a whole.

  • Enables AWS Config and configures it to record all resources in the account.

  • Adds the AWS Config rules that apply the AWS Control Tower detective controls to the account.

Accounts and organization-level CloudTrail trails

All member accounts in an OU are governed by the AWS CloudTrail trail for the OU, enrolled or not:

  • When you enroll an account into AWS Control Tower, your account is governed by the AWS CloudTrail trail for the new organization. If you have an existing deployment of a CloudTrail trail, you may see duplicate charges unless you delete the existing trail for the account before you enroll it in AWS Control Tower.

  • If you move an account into a registered OU—for example by means of the AWS Organizations console—and you do not proceed to enroll the account into AWS Control Tower, you may wish to remove any remaining account-level trails for the account. If you have an existing deployment of a CloudTrail trail, you will incur duplicate CloudTrail charges.

If you update your landing zone and choose to opt out of organization-level trails, or if your landing zone is older than version 3.0, organization-level CloudTrail trails do not apply to your accounts.

Enrolling existing accounts with VPCs

AWS Control Tower handles VPCs differently when you provision a new account in Account Factory than when you enroll an existing account.

  • When you create a new account, AWS Control Tower automatically removes the AWS default VPC and creates a new VPC for that account.

  • When you enroll an existing account, AWS Control Tower does not create a new VPC for that account.

  • When you enroll an existing account, AWS Control Tower does not remove any existing VPC or AWS default VPC associated with the account.

Tip

You can change the default behavior for new accounts by configuring Account Factory, so it does not set up a VPC by default for accounts in your organization under AWS Control Tower. For more information, see Create an Account in AWS Control Tower Without a VPC.

What if the account does not meet the prerequisites?

Remember that, as a prerequisite, accounts eligible to be enrolled into AWS Control Tower governance must be part of the same overall organization. To fulfill this prerequisite for account enrollment, you can follow these preparatory steps to move an account into the same organization as AWS Control Tower.

Preparatory steps to bring an account into the same organization as AWS Control Tower

  1. Drop the account from its existing organization. You must provide a separate payment method if you use this approach.

  2. Invite the account to join the AWS Control Tower organization. For more information, see Inviting an AWS account to join your organization in the AWS Organizations User Guide.

  3. Accept the invitation. The account shows up in the root of the organization. This step moves the account into the same organization as AWS Control Tower. and establishes SCPs and consolidated billing.

Tip

You can send the invitation for the new organization before the account drops out of the old organization. The invitation will be waiting when the account officially drops out of its existing organization.

Steps to fulfill the remaining prerequisites:

  1. Create the necessary AWSControlTowerExecution role.

  2. Clear out the default VPC. (This part is optional. AWS Control Tower doesn't change your existing default VPC.)

  3. Delete or modify any existing AWS Config configuration recorder or delivery channel through the AWS CLI or AWS CloudShell. For more information, see Example AWS Config CLI commands for resource status and Enroll accounts that have existing AWS Config resources

After you've completed these preparatory steps, you can enroll the account into AWS Control Tower. For more information, see Steps to enroll an account. This step brings the account into full AWS Control Tower governance.

Optional steps to deprovision an account, so it can be enrolled and keep its stack

  1. To keep the applied AWS CloudFormation stack, delete the stack instance from the stack sets, and choose Retain stacks for the instance.

  2. Terminate the account provisioned product in AWS Service Catalog Account Factory. (This step only removes the provisioned product from AWS Control Tower. It doesn't delete the account.)

  3. Set up the account with the necessary billing details, as required for any account that doesn't belong to an organization. Then remove the account from the organization. (You do this, so the account doesn't count against the total in your AWS Organizations quota.)

  4. Clean up the account if resources remain, and then close it, following the account closure steps in Unmanage an account.

  5. If you have a Suspended OU with defined controls, you can move the account there instead of doing Step 1.

Example AWS Config CLI commands for resource status

Here are some example AWS Config CLI commands you can use to determine the status of your configuration recorder and delivery channel.

View commands:

  • aws configservice describe-delivery-channels

  • aws configservice describe-delivery-channel-status

  • aws configservice describe-configuration-recorders

The normal response is something like "name": "default"

Delete commands:

  • aws configservice stop-configuration-recorder --configuration-recorder-name NAME-FROM-DESCRIBE-OUTPUT

  • aws configservice delete-delivery-channel --delivery-channel-name NAME-FROM-DESCRIBE-OUTPUT

  • aws configservice delete-configuration-recorder --configuration-recorder-name NAME-FROM-DESCRIBE-OUTPUT

Automated enrollment of AWS Organizations accounts

You can use the enrollment method described in a blog post called Enroll existing AWS accounts into AWS Control Tower to enroll your AWS Organizations accounts into AWS Control Tower with a programmatic process.

The following YAML template may assist you in creating the required role in an account, so that it can be enrolled programmatically.

AWSTemplateFormatVersion: 2010-09-09
Description: Configure the AWSControlTowerExecution role to enable use of your
  account as a target account in AWS CloudFormation StackSets.
Parameters:
  AdministratorAccountId:
    Type: String
    Description: AWS Account Id of the administrator account (the account in which
      StackSets will be created).
    MaxLength: 12
    MinLength: 12
Resources:
  ExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: AWSControlTowerExecution
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                - !Ref AdministratorAccountId
            Action:
              - sts:AssumeRole
      Path: /
      ManagedPolicyArns:
        - !Sub arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess