Migrate an AWS member account from AWS Organizations to AWS Control Tower - AWS Prescriptive Guidance

Migrate an AWS member account from AWS Organizations to AWS Control Tower

Created by Rodolfo Jr. Cerrada (AWS)

Environment: Production

Technologies: Management & governance; Modernization

AWS services: AWS Organizations; AWS Control Tower

Summary

This pattern describes how to migrate an Amazon Web Services (AWS) account from AWS Organizations, where it is a member account that's governed by a management account, to AWS Control Tower. By enrolling the account in AWS Control Tower, you can take advantage of preventive and detective guardrails and features that streamline your account governance. You might also want to migrate your member account if your AWS Organizations management account has been compromised, and you want to move member accounts to a new organization that is governed by AWS Control Tower. 

AWS Control Tower provides a framework that combines and integrates the capabilities of several other AWS services, including AWS Organizations, and ensures consistent compliance and governance across your multi-account environment. With AWS Control Tower, you can follow a set of prescribed rules and definitions that extend the capabilities of AWS Organizations. For example, you can use guardrails to ensure that security logs and necessary cross-account access permissions are created, and not altered.

Prerequisites and limitations

Prerequisites 

  • An active AWS account

  • AWS Control Tower set up in your target organization in AWS Organizations (for instructions, see Setting up in the AWS Control Tower documentation)

  • Administrator credentials for AWS Control Tower (member of the AWSControlTowerAdmins group)

  • Administrator credentials for the source AWS account

Limitations 

  • The source management account in AWS Organizations must be different from the target management account in AWS Control Tower.

Product versions

  • AWS Control Tower version 2.3 (February 2020) or later (see release notes)

Architecture

The following diagram illustrates the migration process and reference architecture. This pattern migrates the AWS account from the source organization to a target organization that is governed by AWS Control Tower.  

The enrollment process consists of these steps:

  1. The account leaves the source organization in AWS Organizations.

  2. The account becomes a standalone account. This means that it doesn't belong to any organization, so governance and billing are managed independently by account administrators.

  3. The target organization sends an invitation for the account to join the organization. 

  4. The standalone account accepts the invitation and becomes a member of the target organization.

  5. The account is enrolled in AWS Control Tower and moved to a registered organizational unit (OU). (We recommend that you check the AWS Control Tower dashboard to confirm the enrollment.) At this point, all guardrails that are enabled in the registered OU take effect.

Tools

AWS services

  • AWS Organizations – AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into a single entity (an organization) that you create and centrally manage.

  • AWS Control Tower – AWS Control Tower integrates the capabilities of other services, including AWS Organizations, AWS IAM Identity Center (successor to AWS Single Sign-On), and AWS Service Catalog, to help you enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud.

Epics

TaskDescriptionSkills required
Verify that the member account can run as a stand-alone account.

Confirm that the member account that will leave the source organization has the information that is required for it to operate as a standalone account. For example, if the member account doesn't have billing information, it can't operate as a standalone account, because AWS uses the payment information to charge for any billable AWS activity that occurs while the account isn't attached to an organization.

Typically, if you created the member account by using the AWS Organizations console, API, or AWS Command Line Interface (CLI) commands, the information required of standalone accounts isn't automatically collected. To add this information, sign in to the account, and specify a support plan, contact information, and a payment method.

For more information about what you need to know before removing an account from an organization, see Before removing an account from organization in the AWS Organizations documentation.

Account administrator
Remove the member account from its source organization.

Follow the instructions in the AWS Organizations documentation to remove a member account from an organization. You can sign in to the organization's management account and remove the member account, or sign in to the member account and leave the organization.

If you don't have administrator-level credentials to remove or leave the account, ask for assistance from your organization's administrator.

If the member account is missing a support plan, contact information, or payment information, you will be prompted to provide and verify that information.

When you leave the organization, you are redirected to the Getting Started page of the AWS Organizations console, where you can view invitations for your account to join other organizations.

Important: At this point, your account is a standalone account. If you are running workloads that aren't covered by AWS Free Tier, you will be charged according to the payment and billing information you provided for the account.

Management account administrator or account administrator
Verify that the member account is no longer part of the source organization.

In the AWS Organizations console, you should no longer see the Leave organization button. Instead. you should see pending invitations, if any, from other organizations.

Account administrator
Remove the IAM roles that grant access to your account from the organization you left.

When you remove the account from the source organization, AWS Identity and Access Management (IAM) roles created by AWS Organizations or by administrators aren't automatically deleted. To terminate access from the source organization's management account, you must manually delete the IAM roles. For more information, see Deleting roles or instance profiles in the IAM documentation.

When a member account leaves an organization, all tags that were attached to the account are deleted. Standalone accounts do not support tags.

Account administrator
TaskDescriptionSkills required
Sign in to AWS Control Tower.

Sign in to the AWS Control Tower console as an administrator. 

Currently, there is no direct way to move an AWS account from a source organization to an organization in an OU that's governed by AWS Control Tower. However, you can extend AWS Control Tower governance to an existing AWS account when you enroll it into an OU that's already governed by AWS Control Tower. That's why you have to log in to AWS Control Tower for this step.

AWS Control Tower administrator
Invite the member account.
  1. Sign in to the AWS Organizations console, and navigate to the AWS Accounts page. 

  2. On the Add an AWS account page, choose Invite an existing AWS account

  3. Complete the account information, including the 12-digit account number (without dashes) and the optional description and tags, and then choose Send invitation.

Important: Verify that no applications or network connectivity will be affected by the account transfer.

This action sends an invitation email with a link to the member account. When the account administrator follows the link and accepts the invitation, the member account appears in the AWS accounts page. For more information, see Inviting an AWS account to join your organization in the AWS Organizations documentation.

AWS Control Tower administrator
Test applications and connectivity.

When the member account has been registered into the new organization, it appears in the OU within a root. It also appears in the AWS Control Tower console, flagged as not enrolled in accounts, because it hasn't yet been enrolled in the AWS Control Tower registered OU.

Verify the following:

  • Check the AWS Control Tower dashboard to see if there are any guardrail violations.

  • Check network network connectivity (VPN or AWS Direct Connect) to make sure it wasn't affected by the transfer.

  • (Application owners) Test the applications that are associated with this account to verify that they run as expected, and that dependencies weren't affected by the account transfer.

AWS Control Tower administrator, Member account administrator, Application owners
TaskDescriptionSkills required
Review guardrails and fix any violations.

Review the guardrails that are defined in the target OU, especially the preventive guardrails, and fix any violations. 

A number of mandatory, preventive guardrails are enabled by default when you set up your AWS Control Tower landing zone. These can't be disabled. You must review these mandatory guardrails and fix the member account (manually or by using a script) before you enroll the account.

Note: Preventive guardrails keep AWS Control Tower registered accounts compliant and prevent policy violations. Any violation of preventive guardrails might affect enrollment. Detective guardrail violations appear in the AWS Control Tower dashboard, if detected, after successful enrollment. They do not affect the enrollment process. For more information, see Guardrails in AWS Control Tower in the AWS documentation.

AWS Control Tower administrator, Member account administrator
Check for connectivity issues after fixing guardrail violations.

In some cases, you might have to close specific ports or disable services to fix guardrail violations. Make sure that applications that use those ports and services are remediated before you enroll the account.

Application owner
TaskDescriptionSkills required
Sign in to the AWS Control Tower console.

Use the administrator account to sign in to AWS Control Tower. Do not use root user (management account) credentials to enroll an AWS Organizations account. This will display an error message.

AWS Control Tower administrator
Enroll the account.
  1. From the Account Factory page in AWS Control Tower, choose Enroll account.

  2. Fill in the details, including the email address associated with the account you want to enroll, the display name that will appear in AWS Control Tower, the IAM Identity Center email address, the first and last name of the account owner, and the OU in which you would like to enroll the account. The IAM Identity Center email address is your preferred user email address. You can use the same email address as the account email.

  3. Choose Enroll account.

For more information, see Enroll an existing account in the AWS Control Tower documentation.

AWS Control Tower administrator
TaskDescriptionSkills required
Verify the account.

From AWS Control Tower, choose Accounts. The account that you just enrolled has an initial state of Enrolling. When enrollment is complete, its state changes to Enrolled.

AWS Control Tower administrator, Member account administrator
Check for guardrail violations.

Guardrails defined in the OU will automatically apply to the enrolled member account. Monitor the AWS Control Tower dashboard for violations and fix them accordingly. For more information, see Guardrails in AWS Control Tower in the AWS documentation.

AWS Control Tower administrator, Member account administrator

Related resources

Documentation

Tutorials and videos 

Additional information

Troubleshooting

Here are two errors you might encounter in AWS Control Tower and their resolutions:

  • An unknown error occurred. Try again later, or contact AWS Support. This error occurs when you use root user credentials (management account) in AWS Control Tower to enroll a new account. AWS Service Catalog can't map the Account Factory Portfolio or product to the root user, which results in the error message. To remediate this error, use non-root, full-access user (administrator) credentials to enroll the new account. For more information about how to create an administrator user, see  Create an IAM user in the AWS Control Tower documentation.

  • The AWS Control Tower Activities page displays a Get Catastrophic Drift action. This action reflects a drift check of the service and does not indicate any issues with the AWS Control Tower setup. No action is required.