To enrol the existing AWS account in AWS Control Tower as a managed account, the account must have the AWSControlTowerExecution this role created.

The AWSControlTowerExecution role allows AWS Control Tower to manage your individual accounts and report information about them to your audit and logging accounts.

The AWSControlTowerExecution role and its associated policy gives you flexible control of security and compliance across your entire organisation.  See how Control Tower works here.

Below are the steps to create the AWSControlTowerExecution in AWS Account which is going to be part of Control Tower as a managed account(child).

1. Login to the AWS account (as a Admin user or with user/role having full IAM access) which needs to be added to Control Tower.
2. Go to IAM console and click on Create Role. Select Another AWS account. Copy the account ID of master account where the Control Tower is installed. Insert the ID in text box and click Next.

3. Select AdministratorAccess policy from the list. Click Next, give Tags if you need.
4. In Role Name enter AWSControlTowerExecution and click on Create role.

Now this is role is used by Control Tower master account to deploy necessary services in this account to include it under the governance.

Now follow the next steps as mentioned in this document.

Navigate to the AWS Control Tower Account Factory page and select Enroll account.

To enroll an individual account in AWS Control Tower

• Specify the current email address of the existing account you’d like to enroll in AWS Control Tower.
• Specify the first and last name of the account owner.
• Specify the organizational unit (OU) in which you’d like to enroll the account.
• Choose Enroll account.