How to create AWSControlTowerExecution IAM role in AWS account

Control Tower

To enrol an existing AWS account in AWS Control Tower as a managed account, the account must already have the AWSControlTowerExecution role created.

The AWSControlTowerExecution role allows AWS Control Tower to manage your individual accounts and report information about them to your audit and logging accounts.

Usage of AWSControlTowerExecution in Control Tower setup

  • AWSControlTowerExecution allows auditing by the AWS Control Tower audit account.
  • AWSControlTowerExecution helps you configure your organisation’s logging, so that all the logs for every account are sent to the logging account.
  • AWSControlTowerExecution ensures that your selected AWS Control Tower guardrails apply automatically to every individual account in your organisation.

The AWSControlTowerExecution role and its associated policy give you flexible control of security and compliance across your entire organisation. See how Control Tower works here.

Below are the steps to create the AWSControlTowerExecution role in the AWS account that is going to become part of Control Tower as a managed (child) account.

  1. Log in to the AWS account that needs to be added to Control Tower (as an Admin user, or with a user/role that has full IAM access).
  2. Go to the IAM console and click Create role. Select Another AWS account. Copy the account ID of the master account where Control Tower is installed, paste it into the Account ID box and click Next.
Add Role AWSControlTowerExecution
  3. Select the AdministratorAccess policy from the list. Click Next and add tags if you need them.
  4. For Role name enter AWSControlTowerExecution and click Create role.
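The same role can be created from the child account with the AWS CLI. This is an added example, not part of the original post: the trust policy is the one the console produces when you choose Another AWS account (it lets principals in the master account call sts:AssumeRole), and the function names, the `--apply` flag and the account ID argument are my own; the ID is a placeholder you supply.

```shell
#!/bin/sh
# Creates AWSControlTowerExecution in the child account with the AWS CLI.
set -eu

ROLE_NAME="AWSControlTowerExecution"

# Only a 12-digit account ID may be trusted: a typo here would hand
# AdministratorAccess in this account to some other account.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Trust policy equivalent to choosing "Another AWS account" in the console:
# principals in the master account ($1) may call sts:AssumeRole on this role.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${1}:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role, then attach the AdministratorAccess managed policy.
create_role() {
  valid_account_id "$1" || { echo "bad master account ID: $1" >&2; return 1; }
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$1")"
  aws iam attach-role-policy \
    --role-name "$ROLE_NAME" \
    --policy-arn "arn:aws:iam::aws:policy/AdministratorAccess"
}

# Afterwards, confirm that only the master account is trusted.
show_trusted_principals() {
  aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.AWS' --output text
}
# Usage: sh create-ct-role.sh --apply <master-account-id>
if [ "${1:-}" = "--apply" ]; then
  create_role "${2:?master account ID required}"
  show_trusted_principals
fi
```

Run it with credentials for the child account; the final get-role call should list only the master account's root ARN as a trusted principal.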

This role is now used by the Control Tower master account to deploy the necessary services into this account and bring it under governance.

Now follow the next steps as mentioned in this document.

The main steps are summarised below. Log in to the master account (Control Tower) and follow them.

Navigate to the AWS Control Tower Account Factory page and select Enroll account.

To enroll an individual account in AWS Control Tower

  • Specify the current email address of the existing account you’d like to enroll in AWS Control Tower.
  • Specify the first and last name of the account owner.
  • Specify the organizational unit (OU) in which you’d like to enroll the account.
  • Choose Enroll account.