To enrol an existing AWS account in AWS Control Tower as a managed account, the account must have the AWSControlTowerExecution role created.
The AWSControlTowerExecution role allows AWS Control Tower to manage your individual accounts and report information about them to your audit and logging accounts.
Usage of AWSControlTowerExecution in Control Tower setup
AWSControlTowerExecution allows auditing by the AWS Control Tower audit account.
AWSControlTowerExecution helps you configure your organisation's logging, so that the logs for every account are sent to the logging account.
AWSControlTowerExecution ensures that your selected AWS Control Tower guardrails apply automatically to every individual account in your organisation.
The AWSControlTowerExecution role and its associated policy give you flexible control of security and compliance across your entire organisation. See how Control Tower works here.
Below are the steps to create the AWSControlTowerExecution role in the AWS account that is going to join Control Tower as a managed (child) account.
Name the role AWSControlTowerExecution and click on Create role.
This role is used by the Control Tower master account to deploy the necessary services into this account and bring it under governance.
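As an added example that is not part of the original post, the same role created with the AWS CLI rather than the console, followed by a check that its trust policy names only your management account (the script name and the sample account id are assumptions):

```shell
#!/usr/bin/env bash
# Added example, not the post's own code: create AWSControlTowerExecution with
# the AWS CLI instead of the console and verify its trust policy afterwards.
# Assumption: the 12-digit management (master) account id is passed as $2.
set -eu

ROLE_NAME="AWSControlTowerExecution"
ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# Trust policy: only the management account's root may assume the role.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::$1:root" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Accept a trust document only if it names exactly one AWS principal and that
# principal is the management account root (rejects "*", other accounts, lists).
check_trust_policy() {
  local mgmt_id="$1" doc="$2" principals
  principals=$(printf '%s' "$doc" | grep -o '"AWS": *"[^"]*"' | sed 's/.*"\([^"]*\)"$/\1/')
  [ "$(printf '%s' "$principals" | grep -c .)" -eq 1 ] || return 1
  [ "$principals" = "arn:aws:iam::${mgmt_id}:root" ]
}

# Create the role in the account being enrolled, attach AdministratorAccess
# (what the Control Tower setup expects) and re-read the trust policy to verify.
create_role() {
  local mgmt_id="$1" live
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$mgmt_id")" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$ADMIN_POLICY_ARN"
  live=$(aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument' --output json)
  check_trust_policy "$mgmt_id" "$live" && echo "trust policy OK"
}

# Usage: sh create-ct-exec-role.sh create 111111111111  (constructed sample id)
if [ "${1:-}" = "create" ]; then create_role "${2:?management account id}"; fi
```

Run it with credentials for the account being enrolled, not the management account; the script exits non-zero if the trust policy read back from IAM does not match the expected management account.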
Now follow the next steps as mentioned in this document.
The main steps are summarised below. Log in to the master (Control Tower) account and follow these steps.
Navigate to the AWS Control Tower Account Factory page and select Enroll account.
To enroll an individual account in AWS Control Tower