To enrol an existing AWS account in AWS Control Tower as a managed account, the account must already have the AWSControlTowerExecution role created.
The AWSControlTowerExecution role allows AWS Control Tower to manage your individual accounts and report information about them to your audit and logging accounts.
Usage of AWSControlTowerExecution in Control Tower setup
AWSControlTowerExecution allows auditing by the AWS Control Tower audit account.
AWSControlTowerExecution helps you configure your organisation's logging, so that all the logs for every account are sent to the logging account.
AWSControlTowerExecution ensures that your selected AWS Control Tower guardrails apply automatically to every individual account in your organisation.
The AWSControlTowerExecution role and its associated policy give you flexible control of security and compliance across your entire organisation. Note that the role is trusted by the management account and carries full administrative permissions in the member account, so its trust policy must name only the management account. See how Control Tower works here.
Below are the steps to create the AWSControlTowerExecution role in the AWS account that is going to join Control Tower as a managed (child) account.
Name the role AWSControlTowerExecution and click on Create role. This role is used by the Control Tower master (management) account to deploy the services it needs in this account in order to bring the account under governance.
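The same role can be created and checked from the command line instead of the console. The script below is an added example, not code from the original post or from AWS; it assumes the role shape that AWS documents for manual enrolment (a role named AWSControlTowerExecution whose trust policy allows only the management account's root principal to call sts:AssumeRole, with the AWS-managed AdministratorAccess policy attached). The management account ID is a constructed placeholder, and the helper names are this example's own. The policy builder and validator run offline; only create_execution_role and audit_existing_role need boto3 and credentials for the member account.

```python
"""Create and sanity-check the AWSControlTowerExecution role in a member account.

Added example, not code from the original post. Assumes the documented role
shape: trusts the management account root only, carries AdministratorAccess.
"""
import json
import re

ROLE_NAME = "AWSControlTowerExecution"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy that lets only the management account assume the role."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {management_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def validate_trust_policy(policy: dict, management_account_id: str) -> list:
    """Return findings; an empty list means the trust is scoped as expected.

    The role carries AdministratorAccess, so any Allow statement broader than
    'management account root may call sts:AssumeRole' is an account-takeover path.
    """
    expected = f"arn:aws:iam::{management_account_id}:root"
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    if not statements:
        findings.append("no statements in trust policy")
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action != "sts:AssumeRole":
                findings.append(f"statement {idx}: unexpected action {action}")
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(f"statement {idx}: wildcard principal")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {idx}: malformed principal {principal!r}")
            continue
        for ptype in principal:
            if ptype != "AWS":
                findings.append(f"statement {idx}: non-AWS principal type {ptype}")
        aws_principals = principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p == "*":
                findings.append(f"statement {idx}: wildcard principal")
            elif p != expected:
                findings.append(f"statement {idx}: unexpected principal {p}")
    return findings


def create_execution_role(management_account_id: str) -> str:
    """Create the role with boto3 (needs credentials for the member account)."""
    import boto3  # imported here so the offline helpers work without boto3
    iam = boto3.client("iam")
    iam.create_role(
        RoleName=ROLE_NAME,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(management_account_id)),
        Description="Allows AWS Control Tower to manage this account",
    )
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=ADMIN_POLICY_ARN)
    return ROLE_NAME


def audit_existing_role(management_account_id: str) -> list:
    """Fetch the live trust policy and run the validator over it."""
    import boto3
    role = boto3.client("iam").get_role(RoleName=ROLE_NAME)["Role"]
    return validate_trust_policy(role["AssumeRolePolicyDocument"], management_account_id)


if __name__ == "__main__":
    mgmt = "111111111111"  # constructed placeholder management account ID
    print(json.dumps(build_trust_policy(mgmt), indent=2))
    # A deliberately over-broad policy, constructed to show what the check flags.
    too_broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    print(validate_trust_policy(too_broad, mgmt))
```

Run audit_existing_role with the management account ID after enrolment (or before, if the role already exists from an earlier attempt) to confirm nobody has widened the trust; a wildcard or foreign-account principal on this role is equivalent to handing out administrator access to the member account.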
Now follow the remaining steps as described in this document. The main steps are listed below. Log in to the master (Control Tower management) account and proceed as follows.
Navigate to the AWS Control Tower Account Factory page and select Enroll account.
To enroll an individual account in AWS Control Tower