How to install AWS Control Tower in existing AWS Organization

AWS Control Tower provides an easy and efficient way to set up and govern a secure, multi-account AWS environment based on best practices established through AWS' experience working with thousands of customers around the globe.

Ideally, AWS Control Tower is set up in a greenfield environment, where you start afresh, creating new AWS accounts and setting up governance around them.

AWS Control Tower can now also be installed (by setting up a landing zone) in the master account of an existing AWS Organization, and all of the linked accounts can then be enrolled into it.

Here are some basics about setting up a Control Tower landing zone in an existing Organization:

  1. Only one landing zone, i.e. one Control Tower, can be set up per AWS Organizations organization.
  2. AWS Control Tower is set up in the existing master account of the Organization; no new master account is needed. It also creates two new accounts, Log and Audit.
  3. AWS Control Tower manages governance via guardrails. There are two types: preventive guardrails, implemented via Service Control Policies (SCPs), and detective guardrails, implemented via AWS Config rules.
  4. Once the landing zone is set up, the mandatory guardrails are applied automatically to the Organizational Units (OUs) created by Control Tower.
  5. New accounts created outside such OUs will not have these guardrails applied; you must specifically enrol each such account into Control Tower.
  6. AWS Control Tower installs the preventive guardrails, as Service Control Policies, in all regions of the Organization, but installs the detective guardrails only in the regions that Control Tower supports.
  7. At the time of writing, you cannot add custom guardrails to Control Tower. You can add such policies via SCPs on Organizational Units or via Config rules in AWS Config, but these SCPs and Config rules will not be visible in the Control Tower dashboard.

Prerequisites:

  1. Administrator access to the master account of the AWS Organization.
  2. Enough service limit headroom to create two new accounts (Log and Audit). If not, create a support ticket to get the limit raised.
  3. All child accounts must already have an IAM role named AWSControlTowerExecution. See the post How to create AWSControlTowerExecution IAM role in AWS account for the role creation.
  4. AWS Config must be removed from the child accounts. Refer to Delete the configuration-recorder and delivery channel.
  5. Start with a test account first, so that you get a sense of the issues to expect before enrolling production accounts.
  6. (Optional) You can install the AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack to check which resources need to be adjusted to be compliant once moved under Control Tower. In this way you can predict which resources might go non-compliant when the account is enrolled.
  7. Enable trusted access with AWS Organizations for AWS CloudFormation StackSets in the master account.
  8. AWS Security Token Service (STS) must be enabled in the master account for all AWS Regions in which AWS Control Tower is supported. Check and activate from IAM > Account Settings > Region > Actions.

Steps to install Control Tower in an existing AWS Organization

Phase I – Install Control Tower in the master account

  1. Make sure you have read the prerequisites above and already comply with them.
  2. Obtain two new email IDs to be allocated to the Log and Audit accounts.
  3. Log in with Administrator access to the AWS Organization master account.
  4. Switch to the Region where you want to install Control Tower. Open the Control Tower console by searching for it in the service search box.
  5. Click the 'Set up landing zone' button and enter the email IDs for the Log and Audit accounts. Click 'Create landing zone'.
  6. This process takes approximately 60 minutes to complete; wait until it finishes.
  7. If you get any errors, check the Troubleshooting page.
  8. If everything went well, you will see the Control Tower dashboard, and if you go to the Organizational units menu you will see a console view like the one below. Note: as an example, I have DEV/TEST/PROD OUs in my setup; you will see your own OUs.
Control Tower – Organizational Units view
  9. Note that the Organizational Units that existed in the Organization before Control Tower was installed are shown as Unregistered.
  10. At this point Control Tower is installed in the master account. The next step is to enrol all the child (linked) accounts of the Organization into Control Tower so that you can govern them centrally.
  11. Important – when you deployed Control Tower in the master account, you should have received an invitation from AWS SSO. Check the email of the master account and accept the invitation. You will be prompted to set a password for the SSO login. Once you log in, you will see the screen below.
  12. From now on, you will need to log in via the SSO user to complete the steps below, i.e. enrolling child accounts.
AWS Control Tower SSO Login screen

Phase II – Enrol child accounts into Control Tower

  • The account that you wish to enrol must exist in the same AWS Organizations organization as the AWS Control Tower master account. You cannot move a child account in from another Organization.

Steps to enrol the child accounts

  1. Identify the first child account you want to enrol and log in to it with Administrator access (choose a sandbox or test account).
  2. As a prerequisite, the AWSControlTowerExecution IAM role must exist in the child account. If it doesn't, refer to How to create AWSControlTowerExecution IAM role in AWS account to create it.
  3. Also make sure that AWS Config is disabled and that the delivery channel and configuration recorder have been deleted, as mentioned in the Prerequisites section.
  4. Once the above steps are done, you can log out from the child account.
  5. Log in to the master account. From the SSO screen above, you can log in to each account by clicking the 'Management console' link next to the respective role. For this use case, click the 'Management console' link next to the AWSAdministratorAccess role under the master account.
  6. To enrol an existing account, you need to create a new Organizational Unit via the Control Tower console. Ideally you create new OUs corresponding to your existing (Unregistered) OUs, so that you can move each account from its existing OU to the new one.
  7. Go to Control Tower console > Organizational units. Here you can create ('Add an OU') a new OU to which you will add the existing account. For example, I created a new OU called 'Development'. You will select this OU in a later step.
  8. Go back to Account Factory and click the 'Enroll account' button. To get the email ID of the child account to be enrolled, open the AWS Organizations console in another tab and copy the email.
  9. Fill in the details as shown below. Paste the email of the existing child account into the 'Account email' field and fill in the rest as directed. Note the selection of the Organizational Unit created in the earlier step.
  10. The AWS SSO email can be the same as the account email, or you can enter the email ID of any existing SSO user. Once done, click 'Enroll account'.
Control Tower Enroll Account screen
  11. This triggers the enrolment process. Go to Service Catalog console > 'Provisioned product list'. There you will see the Account Factory product deployment running. Click on it to monitor its progress; it will look like the screenshot below.
Account Factory Service Catalog product creation
  12. Observe the 'Status' field above. Account enrolment takes approximately 20-30 minutes.
  13. When enrolment is complete, the Status will be Succeeded. Go to Control Tower > Accounts and check that the account is visible there. You will see the account in Control Tower with State Enrolled, as below.
AWS Control Tower Accounts

You can repeat this process for all the existing child accounts you want to enrol into Control Tower.
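The per-account preparation (prerequisites 3 and 4 above, repeated as steps 2 and 3 of this phase) can also be done with the AWS CLI instead of the console. The script below is an added example, not code from the original post or from AWS; it assumes the CLI is configured with administrator credentials for the child account, that the 12-digit master account ID is passed as the only argument, and that the role needs a trust policy for the master account plus the AdministratorAccess managed policy (verify this against the linked role-creation post).

```shell
# Added example (not from the post): prepare one child account for enrolment.
# Run with the child account's admin credentials: sh prep.sh <MASTER_ACCOUNT_ID>
set -eu
ROLE_NAME="AWSControlTowerExecution"
# Trust policy letting the master (management) account assume the role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Accept only a 12-digit AWS account ID before anything reaches IAM.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Prerequisite 3: create the execution role (idempotent) with the
# AdministratorAccess managed policy that Control Tower expects on it.
create_execution_role() {
  if aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1; then
    echo "role $ROLE_NAME already exists, leaving it unchanged"; return 0
  fi
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "$(trust_policy "$1")" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
}

# Prerequisite 4: remove AWS Config in the current region. Order matters:
# a delivery channel cannot be deleted while its recorder is still running.
remove_config() {
  recorders=$(aws configservice describe-configuration-recorders --query 'ConfigurationRecorders[].name' --output text)
  channels=$(aws configservice describe-delivery-channels --query 'DeliveryChannels[].name' --output text)
  for r in $recorders; do
    aws configservice stop-configuration-recorder --configuration-recorder-name "$r"
  done
  for c in $channels; do
    aws configservice delete-delivery-channel --delivery-channel-name "$c"
  done
  for r in $recorders; do
    aws configservice delete-configuration-recorder --configuration-recorder-name "$r"
  done
}
prep_child_account() {
  valid_account_id "$1" || { echo "invalid master account id: $1" >&2; return 1; }
  create_execution_role "$1"
  remove_config
}
# Only act when a master account ID is given on the command line.
if [ $# -eq 1 ]; then prep_child_account "$1"; fi
```

Run it once per child account, in each region where Config was enabled, before enrolling that account; the role step is skipped if the role is already present.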

The main purpose of this article is to familiarise you with the process of enrolling existing accounts in Control Tower, i.e. deploying Control Tower in an existing multi-account Organization setup. If you want to enrol accounts programmatically, refer to the Enroll existing AWS accounts into AWS Control Tower blog from AWS.
