AWS Control Tower provides an easy and efficient way to set up and govern a secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of customers around the globe.
Ideally, AWS Control Tower is set up in a greenfield environment, where you start afresh, create new AWS accounts and set up governance around them.
Now AWS Control Tower can also be installed (by setting up a landing zone) in an existing AWS Organizations management (master) account, and all the linked accounts can be enrolled into it.
Here are some basics about setting up a Control Tower landing zone in an existing Organization:
The AWSControlTowerExecution IAM role must already be created in the child accounts. See the post How to create AWSControlTowerExecution IAM role in AWS account for the role creation.
Steps to Enrol the child accounts
The AWSControlTowerExecution IAM role must be created in each child account. If it doesn’t exist, refer to How to create AWSControlTowerExecution IAM role in AWS account to create it.
You can repeat this process for all existing child accounts you want to enrol into Control Tower.
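As an added example (not code from the original post), the check a practitioner would run against each child account before enrolling it: create the AWSControlTowerExecution role if it is missing, and if it already exists, verify that its trust policy admits only the Organization management account, since any extra trusted principal holds administrator access in that account. It assumes a boto3 IAM client (or any object with the same `get_role`/`create_role`/`attach_role_policy` methods and `exceptions` attribute) and a placeholder management account ID.

```python
import json

ROLE_NAME = "AWSControlTowerExecution"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy: only the Organization management account may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def trusted_principals(trust_policy: dict) -> set:
    """Collect every AWS principal an Allow statement in the trust policy admits."""
    principals = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])
        principals.update([aws] if isinstance(aws, str) else aws)
    return principals


def ensure_execution_role(iam, management_account_id: str) -> str:
    """Run inside a child account. Returns "created" when the role was built,
    "ok" when an existing role trusts only the management account, and
    "untrusted-principals" when it trusts anyone else (do not enrol until fixed).
    `iam` is a boto3 IAM client; boto3 returns AssumeRolePolicyDocument as a dict."""
    expected = build_trust_policy(management_account_id)
    try:
        role = iam.get_role(RoleName=ROLE_NAME)["Role"]
    except iam.exceptions.NoSuchEntityException:
        iam.create_role(RoleName=ROLE_NAME,
                        AssumeRolePolicyDocument=json.dumps(expected))
        iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=ADMIN_POLICY_ARN)
        return "created"
    extra = (trusted_principals(role["AssumeRolePolicyDocument"])
             - trusted_principals(expected))
    return "untrusted-principals" if extra else "ok"


if __name__ == "__main__":
    import boto3  # assumes credentials for the child account are configured
    MANAGEMENT_ACCOUNT_ID = "111111111111"  # placeholder, not a real account
    print(ensure_execution_role(boto3.client("iam"), MANAGEMENT_ACCOUNT_ID))
```

Run it under credentials for each child account you plan to enrol, then repeat the enrolment step above once it reports "created" or "ok".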
The main purpose of this article is to make you familiar with the process of enrolling existing accounts in Control Tower, or deploying Control Tower in an existing multi-account/Organization setup. If you want to enrol the accounts programmatically, you can refer to the Enroll existing AWS accounts into AWS Control Tower blog from AWS.