Tasks in Control Tower


In this lab, we will walk through some of the day-to-day Control Tower administrative tasks and see how they are done using Control Tower created resources. We will cover:

  • Accessing multiple accounts in the AWS Control Tower environment.
  • Creating the Auditor user in AWS SSO to provide read-only access to all AWS accounts in the Control Tower environment.
  • Deep dive into the AWS Control Tower console.
  • Drift Detection and Resolution
  • Consolidated Billing

Please note that we will not be able to cover the advanced topics like customizations, or account migration-related tasks in this lab. All advanced topics will be included as separate labs as and when the features are supported.

Things to know

AWS Control Tower management operations such as creating or deleting OUs, enabling or disabling guardrails, and creating AWS accounts are single-threaded. You will not be able to start a second operation until the current operation completes.

1. Accessing multiple accounts in the AWS Control Tower environment

By default, the AWS Control Tower Admin user will have the AWSAdministratorAccess permission set applied to all the Control Tower Shared accounts (Management, Log archive, and Audit).

However, for new AWS accounts created using the Account factory, only the AWSOrganizationsFullAccess permission set is granted to the AWS Control Tower Admin user.

In this section, we will see how to access accounts using AWS SSO. Then we will jump to other accounts within the AWS Control Tower environment using switch-role functionality.

We will review the steps involved in performing these operations both from the AWS Console and AWS CLI.


  • This lab assumes you have successfully created a new AWS account in your Control Tower environment using the Account factory. If you have not done that yet, please complete that step first using Account factory.

  • You will need the AWS CLI version 2 installed on your local system.

AWS Console

  1. Log into the AWS SSO User portal as the AWS Control Tower Admin user.

  2. Click on the management account to expand. Select Management console next to AWSAdministratorAccess to login to the AWS console of the management account.

  3. Select the service Control Tower under Management & Governance to open the AWS Control Tower console.

  4. Click on the Accounts tab on the left and select the new AWS account you created.

  5. Copy the Account ID to your clipboard.

Switch Roles

  1. Click on your username in the top right corner next to the region and select Switch Role. Since you are using a federated login into this AWS account via AWS SSO, your username will begin with AWSReservedSSO_AWSAdministratorAccess.

  2. Click on Switch Role and enter the following information:

    Field         Value
    Account       Paste in the Account ID you copied to the clipboard
    Role          AWSControlTowerExecution
    Display Name  Optional - select any alias you wish
    Color         Optional - select any color you wish
  3. Click on Switch Role again and this opens up the AWS Control Tower console in the user account with Administrator privileges.

  4. When you have completed your work in the new account you can end the Switch Role session by clicking your username and selecting the Back to AWSReservedSSO_AWSAdministratorAccess option.


AWS CLI

  1. Log into the AWS SSO User portal as the AWS Control Tower Admin user.

  2. Click on the management account to expand. Select Command line or programmatic access next to AWSAdministratorAccess.

  3. Select the tab for the environment you are working on: macOS and Linux, Windows, or PowerShell.

  4. Select which option you would like:

    • Option 1: Set AWS environment variables
    • Option 2: Add a profile to your AWS credentials file.
  5. Copy the commands to your clipboard and paste them into your terminal or PuTTY session.

  6. Now let’s run some sample AWS CLI commands:

You should see the AWS Control Tower management account number returned by executing the command below:

aws sts get-caller-identity --query 'Account' --output text 

Run the following command to list all the CloudFormation stacks on the management account that are in the CREATE_COMPLETE state:

aws cloudformation list-stacks --query 'StackSummaries[?StackStatus==`CREATE_COMPLETE`].StackName' 

Switch Roles (using AWS CLI)

For simplicity, this lab uses the AWS CLI to demonstrate how to switch roles between accounts. Keep in mind that this can be done using the SDKs as well. This operation is similar to what we did in the preceding section using the AWS Console.

  1. Obtain a temporary token and export the credentials for the user account by executing the commands below.
  export ACC=[[USER-ACCOUNT-NO]] # replace [[USER-ACCOUNT-NO]] with your user account ID.
  # Keep the raw STS response in a plain shell variable; it is not exported to child processes.
  temp_role=$(aws sts assume-role --role-arn "arn:aws:iam::$ACC:role/AWSControlTowerExecution" --role-session-name "userAct-$ACC")
  # jq -r prints each value without the surrounding JSON quotes.
  export AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
  export AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
  export AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)
  2. You are ready to execute commands on the user account with Administrator privileges. The command below now returns the user account ID instead of the management account ID.
  aws sts get-caller-identity --query 'Account' --output text
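
The same switch can be scoped to a single command. The script below is an added example, not part of the original lab: run_in_account (a hypothetical helper name, as are valid_account_id and execution_role_arn) assumes AWSControlTowerExecution, runs one AWS CLI command with the temporary credentials inside a subshell, and leaves the calling shell on its original identity. It assumes the current session is allowed to assume the role, as in the steps above; the account ID in the usage comment is a constructed sample.

```bash
# Added example, not part of the original lab. Runs ONE AWS CLI command in a
# member account through the AWSControlTowerExecution role. The temporary
# keys live only inside the function's subshell, so the calling shell keeps
# its original (management account) identity afterwards.

# Accept only a 12-digit AWS account ID before it is placed in an ARN.
valid_account_id() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -eq 12 ]
}

# Print the ARN of the execution role in the given account.
execution_role_arn() {
  valid_account_id "$1" || return 1
  printf 'arn:aws:iam::%s:role/AWSControlTowerExecution\n' "$1"
}

# Usage: run_in_account ACCOUNT_ID <aws cli arguments...>
# The body is wrapped in ( ... ), so every variable set here is discarded
# when the function returns.
run_in_account() (
  arn=$(execution_role_arn "${1:-}") || {
    echo "run_in_account: '${1:-}' is not a 12-digit account ID" >&2
    exit 2
  }
  acct=$1
  shift
  # --query/--output text returns the three values tab-separated, so jq is
  # not needed; 900 seconds is the shortest session STS will issue.
  creds=$(aws sts assume-role --role-arn "$arn" \
    --role-session-name "userAct-$acct" --duration-seconds 900 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || exit 1
  read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN <<EOF
$creds
EOF
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  aws "$@"
)

# Example call (needs a live management-account session; sample account ID):
#   run_in_account 111122223333 sts get-caller-identity --query Account --output text
```

Because nothing is exported into the interactive shell, there is no session to end afterwards: the next aws command runs as the management account again.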

2. Create the Auditor user

As part of initial AWS Control Tower setup, AWS SSO is configured with some pre-defined groups and permission sets to simplify the delegation of certain common operational tasks to other users or teams. In this section, we will create the Auditor user with read-only permissions to all of the AWS Control Tower accounts.

  1. Log into AWS Control Tower as the admin user, select Users and access from the left panel, and choose View in AWS Single Sign-on to open the AWS SSO console.
  2. In the AWS SSO console, select Users from the left panel and choose Add User.
  3. Fill out the form and select Generate a one-time password that you can share with the user to skip verification through email.
  4. Choose Next: Groups.
  5. Select the AWSSecurityAuditors group and click on Add User.
  6. Click on Copy details and share the information with the person who will be your auditor.
  7. Using the User Portal URL, Email and One-time password from the shared information, the auditor can log in to the AWS environment.
  8. On first login, the auditor will be prompted to reset the password.
  9. The auditor user account has now been granted read-only access to all the accounts in Control Tower and can access them from the AWS SSO user portal.

For more information regarding AWS SSO groups and permission sets, see the DeepDive section.

3. AWS Control Tower console

In this lab we will explore the AWS Control Tower console and demonstrate how to perform common tasks not previously covered in other labs.

Panel Option            Actions
Dashboard               View summary of the Control Tower environment
Organizational units    Add/Delete/Register/Re-Register an OU
Accounts                View account details and state
Account factory         Edit Network configuration for new accounts and Enroll/Invite accounts
Guardrails              View details of each Guardrail
Users and access        View basic details for the AWS SSO integration
Shared accounts         Details for the shared accounts: Management, Log archive, and Audit
Landing zone settings   Version information for the Control Tower service
Activities              Log of all activity within the Control Tower environment

AWS Control Tower Dashboard

The AWS Control Tower dashboard provides a single-pane-of-glass view of your AWS environment. It shows your accounts and their compliance status at the OU, account and resource level. Choose the name of an OU to view the details of that OU, or choose the name of an account or guardrail to view its details. All noncompliant resources are listed on the dashboard, and the resources causing a violation can be browsed directly from it.

In this section, we will walk through the components of the dashboard.

Section                           Description
Recommended actions               Provides the overview of actions you could do on the dashboard
Environment summary               Summary of OUs and Accounts
Enabled guardrail summary         Summary of active guardrails in the environment
Noncompliant resources            Summary of current noncompliant resources
Registered organizational units   Summary of OUs in your AWS environment and their current compliance status
Enrolled accounts                 Summary of enrolled accounts and their current compliance status
Guardrails                        Summary of all enabled guardrails

Organizational units

Creating an OU was also covered in the Account factory lab. The steps to create a new OU are:

  1. Click on Add an OU button.
  2. Provide a Name for the OU (for this lab we will call it DEVENV) and click on the Add button. Wait for the green Success notification on the banner at the top of the screen.

Deleting an OU

  1. Select the radio button next to the OU name and choose the Delete button.
  2. This opens a pop-up screen with a warning message. You need to confirm the deletion operation as it cannot be undone. Click on Delete. The dashboard will not let you delete an OU if it contains any child accounts.

Register OU

If you created an OU outside of Control Tower using AWS Organizations it will show up with a State of Unregistered. You can select the radio button next to the OU name and click on Register OU to import the OU into Control Tower.

There are a few instances where this can occur including installing Control Tower after AWS Organizations has already been implemented in the account or in the case where an OU was created outside of Control Tower for other reasons.


Re-Register OU

If any accounts show a State of Update available, you will need to Re-Register the OU to deploy the latest Control Tower updates to the OU and related accounts.

  1. Click on the Account name.
  2. Click on Go to OU
  3. Click on Re-Register OU

Account Factory

This was covered in depth during the Account factory lab including Network configuration and Enroll account.


Guardrails

Enabling a Strongly recommended guardrail was covered in the Account factory lab.

Enabling a guardrail is performed on an OU level. Mandatory guardrails, as the name implies, are enabled by default on the respective OUs and they cannot be modified. This operation may take a minute or two to complete and the status can be seen on the banner at the top of the screen.

To Disable a Strongly recommended Guardrail on a new OU:

  1. Click on Guardrails on the left sidebar and search for Disallow internet connection through SSH and click on it.
  2. Scroll down to the Organizational units enabled section and select the OU Name you want to disable guardrail on.
  3. Click on Disable guardrail and it opens a window. Then click on Disable.
  4. Wait for green Success notification on top of the page.

Please note that every time you enable or disable a guardrail, the CloudFormation StackSet updates the stacks that belong to that OU. Depending on the number of AWS accounts in each OU, the process may take a few minutes to complete. You can check the status of the operation by looking at the StackSet instances of the individual guardrails. Please refer to AWS CloudFormation Stacks Updates if you need additional help.

4. Drift Detection and Resolution

When you create your landing zone, the landing zone and all the OUs, accounts, and resources are compliant with all the governance rules enforced by your chosen guardrails. As you and your users use the landing zone, changes in this compliance status may occur. Some changes may be accidental, and some may be made intentionally to respond to time-sensitive operational events.

Regardless, changes can complicate your compliance story. You can use drift detection to identify resources that need changes or configuration updates to resolve the drift. Resolving drift helps to ensure your compliance with governance regulations, and is a regular operations task for your Management account administrators.

Since the corrective operations are manual and can be time consuming, this lab does not include any drift scenarios at this point. Please refer to https://docs.aws.amazon.com/controltower/latest/userguide/drift.html?icmpid=docs_ctower_console for updated information on the types of events that can cause drift and how to take corrective action.

5. Consolidated Billing

In this section, we’ll outline how to check per account costs from the management account.

AWS Cost Explorer

  1. Log in to the Control Tower management account with role AWSAdministratorAccess.
  2. From AWS Services menu, select AWS Cost Explorer under AWS Cost Management. For new Control Tower environments, it will take a minimum of 24 hours before you see any cost or billing data in the Cost Explorer console.
  3. On the AWS Cost Explorer, choose the Explore costs link under Daily unblended costs ($). This opens Explore Cost & Usage.
  4. Select the Linked Account filter under Group by. This gives the breakdown of charges for each individual account.


Copyright 2021, Amazon Web Services, All Rights Reserved.