Account Factory - Existing Accounts

In this lab, we'll look at bringing an account that was created outside of the AWS Control Tower Account Factory, but is already a member of our organization, under AWS Control Tower management, and at inviting a standalone account into our AWS Control Tower managed organization.

Terminology

  • An unregistered organizational unit (OU) is created through AWS Organizations. AWS Control Tower does not manage this OU.
  • An unenrolled account is an existing AWS account that was created outside of AWS Control Tower. It is not managed by AWS Control Tower.
  • A registered organizational unit (OU) is an OU that was created in the AWS Control Tower service. It is managed by AWS Control Tower.
  • When an OU is registered with AWS Control Tower, it means that specific baselines and guardrails are applied to that OU and all of its accounts.

Create a Non-Account Factory Organizations Member Account

  • in the AWS Console go to the AWS Organizations service
  • click Add account
  • click Create account
    • AWS account name : Existing01
    • Email : <alias>+existing01@<realm>
    • IAM role name : <leave blank>
    • click Create
  • on the top ribbon, click on Organize accounts
  • in the left-hand panel click on Root
  • in the center panel click + New organizational unit
  • Create organizational unit
    • Name of organizational unit : Existing Accounts
    • click Create organizational unit
  • at the bottom of the center pane, select the account Existing01
  • click Move
  • Move 1 account
    • click on Existing Accounts
    • click Move

Review the OU and Account in AWS Control Tower

  • in the AWS Console go to the Control Tower service
  • in the left-hand panel, click on Organizational units
  • in the main panel you will see Core and Custom marked as Registered but Existing Accounts as Unregistered
  • in the left-hand panel, click on Accounts
  • in the center panel you will not see the account named Existing01

Prepare the Account for Enrollment

Move the Account to the Organization’s Root

  • in the AWS Console go to the AWS Organizations service
  • on the top ribbon, click on Organize accounts
  • in the left-hand panel click on Existing Accounts
  • at the bottom of the center pane, select the account Existing01
  • click Move
  • Move 1 account
    • click on Root
    • click Move

Configure Access to the Existing Account via AWS SSO

  • in the AWS Console (master account) go to the AWS Single Sign-On service
  • in the left-hand panel, click on AWS Accounts
  • in the center pane, click on the newly added account, Existing01
  • in the center pane, click Assign users
  • Select the SSO user of your choice. Let us select AWS Control Tower Admin for this lab.
  • click Next: Permission set
  • select the AWSAdministratorAccess permission set
  • click Finish

Give Control Tower Administrator Rights

To allow AWS Control Tower to manage our existing account, we need to give it access.

  • log into the Existing01 account as an SSO user with the AdministratorAccess role
  • in the AWS Console go to the Identity and Access Management (IAM) service
  • on the left panel, click Roles
  • click Create role
  • select Another AWS account
  • Specify accounts that can use this role
    • Account ID : <master account number>
    • click Next: Permissions
  • Attach permissions policies
    • select the AdministratorAccess policy
    • click Next: Tags
  • Add tags (optional)
    • click Next: Review
  • Review
    • Role name : AWSControlTowerExecution
    • Role description : <leave blank>
    • click Create role
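The console steps above produce a cross-account trust policy plus the AdministratorAccess managed policy. As an added example (not part of the lab), the snippet below builds that trust policy document for the management account, lists the equivalent AWS CLI commands, and audits a trust policy so that the role trusts nothing but the management account; the account number is a constructed placeholder.

```python
"""Build and audit the trust policy for the AWSControlTowerExecution role."""
import json
from typing import List

# Constructed placeholder: replace with your Control Tower master account number.
MANAGEMENT_ACCOUNT_ID = "111111111111"
ROLE_NAME = "AWSControlTowerExecution"


def build_trust_policy(management_account_id: str) -> dict:
    """Equivalent of choosing 'Another AWS account' in the console:
    only principals in the management account may assume the role."""
    if not (management_account_id.isdigit() and len(management_account_id) == 12):
        raise ValueError("AWS account IDs are exactly 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def cli_commands(trust_policy_path: str) -> List[str]:
    """AWS CLI equivalent of the console steps (create role, attach AdministratorAccess)."""
    return [
        f"aws iam create-role --role-name {ROLE_NAME} "
        f"--assume-role-policy-document file://{trust_policy_path}",
        f"aws iam attach-role-policy --role-name {ROLE_NAME} "
        "--policy-arn arn:aws:iam::aws:policy/AdministratorAccess",
    ]


def audit_trust_policy(policy: dict, management_account_id: str) -> List[str]:
    """Return a finding for every Allow statement that trusts a principal other
    than the management account (a wildcard or a foreign account would hand
    AdministratorAccess in this account to someone else)."""
    expected = f"arn:aws:iam::{management_account_id}:root"
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal if principal == "*" else principal.get("AWS", [])
        if isinstance(aws_principals, str):
            aws_principals = [aws_principals]
        for p in aws_principals:
            if p in ("*", "arn:aws:iam::*:root"):
                findings.append("statement trusts any AWS principal")
            elif p not in (expected, management_account_id):
                findings.append(f"statement trusts unexpected principal {p}")
    return findings


if __name__ == "__main__":
    print(json.dumps(build_trust_policy(MANAGEMENT_ACCOUNT_ID), indent=2))
    print("\n".join(cli_commands("trust.json")))
```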

Enroll the account in Control Tower

When enrolling an existing account into AWS Control Tower, we need to be doubly careful not to miskey the account's email address: if we do, the Account Factory will create a new account based on that email address.

  • log into the Control Tower Master
  • in the AWS Console go to the Control Tower service
  • in the left-hand panel, click on Account factory
  • click on Enroll account
  • Enroll account
    • Account email : <email address for Existing01>
    • Display name : Existing01
    • AWS SSO email : <your preferred SSO user email address>
    • AWS SSO username
      • First name : <First name>
      • Last name : <Last name>
    • Organizational unit : Custom
    • Click Enroll Account

Review the OU and Account in Control Tower

  • in the AWS Console go to the Control Tower service
  • in the left-hand panel, click on Organizational units
  • in the main panel you will see the OU Custom listed as Registered
  • click on Custom
  • in the Details pane, you will see Custom listed as Compliant
  • in the Accounts pane, you will see the account named Existing01 listed as enrolled


Copyright 2020, Amazon Web Services, All Rights Reserved.