In this lab, we'll look at bringing existing AWS account(s) created outside of AWS Control Tower under AWS Control Tower's governance. The account(s) should already be members of the organization under AWS Control Tower management. We'll walk through the following two options in this lab:
Option 1: Enroll a single account into AWS Control Tower using Account Factory.
Option 2: Register an entire organizational unit into AWS Control Tower using extend governance option.
For this lab, choose one of the options above and proceed with the respective steps.
In this section we'll create an AWS account and an organizational unit directly from AWS Organizations to simulate an existing account/OU scenario.
Create organizational unit
At the bottom of the centre pane, select the account Lab3.
Move any AWS accounts one at a time to this OU
If the account was not created in AWS Organizations or invited into AWS Organizations, follow these instructions:
This step is done to facilitate giving AWS Control Tower administrator rights.
To allow AWS Control Tower to manage our existing account, we need to create a cross-account access role that trusts the management account.
<management account number>
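The cross-account role the lab creates is AWSControlTowerExecution, trusted by the management account and holding AdministratorAccess. As an added example (not code from the lab), the block below builds that trust policy, prints the AWS CLI commands to create it, and audits an existing role's trust policy so that a wildcard or foreign principal is caught before enrollment; the account IDs are constructed.

```python
# Added example (not from the original lab); role name and policy follow AWS docs, account IDs are constructed.
import json
import re

ROLE_NAME = "AWSControlTowerExecution"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def build_trust_policy(management_account_id: str) -> dict:
    """Trust policy that lets only the management account assume the role."""
    if not re.fullmatch(r"\d{12}", management_account_id):
        raise ValueError("management account ID must be 12 digits")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_trust_policy(policy: dict, management_account_id: str) -> list:
    """Findings for an existing trust policy; an empty list means it is scoped
    to the management account only (no wildcards, no foreign principals)."""
    expected = {management_account_id, f"arn:aws:iam::{management_account_id}:root"}
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("wildcard principal '*'")
            continue
        aws = principal.get("AWS", [])
        for p in ([aws] if isinstance(aws, str) else aws):
            if p not in expected:  # "*" also lands here
                findings.append(f"unexpected principal {p}")
        if stmt.get("Action") != "sts:AssumeRole":
            findings.append(f"unexpected action {stmt.get('Action')}")
    return findings


if __name__ == "__main__":
    mgmt = "111111111111"  # constructed; use your management account number
    doc = json.dumps(build_trust_policy(mgmt))
    print(f"aws iam create-role --role-name {ROLE_NAME} "
          f"--assume-role-policy-document '{doc}'")
    print(f"aws iam attach-role-policy --role-name {ROLE_NAME} "
          f"--policy-arn {ADMIN_POLICY_ARN}")
```

Run the printed commands with credentials for the member account being enrolled; feed the output of `aws iam get-role` to `audit_trust_policy` when checking a role that already exists.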
Proceed to enroll the pre-existing account using Account Factory, making sure to use the same email address defined for the pre-existing account. Entering a different email address will result in a new account being created for that address.
<email address for Lab3>
<your preferred SSO user email address>
Congratulations, you successfully enrolled an existing account within your organization into AWS Control Tower. This account now has the baselines and guardrails and is managed by AWS Control Tower.
You can extend governance to an entire organizational unit (OU). When this process is followed you can bring multiple, existing AWS accounts into AWS Control Tower. To enable AWS Control Tower governance over an existing OU that was created with AWS Organizations, and its accounts, register the OU with AWS Control Tower.
All the accounts within the organizational unit must meet the prerequisites to be enrolled into AWS Control Tower. If an account does not have the AWSOrganizations roles or the AWSControlTowerExecution role, follow this procedure in each such account to grant AWS Control Tower access to the account.
When you register an OU, its member accounts are enrolled into AWS Control Tower.
The StackSetExecution role is added to all accounts with status Not enrolled.
The AWSControlTowerExecution role is added to the accounts within the OU.
To register an existing OU:
1. In the AWS Console, go to the Control Tower service.
2. In the left-hand panel, click on Organizational units.
3. On the Organizational units page, select the radio button next to the OU you want to register.
4. At the upper right, select Register OU.
5. Agree to the terms and click Register OU.
6. Wait for the progress bar to finish.
This process takes a minimum of 10 minutes to extend governance to the OU, and up to 2 additional minutes for each additional account.
Copyright 2021, Amazon Web Services, All Rights Reserved.