
Enabling Control Tower

Prerequisites

You will need two or three email addresses:

  • one for the main (management) account (not needed if you already have a management/main account)
  • one for the Log Archive account
  • one for the new Audit account

If you already have a management account with an existing AWS Organization, sign into that account. If this is a brand new account and Organizations has not been set up, sign in and decide which region will be your Home Region. Be sure to use a role with the proper permissions.

Walkthrough

Step 1: After signing in, navigate to the Control Tower page.

  • Click Set up landing zone.

[Screenshot: CT 1]

Step 2: Review the next section.

  • Select your Home Region.
  • Add any additional regions that will be in use.
  • Click Next.

[Screenshot: CT 2]

[Screenshot: CT 3]

Step 3: Configure the Organizational Units (OUs)

  • For the Foundational OU, if you leave this blank, it defaults to Security.
    • If an OU named Security already exists, change the OU name here.
  • For the Additional OU, select to either create or opt out of the additional OU.
    • The default OU name is Sandbox.
  • Click Next.

[Screenshot: CT 4]

Step 4: Configure the shared accounts

  • Add an email for the Log Archive account.
  • Add an email for the Audit account.
  • Click Next.

[Screenshot: CT 5]

Step 5: Review the landing zone

  • Verify the Home Region is correct.
  • Verify any additional Regions are correct.
  • Ensure the names selected for the OUs meet your naming scheme.
  • Verify that the names and emails for the new accounts are correct.
  • Review the Service permissions.
  • Check the box and click Set up landing zone.

[Screenshot: CT 6]

Final Notes

  • This process will take around an hour to complete.
  • Once complete you can review what was completed on the Control Tower Dashboard.
  • AWS Control Tower has set up the following:
    • 2 organization units, one for your shared accounts and one for accounts that will be provisioned by your users.
    • 3 shared accounts, which are the management account and isolated accounts for log archive and security audit.
    • A native cloud directory with preconfigured groups and single sign-on access.
    • 20 preventive guardrails to enforce policies and 2 detective guardrails to detect configuration violations.
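To confirm the OUs and shared accounts listed above actually exist once the landing zone finishes, the following script (an added example, not part of the original walkthrough) checks the output of two read-only AWS Organizations CLI calls against the expected layout. The OU names, account names and email addresses in the sample data are constructed placeholders; substitute the emails you entered in Step 4.

```python
import json
import subprocess

# Constructed sample output shaped like the two AWS CLI calls below (not real account data).
SAMPLE_OUS = [
    {"Id": "ou-xxxx-11111111", "Name": "Security"},
    {"Id": "ou-xxxx-22222222", "Name": "Sandbox"},
]
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Name": "management", "Email": "mgmt@example.com", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "Log Archive", "Email": "log-archive@example.com", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "Audit", "Email": "audit@example.com", "Status": "ACTIVE"},
]

def aws_json(*args):
    """Run a read-only AWS CLI call and return its parsed JSON output."""
    result = subprocess.run(["aws", *args, "--output", "json"],
                            check=True, capture_output=True, text=True)
    return json.loads(result.stdout)

def verify_landing_zone(ous, accounts, security_ou="Security", sandbox_ou="Sandbox",
                        log_archive_email="", audit_email=""):
    """Compare the OUs and accounts under the root with what the walkthrough creates.

    Returns a list of problems; an empty list means everything expected is present."""
    problems = []
    ou_names = {ou["Name"] for ou in ous}
    for label, name in (("Foundational", security_ou), ("Additional", sandbox_ou)):
        if name not in ou_names:
            problems.append(f"{label} OU '{name}' not found under the root")
    active = [a for a in accounts if a["Status"] == "ACTIVE"]
    if len(active) < 3:
        problems.append(f"expected management, log archive and audit accounts; {len(active)} ACTIVE")
    emails = {a["Email"].lower() for a in active}
    for label, email in (("Log Archive", log_archive_email), ("Audit", audit_email)):
        if email and email.lower() not in emails:
            problems.append(f"{label} account with email {email} is not ACTIVE")
    return problems

if __name__ == "__main__":
    # Live check from the management account: OUs directly under the organization root, then all accounts.
    root_id = aws_json("organizations", "list-roots")["Roots"][0]["Id"]
    ous = aws_json("organizations", "list-organizational-units-for-parent",
                   "--parent-id", root_id)["OrganizationalUnits"]
    accounts = aws_json("organizations", "list-accounts")["Accounts"]
    issues = verify_landing_zone(ous, accounts, log_archive_email="log-archive@example.com",
                                 audit_email="audit@example.com")
    print("landing zone OK" if not issues else "\n".join(issues))
```

Run it with credentials for the management account and a role that can call organizations:ListRoots, ListOrganizationalUnitsForParent and ListAccounts.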

[Screenshot: CT 7]

[Screenshot: CT 8]

[Screenshot: CT 9]

[Screenshot: CT 10]

Next Steps

  • Enrolling Existing AWS Accounts
  • Delegating Admin for AWS Services