How do I add a member account to the AWS Control Tower managed Organization?

0

Hey everyone,

I know the process of inviting a standalone account to an Organization, but I thought I would like to double-check whether there are additional steps to keep in mind, because this standalone account has all the Prod workloads. This account does not have to be under Control Tower. We will be migrating the workloads to the respective newly created accounts/environments in the new Organization.

I wanted to confirm whether the automatically created cross-account roles will be sufficient. I don't have any major SCPs or Control Tower policies yet; I just want to make sure that the Prod workloads don't go down when I enroll the new member account.

Thanks in advance. Have a great day.

Qasim
Asked 4 months ago, 560 views
2 answers
2
Accepted answer

Hello - there are a few things to consider that are highlighted in the doc below but for the most part you should be fine enrolling the account especially if you are only applying the default mandatory controls to that OU. Read through the article below as it covers this topic in detail.

https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html

AWS
Expert
Answered 4 months ago
Expert
Reviewed 2 months ago
0

Greetings,

There are some considerations when inviting an already existing account to your AWS Control Tower managed Organization. The account will need to leave the previous AWS Organization, and any pre-existing Config recorder and delivery channels need to be deleted prior to enrollment. There is a known 4-step script process you can run that will search for any pre-existing recorders and channels and delete them. You can run your own script as well, and it should find and delete them.

I have included the documentation below [1] that describes some of the requirements prior to enrolling the account. The next pages in that link, "Single Account" and "Resolving Failures", should help as well. What may occur after removing the account from the previous AWS Organization and AWS Control Tower OU is that the account may not have the OrganizationAccountAccessRole, and you will need to manually add this role to successfully enroll the account. The AWSControlTowerExecution role will need to be manually added as well [2]. I have included the steps to fulfill the remaining prerequisites below [3].

OrganizationAccountAccessRole - Allows access to member accounts in your organization to manage services and assign roles.
AWSControlTowerExecution - Baselines the member account with Control Tower and allows you to manage the account.

I hope this information helps! Please let me know if you have any questions and I will be happy to assist!

---References---

[1] - Enrolling Existing AWS Accounts https://catalog.workshops.aws/control-tower/en-US/enrolling-existing

[2] - Creating the OrganizationAccountAccessRole in an invited member account https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html

[3] - Steps to fulfill the remaining prerequisites: https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html

AWS
Answered 2 months ago
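One way to script the two prerequisites the answer above describes, the Config recorder/delivery-channel cleanup and the AWSControlTowerExecution role, as an added example that is not code from the thread or from AWS. It assumes boto3 for the live run; the management account ID 111122223333 used in the test, the sample describe responses, and the script name are constructed placeholders. Without --apply it only prints the plan, so it can be reviewed before anything is deleted.

```python
"""Pre-enrollment helper for an invited member account: plan the AWS Config
recorder/delivery-channel cleanup in every enabled region and build the
AWSControlTowerExecution role. Added example, not code from the thread.
Account IDs and the sample API responses below are constructed placeholders."""
import json
import re
import sys

EXECUTION_ROLE = "AWSControlTowerExecution"  # the name Control Tower expects
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")

# Constructed sample responses shaped like describe_configuration_recorders()
# and describe_delivery_channels() from the AWS Config API.
SAMPLE_RECORDERS = {"ConfigurationRecorders": [
    {"name": "default", "roleARN": "arn:aws:iam::999999999999:role/old-config"}]}
SAMPLE_CHANNELS = {"DeliveryChannels": [
    {"name": "default", "s3BucketName": "old-config-bucket"}]}


def plan_config_cleanup(recorders_response, channels_response):
    """Return the (boto3 method, kwargs) calls that remove pre-existing Config
    resources, in the order the API requires: a delivery channel cannot be
    deleted while its recorder is still recording, so recorders are stopped
    first, then channels deleted, then the recorders themselves."""
    recorders = [r["name"] for r in recorders_response.get("ConfigurationRecorders", [])]
    channels = [c["name"] for c in channels_response.get("DeliveryChannels", [])]
    plan = [("stop_configuration_recorder", {"ConfigurationRecorderName": n}) for n in recorders]
    plan += [("delete_delivery_channel", {"DeliveryChannelName": n}) for n in channels]
    plan += [("delete_configuration_recorder", {"ConfigurationRecorderName": n}) for n in recorders]
    return plan


def execution_role_trust_policy(management_account_id):
    """Trust policy allowing the Control Tower management account to assume the role."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError(f"not a 12-digit AWS account ID: {management_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def apply_plan(config_client, plan):
    """Execute a cleanup plan against a boto3 'config' client."""
    for method, kwargs in plan:
        getattr(config_client, method)(**kwargs)


def create_execution_role(iam_client, management_account_id):
    """Create AWSControlTowerExecution with AdministratorAccess attached."""
    iam_client.create_role(
        RoleName=EXECUTION_ROLE,
        AssumeRolePolicyDocument=json.dumps(execution_role_trust_policy(management_account_id)),
    )
    iam_client.attach_role_policy(RoleName=EXECUTION_ROLE, PolicyArn=ADMIN_POLICY)


def main(argv):
    """Usage: prep_enrollment.py <management-account-id> [--apply] (dry run by default)."""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    management_account_id, apply = argv[1], "--apply" in argv
    import boto3  # imported here so the planning functions stay usable offline
    session = boto3.session.Session()
    # describe_regions() without AllRegions=True lists only regions enabled for this account,
    # which avoids auth errors from opt-in regions that were never enabled.
    ec2 = session.client("ec2", region_name="us-east-1")
    regions = [r["RegionName"] for r in ec2.describe_regions()["Regions"]]
    for region in regions:
        cfg = session.client("config", region_name=region)
        plan = plan_config_cleanup(cfg.describe_configuration_recorders(),
                                   cfg.describe_delivery_channels())
        for method, kwargs in plan:
            print(f"{region}: {method} {kwargs}")
        if apply:
            apply_plan(cfg, plan)
    print(json.dumps(execution_role_trust_policy(management_account_id), indent=2))
    if apply:
        create_execution_role(session.client("iam"), management_account_id)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with credentials for the member account (a principal that can stop and delete Config resources and create IAM roles), first without --apply to inspect the per-region plan. Deleting the delivery channel stops the account's own Config history from being delivered to its old bucket, so confirm nothing in the Prod account still depends on that recorder before applying.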
