You are correct in your understanding of the account creation process for AWS GovCloud (US) when using the Landing Zone Accelerator (LZA) on AWS. The process you described is indeed the recommended approach for creating new accounts in the LZA GovCloud environment.
AWS Control Tower Account Factory, AFC, and AFT are not available in GovCloud, necessitating this manual approach to account creation and enrollment.
[+] AWS Control Tower User Guide: https://docs.aws.amazon.com/controltower/latest/userguide/region-how.html
It is my understanding that if the account is not created by the organization then the invite and acceptance must be done manually because there is a role that is used to accept the invitation which is not automatically created for invited accounts. Here is a doc covering the difference between created and invited accounts --> https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role
Hope this helps!
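As an added illustration of the created-versus-invited distinction in the answer above (example code written for this page, not from the answer's author or from AWS), the script below takes account records shaped like the output of the Organizations ListAccounts API, picks out the active accounts that joined by invitation and therefore lack the cross-account role, and builds a least-privilege trust policy for that role. The role name `OrganizationAccountAccessRole` is the default name Organizations uses for accounts it creates, the `aws-us-gov` partition is assumed because the thread is about GovCloud, and the management account ID and sample accounts are constructed placeholders.

```python
"""Find invited member accounts that need the cross-account role created by
hand, and generate a tightly scoped trust policy for that role.

Constructed example: the account records mimic the shape returned by the
Organizations ListAccounts API (JoinedMethod is CREATED or INVITED). The
management account ID is a placeholder, not a real account.
"""
import json

MANAGEMENT_ACCOUNT_ID = "111111111111"          # placeholder
PARTITION = "aws-us-gov"                        # assumed: GovCloud partition
CROSS_ACCOUNT_ROLE_NAME = "OrganizationAccountAccessRole"  # default name for created accounts

# Constructed sample, shaped like ListAccounts output.
SAMPLE_ACCOUNTS = [
    {"Id": "222222222222", "Name": "lza-workload-a", "Status": "ACTIVE", "JoinedMethod": "CREATED"},
    {"Id": "333333333333", "Name": "legacy-invited", "Status": "ACTIVE", "JoinedMethod": "INVITED"},
    {"Id": "444444444444", "Name": "old-invited", "Status": "SUSPENDED", "JoinedMethod": "INVITED"},
]


def accounts_needing_manual_role(accounts):
    """Return IDs of active accounts that were invited rather than created.

    Accounts created by Organizations get the cross-account role automatically;
    invited accounts do not, so these are the ones an operator must set up by
    hand before the management account can assume a role into them.
    """
    return sorted(
        a["Id"] for a in accounts
        if a.get("JoinedMethod") == "INVITED" and a.get("Status") == "ACTIVE"
    )


def management_root_arn(management_account_id, partition=PARTITION):
    return f"arn:{partition}:iam::{management_account_id}:root"


def trust_policy(management_account_id):
    """Trust policy for the cross-account role: only the management account
    root may assume it (no wildcard principal, no cross-org trust)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": management_root_arn(management_account_id)},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_is_scoped(policy, management_account_id):
    """Check that every Allow statement trusts exactly the management account
    root. Catches the common drift of a '*' or foreign-account principal on a
    role that grants administrative access to the member account."""
    expected = management_root_arn(management_account_id)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if any(p != expected for p in principals):
            return False
    return True


if __name__ == "__main__":
    for account_id in accounts_needing_manual_role(SAMPLE_ACCOUNTS):
        print(f"{account_id}: create role {CROSS_ACCOUNT_ROLE_NAME} with trust policy:")
        policy = trust_policy(MANAGEMENT_ACCOUNT_ID)
        print(json.dumps(policy, indent=2))
        print("scoped to management account:", trust_policy_is_scoped(policy, MANAGEMENT_ACCOUNT_ID))
```

In practice the account list would come from `list_accounts()` on a boto3 Organizations client run from the management account; the sample data is inlined so the check runs offline. The `trust_policy_is_scoped` check is also useful as a periodic audit of invited accounts whose role was created by hand, since nothing in Organizations enforces the trust policy after the fact.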