By using AWS re:Post, you agree to the Terms of Use
/Enrolling existing AWS accounts in new OU/

Enrolling existing AWS accounts in new OU


Hi ,

I have created new AWS account and set up Control tower, a landing zone, account factory and a new OU, with the intention of enrolling a number of our existing AWS accounts into a the new OU. (these accounts had previously been enrolled in another OU in a different AWS account but they were removed from that account prior to begining this process).

In my new account, the accounts are added to the relevant OU, but when I try to enroll them in control tower by re-registering the OU I get the following error :

AWS Control Tower is unable to assume the AWSControlTowerExecution role in the account. Be sure the role is present in the account, or add it.

I had to log onto each account and update the AWSControlTowerExecution to allow access from the new Management account ( the role was there,but it was only allowing access to the previous management account). Once that was done, I removed the constraints, products, users and deleted the portfolio for the landing zone provisioned product in the service catalouge. As recommened in this article :

I then tried to re enroll these accounts again , but I am still having issues. I got the error

AWS Control Tower can't create your account due to potential drift in your landing zone. Check your landing zone and try using the advanced account provisioning method to create your account

so I tried repairing the landing zone - this didn't work.

I have also tried to remove the account and re add it to the OU & re - register the OU, but I am getting the following error :

Pre-check location OU or account ID OU or account name Pre-check type Landing Zone "xxxxx" Landing zone Add the IAM user to the AWS Service Catalog portfolio before registering your OU.

But I don't know what IAM user to add to the service catalog profolio.

I would be greatfull for any advice / guidence, thanks

2 Answers

Hi, There's multiple things I'd like to check on here, and hopefully we can get this working for you.

To successfully use the Service Catalog Account Factory, you will need to add the User or Role you login as (for the Organization Management account), to the Portfolio permissions. That's likely what its asking for in the "Add the IAM user" part of the error message. This will allow you to correctly enroll accounts. In future there should be no need to change/delete the Account Factory Portfolio or Product itself, just Terminate the Provisioned Product if you run into issues with an account enrollment.

The repair you did may have removed this configuration and placed the Service Catalog Portfolio and Product back to the default configuration.

Now for the account enrollment there's a few things to confirm for existing AWS Accounts:

  • The account must be part of the Organization already
  • The account has the AWSControlTowerExecution IAM Role, and it trusts the Organization management account ID
  • Does the Account has AWS Config already setup?. This can cause enrollment problems. You can solve this 1 of 2 ways. Delete the config recorder and delivery channels (as Control Tower will configure new ones), or use this process to enroll existing AWS Config resources

These prerequisites are covered HERE

Once those prereqs are covered you should be able to enroll an account. Either directly by putting the account details into the Account Factory, or by registering/re-registering the OU that contains the account.

answered 3 months ago

Hi Jimmy_m, Thanks for your very helpful information. This worked for one of the accounts I need to enroll, so appreciate the help.

However, for the second account I need to enroll, I am still having a problem. It issue is that the account I am trying to enroll has an AWSControlTowerExecution IAM Role which gives trusts a different AWS account ID (it was previously enrolled in another account & organisation).

I have tried to update this role to turst the correct account ID but I keep getting told my IAM user does not have the correct permissions. The account I am using has full Admin access, and I even added full IAM access to see if this would help. It didn't. I also got the root user to log on and try the same, but even the root user did not have permissions to update the trust policy. The error message was :

USER arn:aws:iam:xx : root is not authorixed to perform: iam:UpdateAssumeRolePolicy on resource: role AWSControlTowerExecution with explict deny

Do you know how I can get around this ?

Kind Regards, Roisin

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions