Disabling AWS Config before moving account to Organization with ControlTower set up

Question

We are currently in the process of migrating old accounts to a new AWS Organization. The new Organization is set up with Control Tower, which means all accounts in the Organization automatically have a Config recorder configured from the top down. The old accounts have their own Config recorders configured on a per-account basis.

Should the Config records in the accounts to be migrated be deleted before migrating the account to the new Organization?

Accepted Answer

If you plan to bring existing AWS accounts into AWS Control Tower as Audit and Log archive accounts, and if those accounts have existing AWS Config resources, you must delete the existing AWS Config resources completely, before you can enroll these accounts into AWS Control Tower for this purpose. For accounts that are not intended to become Audit and Log archive accounts, you can modify the existing Config resources.

This blog covers the process of enrolling accounts with existing config resources - https://docs.aws.amazon.com/controltower/latest/userguide/existing-config-resources.html

This blog covers the process of enrolling accounts with existing config resources - [https://docs.aws.amazon.com/controltower/latest/userguide/existing-config-resources.html]()

Answer

It is recommended that the existing accounts being enrolled does not have an AWS Config configuration recorder or delivery channel. These may be deleted or modified through the AWS CLI before you can enroll an account.
Please refer for more details: https://docs.aws.amazon.com/controltower/latest/userguide/enrollment-prerequisites.html

Disabling AWS Config before moving account to Organization with ControlTower set up

Relevant content