Hi, unfortunately there seems to be a disparity in the documentation. While the Security Reference Architecture describes the Security Tooling account under the Security OU, Control Tower's functionality does not allow the provisioning of an account into its default created OU, which happens to be called Security, as this is the location for core accounts that Control Tower creates. The field advice I give customers on this currently, and often help them deploy, is to create a new OU for the Security Tooling account. There are also mandatory guardrails applied to that default OU that may limit your usage, and it's best to keep accounts that you create in their own OUs to allow full flexibility in deployment and configuration.
Thanks for the explanation, Jimmy. I've passed on this feedback via the SRA page so hopefully this will be picked up.