By using AWS re:Post, you agree to the Terms of Use

Control Tower - Unable to add new account to the Security OU?



I'm setting up a new Control Tower managed organization using as a reference. This suggests creating a Security Tooling account under the Security OU for services such as GuardDuty, Security Hub, etc.

When I try to create this account in the Service Catalogue, the Security OU isn't available to select for the ManagedOrganiszationalUnit preference (all other OU are though). How can I add a CT managed account to the Security OU?


2 Answers
Accepted Answer

Hi, unfortunately there seems to be a disparity in the documentation. While the Security Reference Architecture describes the Security Tooling account under the Security OU. Control Towers functionality does not allow the provisioning of an Account into it's default created OU, which happens to be called Security, as this is the location for core accounts that Control Tower creates. The field advice I give customers on this currently, and often help them deploy, is to create a new OU for the Security Tooling account. There are also mandatory guardrails applied to that default OU, that may limit your usage, and it's best to keep accounts that you create in their own OU's to allow full flexibility in deployment and configuration.

answered 5 months ago

Thanks for the explanation, Jimmy. I've passed on this feedback via the SRA page so hopefully this will be picked up.

answered 5 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions