Account enrollment failed.


Hi, I am trying to enrol an existing account into my Control Tower Landing zone. The account was originally a member of a different AWS Organization, it was removed from that organization and joined to the same organization as the CT management account. I had already added the AWSControlTowerExecution role to the account and successfully joined it to the new AWS Organization. When I tried to enrol the account in CT the enrolment failed. I then discovered that I had the wrong account number in the trust relationship for the role. I corrected this, removed the account from the organization and removed the stack from Service Catalogue and tried again. The account has joined the AWS organization successfully and is in the Root OU, as before, however when I go to CT to enrol the account the state is Enrolment failed, I had expected it to say Not enrolled as I have not yet tried to enrol the account this time. It is almost like the enrolment hasn't cleared from the first failed attempt.

Any suggestions would be appreciated,

Thanks in advance, D

asked 3 months ago191 views
2 Answers
Accepted Answer

Hi There


In this case, you must take two recovery steps before you can proceed with enrolling your existing account. First, you must terminate the Account Factory provisioned product through the AWS Service Catalog console. Next, you must use the AWS Organizations console to manually move the account out of the OU and back to the root. After that is done, create the AWSControlTowerExecution role in the account, and then fill in the Enroll account form again.

Since you already have the account in the root, try to create a new temporary OU outside of Control Tower through Organizations, move the failed account into that OU, then register the OU with CT to perform the enrollment. That will start the enrollment process again.

profile picture
answered 3 months ago
  • Hi Matt, thanks for your reply. How do I then get the account into the OU where I want it to live? Can I move it to another OU whichis already registered in CT?

    Thanks, D


Hi Matt, I was able to create a new OU and move the failed account to this OU in AWS organizations. In CT I then registered the OU, the account enrolled successfully. I then moved it to the correct OU, in AWS Organizations and then updated the account via CT. It was enrolled successfully in correct OU.

Thanks for your help. Declan

answered 3 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions