Managing AWS Organizations and Accounts with AWS Control Tower

Updated June 23, 2025

A Guide to Managing AWS Organizations with AWS Control Tower

AWS Control Tower provides a streamlined and user-friendly interface for setting up and governing a secure, multi-account AWS environment. While it uses AWS Organizations, IAM Identity Center, and AWS Config under the hood, Control Tower acts as a management layer that simplifies common administrative tasks, from provisioning new accounts to applying governance policies.

This guide explains the key tasks involved in managing your AWS Organization through the AWS Control Tower dashboard.

Integrating Control Tower with an Existing AWS Organization

You can deploy an AWS Control Tower landing zone on top of an existing AWS Organization. This extends its governance to your existing setup.

  • Management Account: Control Tower uses your organization's existing management account; no new management account is created.

  • Shared Accounts: During setup, Control Tower will create two new critical AWS accounts and place them in a new Security OU:

    • Log Archive Account: A centralized, immutable repository for all logs from AWS CloudTrail and AWS Config for every account in your organization.

    • Audit Account: A restricted, read-only account designed for your security and compliance teams to audit all other accounts.

  • Unregistered OUs and Accounts: Any existing Organizational Units (OUs) and accounts that were created outside of Control Tower will initially be "unregistered." You must register them within the Control Tower console to bring them under its governance.

Managing Organizational Units (OUs)

OUs are containers for your AWS accounts, allowing you to group them and apply policies collectively.

  • Creating OUs: It is a best practice to create new OUs directly from the AWS Control Tower dashboard. This ensures that the OU is automatically registered and that you can immediately begin applying guardrails to it.

  • Registering OUs: If you have existing OUs, you can register them one by one in the Control Tower console to bring them under management.

  • Structure: Control Tower sets up a default structure with a Security OU (for the shared accounts) and a Sandbox OU (as a default destination for new vended accounts), which you can rename during setup. You can create additional OUs to match your business needs (e.g., Prod, Dev, Infra).

Managing AWS Accounts with Account Factory

The Account Factory is the central feature in Control Tower for provisioning and managing AWS accounts.

Provisioning New Accounts (Vending)

This is the recommended way to create new accounts, as it ensures they are automatically configured with your organization's baseline and guardrails.

  1. Navigate to the Account Factory page in the Control Tower console.

  2. Click Create account.

  3. Fill in the required details, such as the account email address (which must be unique), display name, and the IAM Identity Center user information for the account's initial administrative user.

  4. Select the Organizational Unit (OU) where the new account will be placed.

  5. Click Create account to begin the provisioning process.

Enrolling Existing Accounts

You can also use the Account Factory to bring an existing AWS account under the governance of Control Tower.

  1. Navigate to the Account Factory page and select the Enroll account tab.

  2. Select the existing account you wish to enroll and the OU you want to move it into.

  3. Control Tower will then run a series of checks and apply the necessary baseline configurations and guardrails to the account.

Applying Guardrails (Controls)

Guardrails are the high-level governance policies that Control Tower applies to your OUs.

  1. Navigate to the All controls page in the Control Tower dashboard to see a complete list of available preventive, detective, and proactive guardrails.

  2. Select the guardrail you wish to apply.

  3. On the guardrail's detail page, click the Enable control on OU button.

  4. Select the target OU(s) where you want the guardrail to be enforced.

When you enable the first detective guardrail, Control Tower will automatically enable AWS Security Hub and the "Service-Managed Standard: AWS Control Tower" to begin detecting non-compliance.
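The same enable-control step can be driven programmatically, which is how teams keep guardrail assignments in version control and auditable. The example below is added here and is not code from the article or from AWS; it calls the Control Tower EnableControl, ListEnabledControls and GetControlOperation APIs through an injected client (boto3's `controltower` client in practice), and the Region and OU ARN are constructed placeholders you must replace.

```python
"""Enable a Control Tower guardrail on an OU through the controltower API and
wait for the operation to finish. Added example, not from the article or AWS;
the Region and OU ARN are constructed placeholders. The client is injected so
the logic can be driven by a fake; use boto3.client("controltower") for real."""
import time

HOME_REGION = "us-east-1"  # placeholder: your landing zone home Region
OU_ARN = "arn:aws:organizations::111111111111:ou/o-exampleorgid/ou-exam-12345678"  # placeholder


def control_arn(control_name, region=HOME_REGION):
    """controlIdentifier ARN for a legacy AWS-GR_ control (Region is the home Region)."""
    if not control_name.startswith("AWS-GR_"):
        raise ValueError("expected a Control Tower control name such as AWS-GR_...")
    return f"arn:aws:controltower:{region}::control/{control_name}"


def enabled_controls(client, ou_arn):
    """Set of control ARNs already enabled on the OU, following nextToken paging."""
    arns, kwargs = set(), {"targetIdentifier": ou_arn}
    while True:
        page = client.list_enabled_controls(**kwargs)
        arns.update(c["controlIdentifier"] for c in page.get("enabledControls", []))
        if not page.get("nextToken"):
            return arns
        kwargs["nextToken"] = page["nextToken"]


def enable_and_wait(client, control_name, ou_arn, poll_seconds=10,
                    timeout=900, sleep=time.sleep):
    """Enable one control on one OU and return the final operation status.
    Returns "ALREADY_ENABLED" without calling EnableControl when nothing is to do."""
    arn = control_arn(control_name)
    if arn in enabled_controls(client, ou_arn):
        return "ALREADY_ENABLED"
    op_id = client.enable_control(controlIdentifier=arn,
                                  targetIdentifier=ou_arn)["operationIdentifier"]
    deadline = time.monotonic() + timeout
    while True:
        op = client.get_control_operation(operationIdentifier=op_id)["controlOperation"]
        if op["status"] in ("SUCCEEDED", "FAILED"):
            return op["status"]  # on FAILED, op["statusMessage"] says why
        if time.monotonic() > deadline:
            raise TimeoutError(f"operation {op_id} still {op['status']} after {timeout}s")
        sleep(poll_seconds)
```

Run it from the management account with `enable_and_wait(boto3.client("controltower", region_name=HOME_REGION), "AWS-GR_ENCRYPTED_VOLUMES", OU_ARN)`; only strongly recommended and elective controls can be enabled this way, since mandatory ones are applied by Control Tower itself.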

By using the Control Tower dashboard as your primary interface for these tasks, you ensure that all actions are properly registered and that the governance framework remains consistent across your entire organization.