Amazon Control Tower and Amazon Organizations - Amazon Organizations
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Control Tower and Amazon Organizations

Amazon Control Tower offers a straightforward way to set up and govern an Amazon multi-account environment, following prescriptive best practices. Amazon Control Tower orchestration extends the capabilities of Amazon Organizations. Amazon Control Tower applies preventive and detective controls (guardrails) to help keep your organizations and accounts from diverging from best practices (a condition known as drift).


For more information, see the Amazon Control Tower user guide.

Use the following information to help you integrate Amazon Control Tower with Amazon Organizations.

Roles needed for integration

The AWSControlTowerExecution role must be present in all enrolled accounts. It allows Amazon Control Tower to manage your individual accounts and report information about them to your Audit and Log Archive accounts.

To learn more about roles used by Amazon Control Tower, see How Amazon Control Tower works with roles to create and manage accounts and Using Identity-Based Policies (IAM Policies) for Amazon Control Tower.

Service principals used by Amazon Control Tower

Amazon Control Tower uses the controltower.amazonaws.com service principal.

Enabling trusted access with Amazon Control Tower

Amazon Control Tower uses trusted access to detect drift for preventive controls, and to track account and OU changes that cause drift.

For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.

You can enable trusted access using only the Organizations tools.

To enable trusted access from the Organizations console, choose Enable access next to Amazon Control Tower.

You can enable trusted access by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

To enable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to enable trusted service access:

  • Amazon CLI: enable-aws-service-access

    You can run the following command to enable Amazon Control Tower as a trusted service with Organizations.

    $ aws organizations enable-aws-service-access \
        --service-principal controltower.amazonaws.com

    This command produces no output when successful.

  • Amazon API: EnableAWSServiceAccess
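The following script is an added example and is not part of the Amazon documentation: it checks whether controltower.amazonaws.com is already enabled for the organization, runs enable-aws-service-access only when it is missing, and verifies the result afterwards. It assumes the Amazon CLI is installed and that the Organizations command list-aws-service-access-for-organization (not mentioned on this page) is available to list enabled service principals; the `run` parameter and the sample responses are constructed so the logic can be exercised without credentials.

```python
"""Idempotently enable Amazon Control Tower trusted access in Organizations."""
import json
import subprocess

CONTROL_TOWER_PRINCIPAL = "controltower.amazonaws.com"


def aws_json(*args):
    """Run an `aws organizations` subcommand and parse its JSON output.
    enable-aws-service-access prints nothing on success, so empty output -> {}."""
    proc = subprocess.run(["aws", "organizations", *args, "--output", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout) if proc.stdout.strip() else {}


def enabled_principals(response):
    """Service principals listed by list-aws-service-access-for-organization."""
    return {p["ServicePrincipal"] for p in response.get("EnabledServicePrincipals", [])}


def ensure_control_tower_access(run=aws_json):
    """Return (was_enabled_before, enabled_after), enabling access only if missing.

    If access was found disabled on an existing landing zone, re-enabling it here
    does not repair the resulting drift; that requires Control Tower's Landing
    Zone repair, as the documentation's Important note states."""
    before = CONTROL_TOWER_PRINCIPAL in enabled_principals(
        run("list-aws-service-access-for-organization"))
    if not before:
        run("enable-aws-service-access", "--service-principal", CONTROL_TOWER_PRINCIPAL)
    after = CONTROL_TOWER_PRINCIPAL in enabled_principals(
        run("list-aws-service-access-for-organization"))
    return before, after


def fake_runner(calls, initial=("cloudtrail.amazonaws.com",)):
    """Constructed stand-in for aws_json (hypothetical org state, no real API calls).
    Records every invocation in `calls` and mutates the principal set on enable."""
    principals = set(initial)

    def run(*args):
        calls.append(args)
        if args[0] == "enable-aws-service-access":
            principals.add(args[2])
            return {}
        return {"EnabledServicePrincipals": [{"ServicePrincipal": p} for p in sorted(principals)]}
    return run


if __name__ == "__main__":
    calls = []
    print(ensure_control_tower_access(fake_runner(calls)))  # (False, True)
```

Replace `fake_runner(calls)` with the default `aws_json` runner to act on a real organization from the management account.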

Disabling trusted access with Amazon Control Tower

For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.

You can disable trusted access using only the Organizations tools.

Important

Disabling Amazon Control Tower's trusted access causes drift in your Amazon Control Tower Landing Zone. The only way to fix the drift is to use Amazon Control Tower's Landing Zone repair. Re-enabling trusted access in Organizations does not fix the drift. Learn more about drift in the Amazon Control Tower user guide.

You can disable trusted access by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

To disable trusted service access using the Organizations CLI/SDK

You can use the following Amazon CLI commands or API operations to disable trusted service access:

  • Amazon CLI: disable-aws-service-access

    You can run the following command to disable Amazon Control Tower as a trusted service with Organizations.

    $ aws organizations disable-aws-service-access \
        --service-principal controltower.amazonaws.com

    This command produces no output when successful.

  • Amazon API: DisableAWSServiceAccess