Amazon Control Tower and Amazon Organizations
Amazon Control Tower offers a straightforward way to set up and govern an Amazon multi-account environment, following prescriptive best practices. Amazon Control Tower orchestration extends the capabilities of Amazon Organizations. Amazon Control Tower applies preventive and detective controls (guardrails) to help keep your organizations and accounts from diverging from best practices (drift).
For more information, see the Amazon Control Tower user guide.
Use the following information to help you integrate Amazon Control Tower with Amazon Organizations.
Roles needed for integration
The AWSControlTowerExecution role must be present in all enrolled accounts. It allows Amazon Control Tower to manage your individual accounts and report information about them to your Audit and Log Archive accounts.
To learn more about roles used by Amazon Control Tower, see How Amazon Control Tower works with roles to create and manage accounts and Using Identity-Based Policies (IAM Policies) for Amazon Control Tower.
Service principals used by Amazon Control Tower
Amazon Control Tower uses the controltower.amazonaws.com service principal.
Enabling trusted access with Amazon Control Tower
Amazon Control Tower uses trusted access to detect drift for preventive controls, and to track account and OU changes that cause drift.
For information about the permissions needed to enable trusted access, see Permissions required to enable trusted access.
Trusted access for Amazon Control Tower can be enabled only by using the Organizations tools.
To enable trusted access from the Organizations console, choose Enable access next to Amazon Control Tower.
You can also enable trusted access by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.
Disabling trusted access with Amazon Control Tower
For information about the permissions needed to disable trusted access, see Permissions required to disable trusted access.
Trusted access for Amazon Control Tower can be disabled only by using the Organizations tools.
Important
Disabling Amazon Control Tower's trusted access causes drift in your Amazon Control Tower Landing Zone. The only way to fix the drift is to use Amazon Control Tower's Landing Zone repair. Re-enabling trusted access in Organizations does not fix the drift. Learn more about drift in the Amazon Control Tower user guide.
You can disable trusted access by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.
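As an added example that is not part of this guide, the script below wraps the Organizations CLI calls for both the enabling and disabling procedures described above. It assumes the aws CLI is installed and that it runs in the organization's management account with the Organizations permissions the guide refers to. The subcommands (list-aws-service-access-for-organization, enable-aws-service-access, disable-aws-service-access) and the --service-principal option are the Amazon CLI's own; the function names and the acknowledgement flag are assumptions made for this example. The enable path is idempotent, and the disable path refuses to run unless the caller explicitly acknowledges the landing zone drift that the Important note above warns about.

```shell
#!/bin/sh
# Added example, not part of the Organizations user guide. Manage trusted
# access for Amazon Control Tower's service principal from the management
# account with the Amazon CLI. Assumes the "aws" CLI is installed and the
# calling identity holds the Organizations permissions the guide refers to.

CT_PRINCIPAL="controltower.amazonaws.com"

# Print every service principal that currently has trusted access, one per line.
list_trusted_principals() {
    aws organizations list-aws-service-access-for-organization \
        --query 'EnabledServicePrincipals[].ServicePrincipal' --output text |
        tr '\t' '\n'
}

# Exit status 0 if Control Tower's principal is in that list, 1 otherwise.
ct_trusted_access_enabled() {
    list_trusted_principals | grep -qx "$CT_PRINCIPAL"
}

# Idempotent enable: skip the API call when access is already on.
enable_ct_trusted_access() {
    if ct_trusted_access_enabled; then
        echo "trusted access for $CT_PRINCIPAL is already enabled"
        return 0
    fi
    aws organizations enable-aws-service-access --service-principal "$CT_PRINCIPAL" &&
        echo "enabled trusted access for $CT_PRINCIPAL"
}

# Disabling puts the landing zone into drift that only Control Tower's landing
# zone repair can fix, and re-enabling does not undo it, so require an explicit
# acknowledgement flag (a name chosen for this example) before calling the API.
# Returns 2 when the flag is missing.
disable_ct_trusted_access() {
    if [ "${1:-}" != "--i-understand-this-causes-drift" ]; then
        echo "refusing to disable trusted access for $CT_PRINCIPAL without --i-understand-this-causes-drift" >&2
        return 2
    fi
    aws organizations disable-aws-service-access --service-principal "$CT_PRINCIPAL" &&
        echo "disabled trusted access for $CT_PRINCIPAL; run landing zone repair in Control Tower"
}

# Command-line entry point; with no argument the script only defines the functions.
case "${1:-}" in
    status)  if ct_trusted_access_enabled; then echo enabled; else echo disabled; fi ;;
    enable)  enable_ct_trusted_access ;;
    disable) disable_ct_trusted_access "${2:-}" ;;
    "")      ;;
    *)       echo "usage: $0 status|enable|disable [--i-understand-this-causes-drift]" >&2 ;;
esac
```

Run it as "sh ct-trusted-access.sh status" to check the current state, "sh ct-trusted-access.sh enable" to turn trusted access on, and "sh ct-trusted-access.sh disable --i-understand-this-causes-drift" only when you intend to follow up with landing zone repair in Amazon Control Tower.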