# Amazon Control Tower and Amazon Organizations
<a name="services-that-can-integrate-CTower"></a>

Amazon Control Tower offers a straightforward way to set up and govern an Amazon multi-account environment, following prescriptive best practices. Amazon Control Tower orchestration extends the capabilities of Amazon Organizations. Amazon Control Tower applies preventive and detective controls (guardrails) to help keep your organization and accounts from diverging from best practices; such divergence is called drift.

For more information, see [the *Amazon Control Tower user guide*](https://docs.amazonaws.cn/controltower/latest/userguide/). 

Use the following information to help you integrate Amazon Control Tower with Amazon Organizations.

## Roles needed for integration
<a name="integrate-enable-roles-CTower"></a>

The `AWSControlTowerExecution` role must be present in all enrolled accounts. It allows Amazon Control Tower to manage your individual accounts and report information about them to your Audit and Log Archive accounts. 

To learn more about roles used by Amazon Control Tower, see [How Amazon Control Tower works with roles to create and manage accounts](https://docs.amazonaws.cn/controltower/latest/userguide/roles-how) and [Using Identity-Based Policies (IAM Policies) for Amazon Control Tower](https://docs.amazonaws.cn/controltower/latest/userguide/access-control-managing-permissions.html). 

## Service principals used by Amazon Control Tower
<a name="integrate-enable-svcprin-CTower"></a>

Amazon Control Tower uses the `controltower.amazonaws.com` service principal.

## Enabling trusted access with Amazon Control Tower
<a name="integrate-enable-ta-CTower"></a>

Amazon Control Tower uses trusted access to detect drift for preventive controls, and to track account and OU changes that cause drift.

For information about the permissions needed to enable trusted access, see [Permissions required to enable trusted access](orgs_integrate_services.md#orgs_trusted_access_perms).

You can only enable trusted access using the Organizations tools.

To enable trusted access from the Organizations console, choose **Enable access** next to **Amazon Control Tower**.

You can enable trusted access by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

------
#### [ Amazon CLI, Amazon API ]

**To enable trusted service access using the Organizations CLI/SDK**  
Use the following Amazon CLI commands or API operations to enable trusted service access:
+ Amazon CLI: [enable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/enable-aws-service-access.html)

  Run the following command to enable Amazon Control Tower as a trusted service with Organizations.

  ```
  $ aws organizations enable-aws-service-access \
      --service-principal controltower.amazonaws.com
  ```

  This command produces no output when successful.
+ Amazon API: [EnableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_EnableAWSServiceAccess.html)

------
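The two prerequisites described above (trusted access for `controltower.amazonaws.com`, and the `AWSControlTowerExecution` role in every enrolled account) are easy to audit before and after enabling integration. The following script is an added example and is not code from the Organizations user guide or from Amazon Control Tower. It parses the JSON printed by `aws organizations list-aws-service-access-for-organization` (whose `EnabledServicePrincipals` entries carry `ServicePrincipal` and `DateEnabled`) and a per-account inventory of IAM role names that you would collect yourself (for example with `aws iam list-roles` in each account). Both inputs are constructed samples with hypothetical account IDs so the script runs offline.

```python
"""Audit check for the Control Tower / Organizations integration prerequisites.

Added example, not code from the Organizations user guide. Inputs:
  * the JSON output of `aws organizations list-aws-service-access-for-organization`
  * a dict of account ID -> IAM role names present in that account
Both samples below are constructed so the script runs offline.
"""
import json

CONTROL_TOWER_PRINCIPAL = "controltower.amazonaws.com"
EXECUTION_ROLE = "AWSControlTowerExecution"

# Constructed sample in the shape of the list-aws-service-access-for-organization output.
SAMPLE_SERVICE_ACCESS = json.dumps({
    "EnabledServicePrincipals": [
        {"ServicePrincipal": "cloudtrail.amazonaws.com", "DateEnabled": "2023-01-10T12:00:00Z"},
        {"ServicePrincipal": CONTROL_TOWER_PRINCIPAL, "DateEnabled": "2023-01-11T09:30:00Z"},
    ]
})

# Constructed sample: hypothetical account ID -> role names found in that account.
SAMPLE_ROLE_INVENTORY = {
    "111111111111": ["AWSControlTowerExecution", "OrganizationAccountAccessRole"],
    "222222222222": ["AWSControlTowerExecution"],
    "333333333333": ["OrganizationAccountAccessRole"],  # execution role missing
}


def enabled_principals(service_access_json: str) -> set[str]:
    """Service principals that currently have trusted access in the organization."""
    data = json.loads(service_access_json)
    return {e["ServicePrincipal"] for e in data.get("EnabledServicePrincipals", [])}


def control_tower_trusted_access_enabled(service_access_json: str) -> bool:
    """True when controltower.amazonaws.com appears in the enabled list."""
    return CONTROL_TOWER_PRINCIPAL in enabled_principals(service_access_json)


def accounts_missing_execution_role(inventory: dict[str, list[str]]) -> list[str]:
    """Account IDs whose role inventory lacks AWSControlTowerExecution."""
    return sorted(acct for acct, roles in inventory.items() if EXECUTION_ROLE not in roles)


def audit(service_access_json: str, inventory: dict[str, list[str]]) -> dict:
    """Combine both checks; 'ok' is True only when nothing is missing."""
    trusted = control_tower_trusted_access_enabled(service_access_json)
    missing = accounts_missing_execution_role(inventory)
    return {
        "trusted_access_enabled": trusted,
        "accounts_missing_role": missing,
        "ok": trusted and not missing,
    }


if __name__ == "__main__":
    # With the constructed samples: trusted access is enabled, but account
    # 333333333333 lacks the execution role, so the overall result is not ok.
    print(json.dumps(audit(SAMPLE_SERVICE_ACCESS, SAMPLE_ROLE_INVENTORY), indent=2))
```

To run it against a real organization, replace `SAMPLE_SERVICE_ACCESS` with the command output and build the inventory by listing roles from each enrolled account; an account reported under `accounts_missing_role` cannot be managed by Control Tower until the role is present.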

## Disabling trusted access with Amazon Control Tower
<a name="integrate-disable-ta-CTower"></a>

For information about the permissions needed to disable trusted access, see [Permissions required to disable trusted access](orgs_integrate_services.md#orgs_trusted_access_disable_perms).

You can only disable trusted access using the Organizations tools.

**Important**  
Disabling Amazon Control Tower's trusted access causes drift in your Amazon Control Tower Landing Zone. The only way to fix the drift is to use Amazon Control Tower's Landing Zone repair. Re-enabling trusted access in Organizations does not fix the drift. [Learn more about drift](https://docs.amazonaws.cn/controltower/latest/userguide/drift.html) in the *Amazon Control Tower user guide*.

You can disable trusted access by running an Organizations Amazon CLI command, or by calling an Organizations API operation in one of the Amazon SDKs.

------
#### [ Amazon CLI, Amazon API ]

**To disable trusted service access using the Organizations CLI/SDK**  
Use the following Amazon CLI commands or API operations to disable trusted service access:
+ Amazon CLI: [disable-aws-service-access](https://docs.amazonaws.cn/cli/latest/reference/organizations/disable-aws-service-access.html)

  Run the following command to disable Amazon Control Tower as a trusted service with Organizations.

  ```
  $ aws organizations disable-aws-service-access \
      --service-principal controltower.amazonaws.com
  ```

  This command produces no output when successful.
+ Amazon API: [DisableAWSServiceAccess](https://docs.amazonaws.cn/organizations/latest/APIReference/API_DisableAWSServiceAccess.html)

------
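Because disabling trusted access causes Landing Zone drift that only Landing Zone repair can clear (see the Important note above), a defender will want to notice the `DisableAWSServiceAccess` call when it happens. The following script is an added example and is not code from the Organizations user guide or from Amazon Control Tower. Organizations API calls are recorded by CloudTrail with `eventSource` `organizations.amazonaws.com`; the other field names used here (`eventName`, `requestParameters.servicePrincipal`, `userIdentity.arn`, `recipientAccountId`) are assumed to follow the standard CloudTrail record layout. The sample records are constructed, one JSON record per line as in a CloudTrail log export.

```python
"""Flag CloudTrail events that disable Control Tower's trusted access.

Added example, not code from the Organizations user guide. Field names other
than eventSource are assumed to follow the standard CloudTrail record layout;
SAMPLE_RECORDS below are constructed so the script runs offline.
"""
import json

WATCHED_PRINCIPAL = "controltower.amazonaws.com"
ORG_EVENT_SOURCE = "organizations.amazonaws.com"
DISABLE_EVENT = "DisableAWSServiceAccess"

# Constructed sample log: four records, only the third is the event we care about.
SAMPLE_RECORDS = "\n".join(json.dumps(r) for r in [
    {"eventTime": "2024-03-01T10:00:00Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": "EnableAWSServiceAccess",
     "requestParameters": {"servicePrincipal": WATCHED_PRINCIPAL},
     "userIdentity": {"arn": "arn:aws-cn:iam::111111111111:role/OrgAdmin"},
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-03-02T11:15:00Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": DISABLE_EVENT,
     "requestParameters": {"servicePrincipal": "cloudtrail.amazonaws.com"},
     "userIdentity": {"arn": "arn:aws-cn:iam::111111111111:role/OrgAdmin"},
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-03-03T08:42:00Z", "eventSource": ORG_EVENT_SOURCE,
     "eventName": DISABLE_EVENT,
     "requestParameters": {"servicePrincipal": WATCHED_PRINCIPAL},
     "userIdentity": {"arn": "arn:aws-cn:iam::111111111111:user/alice"},
     "recipientAccountId": "111111111111"},
    {"eventTime": "2024-03-03T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "requestParameters": {},
     "userIdentity": {"arn": "arn:aws-cn:iam::222222222222:user/bob"},
     "recipientAccountId": "222222222222"},
])


def iter_records(text: str):
    """Yield one parsed CloudTrail record per non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def is_control_tower_trusted_access_removal(record: dict) -> bool:
    """Match DisableAWSServiceAccess from Organizations for the Control Tower principal."""
    params = record.get("requestParameters") or {}  # may be absent or null
    return (record.get("eventSource") == ORG_EVENT_SOURCE
            and record.get("eventName") == DISABLE_EVENT
            and params.get("servicePrincipal") == WATCHED_PRINCIPAL)


def find_trusted_access_removals(text: str) -> list[dict]:
    """Return a finding per matching record with who did it, when, and the required response."""
    findings = []
    for record in iter_records(text):
        if is_control_tower_trusted_access_removal(record):
            findings.append({
                "time": record.get("eventTime"),
                "actor": (record.get("userIdentity") or {}).get("arn"),
                "account": record.get("recipientAccountId"),
                "response": "Landing Zone drift: run Control Tower Landing Zone repair; "
                            "re-enabling trusted access alone does not clear it",
            })
    return findings


if __name__ == "__main__":
    for finding in find_trusted_access_removals(SAMPLE_RECORDS):
        print(json.dumps(finding))
```

The finding deliberately carries the remediation from the Important note, so whoever triages the alert is not tempted to simply re-run `enable-aws-service-access` and consider the matter closed.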