AWS Control Tower: Baby Steps

Terris Linenbach
2 min read · Feb 6, 2024


AWS Control Tower is your friend. Maybe.

The next time you create an AWS account, whether for an existing organization or a new one, try AWS Control Tower. Control Tower is like a helping hand nudging you along the path of “best” cloud infrastructure practices that most of us don’t have time to learn. However, unless you perform some under-documented chores along the way, what you will experience instead is the joy of errors.

First error:

AWS Control Tower failed to set up your landing zone completely: AWSControlTower could not complete the operation, because it could not assume the “AWSControlTowerAdmin” role

  1. Log in to AWS as the root user of the organization’s management account
  2. Go to Organizations. For example:
    https://console.aws.amazon.com/organizations
  3. Click Policies
  4. Click Service control policies
  5. Check the box next to FullAWSAccess
  6. Click Create Policy

The point of this detour is to make sure the service control policy type is enabled for the organization. Control Tower enforces its controls with SCPs, so the organization must have all features enabled (not consolidated billing only) and the SCP policy type must be switched on before the landing zone can be set up.
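Before clicking through the console, it helps to confirm the three things the first error usually comes down to. The following script is an added example, not something from the original post: it assumes AWS CLI v2 is installed and the shell is already authenticated to the management account, and it changes nothing. The function names (`evaluate_preflight`, `preflight`) are my own.

```shell
#!/bin/sh
# Added example, not from the original post: a read-only pre-flight check for
# the "could not assume the AWSControlTowerAdmin role" error. Assumes AWS CLI
# v2 and a session in the organization's management account.

# Organizations feature set: Control Tower needs "ALL", not "CONSOLIDATED_BILLING".
org_feature_set() {
  aws organizations describe-organization \
    --query 'Organization.FeatureSet' --output text
}

# Status of the SERVICE_CONTROL_POLICY policy type on the org root:
# "ENABLED", or "None" when SCPs were never enabled.
scp_policy_status() {
  aws organizations list-roots \
    --query "Roots[0].PolicyTypes[?Type=='SERVICE_CONTROL_POLICY'].Status | [0]" \
    --output text
}

# Service principal(s) trusted by AWSControlTowerAdmin; should include
# controltower.amazonaws.com. Prints nothing when the role does not exist.
control_tower_admin_trust() {
  aws iam get-role --role-name AWSControlTowerAdmin \
    --query 'Role.AssumeRolePolicyDocument.Statement[].Principal.Service' \
    --output text 2>/dev/null
}

# Pure evaluation of the three answers, testable without AWS. Prints each
# problem found and returns the number of problems (0 means all good).
evaluate_preflight() {
  feature_set="$1"; scp_status="$2"; trust="$3"
  problems=0
  if [ "$feature_set" != "ALL" ]; then
    echo "organization feature set is '$feature_set'; Control Tower needs ALL"
    problems=$((problems + 1))
  fi
  if [ "$scp_status" != "ENABLED" ]; then
    echo "service control policies are not enabled on the organization root"
    problems=$((problems + 1))
  fi
  case "$trust" in
    *controltower.amazonaws.com*) ;;
    *) echo "AWSControlTowerAdmin is missing or does not trust controltower.amazonaws.com"
       problems=$((problems + 1)) ;;
  esac
  return "$problems"
}

# Run the three lookups and evaluate them.
preflight() {
  evaluate_preflight "$(org_feature_set)" "$(scp_policy_status)" "$(control_tower_admin_trust)"
}

# Only hit AWS when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  preflight && echo "pre-flight OK"
fi
```

Run it with `sh preflight.sh --run`; a non-zero exit status plus the printed lines tells you which of the three preconditions the console steps above need to fix.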

Second error:

This one comes in several forms:

No launch paths found for resource:

The landing zone has drifted

Account enrollment failed

The CSV file associated with the last error contains a clue:

Add the IAM user to the AWS Service Catalog portfolio before registering your OU

Here’s a solution:

  1. Create an IAM user (yes, a real IAM user) in the management account
  2. Attach the AdministratorAccess managed policy to it
  3. Go to Service Catalog
  4. Click Portfolios
  5. Click AWS Control Tower Account Factory Portfolio
  6. Click the Access tab
  7. Click Grant access
  8. Click the Users tab
  9. Check the box next to the user you created in step 1
  10. Click Grant access
  11. Log out
  12. Log in as the user you created in step 1

That user is a standing administrator credential for the whole organization, so enable MFA on it before you use it and don’t create access keys for it; it exists to drive the console, not automation.
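The same twelve steps, done from the CLI so they can be repeated and verified. This is an added example, not code from the original post: it assumes AWS CLI v2 and a session that already has administrator rights in the management account. The user name `ct-operator` is an assumption (override it with `USER_NAME=...`); the portfolio display name is the one Control Tower creates. It goes one step beyond the post by reading the portfolio’s principals back to confirm the grant took effect.

```shell
#!/bin/sh
# Added example, not from the original post: CLI equivalent of the console
# steps (create an IAM user, attach AdministratorAccess, grant it access to
# the Account Factory portfolio, verify). Assumes AWS CLI v2 and an
# administrator session in the management account.

USER_NAME="${USER_NAME:-ct-operator}"   # assumed name
PORTFOLIO_NAME="AWS Control Tower Account Factory Portfolio"

# Steps 1-2: create the user and attach AdministratorAccess. No access key is
# created on purpose: this user is for console use with MFA, not automation.
create_admin_user() {
  aws iam create-user --user-name "$1" >/dev/null
  aws iam attach-user-policy --user-name "$1" \
    --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
  aws iam get-user --user-name "$1" --query 'User.Arn' --output text
}

# Steps 3-5: find the Account Factory portfolio by display name.
find_portfolio_id() {
  aws servicecatalog list-portfolios \
    --query "PortfolioDetails[?DisplayName=='$PORTFOLIO_NAME'].Id | [0]" \
    --output text
}

# Steps 6-10: associate the principal with the portfolio. Principal type IAM
# accepts a user, group or role ARN, so the role behind an IAM Identity Center
# permission set can be granted the same way.
grant_portfolio_access() {
  aws servicecatalog associate-principal-with-portfolio \
    --portfolio-id "$1" --principal-arn "$2" --principal-type IAM
}

# Pure helper: is $1 one of the whitespace-separated ARNs in $2?
principal_in_list() {
  for arn in $2; do
    [ "$arn" = "$1" ] && return 0
  done
  return 1
}

# Read the portfolio's principals back and confirm the grant is there.
verify_portfolio_access() {
  granted=$(aws servicecatalog list-principals-for-portfolio \
    --portfolio-id "$1" --query 'Principals[].PrincipalARN' --output text)
  principal_in_list "$2" "$granted"
}

main() {
  user_arn=$(create_admin_user "$USER_NAME")
  portfolio_id=$(find_portfolio_id)
  if [ -z "$portfolio_id" ] || [ "$portfolio_id" = "None" ]; then
    echo "portfolio '$PORTFOLIO_NAME' not found; has the landing zone been set up?" >&2
    return 1
  fi
  grant_portfolio_access "$portfolio_id" "$user_arn"
  verify_portfolio_access "$portfolio_id" "$user_arn" \
    && echo "granted $user_arn access to $portfolio_id"
}

# Only touch AWS when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

After `sh grant-account-factory.sh --run`, set a console password and an MFA device for the user in the IAM console, then sign in as that user before registering the OU.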

Don’t log in to the AWS console with the management account’s root user ever again! Keep MFA enabled on it and reserve it for the handful of tasks that only root can perform.

It’s probably never a good idea to use Control Tower with any user besides the one you created in step 1 above. AWS needs to straighten this out because even AWS recommends using IAM Identity Center users instead of IAM users (not at all confusing 🙄). One mitigation: the portfolio’s Access tab also accepts roles, so the role behind an IAM Identity Center permission set can be granted access to the Account Factory portfolio the same way.

You’re Ready to Rock the Tower!

When enabling AWS Control Tower, you’ll be asked whether to create the two shared accounts, Log Archive and Audit. I recommend doing so; you will need to supply two email addresses, and each must be unique across all AWS accounts.

If you don’t have your own email provider and would like all of the emails to land in the same inbox, try the + trick: me+logs@gmail.com and me+audit@gmail.com. The + sign is a legal character in an email address’s local part, and Gmail (like many providers) ignores everything after it, which is why the trick works. No guarantees, though; AWS might still reject + signs in account email addresses. Whatever addresses you use, protect that inbox: the email on an AWS account is the recovery channel for its root user, so anyone who can read it can reset the root password.
