The Ops Community

Mike Graff

AWS Control Tower can finally use your existing core accounts!

Recently (May 16th, 2022), AWS made a small announcement related to AWS Control Tower that will be huge for my AWS environment and probably for many others as well. Namely, you can now use customer-provided core accounts when implementing Control Tower.

Background

AWS Control Tower is a great solution if you are setting up a greenfield environment, and it has some great capabilities I'd like to use, such as the automated Account Factory. However, if you were deploying into an existing AWS multi-account environment, the story was not so great.

Previously, if you deployed AWS Control Tower in your environment, it would automatically set up a "Landing Zone" that included a new Security account, a new Central Logging account, an OU structure, etc. However, if you had already set up a multi-account environment to AWS best practices on your own, and thus already had a Security Operations account and a central logging account, you had no way to tell Control Tower to use those existing accounts. Instead, the former AWS guidance was to set up the new Landing Zone environment "on the side" and migrate your logging and security functions over to the new accounts.

When the AWS Solutions Architect told me that this was the approach, I let him know that there was no way I was going to revisit my hundreds of AWS accounts to modify the logging configuration or move all my security workloads from the existing Security Operations account to a new one. Instead, I told him to add my name to the PFR for making Control Tower ingest existing core accounts and come back when it was ready.

Solution

Well, that day has finally come with the announcement that I mentioned at the top of this post. I haven't tried this myself yet, but I was so excited I had to share the news. The AWS Control Tower User Guide gets into the details of prerequisites and how to enroll existing accounts.

Knowing AWS, I'm sure there will still be some gotchas and limitations of this new feature, but I'm definitely looking forward to checking it out once I get some free time to work on it. Hopefully I'll be able to do some more blog posts on this topic in the future.

Have you already tried out this new feature? I'd love to hear about your experience. Leave a comment and let me know.
