Which default organizational units does AWS Control Tower create in AWS Organizations when the landing zone is first established?

  • For more information about organizations and OUs, see AWS Organizations terminology and concepts. If you're new to AWS Control Tower, that terminology is a good place to begin.

  • AWS Organizations is an AWS service that helps you centrally govern your environment as you grow and scale your workloads on AWS. AWS Control Tower relies on AWS Organizations to create accounts, to enforce preventive guardrails at the OU level, and to provide centralized billing.

  • An AWS Account Factory account is an AWS account provisioned using Account Factory in AWS Control Tower. Sometimes, Account Factory is referred to informally as a “vending machine” for accounts.

  • Your AWS Control Tower home Region is the AWS Region in which your AWS Control Tower landing zone was deployed. You can view your home Region in your landing zone settings.

  • AWS Service Catalog allows you to manage commonly deployed IT services, centrally. In the context of this document, Account Factory uses AWS Service Catalog to provision new AWS accounts.

  • AWS CloudFormation StackSets are a type of resource that extends the functionality of stacks so that you can create, update, or delete stacks across multiple accounts and Regions with a single operation and a single CloudFormation template.

  • A stack instance is a reference to a stack in a target account within a Region.

  • A stack is a collection of AWS resources that you can manage as a single unit.

  • An aggregator is an AWS Config resource type that collects AWS Config configuration and compliance data from multiple accounts and Regions within the organization, allowing you to view and query this compliance data within a single account.

  • A conformance pack is a collection of AWS Config rules and remediation actions that can be deployed as a single entity in an account and a Region, or across an organization in AWS Organizations. You can use a conformance pack to help customize your AWS Control Tower environment. For technical blogs that provide more details, see Related information.

  • Baseline: To baseline an account is to set up its blueprints and guardrails. The baselining process also sets up the centralized logging and security audit roles on the account, as part of deploying the blueprints. AWS Control Tower baselines are contained in the roles that you apply to every enrolled account.

  • Drift: A change in a resource installed and configured by AWS Control Tower. Resources without drift enable AWS Control Tower to function properly.

  • Non-compliant resource: A resource that is in violation of an AWS Config rule that defines a particular detective guardrail.

  • Shared account: One of the three accounts that AWS Control Tower creates automatically when you set up your landing zone: the management account, the log archive account, and the audit account. You can choose customized names for the log archive account and the audit account during setup.

  • Member account: A member account belongs to the AWS Control Tower organization. The member account can be enrolled or unenrolled in AWS Control Tower. When a registered OU contains a mix of enrolled and unenrolled accounts:

    • Preventive guardrails enabled on the OU apply to all accounts within it, including unenrolled ones. This is true because preventive guardrails are enforced with SCPs at the OU level, not the account level. For more information, see Inheritance for service control policies in the AWS Organizations documentation.

    • Detective guardrails enabled on the OU do not apply to unenrolled accounts.

    An account can be a member of only one organization at a time, and its charges are billed to the management account for that organization. A member account can be moved to the root container of an organization.

  • AWS account: An AWS account acts as a resource container and resource isolation boundary. An AWS account can be associated with billing and payment. An AWS account is different from a user account (sometimes called an IAM account) in AWS Control Tower. Accounts created through the Account Factory provisioning process are AWS accounts. AWS accounts also can be added to AWS Control Tower by means of the account enrollment or OU registration process.

  • Guardrail: A guardrail is a high-level rule that provides ongoing governance for your overall AWS Control Tower environment. Each guardrail enforces a single rule. Preventive guardrails are implemented with SCPs. Detective guardrails are implemented with AWS Config rules. For more information, see How Guardrails Work.

  • Landing zone: A landing zone is a cloud environment that offers a recommended starting point, including default accounts, account structure, network and security layouts, and so forth. From a landing zone, you can deploy workloads that utilize your solutions and applications.

  • Nested OU: A nested OU in AWS Control Tower is an OU contained within another OU. A nested OU can have exactly one parent OU, and each account can be a member of exactly one OU. Nested OUs create a hierarchy. When you attach a policy to one of the OUs in the hierarchy, it flows down and affects all the OUs and accounts beneath it. A nested OU hierarchy in AWS Control Tower can be a maximum of five levels deep.

  • Parent OU: The OU immediately above the current OU in the hierarchy. Each OU can have exactly one parent OU.

  • Child OU: Any OU below the current OU in the hierarchy. An OU can have many child OUs.

  • OU hierarchy: In AWS Control Tower, the hierarchy of nested OUs can have up to five levels. The order of nesting is referred to as Levels. The top of the hierarchy is designated as Level 1.

  • Top-level OU: A top-level OU is any OU that's directly under the Root, not the Root itself. The Root is not considered an OU.

AWS Organizations is an account management service that lets you consolidate multiple AWS accounts into an organization that you create and centrally manage. With Organizations, you can create member accounts and invite existing accounts to join your organization. You can organize those accounts into groups and attach policy-based controls. For more information, see AWS Organizations User Guide.

In AWS Control Tower, Organizations helps centrally manage billing; control access, compliance, and security; and share resources across your member AWS accounts. Accounts are grouped into logical groups, called organizational units (OUs). For more information on Organizations, see AWS Organizations User Guide.

AWS Control Tower uses the following OUs:

  • Root – The parent container for all accounts and all other OUs in your landing zone.

  • Security – This OU contains the log archive account, the audit account, and the resources they own.

  • Sandbox – This OU is created when you set up your landing zone. It and other child OUs in your landing zone contain your member accounts. These are the accounts that your end users access to perform work on AWS resources.
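The inheritance rules stated in the glossary above (a guardrail attached to an OU flows down to every OU and account beneath it; preventive guardrails are SCPs and so bind every account in the OU, enrolled or not; detective guardrails are AWS Config rules and bind only enrolled accounts; nested OUs may be at most five levels deep) can be worked through on a model of the default Security and Sandbox OUs. This is an added Python illustration, not AWS or Control Tower code: the nested Prod OU, the guardrail labels and the 12-digit account ids are constructed sample data.

```python
from dataclasses import dataclass, field

MAX_OU_LEVELS = 5  # Control Tower limit; Root is level 0, a top-level OU is Level 1

@dataclass
class Node:
    """Root or an OU; guardrails attached here flow down to everything beneath."""
    name: str
    preventive: frozenset = frozenset()  # SCP-backed guardrails attached at this OU
    detective: frozenset = frozenset()   # AWS Config rule guardrails attached here
    children: list = field(default_factory=list)
    accounts: dict = field(default_factory=dict)  # account id -> enrolled in CT?

def max_level(node, level=0):
    # Deepest nesting Level under node (constructed helper, not an AWS API)
    return max([level] + [max_level(c, level + 1) for c in node.children])

def within_depth_limit(root):
    return max_level(root) <= MAX_OU_LEVELS

def find_path(node, account_id, path=()):
    """Containers from Root down to the OU that directly holds the account."""
    path = path + (node,)
    if account_id in node.accounts:
        return path
    for child in node.children:
        found = find_path(child, account_id, path)
        if found:
            return found
    return None

def effective_guardrails(root, account_id):
    """(preventive, detective) guardrails that actually bind the account: SCPs are
    inherited along the whole path regardless of enrollment, Config rules only if enrolled."""
    path = find_path(root, account_id)
    if path is None:
        raise KeyError(f"account {account_id} not found in the organization")
    enrolled = path[-1].accounts[account_id]
    preventive = frozenset().union(*(n.preventive for n in path))
    detective = frozenset().union(*(n.detective for n in path)) if enrolled else frozenset()
    return preventive, detective

# Constructed sample: the default landing zone OUs plus a nested Prod OU under
# Sandbox. Guardrail labels and account ids are made up for this illustration.
security = Node("Security", accounts={"111111111111": True, "222222222222": True})
prod = Node("Prod", detective=frozenset({"detect-unencrypted-ebs"}), accounts={"444444444444": False})
sandbox = Node("Sandbox", preventive=frozenset({"deny-root-access-keys"}),
               detective=frozenset({"detect-public-s3"}),
               children=[prod], accounts={"333333333333": True})
ROOT = Node("Root", children=[security, sandbox])
```

The unenrolled account in the nested Prod OU still picks up the SCP-backed guardrail from Sandbox but none of the Config-rule guardrails, which is exactly the mixed-OU behaviour the glossary describes.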

You can add additional OUs in your landing zone through the AWS Control Tower console on the Organizational units page.

OUs created through AWS Control Tower can have guardrails applied to them. OUs created outside of AWS Control Tower cannot, by default. You can, however, register such OUs. Once you have registered an OU, you can apply guardrails to it and its accounts. For information on registering an OU, see Register an existing organizational unit with AWS Control Tower.

All organizational units (OUs) and accounts that you create in AWS Control Tower are governed automatically by AWS Control Tower. Also, if you have existing OUs and accounts that were created outside of AWS Control Tower, you can bring them into AWS Control Tower governance.

For existing AWS Organizations and AWS accounts, most customers prefer to enroll groups of accounts by registering the entire organizational unit (OU) that contains the accounts. You also can enroll accounts individually. For more information on enrolling individual accounts, see Enroll an existing AWS account.

Terminology

  • When you bring an existing organization into AWS Control Tower, it's called registering the organization, or extending governance to the organization.

  • When you bring an AWS account into AWS Control Tower, it's called enrolling the account.

View your OUs and accounts

On the AWS Control Tower Organization page, you can view all the OUs in your AWS Organizations, including OUs that are registered with AWS Control Tower and those that are not registered. You can view nested OUs as part of the hierarchy. An easy way to view your organizational units on the Organization page is to select Organizational units only from the dropdown at the upper right.

The Organization page lists all accounts in your organization, regardless of OU or enrollment status in AWS Control Tower. An easy way to view your accounts on the Organization page is to select Accounts only from the dropdown at the upper right. You can view, update, and enroll accounts individually within the OUs, if the accounts meet the prerequisites for enrollment.

Extend governance to an existing organization

You can add AWS Control Tower governance to an existing organization by setting up a landing zone (LZ) as outlined in the AWS Control Tower User Guide at Getting Started, Step 2.

Here's what to expect when you set up your AWS Control Tower landing zone in an existing organization.

  • You can have one landing zone per AWS Organizations organization.

  • AWS Control Tower uses the management account from your existing AWS Organizations organization as its management account. No new management account is needed.

  • AWS Control Tower sets up two new accounts in a registered OU: an audit account and a logging account.

  • Your organization's service limits must allow for the creation of these two additional accounts.

  • After you've launched your landing zone or registered an OU, AWS Control Tower guardrails apply automatically to all enrolled accounts in that OU.

  • You can enroll additional existing AWS accounts into an OU that's governed by AWS Control Tower, so that guardrails apply to those accounts.

  • You can add more OUs in AWS Control Tower, and you can register existing OUs.

To check other prerequisites for registration and enrollment, see Getting Started with AWS Control Tower.

Here's more detail about how AWS Control Tower guardrails do not apply to OUs in AWS Organizations that don't have an AWS Control Tower landing zone set up:

  • New accounts created outside of AWS Control Tower Account Factory are not bound by the registered OU's guardrails.

  • New accounts created in OUs that are not registered with AWS Control Tower are not bound by guardrails, unless you specifically enroll those accounts into AWS Control Tower. See Enroll an existing AWS account for more information about enrolling accounts.

  • Additional existing organizations, existing accounts, and any new OUs or any accounts that you create outside of AWS Control Tower, are not bound by AWS Control Tower guardrails, unless you separately register the OU or enroll the account.

For more information about how to apply AWS Control Tower to existing OUs and accounts, see Register an existing organizational unit with AWS Control Tower.

For an overview of the process of setting up an AWS Control Tower landing zone in your existing organization, see the video in the next section.

During setup, AWS Control Tower performs pre-checks to avoid common issues. However, if you are currently using the AWS Landing Zone solution for AWS Organizations, check with your AWS solutions architect before you try to enable AWS Control Tower in your organization, to determine whether AWS Control Tower may interfere with your current landing zone deployment. Also, see What if the account does not meet the prerequisites? for information about moving accounts from one landing zone to another.

Considerations for IAM Identity Center and existing organizations

  • If AWS IAM Identity Center (successor to AWS Single Sign-On) is already set up, the AWS Control Tower home Region must be the same as the IAM Identity Center Region.

  • AWS Control Tower does not delete an existing configuration.

  • If IAM Identity Center is already enabled, and if you are using IAM Identity Center Directory, AWS Control Tower adds resources such as permission sets, groups, and so forth, and proceeds as usual.

  • If another directory (external, AD, Managed AD) is set up, AWS Control Tower does not change the existing configuration. For more details, see Considerations for AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) customers.

Access to other AWS services

After you bring your organization into AWS Control Tower governance, you still have access to any AWS services that are available through AWS Organizations, by means of the AWS Organizations console and APIs. For more information, see Related AWS services.

Enable a Landing Zone in existing AWS Organizations

This video (7:48), Getting started with AWS Control Tower for AWS Organizations, describes how to set up and enable an AWS Control Tower landing zone in existing AWS Organizations.