Tags
Engineering notes
Updated at
Aug 10, 2022 6:39 PM
Published at
August 10, 2022
Hopefully, this page gets indexed on Google for the next person.
This is for people enabling AWS Control Tower on an existing AWS Organization.
AWS provides documentation on how to enroll existing AWS accounts. It mentions that the existing accounts need an AWSControlTowerExecution role, and then never tells you how to create one.
So here is how:
- Log into the account that needs to be enrolled.
- IAM → Roles → Create Role
- Select trusted entity: AWS Account → Another AWS account. Enter the Management AWS Account ID → Next
- Add permissions: AdministratorAccess (arn:aws:iam::aws:policy/AdministratorAccess) → Next
- Name, review, and create:
  - Role name: AWSControlTowerExecution
  - Create role
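The same role built with the AWS CLI instead of console clicks, as an added example that is not part of the original note. It shows the trust policy the console's "Another AWS account" choice generates (the management account's root principal, which is what AWS documents for this role) and reads the role back so you can confirm who is trusted and what is attached. It assumes the AWS CLI is configured with credentials for the account being enrolled and that the management account ID is passed as the first argument.

```shell
#!/usr/bin/env bash
# Added example (not the original note's or AWS's own script): create the
# AWSControlTowerExecution role from the CLI. Assumes `aws` is configured with
# credentials for the account being enrolled.
set -eu

ROLE_NAME="AWSControlTowerExecution"
ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# AWS account IDs are exactly 12 digits; reject anything else before calling IAM.
valid_account_id() {
  printf '%s' "$1" | grep -Eq '^[0-9]{12}$'
}

# Trust policy equivalent to "Another AWS account" in the console: any principal
# in the management account that is allowed sts:AssumeRole can assume this role,
# and with AdministratorAccess attached that means full admin in this account.
# Review who in the management account holds sts:AssumeRole accordingly.
trust_policy_json() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:root" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

create_execution_role() {
  mgmt="$1"
  valid_account_id "$mgmt" || { echo "management account ID must be 12 digits" >&2; return 1; }
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy_json "$mgmt")" \
    --description "Lets AWS Control Tower in the management account manage this account"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$ADMIN_POLICY_ARN"
  # Read back what was actually created: trusted principal and attached policies.
  aws iam get-role --role-name "$ROLE_NAME" --query 'Role.AssumeRolePolicyDocument'
  aws iam list-attached-role-policies --role-name "$ROLE_NAME" --query 'AttachedPolicies[].PolicyArn'
}

# Usage: ./create-ct-execution-role.sh <management-account-id>
if [ "${1:-}" != "" ]; then
  create_execution_role "$1"
fi
```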
Simple in retrospect