Enrolling existing AWS Account in ControlTower - AWSControlTowerExecution IAM role

Engineering notes
Updated at
Aug 10, 2022 6:39 PM
Published at
August 10, 2022

Hopefully, this page gets indexed on Google for the next person.

This is for people enabling AWS Control Tower on an existing AWS Organization.

AWS provides documentation on how to enroll existing AWS accounts. It mentions that the old AWS accounts need an AWSControlTowerExecution role, and then never tells you how to create one.

So here is how:

  • Log into the account that needs to be enrolled.
  • IAM → Roles → Create Role
  • Select trusted entity: AWS Account → Another AWS account. Enter the Management AWS Account ID → Next
  • Add permissions: AdministratorAccess ( arn:aws:iam::aws:policy/AdministratorAccess ) → Next
  • Name, review, and create:
    • Role name: AWSControlTowerExecution
    • Create role
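
The same steps as an AWS CLI script, added here as an example (not from the original post or from AWS). It assumes AWS CLI v2 and credentials for the account being enrolled; `MANAGEMENT_ACCOUNT_ID` is a placeholder you set, and the trust policy it writes is what the console's "Another AWS account" option generates.

```shell
#!/bin/sh
# Added example: the console steps above as AWS CLI calls.
# Assumes AWS CLI v2 and credentials for the account being enrolled
# (the account that needs the role), not the management account.
set -eu

ROLE_NAME="AWSControlTowerExecution"
ADMIN_POLICY_ARN="arn:aws:iam::aws:policy/AdministratorAccess"

# AWS account IDs are exactly 12 digits; a typo here would hand
# AdministratorAccess in this account to whichever account owns that ID.
validate_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Trust policy equivalent to "Another AWS account" in the console:
# only principals in the management account may assume the role.
trust_policy() {
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"AWS":"arn:aws:iam::%s:root"},"Action":"sts:AssumeRole"}]}' "$1"
}

# Create the role, attach AdministratorAccess, then read the trust policy
# back so the trusted principal can be checked against the intended ID.
create_execution_role() {
  mgmt_id="$1"
  validate_account_id "$mgmt_id" || { echo "invalid management account id: $mgmt_id" >&2; return 1; }
  aws iam create-role \
    --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$mgmt_id")" \
    --description "Assumed by the Control Tower management account during enrollment"
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$ADMIN_POLICY_ARN"
  aws iam get-role --role-name "$ROLE_NAME" \
    --query 'Role.AssumeRolePolicyDocument.Statement[0].Principal.AWS' --output text
}

# Only touches AWS when run as: MANAGEMENT_ACCOUNT_ID=<12 digits> APPLY=yes sh enroll.sh
if [ "${APPLY:-no}" = "yes" ]; then
  create_execution_role "${MANAGEMENT_ACCOUNT_ID:?set MANAGEMENT_ACCOUNT_ID to the management account ID}"
fi
```

The last command prints the trusted principal ARN; confirm it names the management account before you start enrollment in Control Tower.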

Simple in retrospect