Add Account
This Standard Operating Procedure (SOP) provides a guide on how to add a new or existing account to AWS Control Tower.
Create a new Account
https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html
- Log in to the Management Account and navigate to Control Tower (CT). Ensure you are in the correct region.
- Click on Account Factory in the left-hand menu, then select Create Account.
- Fill in all the required details:
  - Ensure the email address exists and is unique. Use “plus aliasing” (e.g., [email protected]) if you need to create multiple accounts with the same email domain.
  - Place the account under the Workloads OU.
- Check your email inbox. You will receive two emails, one of which contains the invitation link for the specified SSO user.
- Follow the invitation link and choose a password for the SSO user.
- Log in with the SSO user and set up MFA:
  - Select Authenticator app and click Next.
  - Use your preferred authenticator app to scan the QR code or manually enter the key and complete the process.
- You should now be able to log in to the account using the SSO user.
- Make a note of the new account ID. Add the account to the workloads OU in the CDK construct. Assign the account type:
  - DlzAccountType.DEVELOP - Accounts with fewer security restrictions, designed to enhance the developer experience.
  - DlzAccountType.PRODUCTION - Accounts requiring tight security measures, used for hosting production workloads.
- Run the bootstrapAll script or manually bootstrap the account using the AWS CDK. Refer to Scripts and Commands for detailed instructions.
Enroll an existing Account
To enroll an existing account into Control Tower, follow the steps outlined in the official AWS documentation.
Additional Account Setup
See the Account Setup SOP for additional details on setting up one-time AWS Services and integrations required for certain features to work in the Data Landing Zone.