A little while back I wrote a blog series on AWS Multi-Account architectures and ways to deploy them. My post on Control Tower came during the relative infancy of the service. Since then, Control Tower has benefited from a number of updates, including some very recent ones that mark a fairly large leap in service maturity.
You can view the updates to the Control Tower User Guide to get an idea of the update history, but the big news is that Control Tower can now be deployed for existing organizations. This is huge for customers who may have interest in Control Tower, but created landing zones within AWS prior to Control Tower being available. Prior to this, Control Tower required a brand new account to be used for deployment, and migrating pre-existing landing zones over to a new Control Tower build was probably too much lift for not enough value. Today though, Control Tower can be enabled for existing organizations within AWS.
There are certainly some “gotchas” that you want to be aware of, but the video in the link above does a pretty good job in stepping through all of this at a high level. One big thing to keep in mind actually covers another one of the cool new features, which is the ability to enroll existing accounts into Control Tower. From the time of my previous post, Control Tower could only govern accounts that were deployed from within the Account Factory. Existing accounts (again, read the fine print for details) can now be imported into Control Tower, which means Guard Rails and all the other governance features provided by the service can be available to previously created accounts within the same organization.
When it comes to enabling Control Tower for your existing organization, the end state will “convert” your existing master billing account into the Control Tower master and provision your log archive and audit accounts. Any existing accounts will be appear as unregistered and need to enrolled into Control Tower to be able to apply governance.
The process to enroll existing accounts is not trivial, there is not currently an easy button and there are certainly many caveats spelled out in the link above that you must be aware of and prepared for. The general overview looks like this:
A python script is required to run from an EC2 instance within your master account. AWS does a nice job of laying out all the pre-reqs and the process to step through. There are also Cloud Formation templates available to deploy the resources for you, so you should be able to have the proper tools at your disposal rather easily.
It is great to see this key functionality now available for Control Tower. There are still a number of features that would be great to see moving forward. Low hanging fruit would be the ability to create custom Guard Rails and to have nested OUs within a Control Tower organization. It is obvious that AWS is working to level up Control Tower as THE de facto landing zone option within AWS and these recent updates go a long way towards that. Hopefully there will be more to come for this service in the near future as many organizations are still looking for the path of least resistance to organizational governance in the Cloud.