AWS Control Tower simplifies the establishment and governance of your AWS environment, or landing zone, by adhering to AWS’s prescriptive best practices. It integrates various AWS services—such as AWS Organizations, AWS CloudFormation StackSets, Amazon Simple Storage Service (S3), AWS Single Sign-On (SSO), AWS Config, and AWS CloudTrail—to set up a landing zone in less than 30 minutes. Additionally, it applies preventive and detective controls (guardrails) to ensure best practices are consistently followed.
Upon deploying AWS Control Tower, two shared accounts are automatically created: an audit account and a log archive account. The log archive account grants your team access to all logging information from your enrolled accounts within the designated Organizational Units (OUs) of your landing zone. The audit account allows access to audit information provided by AWS Control Tower and can also serve as an access point for third-party tools performing programmatic audits for compliance purposes.
To create these accounts, customers must provide unique email addresses. After the initial setup, customers can either create new AWS accounts or enroll existing accounts into AWS Control Tower. For more information, see About AWS accounts in AWS Control Tower.
Many customers with pre-existing custom landing zones have expressed interest in reusing their established log archive and security accounts. By leveraging existing logging accounts, they can consolidate logs and configuration aggregators into a single account. This post illustrates how to effectively reuse existing core or security AWS accounts while deploying AWS Control Tower, saving time and effort in modifying AWS-native or third-party integrations already in place.
Use Case Overview
A few scenarios where utilizing existing AWS accounts as AWS Control Tower’s log archive and audit accounts would be beneficial include:
- AWS CloudTrail Integration: If you’re using AWS CloudTrail to log events for your management account and all member accounts, you would want to maintain the same account for logging AWS CloudTrail and AWS Config alongside AWS Control Tower—especially if you have existing third-party integrations for post-log processing.
- Delegated Administration: If one of your existing accounts serves as a delegated admin for various AWS services like AWS Security Hub or AWS GuardDuty, you may wish to use the same account as AWS Control Tower’s audit account.
Considerations
Before proceeding, consider the following:
- Review the section on Considerations for bringing existing security and logging accounts.
- AWS Control Tower will relocate these accounts to the newly created OU as part of the deployment.
- AWS Control Tower will establish its own Config Aggregator alongside any existing Config aggregator you may have.
- If AWS Config is deployed in other accounts that you wish to enroll with AWS Control Tower, and you intend to retain the same AWS Config recorder and Delivery Channel, follow the necessary steps before deploying AWS Control Tower.
Prerequisites
Ensure you meet the following prerequisites before proceeding:
- Familiarity with the prerequisites for deploying AWS Control Tower.
- Existing core or shared accounts must already be part of your organization.
- Delete the AWS Config recorder and AWS Config delivery channel from each existing account you intend to reuse, in every region you wish to govern with AWS Control Tower.
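As an added example (not part of the original post), the script below performs the Config cleanup required by the last prerequisite across every region Control Tower will govern, stopping the recorder, deleting the delivery channel and then deleting the recorder, in that order, because AWS Config rejects the deletions in any other order. It assumes boto3 is installed and that credentials for the existing log archive or audit account are configured; the CT_REGIONS and DRY_RUN environment variable names are hypothetical names chosen here.

```python
"""Preflight for reusing an existing account as a Control Tower log archive or audit
account: remove the AWS Config recorder and delivery channel in every governed region.
Assumes boto3 and credentials for the existing account. DRY_RUN=1 (the default) only
reports what exists; DRY_RUN=0 performs the deletions."""
import os


def clean_region(config, region, dry_run=True):
    """Report (and optionally remove) the Config recorder and delivery channel in one region.
    `config` is an AWS Config client: a boto3 client, or any object with the same methods.
    Order matters: stop the recorder, delete the delivery channel, then delete the recorder."""
    recorders = [r["name"] for r in config.describe_configuration_recorders()["ConfigurationRecorders"]]
    channels = [c["name"] for c in config.describe_delivery_channels()["DeliveryChannels"]]
    result = {"region": region, "recorders": recorders, "channels": channels, "removed": False}
    if dry_run or not (recorders or channels):
        return result
    for name in recorders:
        config.stop_configuration_recorder(ConfigurationRecorderName=name)
    for name in channels:
        config.delete_delivery_channel(DeliveryChannelName=name)
    for name in recorders:
        config.delete_configuration_recorder(ConfigurationRecorderName=name)
    result["removed"] = True
    return result


def clean_regions(make_client, regions, dry_run=True):
    """Run clean_region for each governed region; make_client(region) returns a Config client."""
    return [clean_region(make_client(region), region, dry_run) for region in regions]


if __name__ == "__main__":
    import boto3  # only needed for a live run against the account

    session = boto3.Session()
    # CT_REGIONS: hypothetical variable listing the regions Control Tower will govern.
    governed = os.environ.get("CT_REGIONS", "us-east-1,us-west-2").split(",")
    dry = os.environ.get("DRY_RUN", "1") == "1"
    for outcome in clean_regions(lambda region: session.client("config", region_name=region), governed, dry):
        print(outcome)
```

Run it first with DRY_RUN=1 to confirm only the expected recorders and channels are listed before letting it delete anything.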
Steps to Deploy Control Tower with Existing Accounts
Follow these steps to deploy Control Tower utilizing existing accounts:
- Access AWS Control Tower in your AWS management console.
- Select “Set up landing zone.”
- Review pricing and select regions.
- Configure Organizational Units (OUs).
- Choose “Use existing account” (see the screenshots below).
- Select “Next.”
- Review the Service permissions, and when ready, acknowledge the permissions that AWS Control Tower will utilize for resource administration and rule enforcement.
- To finalize and initiate the setup, select “Set up landing zone.”
Here, input the Log Archive account ID.
Now, enter the Audit account ID.
Upon full deployment of AWS Control Tower, the accounts specified in the previous steps will be registered and displayed as “Enrolled” on the AWS Control Tower dashboard.