This page was generated from content adapted from the
Note: You can have one landing zone per organization.
Note: If you already have an AWS Organizations landing zone, you can extend AWS Control Tower governance from the existing landing zone to some or all of your existing OUs and accounts within an organization. See .
Important: Special consideration. If you currently are using the for AWS Organizations, check with your AWS solutions architect before you try to enable AWS Control Tower in your organization. AWS Control Tower cannot perform pre-checks that determine whether AWS Control Tower may interfere with your current landing zone deployment. For more information, see . Also, for information about moving accounts from one landing zone to another, see
Note: To set up AWS Control Tower on an existing organization, your service limits must allow for the creation of at least two additional accounts.
Important: Launching your AWS Control Tower landing zone in an existing AWS Organizations organization does not enable you to extend AWS Control Tower governance from that organization to other OUs or accounts that are not registered with AWS Control Tower.
Note: An AWS account is not the same as a user account, which is set up through Federation or AWS Identity and Access Management (IAM).
Note: The names given in the examples follow the suggested AWS naming conventions for setting up a multi-account AWS environment. You can rename your OUs after you've set up your landing zone, by selecting Edit on the OU detail page.
Note: Up to five accounts can be provisioned at a time.
Note: The AWS Control Tower console indicates when your landing zone needs to be updated. If you don't see an option to update, your landing zone is already up to date.