Organizations
Last updated
Was this helpful?
Last updated
Was this helpful?
Note During set up, AWS Control Tower performs pre-checks to avoid common issues. However, if you are currently using the AWS Landing Zone solution for AWS Organizations, check with your AWS solutions architect before you try to enable AWS Control Tower in your organization to determine if AWS Control Tower may interfere with your current landing zone deployment. Also, see for information about moving accounts from one landing zone to another.
Tip You can make use of control inheritance to help stay within an OU's SCP quota. For example, you can enable a control at the top-level OU of an OU hierarchy, instead of enabling directly for a nested OU.
Note The status Inherited indicates that the control was applied to an OU higher in the tree, and it is enforced on this OU, but it was not added directly to this OU.
Note If you don't already have an AWS Control Tower landing zone, start by setting up a landing zone, either in a new organization created by AWS Control Tower, or in an existing AWS Organizations organization. For more details about how to set up a landing zone, see .
Tip When you re-register an OU, or when you're updating your landing zone version and multiple member accounts, you may see a failure message mentioning the StackSet-AWSControlTowerExecutionRole. This StackSet in the management account can fail because the AWSControlTowerExecution IAM role already exists in all enrolled member accounts. This error message is expected behavior, and it can be disregarded.