

# About AWS accounts in AWS Control Tower
<a name="accounts"></a>

An AWS account is the container for all your owned resources. These resources include the AWS Identity and Access Management (IAM) identities accepted by the account, which determine who has access to that account. IAM identities can include users, groups, roles, and more. For more information about working with IAM, users, roles, and policies in AWS Control Tower, see [Identity and access management in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/auth-access.html).

**Resources and account creation time**

When AWS Control Tower creates or enrolls an account, it deploys the minimum necessary resource configuration for the account. For example, it may include resources in the form of [Account Factory templates](https://docs.aws.amazon.com//controltower/latest/userguide/account-factory-considerations.html) and other resources in your landing zone, such as IAM roles, AWS CloudTrail trails, [Service Catalog provisioned products](https://docs.aws.amazon.com/servicecatalog/latest/userguide/enduser-dashboard.html), and IAM Identity Center users. AWS Control Tower also deploys resources, as required by the control configuration, for the organizational unit (OU) in which the new account is destined to become a member account.

AWS Control Tower orchestrates the deployment of these resources on your behalf. It may require several minutes per resource to complete the deployment, so consider the total time before you create or enroll an account. For more information about managing resources in your accounts, see [Guidance for creating and modifying AWS Control Tower resources](getting-started-guidance.md).

## What happens when AWS Control Tower creates an account
<a name="what-happens-in-account-creation"></a>

New accounts in AWS Control Tower are created and then provisioned by an interaction among AWS Control Tower, AWS Organizations, and AWS Service Catalog. You can create accounts and enroll existing accounts from the AWS Control Tower console. For detailed steps to enroll an existing AWS account using the AWS Control Tower console, see [Enroll an existing account from the AWS Control Tower console](quick-account-provisioning.md).

**Behind the scenes of account creation**

1. You initiate the request, for example, from the AWS Control Tower Account Factory page, or directly from the AWS Service Catalog console, or by calling the Service Catalog `ProvisionProduct` API.

1. AWS Service Catalog calls AWS Control Tower.

1. AWS Control Tower begins a workflow, which as a first step calls the AWS Organizations `CreateAccount` API.

1. After AWS Organizations creates the account, AWS Control Tower completes the provisioning process by applying blueprints and controls.

1. Service Catalog continues to poll AWS Control Tower to check for completion of the provisioning process.

1. When the workflow in AWS Control Tower is complete, Service Catalog finalizes the account's state and informs you (the requester) of the result.

## Considerations for bringing existing security or logging accounts
<a name="considerations-for-existing-shared-accounts"></a>

Before accepting an AWS account as a security (default name: **Audit**) or logging (default name: **Log archive**) account, AWS Control Tower checks the account for resources that conflict with AWS Control Tower requirements. For example, you may have a logging bucket whose name is the same as the one AWS Control Tower requires. AWS Control Tower also validates that the account can provision resources; for example, by ensuring that AWS Security Token Service (AWS STS) is enabled, that the account is not suspended, and that AWS Control Tower has permission to provision resources within the account.

AWS Control Tower does not remove any existing resources in the logging and security accounts that you provide. However, if you choose to enable it, the AWS Control Tower Region deny control prevents access to resources in denied Regions.

**Security for your accounts**  
You can find guidance about best practices to protect the security of your AWS Control Tower management account and member accounts in the AWS Organizations documentation:
+ [Best practices for the management account](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_best-practices_mgmt-acct.html)
+ [Best practices for member accounts](https://docs.aws.amazon.com/organizations/latest/userguide/best-practices_member-acct.html)

# About the shared accounts
<a name="special-accounts"></a>

Three special AWS accounts are associated with AWS Control Tower: the management account, the **audit** account, and the **log archive** account. These accounts usually are referred to as *shared accounts*, or sometimes as *core accounts*.
+ You can select customized names for the audit and log archive accounts when you're setting up your landing zone. For information about changing an account name, see [Externally changing AWS Control Tower resource names](https://docs.aws.amazon.com/controltower/latest/userguide/external-resources.html#changing-names).
+ You also can specify an existing AWS account as an AWS Control Tower security or logging account during the initial landing zone setup process. This option eliminates the need for AWS Control Tower to create new shared accounts. (This is a one-time selection.)

For more information about the shared accounts and their associated resources, see [Resources created in the shared accounts](shared-account-resources.md).

## Management account
<a name="mgmt-account"></a>

This AWS account launches AWS Control Tower. By default, the root user for this account and the IAM user or IAM administrator user for this account have full access to all resources within your landing zone.

**Note**  
As a best practice, we recommend signing in as an IAM Identity Center user with **Administrator** privileges when performing administrative functions within the AWS Control Tower console, instead of signing in as the root user or the IAM administrator user for this account.

For more information about the roles and resources available in the management account, see [Resources created in the shared accounts](shared-account-resources.md).

## Log archive account
<a name="log-archive-account"></a>

The log archive shared account is set up automatically when you create your landing zone, if you do not specifically bring another AWS account.

This account contains a central Amazon S3 bucket for storing a copy of all AWS CloudTrail and AWS Config log files for all other accounts in your landing zone. As a best practice, we recommend restricting log archive account access to teams responsible for compliance and investigations, and their related security or audit tools. This account can be used for automated security audits, or to host custom AWS Config Rules, such as Lambda functions, to perform remediation actions.

**Amazon S3 bucket policy**  
For AWS Control Tower landing zone version 3.3 and later, accounts must meet an `aws:SourceOrgID` condition for any write permissions to your Audit bucket. This condition ensures that CloudTrail can write logs to your S3 bucket only on behalf of accounts within your organization; it prevents CloudTrail in accounts outside your organization from writing logs to your AWS Control Tower S3 bucket. For more information, see [AWS Control Tower landing zone version 3.3](2023-all.md#lz-3-3).
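The `aws:SourceOrgID` check described above, as an added Python example (not AWS Control Tower's code or the bucket policy it generates): it flags bucket policy statements that let the CloudTrail service principal put objects without that condition. The two bucket policies are constructed samples, and `ORG_ID` and the bucket name are placeholders.

```python
"""Audit an S3 bucket policy for CloudTrail write grants that lack the
aws:SourceOrgID condition. Added example, not Control Tower's own policy."""
import fnmatch
import json

ORG_ID = "o-exampleorgid"                                   # placeholder org ID
BUCKET_ARN = "arn:aws:s3:::aws-controltower-logs-EXAMPLE"   # placeholder bucket
CLOUDTRAIL = "cloudtrail.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_cloudtrail_write(statement):
    """True for Allow statements that let CloudTrail (or anyone) put objects."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal", {})
    if principal == "*":
        reachable = True
    elif isinstance(principal, dict):
        reachable = (CLOUDTRAIL in _as_list(principal.get("Service"))
                     or "*" in _as_list(principal.get("AWS")))
    else:
        reachable = False
    # Action wildcards ("s3:Put*", "s3:*", "*") are case-insensitive globs.
    writes = any(fnmatch.fnmatchcase("s3:putobject", pattern.lower())
                 for pattern in _as_list(statement.get("Action")))
    return reachable and writes


def _scoped_to_org(statement, org_id):
    """True if the statement requires StringEquals aws:SourceOrgID == org_id."""
    for operator, keys in statement.get("Condition", {}).items():
        if operator != "StringEquals":
            continue
        for key, value in keys.items():
            if key.lower() == "aws:sourceorgid" and org_id in _as_list(value):
                return True
    return False


def find_unscoped_cloudtrail_writes(policy_json, org_id=ORG_ID):
    """Return Sids of statements granting CloudTrail write access without an
    aws:SourceOrgID condition for org_id; an empty list means every CloudTrail
    write grant is limited to trails of accounts in that organization."""
    policy = json.loads(policy_json)
    return [stmt.get("Sid", "<no Sid>")
            for stmt in _as_list(policy.get("Statement"))
            if _grants_cloudtrail_write(stmt) and not _scoped_to_org(stmt, org_id)]


def _sample_policy(write_condition):
    """Constructed sample bucket policy with the given write-statement condition."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "AWSCloudTrailAclCheck", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL},
             "Action": "s3:GetBucketAcl", "Resource": BUCKET_ARN},
            {"Sid": "AWSCloudTrailWrite", "Effect": "Allow",
             "Principal": {"Service": CLOUDTRAIL},
             "Action": "s3:PutObject", "Resource": BUCKET_ARN + "/*",
             "Condition": write_condition},
        ],
    })


# Weak: the write grant is not tied to your organization, so a trail in an
# outside account that targets this bucket name is not blocked by the policy.
WEAK_POLICY = _sample_policy(
    {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}})
# Hardened: writes are accepted only on behalf of accounts inside ORG_ID.
HARDENED_POLICY = _sample_policy(
    {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control",
                      "aws:SourceOrgID": ORG_ID}})

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "unscoped CloudTrail writes:", find_unscoped_cloudtrail_writes(policy))
```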

For more information about the roles and resources available in the log archive account, see [Log archive account resources](shared-account-resources.md#log-archive-resources).

**Note**  
These logs cannot be changed. All logs are stored for the purposes of audit and compliance investigations related to account activity.

## Audit account
<a name="audit-account"></a>

This shared account is set up automatically when you create your landing zone, if you do not specifically bring another account. 

The audit account should be restricted to security and compliance teams with auditor (read-only) and administrator (full-access) cross-account roles to all accounts in the landing zone. These roles are intended to be used by security and compliance teams to:
+ Perform audits through AWS mechanisms, such as hosting custom AWS Config rule Lambda functions.
+ Perform automated security operations, such as remediation actions.

The audit account also receives notifications through Amazon Simple Notification Service (Amazon SNS). Three categories of notification can be received:
+ **All Configuration Events** – This topic aggregates all CloudTrail and AWS Config notifications from all accounts in your landing zone.
+ **Aggregate Security Notifications** – This topic aggregates all security notifications from specific CloudWatch events, AWS Config Rules compliance status change events, and GuardDuty findings.
+ **Drift Notifications** – This topic aggregates all the drift warnings discovered across all accounts, users, OUs, and SCPs in your landing zone. For more information on drift, see [Detect and resolve drift in AWS Control Tower](drift.md).

Audit notifications that are triggered within a member account also can send alerts to a local Amazon SNS topic. This functionality allows account administrators to subscribe to audit notifications that are specific to an individual member account. As a result, administrators can resolve issues that affect an individual account, while still aggregating all account notifications to your centralized audit account. For more information, see [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/).

For more information about the roles and resources available in the audit account, see [Audit account resources](shared-account-resources.md#audit-account-resources).

For more information about programmatic auditing, see [Programmatic roles and trust relationships for the AWS Control Tower audit account](https://docs.aws.amazon.com//controltower/latest/userguide/roles-how.html#stacksets-and-roles).

**Important**  
The email address you provide for the audit account receives **AWS Notification - Subscription Confirmation** emails from every AWS Region supported by AWS Control Tower. To receive compliance emails in your audit account, you must choose the **Confirm subscription** link within each email from each AWS Region supported by AWS Control Tower. 

# Resources created in the shared accounts
<a name="shared-account-resources"></a>

This section shows the resources that AWS Control Tower creates in the shared accounts, when you set up your landing zone.

For information about member account resources, see [Resource Considerations for Account Factory](account-factory-considerations.md).

## Management account resources
<a name="mgmt-account-resouces"></a>

When you set up your landing zone, the following AWS resources are created within your management account.


| AWS service | Resource type | Resource name |
| --- | --- | --- |
| AWS Organizations | Accounts | audit<br>log archive |
| AWS Organizations | OUs | Security<br>Sandbox |
| AWS Organizations | Service Control Policies | aws-guardrails-\* |
| AWS CloudFormation | Stacks | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER<br>AWSControlTowerBP-BASELINE-CONFIG-MASTER (in version 2.6 and later) |
| AWS CloudFormation | StackSets | AWSControlTowerBP-BASELINE-CLOUDTRAIL (not deployed in 3.0 and later)<br>AWSControlTowerBP_BASELINE_SERVICE_LINKED_ROLE (deployed in 3.2 and later)<br>AWSControlTowerBP-BASELINE-CLOUDWATCH<br>AWSControlTowerBP-BASELINE-CONFIG<br>AWSControlTowerBP-BASELINE-ROLES<br>AWSControlTowerBP-BASELINE-SERVICE-ROLES<br>AWSControlTowerBP-SECURITY-TOPICS<br>AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED<br>AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED<br>AWSControlTowerLoggingResources<br>AWSControlTowerSecurityResources<br>AWSControlTowerExecutionRole |
| AWS Service Catalog | Product | AWS Control Tower Account Factory |
| AWS Config | Aggregator | aws-controltower-ConfigAggregatorForOrganizations |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Logs | aws-controltower/CloudTrailLogs |
| AWS Identity and Access Management | Roles | AWSControlTowerAdmin<br>AWSControlTowerStackSetRole<br>AWSControlTowerCloudTrailRolePolicy |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy<br>AWSControlTowerAdminPolicy<br>AWSControlTowerCloudTrailRolePolicy<br>AWSControlTowerStackSetRolePolicy |
| AWS IAM Identity Center | Directory groups | AWSAccountFactory<br>AWSAuditAccountAdmins<br>AWSControlTowerAdmins<br>AWSLogArchiveAdmins<br>AWSLogArchiveViewers<br>AWSSecurityAuditors<br>AWSSecurityAuditPowerUsers<br>AWSServiceCatalogAdmins |
| AWS IAM Identity Center | Permission Sets | AWSAdministratorAccess<br>AWSPowerUserAccess<br>AWSServiceCatalogAdminFullAccess<br>AWSServiceCatalogEndUserAccess<br>AWSReadOnlyAccess<br>AWSOrganizationsFullAccess |

**Note**  
The CloudFormation StackSet `BP_BASELINE_CLOUDTRAIL` is not deployed in landing zone versions 3.0 or later. However, it continues to exist in earlier versions of the landing zone, until you update your landing zone.

## Log archive account resources
<a name="log-archive-resources"></a>

When you set up your landing zone, the following AWS resources are created within your log archive account.


| AWS service | Resource type | Resource name |
| --- | --- | --- |
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-<br>StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br>StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later)<br>StackSet-AWSControlTowerBP-BASELINE-ROLES-<br>StackSet-AWSControlTowerLoggingResources- |
| AWS Config | AWS Config Rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED<br>AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trails | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Event Rules | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br>aws-controltower-CloudWatchLogsRole<br>aws-controltower-ConfigRecorderRole<br>aws-controltower-ForwardSnsNotificationRole<br>aws-controltower-ReadOnlyExecutionRole<br>AWSControlTowerExecution |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topics | aws-controltower-SecurityNotifications |
| AWS Lambda | Applications | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-\* |
| AWS Lambda | Functions | aws-controltower-NotificationForwarder |
| Amazon Simple Storage Service | Buckets | aws-controltower-logs-\*<br>aws-controltower-s3-access-logs-\* |

## Audit account resources
<a name="audit-account-resources"></a>

When you set up your landing zone, the following AWS resources are created within your audit account.


| AWS service | Resource type | Resource name |
| --- | --- | --- |
| AWS CloudFormation | Stacks | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-<br>StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-<br>StackSet-AWSControlTowerBP-BASELINE-CONFIG-<br>StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-<br>StackSet-AWSControlTowerBP-BASELINE-SERVICE-LINKED-ROLE- (in 3.2 and later)<br>StackSet-AWSControlTowerBP-SECURITY-TOPICS-<br>StackSet-AWSControlTowerBP-BASELINE-ROLES-<br>StackSet-AWSControlTowerSecurityResources-\* |
| AWS Config | Aggregator | aws-controltower-GuardrailsComplianceAggregator |
| AWS Config | AWS Config Rules | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED<br>AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED |
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail |
| Amazon CloudWatch | CloudWatch Event Rules | aws-controltower-ConfigComplianceChangeEventRule |
| Amazon CloudWatch | CloudWatch Logs | /aws/lambda/aws-controltower-NotificationForwarder |
| AWS Identity and Access Management | Roles | aws-controltower-AdministratorExecutionRole<br>aws-controltower-CloudWatchLogsRole<br>aws-controltower-ConfigRecorderRole<br>aws-controltower-ForwardSnsNotificationRole<br>aws-controltower-ReadOnlyExecutionRole<br>aws-controltower-AuditAdministratorRole<br>aws-controltower-AuditReadOnlyRole<br>AWSControlTowerExecution |
| AWS Identity and Access Management | Policies | AWSControlTowerServiceRolePolicy |
| Amazon Simple Notification Service | Topics | aws-controltower-AggregateSecurityNotifications<br>aws-controltower-AllConfigNotifications<br>aws-controltower-SecurityNotifications |
| AWS Lambda | Functions | aws-controltower-NotificationForwarder |
| AWS Lambda | Functions | aws-controltower-NotificationForwarder | 

# About member accounts
<a name="member-accounts"></a>

Member accounts are the accounts through which your users perform their AWS workloads. AWS Control Tower member accounts can be created and customized by various methods, including automated methods. In some cases, you can bring existing AWS accounts into AWS Control Tower. When member accounts are created or enrolled, they must exist inside an organizational unit (OU) that was created in the AWS Control Tower console, or registered with AWS Control Tower. For more information, see these related topics:
+ [Methods of provisioning](https://docs.aws.amazon.com//controltower/latest/userguide/methods-of-provisioning.html)
+ [Provision and manage accounts with Account Factory](account-factory.md)
+ [Automate tasks in AWS Control Tower](automating-tasks.md)
+ [Move and enroll accounts with auto-enrollment](account-auto-enrollment.md)
+ [Provision accounts with AWS Control Tower Account Factory for Terraform (AFT)](taf-account-provisioning.md)
+ [AWS Organizations Terminology and Concepts](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_getting-started_concepts.html) in the *AWS Organizations User Guide*.

**Accounts and controls**  
Member accounts can be *enrolled* in AWS Control Tower, or they can be *unenrolled*. Controls apply differently to enrolled and unenrolled accounts, and controls may apply to accounts in nested OUs based on inheritance.

For information about member account resources that AWS Control Tower allocates, see [Resource Considerations for Account Factory](account-factory-considerations.md).

# Interact with AWS Control Tower accounts from AWS Service Catalog
<a name="handle-accounts-with-service-catalog"></a>

This section describes how to manage your AWS Control Tower accounts with the capabilities of AWS Service Catalog.

**Topics**
+ [Provision accounts in the Service Catalog console, with Account Factory](provision-as-end-user.md)
+ [Automate Account Provisioning in AWS Control Tower by Service Catalog APIs](automated-provisioning-walkthrough.md)
+ [Update the provisioned product in Service Catalog](update-provisioned-product.md)
+ [Unenroll an account in Service Catalog](unenroll-with-sc.md)

# Provision accounts in the Service Catalog console, with Account Factory
<a name="provision-as-end-user"></a>

The following procedure describes how to create and provision accounts as a user in IAM Identity Center through AWS Service Catalog. This procedure also is referred to as *advanced account provisioning*, or *manual account provisioning*. Optionally, you may be able to provision AWS Control Tower accounts programmatically, with the AWS CLI, with Service Catalog APIs, or with AWS Control Tower Account Factory for Terraform (AFT). You may be able to provision customized accounts in the console if you've previously set up custom blueprints. For more information about customization, see [Customize accounts with Account Factory Customization (AFC)](af-customization-page.md).

**Note**  
If you have disabled IAM Identity Center in your landing zone settings, the SSO user parameters (`SSOUserEmail`, `SSOUserFirstName`, and `SSOUserLastName`) are not used during account provisioning. If desired, you can provide placeholder values for these required parameters and modify them later by following the instructions in [Update the provisioned product in Service Catalog](update-provisioned-product.md).

**To provision accounts individually in Account Factory, as a user**

1. Sign in from your user portal URL.

1. From **Your applications**, choose **AWS Account**.

1. From the list of accounts, choose the account ID for your management account. This ID may also have a label, for example, **(Management)**. 

1. From **AWSServiceCatalogEndUserAccess**, choose **Management console**. This opens the AWS Management Console for this user in this account.

1. Ensure that you've selected the correct AWS Region for provisioning accounts, which should be your AWS Control Tower Region.

1. Search for and choose **Service Catalog** to open the Service Catalog console.

1. In the navigation pane, choose **Products**.

1. Select **AWS Control Tower Account Factory**, then choose the **Launch product** button. This selection starts the wizard to provision a new account.

1. Fill in the information, and keep the following in mind:
   + The **SSOUserEmail** can be a new email address, or the email address associated with an existing IAM Identity Center user. Whichever you choose, this user will have administrative access to the account you're provisioning.
   + The **AccountEmail** must be an email address that isn't already associated with an AWS account. If you used a new email address in **SSOUserEmail**, you can use that email address here.

1. Don't define **TagOptions** and don't enable **Notifications**; otherwise, the account can fail to be provisioned. When you're finished, choose **Launch product**.

1. Review your account settings, and then choose **Launch**. Don't create a resource plan; otherwise, the account will fail to be provisioned.

1. Your account is now being provisioned. It can take a few minutes to complete. You can refresh the page to update the displayed status information.
**Note**  
Up to five accounts can be provisioned at a time.

# Automate Account Provisioning in AWS Control Tower by Service Catalog APIs
<a name="automated-provisioning-walkthrough"></a>

AWS Control Tower is integrated with several other AWS services, such as AWS Service Catalog. You can use the APIs to create and provision your member accounts in AWS Control Tower, or to enroll existing member accounts.

**Note**  
If you have disabled IAM Identity Center in your landing zone settings, the SSO user parameters (`SSOUserEmail`, `SSOUserFirstName`, and `SSOUserLastName`) are not used during account provisioning. If desired, you can provide placeholder values for these required parameters and modify them later by following the instructions in [Update the provisioned product in Service Catalog](update-provisioned-product.md).

The video shows you how to provision accounts in an automated, batch fashion, by calling the AWS Service Catalog APIs. For provisioning, you'll call the [ProvisionProduct](https://docs.aws.amazon.com//servicecatalog/latest/dg/API_ProvisionProduct.html) API from the AWS Command Line Interface (AWS CLI), and you'll specify a JSON file that contains the parameters for each account you'd like to set up. The video illustrates installing and using the [AWS Cloud9](https://docs.aws.amazon.com//cloud9/latest/user-guide/welcome.html) development environment to perform this work. The CLI commands are the same if you use AWS CloudShell instead of AWS Cloud9.

**Note**  
You also can adapt this approach for automating account updates, by calling the [UpdateProvisionedProduct](https://docs.aws.amazon.com//servicecatalog/latest/dg/API_UpdateProvisionedProduct.html) API of AWS Service Catalog for each account. You can write a script to update the accounts, one by one.

As a completely different automation method, if you are familiar with Terraform, you can [provision accounts with AWS Control Tower Account Factory for Terraform (AFT)](taf-account-provisioning.md).

**Sample automation administration role**

Here is a sample template you can use to help configure your automation administration role in the management account. You would configure this role in your management account so it can perform the automation with Administrator access in the target accounts.

```
AWSTemplateFormatVersion: "2010-09-09"
Description: Configure the SampleAutoAdminRole

Resources:
  # Deployed in the management account. CloudFormation (for example, a StackSet
  # run by your automation) assumes this role, and the role may in turn assume
  # only the execution role of the same name in the target accounts.
  AdministrationRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: SampleAutoAdminRole
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
            Action:
              - sts:AssumeRole
      Path: /
      Policies:
        - PolicyName: AssumeSampleAutoAdminRole
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action:
                  - sts:AssumeRole
                # Scoped to one role name rather than "*", so this role cannot
                # assume arbitrary roles in member accounts.
                Resource:
                  - "arn:aws:iam::*:role/SampleAutomationExecutionRole"
```

**Sample automation execution role**

Here is a sample template you can use to help you set up your automation execution role. You would configure this role in the target accounts.

```
AWSTemplateFormatVersion: "2010-09-09"
Description: "Create automation execution role for creating Sample Additional Role."

Parameters:
  AdminAccountId:
    Type: "String"
    Description: "Account ID for the administrator account (typically management, security or shared services)."
  AdminRoleName:
    Type: "String"
    Description: "Role name for automation administrator access. Must match the RoleName of the administration role deployed in the management account."
    Default: "SampleAutoAdminRole"
  ExecutionRoleName:
    Type: "String"
    Description: "Role name for automation execution. Must match the role name in the administration role's AssumeRole policy."
    Default: "SampleAutomationExecutionRole"
  SessionDurationInSecs:
    Type: "Number"
    Description: "Maximum session duration in seconds."
    Default: 14400

Resources:
  # Deploy this in each target account after the administration role exists.
  # The trust policy names that single role as principal, not the whole
  # administrator account.
  ExecutionRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Ref ExecutionRoleName
      MaxSessionDuration: !Ref SessionDurationInSecs
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              AWS:
                - !Sub "arn:aws:iam::${AdminAccountId}:role/${AdminRoleName}"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      # The sample grants full administrator access in the target account;
      # scope this down to the permissions your automation actually needs.
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AdministratorAccess"
```

After configuring these roles, you call the AWS Service Catalog APIs to perform the automated tasks. The CLI commands are given in the video.

## Sample provisioning input for Service Catalog API
<a name="sample-sc-api-input"></a>

Here is a sample of the input you can give to the Service Catalog `ProvisionProduct` API if you're using the API to provision new AWS Control Tower accounts or to enroll existing member accounts:

**Note**  
To enroll an existing member account using the `ProvisionProduct` API, the `AWSControlTowerExecution` IAM role must exist on the target account before you call the API. You can use the same input parameters shown in the following example for both new account provisioning and existing account enrollment.

```
{
  "pathId": "lpv2-7n2o3nudljh4e",
  "productId": "prod-y422ydgjge2rs",
  "provisionedProductName": "Example product 1",
  "provisioningArtifactId": "pa-2mmz36cfpj2p4",
  "provisioningParameters": [
    {
      "key": "AccountEmail",
      "value": "abc@amazon.com"
    },
    {
      "key": "AccountName",
      "value": "ABC"
    },
    {
      "key": "ManagedOrganizationalUnit",
      "value": "Custom (ou-xfe5-a8hb8ml8)"
    },
    {
      "key": "SSOUserEmail",
      "value": "abc@amazon.com"
    },
    {
      "key": "SSOUserFirstName",
      "value": "John"
    },
    {
      "key": "SSOUserLastName",
      "value": "Smith"
    }
  ],
  "provisionToken": "c3c795a1-9824-4fb2-a4c2-4b1841be4068"
}
```

For more information, see the [API reference for Service Catalog](https://docs.aws.amazon.com//servicecatalog/latest/dg/API_ProvisionProduct.html).

**Note**  
Notice that the format of the input string for the value of `ManagedOrganizationalUnit` has changed from `OU_NAME` to `OU_NAME (OU_ID)`. The video that follows does not mention this change.
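The batch provisioning described in this section, together with the polling that Service Catalog performs while the AWS Control Tower account workflow runs (see the account creation steps earlier on this page), as an added Python example that is neither AWS's script nor the one in the video: it validates the `OU_NAME (OU_ID)` format before any API call, supplies placeholder SSO values when IAM Identity Center is disabled, and polls each provisioning record to completion. The product, path and artifact IDs are the placeholder values from the sample input, and `FakeServiceCatalog` is an assumed offline stand-in for `boto3.client("servicecatalog")`.

```python
"""Batch-provision Control Tower accounts via Service Catalog ProvisionProduct
and poll each record to completion. Added example, not AWS's own script."""
import re
import time
import uuid

# Placeholder IDs copied from the sample input above; replace with your own.
PRODUCT_ID = "prod-y422ydgjge2rs"
PATH_ID = "lpv2-7n2o3nudljh4e"
ARTIFACT_ID = "pa-2mmz36cfpj2p4"
# Landing zone 3.x expects "OU_NAME (OU_ID)", e.g. "Custom (ou-xfe5-a8hb8ml8)".
OU_PATTERN = re.compile(r"^.+ \(ou-[0-9a-z]{4,32}-[0-9a-z]{8,32}\)$")
SSO_PARAMS = ("SSOUserEmail", "SSOUserFirstName", "SSOUserLastName")
# Still required by the product when IAM Identity Center is disabled (see note).
SSO_PLACEHOLDERS = {"SSOUserEmail": "placeholder@example.com",
                    "SSOUserFirstName": "Placeholder", "SSOUserLastName": "User"}
TERMINAL_STATUSES = {"SUCCEEDED", "FAILED"}


def build_provision_request(spec, identity_center_enabled=True):
    """Validate one account spec and return kwargs for provision_product."""
    ou = spec["ManagedOrganizationalUnit"]
    if not OU_PATTERN.match(ou):
        raise ValueError(f"ManagedOrganizationalUnit must be 'OU_NAME (OU_ID)', got {ou!r}")
    if "@" not in spec["AccountEmail"]:
        raise ValueError(f"AccountEmail is not an email address: {spec['AccountEmail']!r}")
    params = {"AccountEmail": spec["AccountEmail"], "AccountName": spec["AccountName"],
              "ManagedOrganizationalUnit": ou}
    for key in SSO_PARAMS:  # a KeyError here means a required SSO value is missing
        params[key] = spec[key] if identity_center_enabled else spec.get(key, SSO_PLACEHOLDERS[key])
    return {
        "ProductId": PRODUCT_ID,
        "PathId": PATH_ID,
        "ProvisioningArtifactId": ARTIFACT_ID,
        "ProvisionedProductName": spec["AccountName"],
        "ProvisioningParameters": [{"Key": k, "Value": v} for k, v in params.items()],
        "ProvisionToken": str(uuid.uuid4()),  # idempotency token, unique per request
    }


def wait_for_record(client, record_id, poll_seconds=30, max_polls=120, sleep=time.sleep):
    """Poll describe_record until SUCCEEDED/FAILED, as Service Catalog itself
    polls Control Tower while the account workflow runs."""
    for _ in range(max_polls):
        detail = client.describe_record(Id=record_id)["RecordDetail"]
        if detail["Status"] in TERMINAL_STATUSES:
            return detail["Status"], detail.get("RecordErrors", [])
        sleep(poll_seconds)
    return "TIMEOUT", []


def provision_batch(client, specs, identity_center_enabled=True, sleep=time.sleep):
    """Provision accounts one at a time and return {AccountName: final status}."""
    results = {}
    for spec in specs:
        request = build_provision_request(spec, identity_center_enabled)
        record_id = client.provision_product(**request)["RecordDetail"]["RecordId"]
        results[spec["AccountName"]] = wait_for_record(client, record_id, sleep=sleep)[0]
    return results


class FakeServiceCatalog:
    """Offline stand-in for boto3.client("servicecatalog"): each record reports
    IN_PROGRESS on the first poll and SUCCEEDED on the second."""
    def __init__(self):
        self.requests, self._polls = [], {}

    def provision_product(self, **request):
        self.requests.append(request)
        record_id = f"rec-{len(self.requests)}"
        self._polls[record_id] = 0
        return {"RecordDetail": {"RecordId": record_id, "Status": "CREATED"}}

    def describe_record(self, Id):
        self._polls[Id] += 1
        status = "SUCCEEDED" if self._polls[Id] > 1 else "IN_PROGRESS"
        return {"RecordDetail": {"RecordId": Id, "Status": status}}


SAMPLE_SPECS = [  # constructed batch, one entry per account as in the JSON file
    {"AccountName": "ABC", "AccountEmail": "abc@example.com",
     "ManagedOrganizationalUnit": "Custom (ou-xfe5-a8hb8ml8)",
     "SSOUserEmail": "abc@example.com", "SSOUserFirstName": "John", "SSOUserLastName": "Smith"},
    {"AccountName": "DEF", "AccountEmail": "def@example.com",  # no SSO values supplied
     "ManagedOrganizationalUnit": "Custom (ou-xfe5-a8hb8ml8)"},
]


def run_sample():
    """Run the batch offline with Identity Center disabled, so DEF gets placeholder
    SSO values. Pass boto3.client("servicecatalog") instead to provision for real."""
    return provision_batch(FakeServiceCatalog(), SAMPLE_SPECS,
                           identity_center_enabled=False, sleep=lambda _s: None)
```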

## Video Walkthrough
<a name="automated-provisioning-video"></a>

This video (6:58) describes how to automate account deployments in AWS Control Tower. For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

[![AWS Videos](http://img.youtube.com/vi/LxxQTPdSFgw/0.jpg)](http://www.youtube.com/watch?v=LxxQTPdSFgw)


# Update the provisioned product in Service Catalog
<a name="update-provisioned-product"></a>

The following procedure guides you through how to update your account in Account Factory or move it to a new OU, by updating the account's provisioned product in Service Catalog.

**Note**  
If you have disabled IAM Identity Center in your landing zone settings, the SSO user parameters (`SSOUserEmail`, `SSOUserFirstName`, and `SSOUserLastName`) are not used during account provisioning. If desired, you can provide placeholder values for these required parameters and modify them later by following the instructions in this section.

**To update an Account Factory account or change its OU through Service Catalog**

1. Sign in to the AWS Management Console, and open the AWS Service Catalog console at [https://console.aws.amazon.com/servicecatalog/](https://console.aws.amazon.com/servicecatalog/). 
**Note**  
You must sign in as a user with permissions to provision new products in Service Catalog (for example, an IAM Identity Center user in `AWSAccountFactory` or `AWSServiceCatalogAdmins` groups).

1. In the navigation pane, choose **Provisioning**, and then choose **Provisioned products**.

1. For each member account listed, perform the following steps to update it:

   1. Select a member account. You're directed to the *Provisioned product details* page for that account.

   1. On the *Provisioned product details* page, choose the **Events** tab.

   1. Make a note of the following parameters:
      + **SSOUserEmail** (Available in provisioned product details)
      + **AccountEmail** (Available in provisioned product details)
      + **SSOUserFirstName** (Available in IAM Identity Center)
      + **SSOUserLastName** (Available in IAM Identity Center)
      + **AccountName** (Available in IAM Identity Center)

   1. From **Actions**, choose **Update**.

   1. Choose the button next to the **Version** of the product you want to update, and choose **Next**.

   1. Provide the parameter values that were mentioned previously.
      + If you want to keep the existing OU, for **ManagedOrganizationalUnit**, choose the OU that the account was already in.
      + If you want to migrate the account to a new OU, for **ManagedOrganizationalUnit**, choose the new OU for the account.

      A central cloud administrator can find this information in the AWS Control Tower console, on the **Organization** page.

   1. Choose **Next**.

   1. Review your changes, and then choose **Update**. This process can take a few minutes per account.

# Unenroll an account in Service Catalog
<a name="unenroll-with-sc"></a>

Unenrolling an account can be done in the Service Catalog console by an IAM Identity Center user in the `AWSAccountFactory` group, by terminating the provisioned product. For more information on IAM Identity Center users or groups, see [Manage users and access through AWS IAM Identity Center](https://docs.aws.amazon.com/controltower/latest/userguide/unmanage-account.html). The following procedure describes how to unenroll a member account in Service Catalog.

**To unenroll an enrolled account through Service Catalog**

1. Open the Service Catalog console in your web browser at [https://console.aws.amazon.com/servicecatalog](https://console.aws.amazon.com/servicecatalog).

1. In the left navigation pane, choose **Provisioned products list**.

1. From the list of provisioned accounts, choose the name of the account that you no longer want AWS Control Tower to manage.

1. On the **Provisioned product details** page, from the **Actions** menu, choose **Terminate**.

1. From the dialog box that appears, choose **Terminate**.
**Important**  
The word *terminate* is specific to Service Catalog. When you terminate an account in Service Catalog Account Factory, the account is not closed. This action removes the account from its OU and your landing zone.

1. When the account has been unenrolled, its status changes to **Not Enrolled**.

1. If you no longer need the account, close it. For more information about closing AWS accounts, see [Closing an account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the *AWS Billing User Guide*.

**Note**  
Wait for the account's status to show **Not enrolled**.