Account Factory is one of the most powerful features of Control Tower — it lets you provision new AWS accounts in seconds with full governance baseline applied automatically. But I’ve seen plenty of teams struggle when Account Factory stops working. You submit a new account request, the provisioning gets stuck at “UNDER_CHANGE” or fails immediately, and you’re left scratching your head. In this post, I’ll show you how to diagnose and fix Account Factory failures.

The Problem

Account Factory uses AWS Service Catalog under the hood to provision accounts via AWS Organizations. When provisioning fails, it’s usually because of one of these blockers:

Error Type                 Description
Account creation failed    Email already exists in AWS
Name validation error      Account name contains special characters
Quota exceeded             AWS Organizations account limit reached
Product version outdated   Service Catalog product needs update after Control Tower upgrade
Rate limited               Account creation rate limit (1 per 5–10 minutes)

Why Does This Happen?

  • Root email already exists as an AWS account — AWS emails are globally unique. If the email you’re using was previously used to create an account (even one that’s been closed), AWS reserves that email for 90 days. Account Factory cannot create a new account with that email.
  • Account name contains special characters or spaces — Account Factory validates the account name. Names can only contain alphanumeric characters, hyphens, and underscores. Spaces, periods, or other special characters will cause validation to fail.
  • AWS Organizations account limit reached — By default, AWS Organizations allows 10 accounts per organization. If you’ve hit this limit, you need to request a quota increase from AWS Support before creating more accounts.
  • Service Catalog product version is outdated — After a Control Tower upgrade, the Account Factory Service Catalog product version might be outdated. The product needs updating to match the new Control Tower version.
  • AWS account creation rate limit — AWS limits account creation to approximately 1 account per 5–10 minutes in rapid succession. If you’re trying to create multiple accounts too quickly, later requests will fail.

The Fix

Diagnose the specific failure and apply the appropriate fix.

Step 1: Check Active Provisioned Products

List all provisioned products in your Service Catalog:

aws servicecatalog list-provisioned-products \
  --access-level-filter Key=Account,Value=self \
  --output table

Look for any products in “UNDER_CHANGE” or “ERROR” state. If you find one, click into it in the Service Catalog console to see the provisioning error details.

Step 2: Check Organizations Account Quota

Check how many accounts your organization currently has and the limit:

aws organizations list-accounts \
  --output text | wc -l

aws service-quotas get-service-quota \
  --service-code organizations \
  --quota-code L-29A0C5DF \
  --output text

If you’re near the limit, request a quota increase in the Service Quotas console:

Service Quotas → AWS Organizations → [Account Quota] → Request quota increase

Step 3: Verify the Account Factory Product Version

In the Service Catalog console:

Service Catalog → Products → AWS Control Tower Account Factory

Check the product version. It should match your Control Tower version. If it’s outdated, you need to update it. This is usually done by Control Tower automatically during an update, but you can force a product update by manually uploading a new version from the AWS documentation templates.

Step 4: Use Email Aliases

Rather than creating new email addresses, use email aliases. Most email systems support aliases (like Gmail’s + syntax):

aws-account-prod@company.com     (original)
aws-account-prod+team1@company.com  (alias — goes to same mailbox)
aws-account-prod+team2@company.com  (alias — goes to same mailbox)

To AWS, these are three different emails. To your email system, they’re all the same mailbox. This solves the “email already exists” problem.

Step 5: Validate Account Names

Ensure the account name follows the naming convention:

  • Alphanumeric characters only
  • Hyphens and underscores allowed
  • No spaces or special characters
  • Example: prod-app-account-01 (valid) vs. Prod App Account 01 (invalid)

Step 6: Space Out Account Requests

If you’re creating multiple accounts, wait 5–10 minutes between requests. Don’t try to create 5 accounts in rapid succession. Create the first one, wait for it to complete, then create the second.
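Steps 1 through 6 can be folded into a single pre-flight check run before each Account Factory request. This is an added example, not code from the post or from AWS; it assumes AWS CLI v2 credentials for the management account, that the quota code L-29A0C5DF is the Organizations account quota (as used above), and that the live checks only run when RUN_PREFLIGHT=1 is set.

```shell
#!/bin/sh
# Added pre-flight check for Account Factory requests (example code, not AWS or Control Tower code).
# Assumes AWS CLI v2 configured against the management account; L-29A0C5DF is the
# Organizations account quota code used in the post.

# Account Factory naming rule from the post: alphanumerics, hyphens and underscores only.
validate_account_name() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Build a plus-addressed alias: unique to AWS, same mailbox for your mail system.
# make_alias_email base@example.com team1 -> base+team1@example.com
make_alias_email() {
  local_part=${1%@*}
  domain=${1#*@}
  printf '%s+%s@%s\n' "$local_part" "$2" "$domain"
}

# Succeeds when at least $3 (default 1) account slots remain below the quota.
quota_headroom_ok() {
  used=$1; quota=$2; min_free=${3:-1}
  [ $((quota - used)) -ge "$min_free" ]
}

# Live checks against the management account; needs credentials, so not run by default.
preflight() {
  name=$1; base_email=$2; tag=$3
  validate_account_name "$name" || { echo "invalid account name: $name"; return 1; }
  email=$(make_alias_email "$base_email" "$tag")
  used=$(aws organizations list-accounts --query 'length(Accounts)' --output text)
  quota=$(aws service-quotas get-service-quota --service-code organizations \
            --quota-code L-29A0C5DF --query 'Quota.Value' --output text)
  quota_headroom_ok "$used" "${quota%.*}" || { echo "quota: $used of $quota used"; return 1; }
  # A product still UNDER_CHANGE means a request is in flight: wait before submitting another.
  busy=$(aws servicecatalog list-provisioned-products \
           --access-level-filter Key=Account,Value=self \
           --query "length(ProvisionedProducts[?Status=='UNDER_CHANGE'])" --output text)
  [ "$busy" -eq 0 ] || { echo "$busy provisioned product(s) still UNDER_CHANGE"; return 1; }
  echo "ok: name=$name email=$email accounts=$used of $quota"
}

if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then preflight "$@"; fi
```

Run it as RUN_PREFLIGHT=1 sh preflight.sh prod-app-account-01 aws-account-prod@company.com team1; a non-zero exit names the blocker to fix before resubmitting.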

How to Run This

  1. Open the Service Catalog console in your management account.
  2. Go to Provisioned Products and look for any in “UNDER_CHANGE” state.
  3. Click into them and review the provisioning error message.
  4. Run the list-accounts and get-service-quota commands to check account limits.
  5. If near the limit, request a quota increase.
  6. If creating multiple accounts, wait 5–10 minutes between requests.
  7. Use email aliases to avoid “email already exists” errors.
  8. Resubmit the account request using a valid email and account name.
  9. Monitor the provisioning status — it should complete successfully.

Is This Safe?

Yes. Account Factory is built to be safe. It automatically applies the full Control Tower baseline to new accounts, including CloudTrail, AWS Config, and the landing zone guardrails. Failed provisioning attempts don’t create accounts or leave orphaned resources.

Key Takeaway

Account Factory failures are usually caused by email conflicts, invalid names, hitting account quotas, or hitting rate limits. Use email aliases, follow naming conventions, request quota increases if needed, and space out account creation requests.

Have questions or ran into a different Control Tower issue? Connect with me on LinkedIn or X.