I’ve spent countless hours helping teams troubleshoot Control Tower enrollment failures, and I’ve seen the same errors pop up again and again. You’re trying to enroll an existing AWS account into Control Tower via Account Factory, you submit the request, and it fails with a cryptic pre-check error or a mid-enrollment failure. The status shows “FAILED” but the error message doesn’t tell you much. In this post, I’ll walk through exactly what causes this and how to fix it.
The Problem
When enrolling an existing account into Control Tower, the Account Factory performs a series of pre-flight checks before and during enrollment. If any of these checks fail, the entire enrollment fails and the account remains unenrolled. The error messages you might see include:
| Error Type | Description |
|---|---|
| Pre-check failure | Config recorder or delivery channel already exists |
| Enrollment stuck | CloudTrail conflicts with Control Tower managed trail |
| Email validation error | Account email contains capital letters (known issue) |
| Account state error | Account is suspended in AWS Organizations |
| SCP conflict | Existing SCPs block Control Tower baseline actions |
Why Does This Happen?
- Pre-existing Config recorder or delivery channel — Control Tower manages AWS Config at the account level. If Config is already running, the enrollment process cannot take over management, and it fails rather than modify your existing setup.
- CloudTrail conflicts — Control Tower deploys a managed CloudTrail across the organization. If an existing trail in the account has the same name or conflicts with organizational trails, enrollment fails.
- Email format issues — AWS account emails are case-sensitive internally. Capital letters in the email address sometimes cause validation errors during enrollment (this is a known issue in certain Control Tower versions).
- Suspended or closed accounts — If the account is in any state other than “ACTIVE” in AWS Organizations, Control Tower cannot enroll it. This includes suspended accounts awaiting re-activation.
- Service Control Policies (SCPs) blocking baseline actions — If SCPs on the account or parent OU deny the IAM actions that Control Tower’s baseline policies need, enrollment fails during the CloudFormation stack deployment.
The Fix
Run the pre-enrollment checklist before attempting to enroll. This is the most reliable way to identify and remove blockers.
Step 1: Check and Remove Existing Config Recorders
First, check if a Config recorder already exists in the account (in the same region where you’re deploying Control Tower):
```bash
aws configservice describe-configuration-recorders \
  --region us-east-1
```
If a recorder exists, stop and delete it:
```bash
aws configservice stop-configuration-recorder \
  --configuration-recorder-name default \
  --region us-east-1
aws configservice delete-configuration-recorder \
  --configuration-recorder-name default \
  --region us-east-1
aws configservice delete-delivery-channel \
  --delivery-channel-name default \
  --region us-east-1
```
Step 2: Check for Conflicting CloudTrail
List all trails in the account:
```bash
aws cloudtrail describe-trails \
  --region us-east-1 \
  --output table
```
If you see a trail that conflicts with Control Tower (typically any multi-account or organization trail), delete it:
```bash
aws cloudtrail delete-trail \
  --name my-existing-trail \
  --region us-east-1
```
Step 3: Verify Account Email and Status
Confirm the account email is all lowercase and the account status is ACTIVE:
```bash
aws organizations describe-account \
  --account-id 123456789012
```
If the account is suspended, contact AWS Support to re-activate it before proceeding.
Step 4: Review SCPs
Go to the AWS Organizations console and check the parent OU for restrictive SCPs that might block Control Tower’s baseline actions. Control Tower needs permissions for CloudTrail, Config, CloudWatch Logs, and SNS. If SCPs are denying these, either adjust the policies or temporarily disable them during enrollment.
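To run Steps 1 through 3 as one read-only pass before touching anything, here is an added example (my own, not part of the original post) that flags each blocker the post describes. `evaluate_prechecks` works on plain dicts shaped like the AWS API responses, so it runs offline on the constructed sample; `collect_live` is an optional helper that fills those dicts via boto3 and assumes credentials for the target account are already configured.

```python
"""Read-only Control Tower pre-enrollment check (added example, not the post's code)."""


def evaluate_prechecks(recorders, channels, trails, account):
    """Return human-readable blockers; an empty list means the account looks clear."""
    blockers = []
    # Step 1: any existing Config recorder or delivery channel blocks enrollment
    for r in recorders.get("ConfigurationRecorders", []):
        blockers.append(f"Config recorder '{r['name']}' exists; stop and delete it")
    for c in channels.get("DeliveryChannels", []):
        blockers.append(f"Config delivery channel '{c['name']}' exists; delete it")
    # Step 2: an existing organization trail collides with the Control Tower managed trail
    for t in trails.get("trailList", []):
        if t.get("IsOrganizationTrail"):
            blockers.append(f"Trail '{t['Name']}' is an organization trail; conflicts")
    # Step 3: email must be all lowercase and the account must be ACTIVE
    acct = account.get("Account", {})
    email = acct.get("Email", "")
    if email != email.lower():
        blockers.append(f"Account email '{email}' contains uppercase letters")
    if acct.get("Status") != "ACTIVE":
        blockers.append(f"Account status is {acct.get('Status')!r}, not ACTIVE")
    return blockers


def collect_live(account_id, region="us-east-1"):
    """Fetch the four API responses with boto3 (assumes configured credentials)."""
    import boto3  # imported here so the offline path does not need boto3 installed
    cfg = boto3.client("config", region_name=region)
    ct = boto3.client("cloudtrail", region_name=region)
    org = boto3.client("organizations")
    return (cfg.describe_configuration_recorders(),
            cfg.describe_delivery_channels(),
            ct.describe_trails(),
            org.describe_account(AccountId=account_id))


# Constructed sample responses mirroring the failure modes described in the post.
SAMPLE = (
    {"ConfigurationRecorders": [{"name": "default"}]},
    {"DeliveryChannels": [{"name": "default", "s3BucketName": "my-config-bucket"}]},
    {"trailList": [{"Name": "my-existing-trail", "IsOrganizationTrail": True},
                   {"Name": "personal-trail", "IsOrganizationTrail": False}]},
    {"Account": {"Id": "123456789012", "Email": "Ops@Example.com", "Status": "ACTIVE"}},
)

if __name__ == "__main__":
    for blocker in evaluate_prechecks(*SAMPLE):
        print("BLOCKER:", blocker)
```

Swap `SAMPLE` for `collect_live("<account-id>")` to run the same evaluation against a real account.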
How to Run This
- Open the AWS Management Console in the target account (the one you want to enroll).
- Run the describe-configuration-recorders command to check for Config.
- If found, delete the recorder and delivery channel using the provided commands.
- Run describe-trails to check for conflicting CloudTrail.
- Delete any conflicting trails. Keep only personal, non-organizational trails.
- Return to Control Tower Account Factory and submit the enrollment request again.
- Monitor the enrollment status in the console — it should now complete successfully.
Is This Safe?
Yes. Deleting Config recorders and CloudTrail trails that conflict with Control Tower is safe and expected. Control Tower will deploy its own managed versions once the account is enrolled. You won’t lose any historical data — the logs already written are preserved.
Key Takeaway
Control Tower enrollment failures are almost always caused by pre-existing AWS Config recorders, CloudTrail trails, or SCP conflicts. Run the pre-enrollment checklist, clean up blockers, and re-submit. The enrollment will succeed.
Have questions or ran into a different Control Tower issue? Connect with me on LinkedIn or X.