
How to Set Up AWS Control Tower in a New Organization

A complete walkthrough for deploying AWS Control Tower, configuring your landing zone, and enrolling your first member accounts.

Intermediate ⏱ 60 min

Prerequisites

  • A dedicated management AWS account (do not use an existing account with workloads)
  • AWS Organizations not yet enabled (Control Tower will enable it)
  • An email address for the Log Archive account (e.g. aws-logs@yourdomain.com)
  • An email address for the Audit account (e.g. aws-audit@yourdomain.com)
  • IAM user or role with AdministratorAccess in the management account

AWS Control Tower is the recommended way to set up and govern a multi-account AWS environment. It automates the creation of a landing zone — a well-architected, multi-account baseline — so you don’t have to wire together Organizations, Config, CloudTrail, and IAM Identity Center by hand.

In this guide I’ll walk you through standing up Control Tower from scratch, from first launch to your first enrolled member account.

Choose Your Home Region

Control Tower operates from a single home region — this is where the CloudTrail logs, Config recordings, and audit data will live. You can extend to other regions later, but you can’t change the home region after setup.

Pick the region closest to your primary operations. For most UK/EU customers that’s eu-west-1 (Ireland) or eu-west-2 (London). For US, us-east-1 is the default.

Note: Some Control Tower features (like the Account Factory Customization pipeline) deploy CodePipeline resources in the home region, so make sure it’s a region where you plan to operate long-term.

Launch Control Tower

  1. Log into your management account as an admin user or role.
  2. Navigate to AWS Control Tower in the console (search for it).
  3. Click Set up landing zone.
  4. Review the pre-launch checks — Control Tower will warn you if Organizations, CloudTrail, or Config are already partially configured.

Configure the Landing Zone

On the configuration screen you’ll set:

Foundational OU names — Control Tower creates two OUs by default:

  • Security — for the Log Archive and Audit accounts
  • Sandbox — for your first workload accounts

You can rename Sandbox to anything (e.g. Workloads, Dev, Production). The Security OU name is fixed.

Log Archive account — Provide a unique email address. Control Tower creates a new AWS account for centralized CloudTrail and Config log storage.

Audit account — Provide a unique email address. This account receives Security Hub and GuardDuty findings aggregated from all accounts in your org.

# After setup, verify the accounts were created
aws organizations list-accounts \
  --query "Accounts[].{Name:Name,Email:Email,Status:Status}" \
  --output table

Enable AWS IAM Identity Center

Control Tower sets up IAM Identity Center (SSO) automatically in your home region. During setup, choose your identity source:

  • IAM Identity Center directory (default) — built-in directory, good for getting started
  • External IdP — connect Azure AD, Okta, etc. via SAML 2.0 or SCIM (you can change this after launch)

Review and Launch

Control Tower shows a summary of what it will create:

  • 2 new AWS accounts (Log Archive + Audit)
  • 2 OUs in Organizations
  • CloudTrail organization trail
  • AWS Config recorders in all regions
  • IAM Identity Center instance
  • ~20 preventive and detective guardrails

Click Set up landing zone. The process takes 30–60 minutes. Do not close the browser or interrupt it.

# Monitor landing zone status via CLI
aws controltower get-landing-zone \
  --landing-zone-identifier $(aws controltower list-landing-zones \
    --query "landingZones[0].arn" --output text) \
  --query "landingZone.status"

Enroll Your First Account

Once the landing zone is ready, enroll an existing AWS account (or create a new one):

  1. In Control Tower, go to Organization in the left nav.
  2. Click Enroll account (for existing accounts) or use Account Factory to create a new one.
  3. Select the target OU (e.g. Sandbox).
  4. For existing accounts: Control Tower runs pre-checks. If it flags a pre-existing Config recorder, see my post on fixing that error.

# Check enrollment: controls are enabled per OU, so once the account sits in the
# target OU it inherits every control listed here (status should be SUCCEEDED)
aws controltower list-enabled-controls \
  --target-identifier arn:aws:organizations::MGMT_ACCOUNT_ID:ou/ORG_ID/OU_ID \
  --query "enabledControls[].{Control:controlIdentifier,Status:statusSummary.status}"

Verify the Setup

After enrollment, confirm these are working:

# 1. Check the CloudTrail organization trail is active
aws cloudtrail describe-trails \
  --no-include-shadow-trails \
  --query "trailList[?IsOrganizationTrail==\`true\`].{Name:Name,S3:S3BucketName}"

# 2. Check Config is recording (describe-configuration-recorders answers for one
#    region only, so repeat it with --region for each governed region)
aws configservice describe-configuration-recorders \
  --query "ConfigurationRecorders[].{Name:name,Recording:recordingGroup.allSupported}"

# 3. List guardrails applied to your OU (the OU ARN carries the org ID, not the root ID)
aws controltower list-enabled-controls \
  --target-identifier arn:aws:organizations::MGMT_ACCOUNT_ID:ou/ORG_ID/OU_ID
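
As an added example (not part of this guide and not AWS tooling), the Python below consumes the JSON that the verification commands above produce with --output json and turns it into a single list of findings, covering every governed region rather than only the current one. The captures embedded here are constructed; the region names, control names and bucket name are placeholders you replace with your own.

```python
import json

# Constructed sample captures of the verification commands above (as produced with
# `--output json`); replace with captures from your own management account.
ACCOUNTS = json.dumps([
    {"Name": "Log Archive", "Email": "aws-logs@example.com", "Status": "ACTIVE"},
    {"Name": "Audit", "Email": "aws-audit@example.com", "Status": "ACTIVE"},
])
TRAILS = json.dumps([{"Name": "org-trail", "S3BucketName": "example-log-bucket",
                      "IsOrganizationTrail": True, "IsMultiRegionTrail": True}])
# describe-configuration-recorders answers for one region, so one capture per region
RECORDERS = {
    "eu-west-2": json.dumps([{"name": "baseline-recorder",
                              "recordingGroup": {"allSupported": True}}]),
    "eu-west-1": "[]",  # deliberately empty to show how a gap is reported
}
CONTROLS = json.dumps([  # placeholder control names, not real Control Tower identifiers
    {"controlIdentifier": "arn:aws:controltower:eu-west-2::control/EXAMPLE_CONTROL_1",
     "statusSummary": {"status": "SUCCEEDED"}},
    {"controlIdentifier": "arn:aws:controltower:eu-west-2::control/EXAMPLE_CONTROL_2",
     "statusSummary": {"status": "FAILED"}},
])


def verify_landing_zone(accounts_json, trails_json, recorders_by_region, controls_json):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # Log Archive and Audit must exist and be ACTIVE (list-accounts output)
    accounts = {a["Name"]: a for a in json.loads(accounts_json)}
    for name in ("Log Archive", "Audit"):
        if accounts.get(name, {}).get("Status") != "ACTIVE":
            findings.append(f"account '{name}' missing or not ACTIVE")
    # check 1: an organization trail that covers every region
    org_trails = [t for t in json.loads(trails_json) if t.get("IsOrganizationTrail")]
    if not any(t.get("IsMultiRegionTrail") for t in org_trails):
        findings.append("no multi-region organization trail found")
    # check 2, applied to every governed region rather than just the current one
    for region, recorders_json in sorted(recorders_by_region.items()):
        recorders = json.loads(recorders_json)
        if not any(r.get("recordingGroup", {}).get("allSupported") for r in recorders):
            findings.append(f"{region}: no Config recorder for all supported resources")
    # check 3: every enabled control should report SUCCEEDED, not FAILED or IN_PROGRESS
    for c in json.loads(controls_json):
        status = c.get("statusSummary", {}).get("status")
        if status != "SUCCEEDED":
            findings.append(f"control {c['controlIdentifier'].rsplit('/', 1)[-1]} is {status}")
    return findings
```

Calling verify_landing_zone(ACCOUNTS, TRAILS, RECORDERS, CONTROLS) on the sample captures reports the missing eu-west-1 recorder and the FAILED control; an empty list is the state you want before handing accounts to teams.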

Is This Safe?

Yes. Control Tower uses non-destructive defaults and all changes are auditable via CloudTrail. The only irreversible step is choosing the home region — that’s fixed after launch. The email addresses for Log Archive and Audit accounts must be globally unique and not already associated with an AWS account.

Key Takeaway

Control Tower handles the undifferentiated heavy lifting of multi-account governance. Start with a clean management account, pick your home region carefully, and let Control Tower deploy the baseline. From there, all new accounts can be enrolled through Account Factory rather than created manually.
