Posted On: May 16, 2022

Today, we are announcing new functionality in AWS Control Tower that gives you the flexibility to use your existing security and logging accounts, or to have AWS Control Tower create new accounts on your behalf, when setting up Control Tower or extending Control Tower governance to your existing AWS environment. The Security account is a restricted account designed to give your security and compliance teams read and write access to all accounts in your landing zone. The Logging account serves as a repository, storing logs of API activity and resource configurations from all accounts in your landing zone.

Using your existing security and logging accounts makes it easier to extend Control Tower governance into your existing AWS Organizations, or to move to AWS Control Tower from an alternate landing zone. The option to use existing accounts is displayed during the initial landing zone setup, and the setup process includes checks to ensure successful deployment. AWS Control Tower implements the necessary roles and controls on your existing accounts; it does not remove or merge any existing resources or data in these accounts.

AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.