Skip to main content

Enable Control Tower

Enabling Control Tower is the first step in getting started with Gruntwork Landing Zone. It must be completed before infrastructure as code is generated for your infrastructure-live repository.


In order to enable AWS Control Tower you will need the resources described in Prerequisites.

Enable AWS Control Tower


This Guide should take about 1hr 15min to complete, most of that time will be spent waiting on Control Tower Operations at the conclusion of the setup flow.

Start Control Tower Setup

  1. Sign in to the AWS management console with your administrator user credentials.

  2. Navigate to the AWS Control Tower console.

  3. Verify that you are working in your desired home Region.


    Your home Region is the AWS Region in which you'll run most of your workloads or store most of your data. It cannot be changed after you've set up your AWS Control Tower landing zone. For more information about how to choose a home Region, see Administrative tips for landing zone setup.

  4. Click Set up landing zone.

Review pricing and select Regions

  1. Under Region deny setting select Enabled

    1. This ensures Control Tower policies and controls are unable to be bypassed by using a non-governed region
  2. Under Select additional Regions for governance select all regions where you plan to operate.


    Region SelectionsRegion Selections

  3. Click Next to continue

Configure Organizational Units (OUs)

  1. Rename the "Additional OU" to "Pre-prod"


    Configure Organizational UnitsConfigure Organizational Units

  2. Click Next to continue.

Configure shared accounts

  1. Under Logs archive account Enter an email address and rename the Logs Archive account to Logs

  2. Under Audit account Enter an email address and rename the Audit account to Security


    Account names cannot be changed after setting up the landing zone. Ensure the accounts are named appropriately.


    Configure Shared AccountsConfigure Shared Accounts

  3. Click Next to continue

Additional configurations

  1. Ensure your settings match the screenshot below (These are the defaults)


    Additional ConfigurationAdditional Configuration

  2. Under KMS Encryption Check the box for Enable and customize encryption settings

  3. Select the KMS Key you created following the guide in prerequisites

  4. Click Next to continue

Finish Control Tower Setup


Control Tower Creation will take around an hour to complete

  1. Review your choices and check the box accepting permissions at the bottom of the screen

  2. Choose Set up landing zone.

  3. Setting up the landing zone can take up to one hour. You will see a notification like the one below with the estimated time it will take for all the resources to be created.

    Landing Zone Setup StatusLanding Zone Setup Status


    You can safely close your browser tab once you see this notice. The setup process will proceed unaffected in the background.

  4. Emails will be sent out as the accounts are being created and the Root user will be invited to sign in using the AWS IAM Identity Center and designated the Control Tower Admin. Once the invite is accepted; the Root user will be able to access 3 accounts; Root, Logs, and Security using Identity Center's Access Portal URL contained in the email invite.

    Root User's Access PortalRoot User's Access Portal

Initial Configuration

Now that Control Tower is enabled in your root account, there are a few configuration changes that need to be made to prepare for Gruntwork Landing Zone.

  1. Navigate to the AWS Control Tower Organization Dashboard

  2. Turn off the default VPC created for new accounts. Gruntwork VPCs will be created for each account using terraform.

  3. Choose Create Resources and select Create organizational unit.

  4. Create a Prod OU. Select the Root OU as the Parent OU when prompted. Each OU registration takes a couple of minutes.

  5. Choose Create Resources again and select Create account

  6. Name the account Shared and set the Organizational Unit to Prod


    The shared account is meant to house resources shared with all other accounts. Examples might include KMS Keys, AMIs, or ECR repositories.

  7. Grant your IAM Identity Center user access to the Shared account

    1. Navigate to IAM Identity Center, then click AWS accounts under Multi-account permissions in the side menu

    2. Select the Shared account from the Prod OU dropdown and click Assign users or groups

    3. Switch to the Users tab, select your management user from the list and click Next

    4. Select AdministratorAccess from the list of Permission Sets, then click Next

    5. Click Submit to finish assigning access to your user

Next Steps

Control Tower is now configured! Next you should consider: