This page is a work in progress.
If the AWS Organization for which you are setting up Control Tower/Landing Zone contains legacy accounts that you wish to enroll to be managed by Control Tower, follow the steps below:
Before deploying Customizations for Control Tower, manually create the
AWSControlTowerExecutionrole by following the Step 2 in this guide. In a Control Tower-initialized account, this role is created by AWS automatically, and is required for Control Tower to manage any account. Legacy accounts do not have it.Add the legacy account configs to
accounts.yamlin the landing-zone repo, with values forAccountNameandAccountEmailthat match current account details.