Tags: amazon-web-services, amazon-iam, aws-organizations, aws-service-catalog, aws-control-tower

AWS Control Tower: moving accounts to a new OU fails


I used to have an OU, let's call it x, with accounts prod and ss. Then I created a new OU, let's call it y.

Now I am trying to move prod and ss from OU x to OU y. However, this keeps failing. When I try to re-register OU y to see whether that would fix it, I get the following error:

Check the external resources that apply to y and its member accounts. Choose Register OU again after the external resources are repaired.

At some point I downloaded the pre-checks sheet, which has the following info:

Add the IAM user to the AWS Service Catalog portfolio before registering your OU.

I went to Service Catalog and added myself as an IAM user, yet the problem still persists. How can I fix this?


Solution

  • I was getting the same error, and in the end the reason was that I was signed in as root in the AWS management account. This was preventing the OU from being registered in Control Tower, and the corresponding accounts from being enrolled.

    I signed out as root, and when I signed in again, this time using an AWS user account with Administrator Access, I was able to register the OU correctly.

    There are other reasons why this can fail. The AWS documentation highlights the following "Common Causes for Failure of Enrollment":

    • Your IAM principal may lack the necessary permissions to provision an account. To enroll an existing account, the AWSControlTowerExecution role must be present in the account you're enrolling.
    • AWS Security Token Service (AWS STS) is disabled in your AWS account in your home region, or in any region supported by AWS Control Tower.
    • You may be signed in to an account that needs to be added to the Account Factory Portfolio in AWS Service Catalog. The account must be added before you'll have access to Account Factory so you can create or enroll an account in AWS Control Tower. If the appropriate user or role is not added to the Account Factory Portfolio, you’ll receive an error when you attempt to add an account.
    • You may be signed in as root.
    • The account you're trying to enroll may have AWS Config settings that are residual. In particular, the account must not have a configuration recorder or delivery channel, so these must be deleted through the AWS CLI before you can enroll an account.
    • If the account belongs to another OU with a management account, including another AWS Control Tower OU, you must terminate the account in its current OU before it can join another OU. Existing resources must be removed in the original OU. Otherwise, enrollment will fail.

    As I said, in my case it was the fourth reason: I was signed in as root.
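The following is an added example (not part of the original answer) that turns three of the documented causes above into a pre-enrollment checker: root sign-in, a missing AWSControlTowerExecution role, and residual AWS Config recorders or delivery channels. The check logic runs on constructed sample data; the optional live collection assumes boto3 is installed and that the session is bound to the account being enrolled (the root check properly applies to the management-account sign-in).

```python
"""Pre-enrollment checks for an account about to be enrolled in AWS Control Tower."""
import re

EXECUTION_ROLE = "AWSControlTowerExecution"  # role Control Tower assumes in the enrolled account
# Root's ARN has no user/role component, only ":root" after the account id.
ROOT_ARN = re.compile(r"^arn:aws(-[a-z]+)?:iam::\d{12}:root$")


def preenroll_findings(caller_arn, role_names, recorders, delivery_channels):
    """Return human-readable findings; an empty list means none of the three blockers was found."""
    findings = []
    if ROOT_ARN.match(caller_arn):  # cause: signed in as root
        findings.append("signed in as root; use an IAM principal with administrator access")
    if EXECUTION_ROLE not in role_names:  # cause: execution role absent in the target account
        findings.append(f"role {EXECUTION_ROLE} is missing from the account being enrolled")
    # Cause: residual AWS Config resources. Control Tower provisions its own, so any
    # pre-existing recorder or delivery channel must be deleted before enrollment.
    for rec in recorders:
        findings.append(f"residual Config recorder present: {rec['name']}")
    for ch in delivery_channels:
        findings.append(f"residual Config delivery channel present: {ch['name']}")
    return findings


def collect_live(session):
    """Gather the inputs from a boto3 session (assumed to be bound to the account being enrolled)."""
    caller_arn = session.client("sts").get_caller_identity()["Arn"]
    pages = session.client("iam").get_paginator("list_roles").paginate()
    role_names = [r["RoleName"] for page in pages for r in page["Roles"]]
    cfg = session.client("config")
    recorders = cfg.describe_configuration_recorders()["ConfigurationRecorders"]
    channels = cfg.describe_delivery_channels()["DeliveryChannels"]
    return caller_arn, role_names, recorders, channels


# Constructed sample data mirroring the failure case described in the answer.
SAMPLE = dict(
    caller_arn="arn:aws:iam::111111111111:root",
    role_names=["OrganizationAccountAccessRole"],
    recorders=[{"name": "default"}],
    delivery_channels=[{"name": "default"}],
)

if __name__ == "__main__":
    import sys
    data = SAMPLE
    if "--live" in sys.argv:
        import boto3  # only needed for a real account
        keys = ("caller_arn", "role_names", "recorders", "delivery_channels")
        data = dict(zip(keys, collect_live(boto3.Session())))
    for line in preenroll_findings(**data) or ["no blockers found"]:
        print(line)
```

Run without arguments to see the four findings for the constructed sample, or with `--live` against real credentials.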