

# Provision and manage accounts with Account Factory

**Note**  
Single-account provisioning, updating, and customization must target an organizational unit (OU) that has the AWSControlTowerBaseline enabled. If an OU does not have the AWSControlTowerBaseline enabled, you can activate account auto-enrollment, or call the ResetEnabledBaseline and ResetEnabledControl APIs on that OU's EnabledBaselines and EnabledControls, to enroll its accounts. For details about AWSControlTowerBaseline, see: [Baseline types that apply at the OU level](types-of-baselines.md#ou-baseline-types). 

 This chapter includes an overview and procedures for provisioning new member accounts in an AWS Control Tower landing zone with Account Factory. 

## Permissions for configuring and provisioning accounts

The AWS Control Tower Account Factory enables cloud administrators and users in AWS IAM Identity Center to provision accounts in your landing zone. By default, IAM Identity Center users that provision accounts must be in the `AWSAccountFactory` group or the management group. 

**Note**  
Exercise caution when working from the management account, as you would when using any account that has permissions across your organization.

The AWS Control Tower management account has a trust relationship with the `AWSControlTowerExecution` role, which allows account setup from the management account, including some automated account setup. For more information about the `AWSControlTowerExecution` role, see [Roles and accounts](https://docs.aws.amazon.com//controltower/latest/userguide/roles-how.html).

**Note**  
To enroll an existing AWS account into AWS Control Tower, that account must have the `AWSControlTowerExecution` role enabled. For more information about how to enroll an existing account, see [About enrolling existing accounts](enroll-account.md).

For more information about permissions, see [Permissions required for provisioning accounts](provision-and-manage-accounts.md#permissions).
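An existing account can only be enrolled once it carries the `AWSControlTowerExecution` role, and that role should trust nothing but the management account. The script below is an added example, not code from the AWS Control Tower documentation: it builds the trust policy in the shape the enrollment prerequisites describe (the management account root principal allowed `sts:AssumeRole`) and audits an existing role's trust policy for anything else that can assume it. The management account ID and the sample policies are constructed; the `aws iam create-role` invocation in the comment is the usual way to create the role and is mentioned as an assumption, not something this page spells out.

```python
"""Audit the trust policy of an account's AWSControlTowerExecution role before enrolling it.

Added example; not code from the AWS Control Tower documentation. It assumes the
documented shape of the role's trust relationship: the management account root
principal is allowed sts:AssumeRole, and nothing else is trusted.
"""
import json

MANAGEMENT_ACCOUNT_ID = "111111111111"  # constructed sample management account ID


def build_execution_role_trust_policy(mgmt_account_id: str) -> dict:
    """Trust policy for AWSControlTowerExecution: only the management account may assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{mgmt_account_id}:root"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM policy elements may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy: dict, mgmt_account_id: str) -> list[str]:
    """Return findings for an existing role's trust policy. An empty list means the
    management account, and only the management account, can assume the role."""
    expected = f"arn:aws:iam::{mgmt_account_id}:root"
    findings = []
    mgmt_trusted = False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any principal (*)")
            continue
        if not isinstance(principal, dict):
            continue
        for p in _as_list(principal.get("AWS")):
            if p == expected:
                mgmt_trusted = True
            else:
                findings.append(f"unexpected principal trusted: {p}")
        for svc in _as_list(principal.get("Service")):
            findings.append(f"unexpected service principal trusted: {svc}")
    if not mgmt_trusted:
        findings.append(f"management account {mgmt_account_id} is not trusted")
    return findings


if __name__ == "__main__":
    # Assumed usage (not from this page): save this document as trust.json in the account
    # to enroll, run `aws iam create-role --role-name AWSControlTowerExecution
    # --assume-role-policy-document file://trust.json`, then attach the AdministratorAccess
    # managed policy as the enrollment prerequisites require.
    print(json.dumps(build_execution_role_trust_policy(MANAGEMENT_ACCOUNT_ID), indent=2))
```

Run `audit_trust_policy` against the output of `aws iam get-role --role-name AWSControlTowerExecution` (the `AssumeRolePolicyDocument` field) in the account you intend to enroll; any finding other than an empty list means the role either will not let Control Tower in or lets someone else in as well.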

## Considerations for managing accounts in Account Factory

 You can update, unenroll, and close accounts that you create and provision through Account Factory. You can recycle accounts by updating the user parameters in the accounts that you want to repurpose. You can also change an account's organizational unit (OU). 

**Note**  
 When updating a provisioned product that's associated with an account that Account Factory vends, if you specify a new user email address for AWS IAM Identity Center, AWS Control Tower creates a new user in IAM Identity Center. The previously created IAM Identity Center user isn't removed. For information about removing the previous IAM Identity Center user from IAM Identity Center, see [Disabling a User](https://docs.aws.amazon.com//singlesignon/latest/userguide/disableuser.html). 

# Update and move accounts with AWS Control Tower

The easiest way to update an enrolled account is through the AWS Control Tower console. Individual account updates are useful for resolving drift, such as [Moved member account](governance-drift.md#drift-account-moved). Account updates also are required as part of a full landing zone update.

## Update the account in the console


**To update an account in the AWS Control Tower console**

1. When signed in to AWS Control Tower, navigate to the **Organization** page.

1. In the list of OUs and accounts, select the name of the account you wish to update. Accounts that are available for updating show a status of **Update available**.

1. Next you'll see the **Account details** page for your selected account.

1. In the upper right, choose **Update account**.

If you move an account from one organizational unit (OU) to another, remember that the controls applied by the new OU may differ from the controls in the former OU. Be sure that the controls in the new OU meet your policy requirements for the account.

AWS Control Tower accounts are modified differently, depending on whether you have opted-in for auto-enrollment of accounts, or not. For more information about auto-enrollment, see [Optionally configure auto-enrollment for accounts](configure-auto-enroll.md).

**Control behavior when accounts are moved between OUs, with auto-enroll enabled**

When you move an account into a new OU, AWS Control Tower applies the OU's enabled baselines and controls to the account. Controls and baselines from the previous OU are removed. If you move an account outside an OU that's registered, AWS Control Tower removes all deployed baselines and controls. 

**Control behavior when accounts are moved between OUs, without auto-enroll**

When you move an account between OUs, the controls for the destination OU are applied to the account. However, the controls that applied to the account from the former OU are not removed. The exact behavior of the controls is specific to the implementation of the controls that are active on the former OU and the destination OU.
+ *For controls implemented with AWS Config rules:* The controls from the previous OU are not removed. These controls must be removed manually.
+ *For controls implemented with SCPs:* The SCP-based controls from the previous OU are removed. The SCP-based controls for the destination OU go into effect on this account. 
+ *For controls implemented with CloudFormation hooks:* This behavior depends on the status of controls in the new OU.
  + *If the destination OU has no hook-based controls active:* The old controls remain active for the moved account, unless you remove them manually.
  + *If the destination OU has hook controls active:* The old controls are removed and the controls in the destination OU are applied to the account.
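The per-implementation rules above decide which controls an account keeps after a move without auto-enroll, and therefore what you must clean up by hand. The following added example (not code from the AWS Control Tower documentation) encodes those rules so you can compute the post-move state and the manual-removal list from an inventory of the two OUs' controls before you move the account. The OU inventories and the `config`/`scp`/`hook` classification of each control are constructed samples; whether a given control in your landing zone is Config-rule-, SCP- or hook-based is something you take from its control reference entry.

```python
"""Predict which controls remain on an account after it moves between registered OUs.

Added example; not code from the AWS Control Tower documentation. It encodes the
behaviour described in the text for the three control implementations (AWS Config
rules, SCPs, CloudFormation hooks). Control names and OU inventories are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    name: str
    kind: str  # "config", "scp" or "hook" (assumed classification per control)


def controls_after_move(source, destination, auto_enroll):
    """Return (effective, manual_removal): the controls in force on the account after
    the move, and the subset AWS Control Tower will not remove for you."""
    if auto_enroll:
        # With auto-enroll, the former OU's controls are removed and the new OU's applied.
        return set(destination), set()
    effective = set(destination)
    manual_removal = set()
    destination_has_hooks = any(c.kind == "hook" for c in destination)
    for control in source:
        if control in destination:
            continue  # same control on both OUs: nothing changes for the account
        if control.kind == "config":
            # Config-rule controls from the former OU stay until removed manually.
            effective.add(control)
            manual_removal.add(control)
        elif control.kind == "hook" and not destination_has_hooks:
            # Hook controls linger only when the destination has no hook controls of its own.
            effective.add(control)
            manual_removal.add(control)
        # kind == "scp": the former OU's SCP no longer applies once the account leaves it.
    return effective, manual_removal


# Constructed sample inventories (names follow the Control Tower control ID style).
SANDBOX_OU = {
    Control("AWS-GR_ENCRYPTED_VOLUMES", "config"),
    Control("AWS-GR_RESTRICT_ROOT_USER", "scp"),
    Control("CT.EC2.PR.8", "hook"),
}
PROD_OU = {
    Control("AWS-GR_RDS_STORAGE_ENCRYPTED", "config"),
    Control("AWS-GR_RESTRICT_ROOT_USER", "scp"),
    Control("AWS-GR_REGION_DENY", "scp"),
}

if __name__ == "__main__":
    effective, leftovers = controls_after_move(SANDBOX_OU, PROD_OU, auto_enroll=False)
    for c in sorted(leftovers, key=lambda c: c.name):
        print(f"remove manually after move: {c.name} ({c.kind})")
```

For the sample, moving an account from the sandbox OU to the production OU leaves the Config-rule control and the hook control behind (the production OU has no hook controls), while the sandbox SCP drops off on its own; those two leftovers are the ones to delete from the account after the move.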

# Change email address of an enrolled account


 To change the email address of an enrolled member account in AWS Control Tower, follow the procedure in this section. 

**Note**  
 The following procedure doesn't allow you to change the email address of a **management account**, **log archive account**, or **audit account**. For more information about that, see [How do I change the email address associated with my AWS account?](https://aws.amazon.com//premiumsupport/knowledge-center/change-email-address/) or contact AWS Support. 

**To change the email address of an account that AWS Control Tower creates**

1.  Recover the root user password for the account. You can follow the steps in the article [How do I recover a lost or forgotten AWS password?](https://aws.amazon.com//premiumsupport/knowledge-center/recover-aws-password/) 

1.  Sign in to the account with the root user password. 

1.  Change the email address as you would for any other AWS account, and wait for the change to reflect in AWS Organizations. You might experience a delay while the email address change finishes updating. 

1.  Update the provisioned product in Service Catalog using the email address that previously belonged to the account. The process for updating the provisioned product includes associating the new email address with the provisioned product. This way the email address change takes effect in AWS Control Tower. Use the new email address for updates to subsequently provisioned products. 

To change the password or email address of a member account that you created with AWS Organizations, see [Accessing a member account as the root user](https://docs.aws.amazon.com//organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_access-as-root) in the *AWS Organizations User Guide*. 

Alternatively, you can update the email address for an Account Factory or other member account from the AWS Organizations console without logging in as the root user. For more information, see [Updating the root user email address for a member account with AWS Organizations](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_update_primary_email.html) in the *AWS Organizations User Guide*.

# Change the name of an enrolled account


Follow the procedure in this section to change the name of an enrolled AWS Control Tower account.

**Note**  
To change the name of an AWS *administrator* account, you must have admin permissions and be logged in as the account's root user. 

**To change the name of an account created by AWS Control Tower, by using AWS Organizations console or APIs**
+ Follow the [instructions available](https://docs.aws.amazon.com//accounts/latest/reference/manage-acct-update-acct-name.html#update-account-name-orgs) in the *AWS Account Management Reference Guide*.

**Alternative method to change the name of an account created by AWS Control Tower**

1. Recover the root password for the account. You can follow the steps outlined in this article, [How do I recover a lost or forgotten AWS password?](https://aws.amazon.com//premiumsupport/knowledge-center/recover-aws-password/)

1. Sign in to the account with the root password.

1. In the AWS Billing console, navigate to the **Account settings** page.

1. Change the name in **Account settings**, as you would for any other AWS account.

1. AWS Control Tower automatically updates itself to reflect the name change. This update will not be reflected in the provisioned product in AWS Service Catalog.

# Configure Account Factory with Amazon Virtual Private Cloud settings

Account Factory allows you to create pre-approved baselines and configuration options for accounts in your organization. You can configure and provision new accounts through AWS Service Catalog.

On the Account Factory page, you can see a list of organizational units (OUs) and their **allow list** status. By default, all OUs are on the allow list, which means that accounts can be provisioned under them. You can disable certain OUs for account provisioning through AWS Service Catalog.

You can view the Amazon VPC configuration options available to your end users when they provision new accounts. 

**To configure Amazon VPC settings in Account Factory**

1. As a central cloud administrator, sign into the AWS Control Tower console with administrator permissions in the management account.

1. From the left side of the dashboard, select **Account Factory** to navigate to the Account Factory network configuration page. There you can see the default network settings displayed. To edit, select **Edit** and view the editable version of your Account Factory network configuration settings. 

1. You can modify each field of the default settings as needed. Choose the VPC configuration options you'd like to establish for all new Account Factory accounts that your end users may create, and enter your settings into the fields. 
+ Choose **disabled** or **enabled** to create a public subnet in Amazon VPC. By default, the internet-accessible subnet is disallowed.
**Note**  
If you set the account factory VPC configuration so that public subnets are **enabled** when provisioning a new account, account factory configures Amazon VPC to create a [NAT Gateway](https://docs.aws.amazon.com//vpc/latest/userguide/vpc-nat-gateway.html). You will be billed for your usage by Amazon VPC. See [VPC Pricing](https://aws.amazon.com//vpc/pricing/) for more information. 
+ Choose the maximum number of private subnets in Amazon VPC from the list. By default, 1 is selected. The maximum number of private subnets allowed is 2 per availability zone.
+  Enter the range of IP addresses for creating your account VPCs. The value must be in the form of a classless inter-domain routing (CIDR) block (for example, the default is `172.31.0.0/16`). This CIDR block provides the overall range of subnet IP addresses for the VPC that Account Factory creates for your account. Within your VPC, subnets are assigned automatically from the range you specify, and they are equal in size. By default, subnets within your VPC do not overlap. However, subnet IP address ranges in the VPCs of all your provisioned accounts could overlap.
+ Choose a region or all the regions for creating a VPC when an account is provisioned. By default all available regions are selected.
+ From the list, choose the number of Availability Zones to configure subnets for in each VPC. The default and recommended number is 3.
+ Choose **Save**.

 You can set up these configuration options to create new accounts that don't include a VPC. See the [walkthrough](https://docs.aws.amazon.com//controltower/latest/userguide/configure-without-vpc.html).
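The CIDR, Availability Zone count and private-subnet count you enter above determine the size of every subnet Account Factory creates, and because every account gets the same CIDR by default, the VPCs of provisioned accounts overlap with each other. The added example below (not code from the AWS Control Tower documentation) carves equal-size subnets from a CIDR using Python's standard `ipaddress` module, enforcing the two-private-subnets-per-AZ limit and the /28 minimum subnet size, and flags account pairs whose VPC ranges overlap. The allocation order of subnets to AZs is an assumption for illustration; the account names and CIDRs are constructed.

```python
"""Plan Account Factory VPC subnets and check VPC CIDR overlap across accounts.

Added example; not code from the AWS Control Tower documentation. It assumes the
carving the page describes: equal-size subnets from the VPC CIDR, one set per
Availability Zone, optionally with a public subnet per AZ. The block order
Account Factory actually uses is not specified here, so the addresses are illustrative.
"""
import ipaddress
from itertools import combinations


def plan_subnets(vpc_cidr, az_count, private_per_az, public_subnet=False):
    """Return {"az1": {"private": [...], "public": "..."}, ...} for the given settings."""
    if not 1 <= private_per_az <= 2:
        raise ValueError("Account Factory allows at most 2 private subnets per AZ")
    vpc = ipaddress.ip_network(vpc_cidr)
    per_az = private_per_az + (1 if public_subnet else 0)
    total = az_count * per_az
    # Equal-size subnets: round the count up to a power of two to get the prefix length.
    new_prefix = vpc.prefixlen + (total - 1).bit_length()
    if new_prefix > 28:  # AWS subnets must be between /16 and /28
        raise ValueError(f"{total} subnets of {vpc_cidr} would be smaller than the /28 minimum")
    blocks = iter(vpc.subnets(new_prefix=new_prefix))
    plan = {}
    for az in range(az_count):
        entry = {"private": [str(next(blocks)) for _ in range(private_per_az)]}
        if public_subnet:
            entry["public"] = str(next(blocks))
        plan[f"az{az + 1}"] = entry
    return plan


def find_overlaps(account_vpcs):
    """account_vpcs: {account name: VPC CIDR}. Returns the account pairs whose VPCs overlap,
    which matters as soon as you want to peer them or attach them to a transit gateway."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in account_vpcs.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b]))


# Constructed sample: two accounts provisioned with the default CIDR, one with a unique range.
ACCOUNT_VPCS = {"dev-a": "172.31.0.0/16", "dev-b": "172.31.0.0/16", "prod": "10.20.0.0/16"}

if __name__ == "__main__":
    for az, entry in plan_subnets("172.31.0.0/16", 3, 2, public_subnet=True).items():
        print(az, entry)
    print("overlapping VPCs:", find_overlaps(ACCOUNT_VPCS))
```

With the defaults (one private subnet, three AZs, no public subnet) the /16 is split into /18 blocks; enabling the public subnet and two private subnets per AZ needs nine subnets and drops to /20. Small CIDRs fail early rather than producing subnets AWS would reject.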

# Unenroll an account

If you created an account in Account Factory or enrolled an AWS account, and you no longer want the account to be managed by AWS Control Tower in a landing zone, you can *unenroll* the account from the AWS Control Tower console. 

When you unenroll an AWS Control Tower account, all resources provisioned by AWS Control Tower are removed, including any controls and blueprints. The account is moved out of any AWS Control Tower OU and into the **Root** area. The account is no longer part of a registered OU, and it is no longer subject to AWS Control Tower SCPs. You can close the account through AWS Organizations.

**To unenroll an enrolled account from the AWS Control Tower console**

1. Open the AWS Control Tower console in your web browser at [https://console.aws.amazon.com/controltower](https://console.aws.amazon.com/controltower)

1. In the left navigation pane, choose **Organization**.

1. In the **Organization** page, expand the OU that contains the account by selecting the expand button next to the OU.

1. Select the account and then choose **Unmanage**.

**Note**  
Wait for the account's status to show **Not enrolled**.

If you no longer need the account, close it. For more information about closing AWS accounts, see [Closing an account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the *AWS Billing User Guide*.

**Unenroll an account when auto-enroll is active**  
If the auto-enroll capability is active in your **Settings** page, you also can unenroll an account by moving it into an OU that is not registered in AWS Control Tower. All AWS Control Tower resources are removed. Be careful not to unenroll an account accidentally in this manner. However, you can re-enroll the account by returning it to the OU.

When you unenroll a customized account, AWS Control Tower removes the resources that the landing zone has deployed, as well as any other resources that AWS Control Tower created within the account. AWS Control Tower also removes the **AWSControlTowerExecution** role, even if it was added manually. Removing this role aligns with the principle of least privilege, because a service execution role should not stay in an unmanaged account.

After you unenroll the account, you can close the account through AWS Organizations.

**Note**  
An unenrolled account is not closed or deleted. When the account has been unenrolled, the IAM Identity Center user that you selected when you created the account in Account Factory still has administrative access to the account. If you do not want this user to have administrative access, you must change this setting in IAM Identity Center by updating the account in Account Factory and changing the IAM Identity Center user email address for the account. For more information, see [Update and move accounts with AWS Control Tower](updating-account-factory-accounts.md).

## Video walkthrough


This video (3:25) describes how to remove an account from AWS Control Tower, gain root access to the account, and finally close the AWS account. You also can close an account with [an AWS Organizations API](https://docs.aws.amazon.com//controltower/latest/userguide/delete-account.html). For better viewing, select the icon at the lower right corner of the video to enlarge it to full screen. Captioning is available.

[![AWS Videos](http://img.youtube.com/vi/n3eALEKZaHc/0.jpg)](http://www.youtube.com/watch?v=n3eALEKZaHc)


You can view a list of AWS [YouTube videos](https://www.youtube.com/playlist?list=PLhr1KZpdzukdS9skEXbY0z67F-wrcpbjm) that explain common tasks in AWS Control Tower.

# Close an account created in Account Factory

Accounts created in Account Factory are AWS accounts. For information about closing AWS accounts, see [Closing an account](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/close-account.html) in the *AWS Billing User Guide* and [Closing an account](https://docs.aws.amazon.com//accounts/latest/reference/manage-acct-closing.html) in the *AWS Account Management Reference Guide*.

**Note**  
 Closing an AWS account is not the same as unenrolling an account from AWS Control Tower—these are separate actions. You must unenroll the account before you close it.

## Close an AWS Control Tower member account through AWS Organizations


You can close your AWS Control Tower member accounts from your organization’s management account without a requirement to sign in to each member account individually with root credentials, by means of AWS Organizations. You cannot close your management account in this way, however. 

When you call the AWS Organizations [CloseAccount API](https://docs.aws.amazon.com//organizations/latest/APIReference/API_CloseAccount.html), or close an account in the AWS Organizations console, the member account is isolated for 90 days, as any AWS account would be. The account shows a **Suspended** status in AWS Control Tower and AWS Organizations. If you attempt to work with the account during that 90 days, AWS Control Tower gives an error message.

**Note**  
If an OU has suspended accounts, EnabledControl operations will fail for regional controls on the target.

Before the 90 days expire, you can restore the member account, as you can do with any AWS account. After that 90-day time, the account’s records are removed.

We recommend, as a best practice, to unenroll a member account before you close that account. If you close a member account without first unenrolling it, AWS Control Tower shows the account’s status as **Suspended**, but also as **Enrolled**. As a result, if you attempt to **Re-register** the account's OU during that 90-day time, AWS Control Tower produces an error message. The suspended account essentially blocks the re-registering actions with a pre-check failure. If you remove the account from the OU, you can **Re-register** the OU, but AWS may produce an error regarding a missing method of payment for the account. To work around this constraint, create another OU, and move the account to that OU before you try to re-register. We recommend naming this OU the **Suspended** OU.

**Note**  
If you do not unenroll the account before you close it, you must delete the account's provisioned product in AWS Service Catalog after those 90 days are finished.

For more information, see the AWS Organizations documentation about the [CloseAccount API](https://docs.aws.amazon.com//organizations/latest/APIReference/API_CloseAccount.html).
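Closing member accounts from the management account and parking the closed ones in a **Suspended** OU, as described above, is an AWS Organizations operation that can be scripted. The added example below is not code from the AWS Control Tower documentation: it uses the Organizations `CloseAccount`, `ListAccountsForParent`, `MoveAccount` and `DescribeAccount` calls through boto3's method names, refuses to close the management account, and moves every non-`ACTIVE` account out of an OU so that the OU can be re-registered. The client is injected so the logic runs offline against the constructed `FakeOrganizations` stand-in; the account and OU IDs are made up.

```python
"""Close member accounts and quarantine suspended ones into a dedicated OU.

Added example; not code from the AWS Control Tower documentation. Uses the AWS
Organizations API (CloseAccount, ListAccountsForParent, MoveAccount, DescribeAccount)
via the boto3 method names. The client is passed in, so the constructed
FakeOrganizations below lets the logic run without AWS credentials.
"""

MANAGEMENT_ACCOUNT_ID = "111111111111"   # constructed
WORKLOADS_OU = "ou-abcd-11111111"         # constructed registered OU
SUSPENDED_OU = "ou-abcd-22222222"         # constructed, unregistered "Suspended" OU


def list_accounts(org, parent_id):
    """All accounts directly under an OU, following NextToken pagination."""
    accounts, token = [], None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        resp = org.list_accounts_for_parent(**kwargs)
        accounts.extend(resp["Accounts"])
        token = resp.get("NextToken")
        if not token:
            return accounts


def close_member_account(org, account_id, management_account_id):
    """Close a member account from the management account; returns its new status."""
    if account_id == management_account_id:
        raise ValueError("the management account cannot be closed through Organizations")
    org.close_account(AccountId=account_id)
    return org.describe_account(AccountId=account_id)["Account"]["Status"]


def quarantine_suspended(org, source_ou_id, suspended_ou_id):
    """Move every account in source_ou_id whose status is not ACTIVE into suspended_ou_id,
    so that re-registering source_ou_id no longer fails its pre-check. Returns moved IDs."""
    moved = []
    for acct in list_accounts(org, source_ou_id):
        if acct["Status"] != "ACTIVE":
            org.move_account(AccountId=acct["Id"], SourceParentId=source_ou_id,
                             DestinationParentId=suspended_ou_id)
            moved.append(acct["Id"])
    return moved


class FakeOrganizations:
    """Constructed in-memory stand-in for boto3's Organizations client (2 accounts per page)."""
    def __init__(self, accounts, parents):
        self.accounts = {a["Id"]: a for a in accounts}
        self.parents = dict(parents)  # account ID -> parent OU ID

    def list_accounts_for_parent(self, ParentId, NextToken=None):
        ids = sorted(i for i, p in self.parents.items() if p == ParentId)
        start = int(NextToken or 0)
        out = {"Accounts": [self.accounts[i] for i in ids[start:start + 2]]}
        if start + 2 < len(ids):
            out["NextToken"] = str(start + 2)
        return out

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        assert self.parents[AccountId] == SourceParentId
        self.parents[AccountId] = DestinationParentId

    def close_account(self, AccountId):
        # A real account goes PENDING_CLOSURE, then SUSPENDED for the 90-day window.
        self.accounts[AccountId]["Status"] = "PENDING_CLOSURE"

    def describe_account(self, AccountId):
        return {"Account": self.accounts[AccountId]}


def sample_org():
    """Constructed organization: four members under the workloads OU, one already suspended."""
    accounts = [
        {"Id": "222222222222", "Name": "workload-a", "Status": "ACTIVE"},
        {"Id": "333333333333", "Name": "workload-b", "Status": "ACTIVE"},
        {"Id": "444444444444", "Name": "old-project", "Status": "SUSPENDED"},
        {"Id": "555555555555", "Name": "workload-c", "Status": "ACTIVE"},
    ]
    return FakeOrganizations(accounts, {a["Id"]: WORKLOADS_OU for a in accounts})


if __name__ == "__main__":
    import boto3  # real run: credentials for the management account
    print(quarantine_suspended(boto3.client("organizations"), WORKLOADS_OU, SUSPENDED_OU))
```

Run the unenroll step first, as the page recommends; this script only handles the case where accounts were closed while still enrolled. Anything that is `PENDING_CLOSURE` or `SUSPENDED` is moved, and the Service Catalog provisioned product still has to be deleted after the 90-day window.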

# Resource Considerations for Account Factory

When an account is provisioned with Account Factory, the following AWS resources are created within the account. In the stack names, *suffix* stands for the identifier that CloudFormation StackSets appends to each stack instance.


| AWS service | Resource type | Resource name | 
| --- | --- | --- | 
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*suffix* | 
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*suffix* | 
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-CONFIG-*suffix* | 
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-ROLES-*suffix* | 
| AWS CloudFormation | Stack | StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*suffix* | 
| AWS CloudTrail | Trail | aws-controltower-BaselineCloudTrail | 
| Amazon CloudWatch | CloudWatch Events rule | aws-controltower-ConfigComplianceChangeEventRule | 
| Amazon CloudWatch | CloudWatch Logs log group | aws-controltower/CloudTrailLogs | 
| Amazon CloudWatch | CloudWatch Logs log group | /aws/lambda/aws-controltower-NotificationForwarder | 
| AWS Identity and Access Management | Role | aws-controltower-AdministratorExecutionRole | 
| AWS Identity and Access Management | Role | aws-controltower-CloudWatchLogsRole | 
| AWS Identity and Access Management | Role | aws-controltower-ConfigRecorderRole | 
| AWS Identity and Access Management | Role | aws-controltower-ForwardSnsNotificationRole | 
| AWS Identity and Access Management | Role | aws-controltower-ReadOnlyExecutionRole | 
| AWS Identity and Access Management | Role | AWSControlTowerExecution | 
| AWS Identity and Access Management | Policy | AWSControlTowerServiceRolePolicy | 
| Amazon Simple Notification Service | Topic | aws-controltower-SecurityNotifications | 
| AWS Lambda | Application | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*suffix* | 
| AWS Lambda | Function | aws-controltower-NotificationForwarder | 
| Amazon EventBridge | Rule | AWSControlTowerManagedRule | 
| Amazon EventBridge | Rule | aws-controltower-ConfigComplianceChangeEventRule | 