Sunday, December 4, 2022

AWS Control Tower Enrollment

The AWSControlTowerExecution role is required in the target account so that the Control Tower management account can perform various activities there. In the above case, the item which failed was a service-linked role creation. I have reviewed AWSControlTowerExecution in my test environment for the default logging account and see it has the AdministratorAccess managed policy attached and the following trust relationship:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::< Control Tower management account ID >:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

In one of the accounts which enrolled correctly, please review the AWSControlTowerExecution role and compare it with the role in the account which failed to enroll, to confirm they are aligned and have the same permissions.

- More Information -

From the Control Tower documentation - please see resources [1] and [2].

Before you can enroll an existing AWS account into AWS Control Tower, you must give permission for AWS Control Tower to manage, or govern, the account. AWS Control Tower requires permission to establish trusted access between AWS CloudFormation and AWS Organizations on your behalf. With this trusted access, the AWSControlTowerExecution role conducts the activities required to manage each account.

To enroll an existing account, these prerequisites must be met before you can enroll the account in AWS Control Tower:

1. The AWSControlTowerExecution role must be present in the account you're enrolling.

2. We recommend that the account should not have an AWS Config configuration recorder or delivery channel. These may be deleted or modified through the AWS CLI before you can enroll an account. If you do have a Config Recorder with data which cannot be deleted you can

3. The account that you wish to enroll must exist in the same AWS Organizations organization as the AWS Control Tower management account. The account can be enrolled only into the same organization as the AWS Control Tower management account, in an OU that is already registered with AWS Control Tower.

4. Before you can enroll an existing account in AWS Control Tower, the account must have the following roles, permissions, and trust relationships in place. Otherwise, enrollment will fail.
   - Role Name: AWSControlTowerExecution
   - Role Permission: AdministratorAccess (AWS managed policy)
   - Role Trust Relationship - as above
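The comparison suggested above (does the failing account's AWSControlTowerExecution role have AdministratorAccess attached and trust exactly the management account's root principal?) can be scripted so the same check runs against every account being enrolled. The following is an added example, not code from the original post or from AWS: it takes the role's trust policy document and attached-policy list as plain Python data, which is what `aws iam get-role` and `aws iam list-attached-role-policies` (or the boto3 calls in `fetch_role_inputs`) return, and reports every deviation from the expected shape. The account IDs and the two sample roles are constructed placeholders.

```python
"""Validate an account's AWSControlTowerExecution role against the shape
AWS Control Tower expects before enrollment:
  - the AdministratorAccess AWS managed policy is attached, and
  - the trust policy lets the management account's root principal
    call sts:AssumeRole, and nobody else.

Added example (not AWS code). The sample inputs at the bottom are
constructed; the account IDs are placeholders.
"""
import json

ROLE_NAME = "AWSControlTowerExecution"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM policy JSON allows a single string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_execution_role(mgmt_account_id, trust_policy, attached_policies):
    """Return a list of findings; an empty list means the role looks correct.

    trust_policy: the AssumeRolePolicyDocument as a dict.
    attached_policies: list of dicts with a 'PolicyArn' key (the
        AttachedPolicies element of list-attached-role-policies).
    """
    findings = []
    # IAM stores a bare account ID principal as the root ARN, but accept both.
    expected = {f"arn:aws:iam::{mgmt_account_id}:root", mgmt_account_id}

    attached_arns = {p.get("PolicyArn") for p in attached_policies}
    if ADMIN_POLICY_ARN not in attached_arns:
        findings.append("AdministratorAccess managed policy is not attached")

    allows_mgmt = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        # Principal may be {"AWS": ...} or the bare string "*".
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS"))
        else:
            principals = _as_list(principal)
        for p in principals:
            if p in expected:
                allows_mgmt = True
            else:
                findings.append(f"trust policy also allows unexpected principal {p}")
    if not allows_mgmt:
        findings.append(
            f"trust policy does not allow arn:aws:iam::{mgmt_account_id}:root "
            "to assume the role"
        )
    return findings


def fetch_role_inputs(session, role_name=ROLE_NAME):
    """Pull the two inputs from a live account with a boto3 Session whose
    credentials belong to that account. Not exercised offline."""
    iam = session.client("iam")
    role = iam.get_role(RoleName=role_name)["Role"]
    attached = iam.list_attached_role_policies(RoleName=role_name)["AttachedPolicies"]
    # boto3 already URL-decodes and parses AssumeRolePolicyDocument into a dict.
    return role["AssumeRolePolicyDocument"], attached


# --- constructed sample inputs (placeholder account IDs) ---
MGMT_ACCOUNT_ID = "111111111111"

GOOD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{MGMT_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}
GOOD_ATTACHED = [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]

# A role trusting a different account and carrying only ReadOnlyAccess.
BAD_TRUST = json.loads(json.dumps(GOOD_TRUST).replace(MGMT_ACCOUNT_ID, "222222222222"))
BAD_ATTACHED = [{"PolicyName": "ReadOnlyAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}]

if __name__ == "__main__":
    for label, trust, attached in (("good", GOOD_TRUST, GOOD_ATTACHED),
                                   ("bad", BAD_TRUST, BAD_ATTACHED)):
        print(label, check_execution_role(MGMT_ACCOUNT_ID, trust, attached) or "OK")
```

Run the check in the account that enrolled correctly and in the one that failed; any finding in the failing account (or a difference between the two result lists) points at the role mismatch to fix before retrying enrollment.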