
1. How to upgrade AWS Control Tower accounts


Has your AWS Landing Zone in Control Tower been updated recently, and now you have a prompt in your Organizational Units that some OUs need updating? Personally, I found the answers that I needed for this a bit unclear - when you update an OU or Account, the documentation looks as though it will create a completely fresh account. I wanted to write this blog to show you what happens.

When you update the main landing zone, you also need to update the accounts in your OUs. You can do this quite easily by re-enrolling your OU, which will update all accounts in that organisational unit. If you have a production and a nonprod account under a single organisational unit, it might seem dangerous to re-enroll both at the same time without testing it. I found this to be daunting, so only used the OU re-enrollment process for one OU, but it's a very simple and easy upgrade with no issues.

Before re-enrolling your OU, you should check that all of your Guard Rails are in place without any issues, i.e. they're all compliant. If some aren't compliant this may cause issues when re-enrolling the OU.
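
A scripted version of this pre-check, as an added example that is not part of the original post: it reads the JSON from two AWS CLI calls and lists guardrails that are failed, drifted or non-compliant. The sample JSON is constructed, and the `AWSControlTower_` rule-name prefix and the function name are assumptions to adjust to your accounts.

```python
import json

# Constructed sample: output of `aws controltower list-enabled-controls
# --target-identifier <OU ARN>` (control identifiers are placeholders).
CONTROLS = json.loads("""{"enabledControls": [
 {"controlIdentifier": "arn:aws:controltower:eu-west-1::control/EXAMPLE_A",
  "statusSummary": {"status": "SUCCEEDED"},
  "driftStatusSummary": {"driftStatus": "IN_SYNC"}},
 {"controlIdentifier": "arn:aws:controltower:eu-west-1::control/EXAMPLE_B",
  "statusSummary": {"status": "FAILED"},
  "driftStatusSummary": {"driftStatus": "DRIFTED"}}]}""")

# Constructed sample: output of `aws configservice
# describe-compliance-by-config-rule`, run inside one member account.
COMPLIANCE = json.loads("""{"ComplianceByConfigRules": [
 {"ConfigRuleName": "AWSControlTower_EXAMPLE_RULE_1",
  "Compliance": {"ComplianceType": "COMPLIANT"}},
 {"ConfigRuleName": "AWSControlTower_EXAMPLE_RULE_2",
  "Compliance": {"ComplianceType": "NON_COMPLIANT"}},
 {"ConfigRuleName": "team-owned-rule",
  "Compliance": {"ComplianceType": "NON_COMPLIANT"}}]}""")


def reenroll_blockers(controls, compliance, rule_prefix="AWSControlTower_"):
    """Return one line per guardrail problem to fix before re-enrolling."""
    blockers = []
    for c in controls.get("enabledControls", []):
        name = c["controlIdentifier"].rsplit("/", 1)[-1]
        status = c.get("statusSummary", {}).get("status", "UNKNOWN")
        drift = c.get("driftStatusSummary", {}).get("driftStatus", "UNKNOWN")
        if status != "SUCCEEDED":  # FAILED or UNDER_CHANGE
            blockers.append(f"control {name}: status {status}")
        if drift == "DRIFTED":
            blockers.append(f"control {name}: drift detected")
    for r in compliance.get("ComplianceByConfigRules", []):
        rule = r["ConfigRuleName"]
        state = r.get("Compliance", {}).get("ComplianceType", "INSUFFICIENT_DATA")
        # rule_prefix is an assumption about how Control Tower names its rules
        if rule.startswith(rule_prefix) and state == "NON_COMPLIANT":
            blockers.append(f"config rule {rule}: {state}")
    return blockers


if __name__ == "__main__":
    for line in reenroll_blockers(CONTROLS, COMPLIANCE):
        print("BLOCKER:", line)
```

An empty result means nothing in the two inputs stands in the way of re-enrolling; rules outside the prefix (such as `team-owned-rule` in the sample) are ignored on purpose.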



Upgrade Organisational Unit / re-enroll

To begin updating an OU, please check that your accounts have Updates Available for them:

[Screenshot: Updates Available for your Organisational Unit]

From Control Tower, navigate to:

  1. Organisational Units ->
    1. OU with Accounts to Update
    2. OU Upgrade
    3. Hit Re-register OU in the top right.
    4. Confirm if prompted
    5. Wait for a few minutes whilst the account re-enrolls, check the stack progress in the CloudFormation console.
    6. Enjoy your newly updated account. For your own sanity, check CloudTrail to ensure services are still working and user access is also working.

Upgrade Single Account

Updating a single account takes a bit more work, and it feels a bit more worrying doing it this way. This post assumes that you are using the Service Catalog Account Factory in order to provision Control Tower.

  1. Go to Service Catalog
  2. Provisioned Products
  3. Change the filter from "User" to "Account".
  4. Select your account via the radio button on the left, and press "Actions" in the top right.
  5. Press "Update"
  6. You'll be prompted to enter information into the box. This means you can change account login details, name etc. However, for this demo we're going to keep it the same as it was previously, as we want the account to stay the same and just upgrade the landing zone version. If you read above, it says "Provisions a new account". Don't be scared of this: you will be able to log in and use your account exactly the same way after the update, and even whilst the update is happening.
  7. Enjoy your newly updated account after about 10-15 minutes.