A programmatic way to create an account in AWS Control Tower

June 7, 2022

One of the biggest challenges companies face today is managing multiple teams with different workloads, ensuring they follow the best security practices. 

AWS Control Tower is a multi-account structure that can manage multiple accounts in different organizational units under a single root account, helping organizations meet the unique needs of each application, team, or business group.


The automation cloud is an ideal alternative for companies that need to create accounts for multiple teams with all the security guardrails and configurations. The following AWS tools can help you achieve that objective:

  • Account Factory for Terraform
  • Account vending through Amazon Lex ChatBot

We will explain how to create an account using AWS CLI and AWS API.


Before you start, bear in mind the following aspects:

  • The AWS control tower setup should be available.
  • The AWS control tower account factory template should be available with the required CIDR and subnet configuration.
  • The AWS control tower service catalog products should be created and active.
  • You will need an access key and a secret key of an in-place admin user.

Creating an account on AWS CLI

Firstly, you need to install AWS CLI to proceed with the account creation. You can follow these steps if you are using Linux OS:

  • Setup environment variable with the access key and secret key.
  • Retrieve master account value and Define value for admin ARN.
KCeApQYu3ziVDqdorSRDR8HpBzf8uMBkDoVd9q7hauiIC hAPdKMwMynUBTVoVrXvlISziKUH5t8ugSCRV4aWQXxo6EfvK9FwB

Retrieve the product ID for the account factory product in the region specified earlier.

NmsTl51DeInO7fonva3eTe5UeTUEbuJyurR0S8JxJTBOq6besnTQK1c6OHUPlClovce1nnmFJ7xTv0iOhYiSL2YMOmNpgpzHvCayIUJ4xjE t

Retrieve the provisioning artifact for the account factory.


Create a param.json file with the required parameters, as shown in the following screenshots:

AQuqQ2rNXYzx5lYpDLoKk5ZSuJXN5zatQ ax8KQGDEgg2yH 6XBJICGgeUt7s7JWk0hij gOqkOvTAPn qYQHvTez9emNF82yVXk4L8FrBpItfFCoLo9cvmbm iCz6FqOVtdi jOi 9f1P73ow

Derive the catalog name and email id from params.json. Catalog names can be anything unique. It can be the same as an account name. Here we are adding the prefix “CatalogFor” to the account name.

sb0J8bK1QgYS6op ICTa64T6bBapNW8G0FbiP9VRD4nSZa08DDHvh9PMZm Eis515MbeoDSDlRrE68e83EDbAPsD5rWRwdTgCZ bfXMKgPrknksSRR4M IVBImohgNvfHRY22aVy5MM4Sktpdw

To create a new account programmatically, you need to write this command:

Fu2GeZk2u6C9J6NL MxC0WDik51iX4pOAbc Oe1dsVmCwGWkXESdrGBjf5fWO0mCMK4on6Sb3SFeD2eQm77P1VmBmfUKTckxm08GCOhlveP 1U79PoQawVkbBbVVHRE062YL7mnKIaM2vCjg


Another way to create AWS Control Tower account is through AWS SDK.

For more details, refer to the AWS document.


onqoKgU5UjCEDHKBUvHCzDd953yD0Emnr8lFpGgowS3aZBM1 3gBx LfEHSvKI 5ujKtcLuATVLdyp9ZJt xHalpT RcOO QBG1nfgAP f8PCUfXIq6OyRm3SknMdvkdkBwFDUU


Account Status

Now you can view the status of the account created in the AWS Control Tower console. 

ixxa9w7BClvPH0 9jsyCYdaWousl7gcER5TAkeffamKdn180lARYeG9nUc64ZUrJ8nratbM7oluItfzRWKMFCO1EGu6t5WXz 38jWjE7 cP8BIgb 4i NY6q2B0NefLBmUKli

Then you will receive an email to create the account.

OkCNrWxm JmK484xJZMeU6lJITD9zPhVkh4RI9aetp ehWQgOh07W00auqmouuIIPoSavQp683Llagaw2SqOntAuCLTrjW32fdNn0QjUHuDsjJhSfJ0ZgAQg4lr3QD6QWo 5lEZerBVlfvB8VA

Steps to access AWS Control Tower Account

Go to the AWS Management Console and sign in.

gt7bpLfJJsC6vllEDyiBtypNmu1JlOqopbsj6ahuGQ10z4ZiTRFGCEofnUGnQgRgMBQKC5HumfHBuTyukjTJuAz3O1ZXNCVLh1jtpuYtXg1iFh59QxcJlACzzgHj SlSboQn1gmCBZFj6rrmog

Select root user and then enter the root user email address. Then complete the security check.

3tGbDFg4Urt9 7HWqlrasMRjG5sYcX

Now click forgot password on the emerging window, enter the captcha and email. You will get the link on the root email to reset the password.

ufAYGpS2bl1jtfMK2ohg GSz Io9KRreZfHBlEYgIL8H6890

Change the password and log in.

BsaBxm QUdpefFwGiaa84Xg8h24bbgpAEoOk6NE58zi91OC5hHb2kCRFmfdviVzKq8zZ PI 4G8m3gWUmjp7IU6aeZZr2fimYpP7xcS5bp

By following the steps, you will create an account with all the mandatory guardrails and SCPs (Service Control Policies). There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will incur costs for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only have to pay for what you use.

Using an AWS Control Tower provides organizations with the flexibility and speed required to manage multiple accounts on a single dashboard. As a result, companies have more control and visibility on their digital environment. Get to know more about our cybersecurity practices here.

Subscribe to our newsletter

Receive the latests news, curated posts and highlights from us. We’ll never spam, we promise.

More From

The Cybersecurity Studio focuses on reducing our clients’ cybersecurity risks. To help businesses adapt, we established a Digital Cybersecurity Framework founded by our key practices. Our value proposition considers an active participation in the software development process and a proactive view on cybersecurity solutions that include regular vulnerability tests and threat intelligence.