Upgrading To AWS Control Tower in Sydney Region

2 min read

On March the 5th AWS announced that AWS Control Tower finally is available to Sydney region 🙂

I’ve been going on a journey with my master and all my aws accounts.

The general rhetoric from AWS is that you should bring a clean fresh new master to the table.

I haven’t been 😀


I can confirm it is entirely possible to re-use a master with control tower.

Even one that has been used with the landing zone solution.

The key is.. Stripping it clean. Primarilly of:

  • Default VPCs
  • AWS Config Recorders

Config recorders are only able to be cleaned manually via the CLI.

I had an existing set of accounts which had been previously built using landing zone (in point of fact the master existed before this).

I had to clean the master prior to the landing zone deployment a year ago so had learnt about the config recorder constraint.

This time around I’ve had to decomission the entire landing zone from my accounts and then disestablish my orgnanisation and create a new one with Contol Tower.

Fortunately this wasn’t too hard for me because I hadn’t gone crazy deploying stuff with Landing Zone.

So my primary tasks were to remove each account from the organisation which I had to then go and set up the billing payment, contact details etc to satisfy the AWS requirements for member removal from the org.

Delete my organisation.

Delete my AWS Config recorder

Enable STS in us-east-1, us-east-2, eu-west-1, ap-southeast-2

An then deploy my Control Tower. Well to be fair, I tried deploying the control tower and it failed 3 times so the above represents some of the things I had to do to resolve this.

A really important point about deploying the control tower is that you need to respond to the emails in a timely fashion also for SSO and SNS subs.

However, I am pleased to say that I have been able to re-use my master and now have a functional Control Tower deployed in ap-southeast-2.

I have re-invited my old accounts and will work on integrating them with control tower if and when that becomes possible. For now it is enough for me that they are still part of my Org and managed by AWS Orgs & SSO access controls.

Happy days!