Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.2.2.2. Standardizing & Automating Account Provisioning (Organizations, Control Tower)
Manual account creation doesn't scale. At 50+ accounts, you need automated provisioning that applies consistent baselines from day one.
AWS Control Tower automates multi-account setup on top of AWS Organizations:
- Landing zone: pre-configured multi-account environment; by default it creates a Log Archive account (central CloudTrail and Config storage) and an Audit account (cross-account security tooling) alongside the management account
- Account Factory: self-service account provisioning, delivered as a Service Catalog product, that enrolls each new account in Control Tower and applies the landing zone baseline before handover
- Guardrails (now called controls): preventive controls are SCPs that block non-compliant actions, detective controls are AWS Config rules that flag violations, and proactive controls are CloudFormation hooks that reject non-compliant templates before deployment
- Dashboard: central view of enrollment and control compliance status across all accounts and OUs
Customizations for AWS Control Tower (CfCT) extends Account Factory with your own CloudFormation templates and SCPs, deployed to new accounts and OUs by a pipeline triggered by Control Tower lifecycle events: baseline IAM roles, VPC configurations, security services.
# Programmatic account creation via Organizations API
import time
import boto3
orgs = boto3.client('organizations')
response = orgs.create_account(
    Email='prod-app1@company.com',
    AccountName='prod-app1',
    RoleName='OrganizationAccountAccessRole'
)
# CreateAccount is asynchronous: the response carries a request Id and State IN_PROGRESS, not yet an AccountId
request_id = response['CreateAccountStatus']['Id']
while True:
    status = orgs.describe_create_account_status(CreateAccountRequestId=request_id)['CreateAccountStatus']
    if status['State'] != 'IN_PROGRESS':
        break
    time.sleep(5)
if status['State'] == 'FAILED':
    raise RuntimeError(f"account creation failed: {status['FailureReason']}")
# Only now does the account exist; move it from the root into the target OU
orgs.move_account(
    AccountId=status['AccountId'],
    SourceParentId='r-root',
    DestinationParentId='ou-prod-xxxxx'
)
Account baseline automation (applied to every new account, typically by assuming OrganizationAccountAccessRole into it or by CloudFormation StackSets targeting the OU):
- Enable CloudTrail → send logs to the central log archive bucket (an organization trail covers new accounts without per-account setup)
- Enable GuardDuty → register the security account as delegated administrator and auto-enable new member accounts
- Enable AWS Config → aggregate configuration and compliance data to the security account through an organization-wide aggregator
- Deploy VPC via StackSet → standard networking
- Configure IAM Identity Center (formerly AWS SSO) → assign permission sets to role-based groups
Exam Trap: Account creation is asynchronous whether it goes through Account Factory or directly through Organizations. CreateAccount returns immediately with a CreateAccountStatus whose State is IN_PROGRESS and whose AccountId is not yet populated; you must poll DescribeCreateAccountStatus, or react to the completion event delivered through EventBridge (the Organizations CreateAccountResult event, emitted in us-east-1, or the Control Tower CreateManagedAccount lifecycle event), to learn when the request has finished. Automation that assumes the account exists immediately, for example calling MoveAccount or assuming OrganizationAccountAccessRole right after CreateAccount returns, will fail.
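The event-driven path described above, as an added example that is not part of the original course material: a Lambda-style handler that is invoked by an EventBridge rule when account creation finishes, normalises both the Organizations CreateAccountResult event and the Control Tower CreateManagedAccount lifecycle event, moves a directly created account into its OU only once the state is SUCCEEDED, and hands the account id to the baseline stage. The target OU id, the sample events and the FakeOrganizations client are constructed placeholders; the Organizations client is injected so the logic runs offline.

```python
"""Event-driven handling of asynchronous account creation (added example).

Reacts to the EventBridge completion event instead of assuming the account
exists as soon as CreateAccount returns. Understands the Organizations
CreateAccountResult event and the Control Tower CreateManagedAccount event.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical target OU for directly created accounts (real ids look like ou-xxxx-xxxxxxxx).
TARGET_OU_ID = "ou-prod-xxxxx"


@dataclass
class CreationResult:
    source: str                  # "organizations" or "controltower"
    state: str                   # IN_PROGRESS, SUCCEEDED or FAILED
    account_id: Optional[str]    # absent until the request SUCCEEDED
    account_name: Optional[str]
    ou_id: Optional[str]         # only carried by the Control Tower event
    reason: Optional[str]        # failureReason (Organizations) or message (Control Tower)


def parse_creation_event(event: dict) -> CreationResult:
    """Normalise the two completion events into one structure."""
    detail = event.get("detail", {})
    svc = detail.get("serviceEventDetails", {})
    name = detail.get("eventName")
    if name == "CreateAccountResult":            # Organizations, delivered via CloudTrail
        st = svc["createAccountStatus"]
        return CreationResult("organizations", st["state"], st.get("accountId"),
                              st.get("accountName"), None, st.get("failureReason"))
    if name == "CreateManagedAccount":           # Control Tower lifecycle event
        st = svc["createManagedAccountStatus"]
        acct = st.get("account", {})
        ou = st.get("organizationalUnit", {})
        return CreationResult("controltower", st["state"], acct.get("accountId"),
                              acct.get("accountName"), ou.get("organizationalUnitId"),
                              st.get("message"))
    raise ValueError(f"unsupported event: {name!r}")


def handle_creation_event(event: dict, orgs, target_ou_id: str = TARGET_OU_ID) -> dict:
    """Return what the baseline stage needs; only SUCCEEDED accounts are acted on."""
    result = parse_creation_event(event)
    if result.state != "SUCCEEDED":
        # FAILED (e.g. EMAIL_ALREADY_EXISTS) or still IN_PROGRESS: there is no account to touch.
        return {"status": result.state, "account_id": result.account_id, "reason": result.reason}
    if result.source == "organizations":
        # A direct CreateAccount lands the account under the root; move it into its OU now.
        root_id = orgs.list_roots()["Roots"][0]["Id"]
        orgs.move_account(AccountId=result.account_id, SourceParentId=root_id,
                          DestinationParentId=target_ou_id)
        ou_id = target_ou_id
    else:
        # Account Factory already placed the account in the OU chosen at request time.
        ou_id = result.ou_id
    return {"status": "READY_FOR_BASELINE", "account_id": result.account_id, "ou": ou_id}


def lambda_handler(event, context):
    """Entry point when deployed behind an EventBridge rule (boto3 is available in Lambda)."""
    import boto3
    return handle_creation_event(event, boto3.client("organizations"))


class FakeOrganizations:
    """Constructed stand-in for boto3.client('organizations') that records MoveAccount calls."""
    def __init__(self, root_id="r-abcd"):
        self.root_id = root_id
        self.moves = []

    def list_roots(self):
        return {"Roots": [{"Id": self.root_id}]}

    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        self.moves.append((AccountId, SourceParentId, DestinationParentId))
        return {}


# Constructed sample events in the shape EventBridge delivers (account ids are placeholders).
ORG_SUCCESS_EVENT = {
    "source": "aws.organizations", "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateAccountResult", "serviceEventDetails": {"createAccountStatus": {
        "id": "car-examplerequestid", "state": "SUCCEEDED",
        "accountName": "prod-app1", "accountId": "111122223333"}}},
}
ORG_FAILED_EVENT = {
    "source": "aws.organizations", "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateAccountResult", "serviceEventDetails": {"createAccountStatus": {
        "id": "car-examplerequestid", "state": "FAILED",
        "accountName": "prod-app1", "failureReason": "EMAIL_ALREADY_EXISTS"}}},
}
CT_SUCCESS_EVENT = {
    "source": "aws.controltower", "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {"createManagedAccountStatus": {
        "organizationalUnit": {"organizationalUnitName": "Sandbox", "organizationalUnitId": "ou-sbx-xxxxx"},
        "account": {"accountName": "sbx-team1", "accountId": "444455556666"},
        "state": "SUCCEEDED", "message": "AWS Control Tower successfully created a managed account."}}},
}
```

The EventBridge rule that feeds this handler matches `source: aws.organizations` with `detail.eventName: CreateAccountResult` (create it in us-east-1, where Organizations emits its events) and, for Account Factory, `source: aws.controltower` with `detail.eventName: CreateManagedAccount`. Keeping the move and the baseline trigger out of the code that calls CreateAccount is what avoids the trap: nothing runs until the service itself reports completion.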

Written by Alvin Varughese • Founder • 15 professional certifications