Setting up Control Tower on an Existing AWS Organization

I had an existing AWS Organizations structure already configured: a number of OUs, Service Control Policies attached to them, and AWS SSO federated to Azure AD.

In the console, open Control Tower in the region you want to deploy it in. This becomes the "home region", where the configuration for the governance services is held (e.g. the S3 buckets used for logging):

I get the following error popping up:

Having fixed that, I can now move on:

When the above had completed, I tried registering an existing OU with Control Tower:

However, it failed because I was using nested OUs in the original AWS Organizations account structure.

As of November 2021, nested OUs are supported by Control Tower – see https://aws.amazon.com/about-aws/whats-new/2021/11/aws-control-tower-supports-nested-organizational-units/

Once I fixed that, it went through and provisioned the Control Tower environment, and after about an hour it was ready to go.
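Before registering OUs it is worth knowing how deep the existing tree goes, since the nesting is what tripped the registration above. The script below is an added example, not code from the original post: it walks an Organizations tree through the `ListRoots` / `ListOrganizationalUnitsForParent` response shape that boto3 returns and reports every OU deeper than one level. The `FakeOrganizations` class is constructed sample data so the script runs offline; against a real account you would pass `boto3.client("organizations")` (read-only calls) in its place. OU names and ids in the sample are invented.

```python
"""Report nested OUs in an AWS Organizations tree before registering OUs in Control Tower.

Added example, not from the original post. The FakeOrganizations client is
constructed sample data; replace it with boto3.client("organizations") to run
against a real organization.
"""
from typing import Dict, List, Optional


class FakeOrganizations:
    """Constructed stand-in for boto3's Organizations client (sample data only)."""

    _roots = [{"Id": "r-exmp", "Name": "Root"}]
    # Parent id -> child OUs. Workloads/Prod and Workloads/Dev are nested;
    # Sandbox sits directly under the root.
    _children = {
        "r-exmp": [
            {"Id": "ou-exmp-workloads", "Name": "Workloads"},
            {"Id": "ou-exmp-sandbox", "Name": "Sandbox"},
        ],
        "ou-exmp-workloads": [
            {"Id": "ou-exmp-prod", "Name": "Prod"},
            {"Id": "ou-exmp-dev", "Name": "Dev"},
        ],
    }

    def list_roots(self, **kwargs):
        return {"Roots": self._roots}

    def list_organizational_units_for_parent(self, ParentId: str, **kwargs):
        return {"OrganizationalUnits": self._children.get(ParentId, [])}


def _list_children(client, parent_id: str) -> List[dict]:
    """Collect all child OUs of parent_id, following NextToken pagination."""
    children: List[dict] = []
    token: Optional[str] = None
    while True:
        kwargs = {"ParentId": parent_id}
        if token:
            kwargs["NextToken"] = token
        resp = client.list_organizational_units_for_parent(**kwargs)
        children.extend(resp.get("OrganizationalUnits", []))
        token = resp.get("NextToken")
        if not token:
            return children


def ou_depths(client) -> Dict[str, int]:
    """Map each OU path (e.g. 'Workloads/Prod') to its depth; 1 = directly under the root."""
    depths: Dict[str, int] = {}

    def walk(parent_id: str, prefix: str, depth: int) -> None:
        for ou in _list_children(client, parent_id):
            path = f"{prefix}/{ou['Name']}" if prefix else ou["Name"]
            depths[path] = depth
            walk(ou["Id"], path, depth + 1)

    for root in client.list_roots().get("Roots", []):
        walk(root["Id"], "", 1)
    return depths


def nested_ous(client) -> List[str]:
    """OU paths deeper than one level: the shape that the registration in the post rejected."""
    return sorted(path for path, depth in ou_depths(client).items() if depth > 1)


if __name__ == "__main__":
    for path, depth in sorted(ou_depths(FakeOrganizations()).items()):
        flag = "nested" if depth > 1 else "top-level"
        print(f"{path:<20} depth={depth} ({flag})")
```

Run it with the management account's credentials before enrolling OUs; any path listed by `nested_ous` is one that only registers on a Control Tower release with nested-OU support.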