AWS Control Tower Required Email Addresses
| Account Type | Email Address Example | Required/Optional | Email Type | Purpose | Notes |
|---|---|---|---|---|---|
| Management Account | rraws@gmail.com | Required | DISTINCT | Root account that manages the entire AWS Organization | Use shared/admin email, not personal |
| Audit Account | rraws-audit@gmail.com | Required | DISTINCT | Security and compliance monitoring | Auto-created by Control Tower |
| Log Archive Account | rraws-logs@gmail.com | Required | DISTINCT | Centralized logging storage | Auto-created by Control Tower |
| Production Account | rraws-prod@gmail.com | Required | Alias OK | Production environment workloads | Can use rraws+prod@gmail.com |
| Test Account | rraws-test@gmail.com | Required | Alias OK | Testing/staging environment | Can use rraws+test@gmail.com |
| Development Account | rraws-dev@gmail.com | Required | Alias OK | Development environment | Can use rraws+dev@gmail.com |
| Shared Services Account | rraws-shared@gmail.com | Optional | Alias OK | Shared resources (CI/CD, monitoring, etc.) | Can use rraws+shared@gmail.com |
Summary
- Distinct Gmail accounts required: 3 (Management, Audit, Log Archive)
- Can use aliases: 3-4 (Production, Test, Development, Shared Services)
- Total minimum required: 6 email addresses
- Recommended: 7 email addresses (including Shared Services)
Practical Setup for "rraws"
IMPORTANT Must create separate Gmail accounts:
- rraws@gmail.com
- rraws-audit@gmail.com
- rraws-logs@gmail.com
NOTE Can use aliases from main account:
- rraws+prod@gmail.com
- rraws+test@gmail.com
- rraws+dev@gmail.com
- rraws+shared@gmail.com
Next steps
Here are the essential steps after AWS Control Tower creation:
Immediate Security Steps (Day 1)
1. Secure All Root Users
- Enable MFA on all 6 root user accounts
- Store root credentials securely (password manager, secure vault)
- Document which email goes with which account
2. Set Up AWS IAM Identity Center (SSO)
- Enable Identity Center in the Management Account
- Create permission sets (e.g., AdministratorAccess, ReadOnlyAccess, DeveloperAccess)
- Create user groups (Admins, Developers, ReadOnly Users)
- Add your actual users (not root users) to Identity Center
3. Configure Access
- Assign permission sets to users/groups for each account
- Test SSO login to each account
- Verify you can access Prod/Test/Dev accounts without using root
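A way to verify step 1 across all the accounts in the table, as an added example that is not part of the original notes: the pure check reads the SummaryMap that IAM GetAccountSummary returns and flags root users without MFA or with root access keys; the sample account IDs and their summaries are constructed, and fetch_summary_map() assumes the AWSControlTowerExecution role that Control Tower creates in enrolled member accounts (for the Management Account itself, call get_account_summary with your own credentials).

```python
"""Day-1 root-user hygiene check: root MFA on, no root access keys/certs."""
from typing import Dict, List

# Constructed sample: SummaryMap values as GetAccountSummary reports them.
SAMPLE_SUMMARIES = {
    "111111111111": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 0},  # clean
    "222222222222": {"AccountMFAEnabled": 0, "AccountAccessKeysPresent": 0},  # no root MFA
    "333333333333": {"AccountMFAEnabled": 1, "AccountAccessKeysPresent": 1},  # root keys
}


def root_findings(account_id: str, summary_map: Dict[str, int]) -> List[str]:
    """Return findings for one account's root user (empty list means clean)."""
    findings = []
    if summary_map.get("AccountMFAEnabled", 0) != 1:
        findings.append(f"{account_id}: root user has no MFA device")
    if summary_map.get("AccountAccessKeysPresent", 0) != 0:
        findings.append(f"{account_id}: root user has access keys; delete them")
    if summary_map.get("AccountSigningCertificatesPresent", 0) != 0:
        findings.append(f"{account_id}: root user has signing certificates")
    return findings


def audit_all(summaries: Dict[str, Dict[str, int]]) -> List[str]:
    """Run the check over every account, ordered by account id."""
    return [f for acct, s in sorted(summaries.items()) for f in root_findings(acct, s)]


def fetch_summary_map(account_id: str,
                      role_name: str = "AWSControlTowerExecution") -> Dict[str, int]:
    """Assume the execution role in a member account and fetch its SummaryMap.
    Needs boto3 and Management Account credentials; not used by the offline sample."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/{role_name}",
        RoleSessionName="root-hygiene-audit")["Credentials"]
    iam = boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return iam.get_account_summary()["SummaryMap"]


if __name__ == "__main__":
    for line in audit_all(SAMPLE_SUMMARIES) or ["all root users clean"]:
        print(line)
```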
Account Setup Steps
4. Configure Each Workload Account
For each account (Prod/Test/Dev):
- Set up billing alerts and budgets
- Configure VPCs and networking
- Set up CloudTrail (if not already done by Control Tower)
- Configure account-specific IAM policies
5. Implement Governance
- Review Control Tower guardrails (SCPs)
- Customize additional guardrails as needed
- Set up AWS Config rules for compliance
- Configure CloudWatch monitoring
6. Operational Setup
- Set up CI/CD pipelines across accounts
- Configure cross-account roles for deployments
- Set up centralized logging review
- Document account purposes and access procedures
The key is: never use root users again after this initial setup - everything should go through Identity Center!