
Overview

If your AWS Organization uses AWS Control Tower, you can skip manual role deployment entirely. Control Tower automatically provisions the AWSControlTowerExecution role in every enrolled account, granting broad administrative permissions to the management account.
The IAM Audit tool only uses IAM and CloudTrail read permissions from this role — it never performs write operations.

Benefits of Using Control Tower

  1. Zero deployment overhead
    No CloudFormation StackSets or manual role creation required. The AWSControlTowerExecution role exists in all Control Tower-managed accounts.
  2. Automatic new account inclusion
    When new accounts are enrolled in Control Tower, they automatically receive the execution role — your audit coverage scales instantly.
  3. Consistent permissions
    Control Tower maintains the role’s permissions across all accounts. No drift or configuration skew.
  4. Audit trail included
    All role assumptions are logged in Control Tower’s aggregated CloudTrail lake.

How It Works

AWSControlTowerExecution Role

Control Tower creates this role in every enrolled account with:
  • Trust relationship to the management account
  • AdministratorAccess managed policy (includes IAM and CloudTrail read)
  • Automatic updates managed by Control Tower

Permissions Used by IAM Audit

While the role has full admin access, the audit tool only calls:
Service      Actions Used
IAM          ListUsers, ListAccessKeys, GetAccessKeyLastUsed, ListMFADevices, GetLoginProfile
CloudTrail   LookupEvents
STS          AssumeRole (from management account)
The AWSControlTowerExecution role has AdministratorAccess. While the audit tool itself is read-only, using this role grants broader permissions than a least-privilege custom role. Consider this in your security model.

Running Audits with Control Tower

No additional setup required. Simply specify the Control Tower execution role when running the audit:
python iam_audit.py --profile mgmt-profile --role AWSControlTowerExecution

Example Command

cd ~/workspace/source
python iam_audit.py --profile control-tower-mgmt --role AWSControlTowerExecution

Output

Auditando cuenta: Production (123456789012)
Auditando cuenta: Development (234567890123)
Auditando cuenta: Security (345678901234)

Total de Access Keys encontradas: 47
Reporte exportado: iam_audit_report_20260305_153022.csv
Reporte de eventos CloudTrail exportado: cloudtrail_events_20260305_153022.csv

Differences from Custom Role Setup

Aspect             Custom IAM Role                                 AWSControlTowerExecution
Deployment         Manual (StackSets)                              Automatic (Control Tower)
Permissions        Least privilege (6 IAM + 1 CloudTrail action)   AdministratorAccess
Maintenance        Manual updates                                  Control Tower managed
New accounts       Requires re-deployment                          Automatic inclusion
Security posture   Minimal attack surface                          Broader permissions
Audit compliance   Easier to justify least privilege               Requires documentation of read-only usage
For production environments with strict compliance requirements, consider deploying a custom least-privilege role even in Control Tower accounts. See IAM Permissions Setup.

Security Considerations

Privilege Escalation Risk

The AWSControlTowerExecution role can create IAM users, attach policies, and modify infrastructure. If the management account credentials are compromised, an attacker could abuse this role. Mitigations:
  • Use IAM Identity Center (SSO) for management account access
  • Enable MFA for all management account users
  • Monitor AssumeRole events in CloudTrail for anomalies
  • Consider deploying a dedicated least-privilege audit role
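One way to act on the "monitor AssumeRole events" mitigation, as an added example that is not part of the audit tool or this page: it scans CloudTrail records for two signals tied to how the tool uses the role, an AssumeRole on AWSControlTowerExecution by a principal outside an approved-auditor allowlist, and any non-read API call made under that role's session. The allowlist, account IDs and sample records are constructed.

```python
import re

ROLE_NAME = "AWSControlTowerExecution"
# Hypothetical allowlist of principals approved to run the audit (constructed).
APPROVED_AUDITORS = {"arn:aws:iam::111111111111:user/iam-audit-runner"}
# The audit tool only issues List*/Get*/LookupEvents calls, so anything else is suspect.
READ_ONLY = re.compile(r"^(List|Get|Describe|LookupEvents)")

def flag_events(records):
    """Return (eventID, reason) pairs: check 1 = AssumeRole on the role by an
    unapproved principal; check 2 = a non-read call made by a session of the role."""
    findings = []
    for rec in records:
        name = rec.get("eventName", "")
        ident = rec.get("userIdentity", {})
        if rec.get("eventSource") == "sts.amazonaws.com" and name == "AssumeRole":
            role_arn = rec.get("requestParameters", {}).get("roleArn", "")
            actor = ident.get("arn", "")
            if role_arn.endswith(":role/" + ROLE_NAME) and actor not in APPROVED_AUDITORS:
                findings.append((rec["eventID"], "AssumeRole by unapproved principal " + actor))
            continue
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("userName") == ROLE_NAME and not READ_ONLY.match(name):
            findings.append((rec["eventID"], f"write call {rec['eventSource']}:{name} under audit role"))
    return findings

def _assume(eid, actor):
    """Constructed STS AssumeRole record (CloudTrail field layout, made-up values)."""
    return {"eventID": eid, "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
            "userIdentity": {"arn": actor},
            "requestParameters": {"roleArn": "arn:aws:iam::123456789012:role/" + ROLE_NAME}}

def _under_role(eid, source, name):
    """Constructed record for a call made while assuming AWSControlTowerExecution."""
    return {"eventID": eid, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"userName": ROLE_NAME}}}}

SAMPLE_RECORDS = [
    _assume("e1", "arn:aws:iam::111111111111:user/iam-audit-runner"),  # approved auditor
    _assume("e2", "arn:aws:iam::111111111111:user/contractor"),        # not approved
    _under_role("e3", "iam.amazonaws.com", "ListAccessKeys"),          # normal audit call
    _under_role("e4", "cloudtrail.amazonaws.com", "LookupEvents"),     # normal audit call
    _under_role("e5", "iam.amazonaws.com", "CreateAccessKey"),         # write: tool never does this
]

if __name__ == "__main__":
    for event_id, reason in flag_events(SAMPLE_RECORDS):
        print(event_id, reason)
```

Feed it the records from a CloudTrail Lake query or an S3 trail export; in a real deployment the allowlist would be the set of principals your management account permits to call sts:AssumeRole on this role.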

Compliance Implications

Some regulatory frameworks (PCI-DSS, SOC 2, HIPAA) require separation of duties and least privilege. Using a role with AdministratorAccess for audits may require additional documentation:
  • Demonstrate the tool’s code is read-only
  • Log all audit executions with approval workflows
  • Justify why least privilege wasn’t technically feasible
If your organization enforces strict least-privilege policies, deploy a custom audit role instead of using AWSControlTowerExecution.

Verifying Control Tower Setup

Before running the audit, confirm Control Tower is active:

Check Control Tower Status

aws controltower list-landing-zones --profile mgmt-profile

List Enrolled Accounts

aws organizations list-accounts \
  --query 'Accounts[?Status==`ACTIVE`].[Id,Name]' \
  --output table \
  --profile mgmt-profile

Test Role Assumption

aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/AWSControlTowerExecution \
  --role-session-name AuditTest \
  --profile mgmt-profile
If all commands succeed, your Control Tower environment is ready for auditing.

Troubleshooting

Symptom: AccessDenied when assuming AWSControlTowerExecution in a specific account
Solution:
  1. Check if the account is enrolled in Control Tower:
    aws organizations describe-account --account-id 123456789012 --profile mgmt-profile
    
  2. Enroll the account via the Control Tower console
  3. Or deploy a custom audit role to that account using AWS Setup
Symptom: Role assumption succeeds but IAM or CloudTrail calls fail
Solution:
  1. Verify the role has AdministratorAccess or equivalent:
    aws iam list-attached-role-policies \
      --role-name AWSControlTowerExecution \
      --profile assumed-role-profile
    
  2. Check for SCPs blocking IAM or CloudTrail actions
  3. Confirm CloudTrail is enabled in us-east-1
Symptom: NoSuchEntity when checking for Control Tower landing zones
Solution: If your Organization doesn’t use Control Tower, follow the AWS Organization Setup guide to deploy custom audit roles.

Best Practices

  1. Log all audit executions
    Use CloudTrail to monitor when AWSControlTowerExecution is assumed from the management account.
  2. Restrict management account access
    Limit who can run audits by tightly controlling sts:AssumeRole permissions in the management account.
  3. Automate regular audits
    Schedule the tool via Lambda or EventBridge to run weekly/monthly audits automatically.
  4. Review Control Tower drift
    Periodically verify the AWSControlTowerExecution role hasn’t been modified or deleted in member accounts.
  5. Consider least privilege for production
    For regulated industries, deploy a dedicated audit role even in Control Tower environments.
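A way to automate best practice 4 (and the role check in "Verifying Control Tower Setup"), as an added example that is not part of the audit tool or this page: it compares a member account's AWSControlTowerExecution role against the baseline this page describes, trust to the management account and the AdministratorAccess managed policy only. The exact trust principal form (arn:aws:iam::<management>:root) is an assumption, and the account IDs and documents are constructed to match the shape of `aws iam get-role` and `aws iam list-attached-role-policies` output.

```python
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    """IAM documents allow a scalar or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def check_role_drift(management_account_id, role, attached_policies):
    """Return drift findings for AWSControlTowerExecution; an empty list means baseline.
    `role` is the Role object from get-role, `attached_policies` the AttachedPolicies list
    from list-attached-role-policies. Baseline (assumed from this page): trust only to
    arn:aws:iam::<management>:root and only AdministratorAccess attached."""
    findings = []
    expected_principal = f"arn:aws:iam::{management_account_id}:root"
    for stmt in _as_list(role["AssumeRolePolicyDocument"].get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy is open to any principal")
            continue
        for key, values in principal.items():  # e.g. AWS, Service, Federated
            for value in _as_list(values):
                if key != "AWS" or value != expected_principal:
                    findings.append(f"trust policy allows unexpected principal {key}:{value}")
    attached = {p["PolicyArn"] for p in attached_policies}
    for extra in sorted(attached - {ADMIN_POLICY_ARN}):
        findings.append(f"unexpected managed policy attached: {extra}")
    if ADMIN_POLICY_ARN not in attached:
        findings.append("AdministratorAccess is not attached; audit calls may fail")
    return findings

def _role(principals):
    """Constructed get-role style document trusting the given AWS principals."""
    return {"RoleName": "AWSControlTowerExecution",
            "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": principals}}]}}

# Constructed samples: 111111111111 plays the management account.
BASELINE_ROLE = _role("arn:aws:iam::111111111111:root")
BASELINE_POLICIES = [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_POLICY_ARN}]
DRIFTED_ROLE = _role(["arn:aws:iam::111111111111:root", "arn:aws:iam::999999999999:root"])
DRIFTED_POLICIES = BASELINE_POLICIES + [
    {"PolicyName": "ExtraPolicy", "PolicyArn": "arn:aws:iam::123456789012:policy/ExtraPolicy"}]

if __name__ == "__main__":
    for finding in check_role_drift("111111111111", DRIFTED_ROLE, DRIFTED_POLICIES):
        print("DRIFT:", finding)
```

Run it per enrolled account after assuming the role there; a non-empty result is the signal to investigate before trusting that account's audit output.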

Additional Resources

AWS Control Tower Documentation

Official AWS documentation for Control Tower setup and management

IAM Permissions Setup

Deploy a least-privilege custom role instead of using Control Tower

AWS Organization Setup

Manual role deployment for non-Control Tower environments

Next Steps

Run Your First Audit

Execute the audit across your Control Tower-managed Organization
