
How to set up Backup Accounts for GovCloud?

0

I'm working on enabling AWS Backup for GovCloud using Control Tower. According to the prerequisites, we need to provision two additional AWS accounts—one for the central backup account and one for the backup administrator account. These accounts must not be enrolled in AWS Control Tower.

We typically create accounts in the AWS Standard environment and map them to GovCloud. However, I don’t see an option to mark accounts as GovCloud-only (e.g., no enableGovCloud flag) in the Control Tower account creation screen. While I could use configuration files to include this setting, doing so would enroll the accounts into Control Tower, which goes against the prerequisite.

Can someone please clarify:

What is the recommended approach for creating these backup accounts for AWS GovCloud? Should we bypass the account mapping from AWS Standard to AWS GovCloud and create these accounts directly within GovCloud? Or is there a supported way to create GovCloud accounts that are not enrolled in Control Tower?

1 Answer
0

When setting up backup accounts for AWS GovCloud, you need to understand the unique relationship between standard AWS accounts and GovCloud accounts.

For creating GovCloud accounts that are not enrolled in Control Tower, you have a few options:

  1. Use the AWS Organizations CreateGovCloudAccount API from your standard AWS Organizations management account. This creates two linked accounts: one in the standard AWS region (which becomes part of your organization) and an associated standalone account in the GovCloud region. Both accounts will be associated with the same email address.

  2. For the Landing Zone Accelerator approach, you can use the enableGovCloud flag in the accounts-config.yaml file to create GovCloud accounts. This is done by adding new accounts with the enableGovCloud: true option in the workloadAccounts section.

Since the prerequisite states that the backup administrator and central backup accounts must not be enrolled in AWS Control Tower, you should:

  1. Create these accounts using the CreateGovCloudAccount API directly from your AWS Organizations management account in the standard region.
  2. This will create the corresponding GovCloud accounts that are not managed by Control Tower.
  3. After creation, you can invite these standalone GovCloud accounts to your GovCloud organization.

Remember that AWS Organizations operates differently in GovCloud compared to standard regions:

  • You must use AWS Organizations with all features enabled in GovCloud
  • You can only create GovCloud accounts by calling the API from the standard region
  • After creating the standalone account in GovCloud, you can invite it to your GovCloud organization

For AWS Backup specifically, Control Tower creates local backup vaults with four types of backup plans (hourly, daily, weekly, monthly) and a local backup role in your accounts when enabled.

If you are facing issues provisioning these accounts, kindly reach out to us via a Support Case.

Sources
CreateGovCloudAccount - AWS Organizations
Option 1: Deploy to new standard and AWS GovCloud (US) accounts - Landing Zone Accelerator on AWS
AWS Organizations in AWS GovCloud (US) - AWS GovCloud (US)
Enable backups - AWS Control Tower
Creating your accounts

answered 3 months ago
AWS
SUPPORT ENGINEER
reviewed 3 months ago
AWS
SUPPORT ENGINEER
revised 3 months ago
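As an added example that is not part of the answer above and not AWS's own code, the following Python script carries out the three steps the answer describes: call CreateGovCloudAccount from the standard-partition management account, wait for the linked account pair, and invite the standalone GovCloud account into the GovCloud organization. It assumes boto3-style client objects (`std_org` for the standard-partition management account, `gov_org` for the GovCloud-partition management account); the account names, e-mail domain and the `FakeOrganizations` stand-in are constructed so the script runs offline.

```python
"""Provision the two GovCloud backup accounts outside Control Tower via AWS Organizations.

Hypothetical example: account names, e-mail addresses and the fake client are constructed.
"""
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class GovCloudAccountPair:
    """IDs of the linked pair that CreateGovCloudAccount produces."""
    standard_account_id: str   # joins the standard-partition organization
    govcloud_account_id: str   # standalone in GovCloud until invited


def request_govcloud_account(std_org, email, account_name,
                             role_name="OrganizationAccountAccessRole"):
    """Call CreateGovCloudAccount from the standard-partition management account.

    The role named here is created in both new accounts and trusts the management
    account, so confine its use to bootstrap automation. IAM-user billing access is
    denied because the backup accounts never need it.
    """
    resp = std_org.create_gov_cloud_account(
        Email=email, AccountName=account_name,
        RoleName=role_name, IamUserAccessToBilling="DENY")
    return resp["CreateAccountStatus"]["Id"]   # request id of the form "car-..."


def wait_for_account_pair(std_org, request_id, poll_seconds=5, max_polls=60):
    """Poll DescribeCreateAccountStatus until the request settles; fail loudly on FAILED."""
    for _ in range(max_polls):
        status = std_org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return GovCloudAccountPair(status["AccountId"], status["GovCloudAccountId"])
        if status["State"] == "FAILED":
            raise RuntimeError(f"{request_id} failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{request_id} still in progress after {max_polls} polls")


def invite_to_govcloud_org(gov_org, govcloud_account_id, notes):
    """Invite the standalone GovCloud account into the GovCloud organization.

    Must be called with credentials of the GovCloud-partition management account,
    e.g. boto3.client("organizations", region_name="us-gov-west-1").
    """
    resp = gov_org.invite_account_to_organization(
        Target={"Id": govcloud_account_id, "Type": "ACCOUNT"}, Notes=notes)
    return resp["Handshake"]["Id"]


def provision_backup_accounts(std_org, gov_org, email_domain, poll_seconds=5):
    """Create and invite both prerequisite accounts without touching Account Factory."""
    results = {}
    for name in ("central-backup", "backup-admin"):
        request_id = request_govcloud_account(std_org, f"aws-{name}@{email_domain}", name)
        pair = wait_for_account_pair(std_org, request_id, poll_seconds=poll_seconds)
        handshake_id = invite_to_govcloud_org(
            gov_org, pair.govcloud_account_id, f"{name}: AWS Backup prerequisite, not CT-enrolled")
        results[name] = (pair, handshake_id)
    return results


class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client (documented response shapes only)."""

    def __init__(self, fail=False):
        self.fail = fail
        self.requests = {}        # request id -> number of status polls so far
        self.invited = []

    def create_gov_cloud_account(self, **kwargs):
        request_id = f"car-example{len(self.requests) + 1:016d}"
        self.requests[request_id] = 0
        return {"CreateAccountStatus": {"Id": request_id, "State": "IN_PROGRESS",
                                        "AccountName": kwargs["AccountName"]}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self.requests[CreateAccountRequestId] += 1
        n = int(CreateAccountRequestId[len("car-example"):])
        if self.requests[CreateAccountRequestId] < 2:          # first poll: still running
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "IN_PROGRESS"}}
        if self.fail:
            return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "FAILED",
                                            "FailureReason": "EMAIL_ALREADY_EXISTS"}}
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": "SUCCEEDED",
                                        "AccountId": f"{100000000000 + n}",
                                        "GovCloudAccountId": f"{200000000000 + n}"}}

    def invite_account_to_organization(self, Target, Notes=""):
        self.invited.append(Target["Id"])
        return {"Handshake": {"Id": f"h-example{len(self.invited)}", "State": "OPEN"}}


if __name__ == "__main__":
    std, gov = FakeOrganizations(), FakeOrganizations()
    for name, (pair, hs) in provision_backup_accounts(std, gov, "example.com", poll_seconds=0).items():
        print(name, pair, hs)
```

Against real accounts, replace the fakes with `boto3.client("organizations")` under standard-partition management-account credentials and a second client under GovCloud management-account credentials. The handshake still has to be accepted from the invited account, and because neither account passes through Control Tower's Account Factory they remain unenrolled, which is what the AWS Backup prerequisite requires.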
