If you’ve tried registering an Organizational Unit (OU) in AWS Control Tower and hit a wall of pre-check errors saying “The account may have an existing AWS Config configuration recorder”, you’re not alone. This is one of the most common — and frustrating — blockers when enrolling accounts into Control Tower.
In this post, I’ll walk through exactly what causes this error and how to fix it.
The Problem
When registering an OU in AWS Control Tower, you may see errors like this for each account:
| Error Type | Description |
|---|---|
| Pre-check | The account may have an existing AWS Config configuration recorder. These must be deleted through the AWS CLI in all regions before you can enroll an account. |
| Pre-check | The account may have an existing AWS Config delivery channel. These must be deleted through the AWS CLI in all regions before you can enroll an account. |
These errors occur because AWS Control Tower deploys its own Config recorder and delivery channel in every account it enrolls, and AWS Config allows only one configuration recorder and one delivery channel per account per region. If either already exists in any region, including one you have never intentionally used, the pre-check fails and the OU is not registered.
Why Does This Happen?
There are a few common reasons pre-existing Config recorders exist in your accounts:
- Someone previously enabled AWS Config manually or through the console
- A CloudFormation stack or IaC tool deployed Config as part of a compliance setup
- An account-vending or bootstrap automation enabled AWS Config when the account was created
- A previous Control Tower enrollment attempt partially completed
The Fix
You need to delete the existing Config recorder and delivery channel in every region of each affected account. Here’s the CLI script to do it.
Option 1: Single Region (if you’re certain Config only exists in one region)
```bash
# Delete the Config recorder.
# Order matters: AWS Config refuses to delete a delivery channel while a
# recorder is still running, so stop and delete the recorder first.
RECORDER=$(aws configservice describe-configuration-recorders \
  --region us-east-1 \
  --query "ConfigurationRecorders[0].name" \
  --output text)
aws configservice stop-configuration-recorder \
  --configuration-recorder-name "$RECORDER" \
  --region us-east-1
aws configservice delete-configuration-recorder \
  --configuration-recorder-name "$RECORDER" \
  --region us-east-1

# Delete the delivery channel. The S3 bucket and SNS topic it pointed at are
# not touched; only the channel object goes away.
CHANNEL=$(aws configservice describe-delivery-channels \
  --region us-east-1 \
  --query "DeliveryChannels[0].name" \
  --output text)
aws configservice delete-delivery-channel \
  --delivery-channel-name "$CHANNEL" \
  --region us-east-1
```
Option 2: All Regions (recommended)
The error message says “in all regions” for a reason. Config recorders can exist in regions you’ve never intentionally used. Run this to clean all regions:
```bash
# Walk every region enabled for this account. describe-regions only lists
# regions the account can use, which is exactly the set where a recorder could exist.
for region in $(aws ec2 describe-regions \
  --query "Regions[].RegionName" --output text); do
  echo "=== $region ==="
  # With --output text the CLI prints the literal string "None" for an empty
  # list, so both "None" and an empty string mean "no recorder here".
  RECORDER=$(aws configservice describe-configuration-recorders \
    --region "$region" \
    --query "ConfigurationRecorders[0].name" \
    --output text 2>/dev/null)
  if [ "$RECORDER" != "None" ] && [ -n "$RECORDER" ]; then
    # Stop before delete: a running recorder cannot be deleted.
    aws configservice stop-configuration-recorder \
      --configuration-recorder-name "$RECORDER" \
      --region "$region"
    aws configservice delete-configuration-recorder \
      --configuration-recorder-name "$RECORDER" \
      --region "$region"
    echo "Deleted recorder: $RECORDER"
  fi
  # The delivery channel can only be deleted once the recorder is stopped,
  # which is why it comes second.
  CHANNEL=$(aws configservice describe-delivery-channels \
    --region "$region" \
    --query "DeliveryChannels[0].name" \
    --output text 2>/dev/null)
  if [ "$CHANNEL" != "None" ] && [ -n "$CHANNEL" ]; then
    aws configservice delete-delivery-channel \
      --delivery-channel-name "$CHANNEL" \
      --region "$region"
    echo "Deleted channel: $CHANNEL"
  fi
done
```
How to Run This
- Log into each affected account: use AWS CloudShell, IAM Identity Center (SSO), or `aws sts assume-role` with a role such as `AWSControlTowerExecution` or `OrganizationAccountAccessRole`
- Paste and run the script above
- Repeat for every account that had pre-check errors
- Go back to Control Tower → Organization → select the OU → Actions → Re-register OU
Is This Safe?
Largely, yes. AWS Control Tower deploys its own Config recorder and delivery channel as part of a successful OU registration, so you are only removing the ones that block enrollment. Three things are worth checking first. Config rules and conformance packs are not deleted with the recorder, but they stop evaluating until a recorder exists again, so anything that depends on them (a custom rule that feeds a ticketing workflow, a conformance pack someone reports on) goes quiet between your cleanup and the moment enrollment finishes. The delivery channel's S3 bucket and SNS topic stay in place, along with the configuration history already delivered to them; decide separately whether to keep or retire those. And if someone set up the existing recorder deliberately, coordinate with that team before deleting it.
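The steps above are typed once per account; the script below, an added example and not the original post's cleanup script, does the same work from the management account for a list of accounts, assuming a cross-account role into each and running the all-regions cleanup there. Before deleting anything in a region it prints the Config rules and conformance packs still present, which is the dependency check a team should look at before the recorder goes. The account list, the role name `OrganizationAccountAccessRole`, and the `AWS_CMD` and `DRY_RUN` knobs are this example's own assumptions, not AWS CLI options; the shell running it needs management-account credentials that may `sts:AssumeRole` into that role in every listed account.

```bash
#!/usr/bin/env bash
# Multi-account, all-region cleanup of pre-existing AWS Config recorders and
# delivery channels ahead of a Control Tower OU registration.
# Added example; not the original post's script.
# Assumptions (hypothetical, change them for your environment):
#   - the shell holds management-account credentials allowed to assume
#     ROLE_NAME in every account listed in ACCOUNTS
#   - ROLE_NAME exists in each member account
#   - AWS_CMD and DRY_RUN are this example's own knobs, not AWS CLI options
set -eu

ACCOUNTS="${ACCOUNTS:-}"                                # space-separated 12-digit account IDs
ROLE_NAME="${ROLE_NAME:-OrganizationAccountAccessRole}"
AWS_CMD="${AWS_CMD:-aws}"                               # point at a stub to test without AWS
DRY_RUN="${DRY_RUN:-0}"                                 # 1 = inventory and print, delete nothing

# With --output text the CLI prints the literal string "None" for an empty list,
# and nothing at all if the describe call itself failed (e.g. region not opted in).
has_resource() {
    [ -n "${1:-}" ] && [ "$1" != "None" ]
}

# Execute a mutating call, or only echo it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "DRY-RUN: $AWS_CMD $*"
    else
        "$AWS_CMD" "$@"
    fi
}

verb() {
    if [ "$DRY_RUN" = "1" ]; then echo "would delete"; else echo "deleted"; fi
}

# List what still depends on the recorder in this region. Rules and conformance
# packs survive the deletion but stop evaluating until a recorder exists again.
inventory_region() {
    local region="$1" rules packs
    rules=$("$AWS_CMD" configservice describe-config-rules --region "$region" \
        --query "ConfigRules[].ConfigRuleName" --output text 2>/dev/null || true)
    packs=$("$AWS_CMD" configservice describe-conformance-packs --region "$region" \
        --query "ConformancePackDetails[].ConformancePackName" --output text 2>/dev/null || true)
    echo "$region: config rules: $rules"
    echo "$region: conformance packs: $packs"
}

# Order matters: AWS Config refuses to delete a delivery channel while a
# recorder is running, so the recorder is stopped and deleted first.
cleanup_region() {
    local region="$1" recorder channel
    recorder=$("$AWS_CMD" configservice describe-configuration-recorders --region "$region" \
        --query "ConfigurationRecorders[0].name" --output text 2>/dev/null || true)
    if has_resource "$recorder"; then
        run configservice stop-configuration-recorder --configuration-recorder-name "$recorder" --region "$region"
        run configservice delete-configuration-recorder --configuration-recorder-name "$recorder" --region "$region"
        echo "$region: $(verb) recorder $recorder"
    fi
    channel=$("$AWS_CMD" configservice describe-delivery-channels --region "$region" \
        --query "DeliveryChannels[0].name" --output text 2>/dev/null || true)
    if has_resource "$channel"; then
        run configservice delete-delivery-channel --delivery-channel-name "$channel" --region "$region"
        echo "$region: $(verb) delivery channel $channel"
    fi
}

# Export short-lived credentials for one member account into the calling shell.
assume_into_account() {
    local account="$1" creds
    creds=$("$AWS_CMD" sts assume-role \
        --role-arn "arn:aws:iam::${account}:role/${ROLE_NAME}" \
        --role-session-name "config-cleanup" \
        --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" --output text)
    set -- $creds   # split the tab-separated triple --output text emits
    export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
}

# A subshell keeps one account's credentials from leaking into the next account.
cleanup_account() {
    local account="$1"
    echo "##### account $account #####"
    (
        assume_into_account "$account"
        for region in $("$AWS_CMD" ec2 describe-regions --query "Regions[].RegionName" --output text); do
            inventory_region "$region"
            cleanup_region "$region"
        done
    )
}

for account in $ACCOUNTS; do
    cleanup_account "$account"
done
```

Run it first as `DRY_RUN=1 ACCOUNTS="111111111111 222222222222" ./config-cleanup.sh` to get the per-region inventory and the exact delete calls it would make, then without `DRY_RUN` once the owners of any listed rules or conformance packs have agreed. The `2>/dev/null || true` on each describe call is deliberate: a region the account cannot use returns an error, which the script treats as "nothing there" rather than aborting the whole run.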
Key Takeaway
When the Control Tower console says "in all regions", it means it. Config recorders and delivery channels are regional resources, so even if you only operate in us-east-1 they can exist in any other region the account is enabled for. The all-regions cleanup script is the safest and most reliable approach.
Have questions or ran into a different Control Tower issue? Connect with me on LinkedIn.