This is the second article on AWS Control Tower and the AWS multi-account approach. In the first article I explained why you need a multi-account approach, what the best practices and recommendations are, and how to create the landing zone using AWS Control Tower.
In this article, we will continue by adding new AWS accounts to our multi-account setup and reviewing all the options in the AWS Control Tower service.
Once AWS Control Tower has finished creating the landing zone, it will have the following organizational structure:
Now, we will review all the options available in AWS Control Tower.
We have more than one account and need a central place to access all of them. Fortunately, AWS Control Tower provides a default configuration of the AWS single sign-on solution, IAM Identity Center (previously named AWS SSO).
IAM Identity Center expands the capabilities of AWS Identity and Access Management (IAM) to provide a central place that brings together the administration of users and their access to AWS accounts and cloud applications.
The default identity source is the Identity Center directory, an internal directory where we can add users directly to give them access to the organization.
This is the default configuration:
You can update the identity source of the IAM Identity Center configuration to use your Active Directory or an external identity provider.
By default, the only user created is the email address used for the root account, but you need to confirm it and set a new password. This is a new user, separate from the root user of the AWS management account.
To add a new user with this configuration, the following information is mandatory:
- Username (required to sign in to the AWS access portal; it cannot be changed later)
- Email address
- First name
- Last name
- Display name (typically the full name of the workforce user; it is searchable and appears in the user list)
By default, the following groups are created:
- AWSAccountFactory: Read-only access to account factory in AWS Service Catalog for end users
- AWSSecurityAuditors: Read-only access to all accounts for security audits
- AWSSecurityAuditPowerUsers: Power user access to all accounts for security audits
- AWSServiceCatalogAdmins: Admin rights to account factory in AWS Service Catalog
- AWSControlTowerAdmins: Admin rights to AWS Control Tower core and provisioned accounts
- AWSLogArchiveAdmins: Admin rights to log archive account
- AWSAuditAccountAdmins: Admin rights to cross-account audit account
- AWSLogArchiveViewers: Read-only access to log archive account
Use of SSO
You will access it through a link similar to “https://xxxxxxxxxxxxx.awsapps.com/start”, which opens this portal:
When you log in successfully, you will see the following:
Clicking on the AWS accounts menu (number) will display information about these accounts:
New Organizational Units (OUs)
Creating a new Organizational Unit (OU) is very easy from either AWS Control Tower or AWS Organizations:
- From AWS Control Tower: the OU is automatically registered in the Control Tower service
- From AWS Organizations: you need to register the OU in Control Tower afterwards
So, if you are using AWS Control Tower, it is better to create new OUs (Organizational Units) and AWS accounts from Control Tower rather than from AWS Organizations.
With the account factory you can provision new accounts and enroll existing accounts, and you can standardize your account and network configurations for creating multiple accounts.
In AWS Control Tower you can update the network configuration to define how VPCs will be created. When you save the changes, the defined configuration is published to AWS Service Catalog as a product.
To deploy new AWS accounts with Account Factory you have 2 options:
- Use the product in AWS Service Catalog
- Use Create accounts in the Account Factory feature of AWS Control Tower
In both cases, the mandatory fields are:
- Account email
- Display name
- Identity Center user email
- IAM Identity Center user name
- Organizational unit
Also, in both cases, the Service Catalog is used behind the scenes.
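As an added example (not code from the original article or from AWS), the following CloudFormation template provisions a new account through the Account Factory product, passing the same mandatory fields listed above; the product name and parameter keys are those of the Account Factory product in Service Catalog, while the emails, names, OU and version name are placeholders to replace:

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Provision an AWS account through the Control Tower Account Factory product (added example)

Parameters:
  AccountEmail:
    Type: String
    Default: sandbox-01@example.com          # placeholder; must be unique across all of AWS
  AccountName:
    Type: String
    Default: sandbox-01                      # the account's display name
  ManagedOrganizationalUnit:
    Type: String
    Default: Sandbox                         # OU registered in Control Tower (placeholder)
  SSOUserEmail:
    Type: String
    Default: jane.doe@example.com            # IAM Identity Center user that gets admin access
  SSOUserFirstName:
    Type: String
    Default: Jane
  SSOUserLastName:
    Type: String
    Default: Doe
  ProvisioningArtifactName:
    Type: String
    Default: "AWS Control Tower Account Factory"   # product version name; verify it in the Service Catalog console

Resources:
  # Equivalent to "Provision product" in Service Catalog or "Create accounts" in Account Factory:
  # Control Tower creates the account, moves it into the OU and applies that OU's guardrails.
  NewAccount:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductName: AWS Control Tower Account Factory
      ProvisioningArtifactName: !Ref ProvisioningArtifactName
      ProvisionedProductName: !Ref AccountName
      ProvisioningParameters:
        - Key: AccountEmail
          Value: !Ref AccountEmail
        - Key: AccountName
          Value: !Ref AccountName
        - Key: ManagedOrganizationalUnit
          Value: !Ref ManagedOrganizationalUnit
        - Key: SSOUserEmail
          Value: !Ref SSOUserEmail
        - Key: SSOUserFirstName
          Value: !Ref SSOUserFirstName
        - Key: SSOUserLastName
          Value: !Ref SSOUserLastName
```

The principal that deploys the stack must have access to the Account Factory product in Service Catalog, and account creation is asynchronous, so the stack stays in progress for several minutes.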
AWS Control Tower applies high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), and detect policy violations using AWS Config rules.
AWS Control Tower has 64 controls (governance rules for your AWS environment) in 3 different categories of guidance:
- Mandatory: always enforced
  - 20 preventive guardrails to enforce policies
  - 3 detective guardrails to detect configuration violations
- Strongly recommended: designed to enforce some common best practices for well-architected, multi-account environments.
  - Example: detect whether public write access to Amazon S3 buckets is allowed
- Elective: enable you to track or lock down actions that are commonly restricted in an AWS enterprise environment.
So, there are 23 mandatory guardrails and 41 others that you can enable. To enable one of them, select the OU, click on Enable control on OU and then select the control.
Infrastructure as Code (IaC)
There are at least 2 solutions to define your AWS resources or SCPs as Infrastructure as Code (IaC) and deploy them to each account (new or existing):
- Customizations for Control Tower (CfCT): uses CloudFormation
- Control Tower Account Factory for Terraform: uses a Terraform module
Customizations for Control Tower (CfCT)
Customizations for AWS Control Tower (CfCT) helps you customize your AWS Control Tower landing zone and stay aligned with AWS best practices. Customizations are implemented with AWS CloudFormation templates and service control policies (SCPs).
Deploying CfCT builds the following environment in the AWS Cloud.
CfCT deploys two workflows:
- an AWS CodePipeline workflow (executed when changes are pushed to the source)
- an AWS Control Tower lifecycle event workflow (executed when a new account is launched)
To deploy CfCT:
- Step 1: Launch the stack in CloudFormation here. You can choose S3 or CodeCommit as the source.
- Step 2: Connect to the source and commit some changes (the CodePipeline workflow is executed automatically when you upload the new changes).
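As an added example (not from the CfCT project or the original article), here is a CfCT manifest.yaml that deploys the two kinds of customization this section describes, and which also illustrates the guardrails section above: a custom SCP, which is the mechanism preventive guardrails use, and a CloudFormation template deployed as a StackSet. The OU names, file paths, region and parameter values are placeholders; the layout follows CfCT's 2021-03-15 manifest schema.

```yaml
# manifest.yaml at the root of the S3 bucket or CodeCommit repository used as the
# CodePipeline source. resource_file paths are relative to this file.
region: us-east-1          # home region of the landing zone (placeholder)
version: 2021-03-15        # manifest schema version

resources:
  # 1) A custom SCP: a preventive control attached to the OU, the same mechanism
  #    Control Tower uses for its preventive guardrails. The referenced file is an
  #    ordinary SCP JSON document (placeholder path).
  - name: deny-leaving-organization
    description: Prevent member accounts from leaving the organization
    resource_file: policies/deny-leave-organization.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Sandbox

  # 2) A CloudFormation template deployed as a StackSet to every account in the
  #    listed OUs. Accounts created later are covered by the lifecycle event
  #    workflow, so the baseline is applied to new accounts automatically.
  - name: account-baseline
    description: Per-account baseline resources (placeholder template)
    resource_file: templates/baseline.yaml
    deploy_method: stack_set
    parameters:
      - parameter_key: NotificationEmail
        parameter_value: security-alerts@example.com   # placeholder
    deployment_targets:
      organizational_units:
        - Sandbox
        - Workloads
    regions:
      - us-east-1
```

Committing this manifest together with the referenced files triggers the CodePipeline workflow, which attaches the SCP to the Sandbox OU and creates the StackSet instances in each target account.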
Manage AWS Accounts Using Control Tower Account Factory for Terraform
There is a Terraform module that makes it easy to create and customize new accounts that comply with your organization's security guidelines.
Here is the official link that explains how to do it step by step.