[AWS] Control Tower

AWS Control Tower ensures your accounts conform to company-wide policies. It provides a simple way to set up and govern a multi-account environment.


Features

  • Set up new accounts using a multi-account strategy
  • Integrates directly with the AWS Organizations service
    • Automatically sets up AWS Organizations to manage accounts and SCPs (Service Control Policies)
  • Provides a dashboard to manage accounts and monitor compliance

AWS Control Tower vs. AWS Organizations

AWS Control Tower and AWS Organizations – AWS Organizations (amazon.com)

  • AWS Organizations is the service for managing multiple accounts through a single root (management) account.
  • AWS Control Tower extends AWS Organizations by applying preventive and detective guardrails that keep your accounts from diverging from best practices.

Setup

  • AWS Organizations
    • Organizational Units (OUs)
    • Service Control Policies (SCPs)
  • Shared Accounts
    • Management account
    • Log Archive account
    • Audit account

Landing Zone

A Landing Zone is an automatically provisioned multi-account environment that is secure and compliant.

It consists of

  • AWS Organizations
    • Organizational Units (OUs)
    • Service Control Policies (SCPs): preventive actions that disallow insecure configurations
  • Account Factory
  • IAM Identity Center
  • Guardrails & AWS Config
    • Detective actions to identify non-compliant resources, such as untagged resources

Account Factory

Features

  • Automatically provisions accounts
  • Creates pre-approved configurations for AWS accounts in your Organization
    • VPC settings, subnets, regions…
    • Uses AWS Service Catalog to provision resources for a new account
  • Events
    • You can catch the “CreateManagedAccount” event with an EventBridge rule and send it to SNS or Lambda
# Event

{
  "version": "0",
  "detail-type": "AWS Service Event via CloudTrail",
  "source": "aws.controltower",
  "account": "XXXXXXXXXXXX",
  ...
  "detail": {
    "eventVersion": "1.05",
    "eventSource": "controltower.amazonaws.com",
    "eventName": "CreateManagedAccount",
    "eventType": "AwsServiceEvent",
    "serviceEventDetails": {
      "createManagedAccountStatus": {
        "organizationalUnit": {
          "organizationalUnitName": "Custom",
          "organizationalUnitId": "ou-XXXX-l3zc8b3h"
        },
        "account": {
          "accountName": "LifeCycle1",
          "accountId": "XXXXXXXXXXXX"
        },
        "state": "SUCCEEDED",
        ...
      }
    }
  }
}
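An added example (not from these notes and not AWS's own code): a Python Lambda handler that receives the CreateManagedAccount event above from an EventBridge rule, checks that it really is the Control Tower lifecycle event before acting on it, and flattens the fields downstream automation needs. The sample event, account IDs and OU ID are constructed placeholders; handler() and the "bootstrap"/"alert" actions are hypothetical names.

```python
import copy
import json

# Constructed sample event, modelled on the CreateManagedAccount event shape shown
# above. Account IDs and the OU ID are placeholders, not real values.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "111111111111",
    "detail": {
        "eventVersion": "1.05",
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Custom",
                    "organizationalUnitId": "ou-xxxx-placeholder",
                },
                "account": {"accountName": "LifeCycle1", "accountId": "222222222222"},
                "state": "SUCCEEDED",
            }
        },
    },
}

# Same event with a failed provisioning state (constructed for the failure path).
FAILED_EVENT = copy.deepcopy(SAMPLE_EVENT)
FAILED_EVENT["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = "FAILED"


def is_create_managed_account_event(event):
    """True only for the Control Tower CreateManagedAccount lifecycle event."""
    detail = event.get("detail") or {}
    return event.get("source") == "aws.controltower" and detail.get("eventName") == "CreateManagedAccount"


def parse_create_managed_account(event):
    """Flatten the nested status block into one record.

    Raises ValueError for anything else, so a mis-scoped EventBridge rule fails
    loudly instead of the handler silently acting on the wrong event.
    """
    if not is_create_managed_account_event(event):
        raise ValueError("not a Control Tower CreateManagedAccount event")
    status = event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_id": status["organizationalUnit"]["organizationalUnitId"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
        "state": status["state"],
    }


def handler(event, context=None):
    """Hypothetical Lambda entry point: decide what downstream automation should do."""
    record = parse_create_managed_account(event)
    # A successful account is handed to bootstrap automation; anything else is
    # surfaced to an operator rather than being retried blindly.
    action = "bootstrap" if record["state"] == "SUCCEEDED" else "alert"
    message = {"action": action, **record}
    print(json.dumps(message))
    return message


if __name__ == "__main__":
    handler(SAMPLE_EVENT)
    handler(FAILED_EVENT)
```

The EventBridge rule that targets this function should match on source "aws.controltower" and detail.eventName "CreateManagedAccount"; the handler re-checks both so that a broadened rule cannot feed it unrelated CloudTrail service events.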

Account Factory Customization (AFC)

  • Custom blueprint
    • CloudFormation template
      • Deployed as a Service Catalog product
    • Only one blueprint can be deployed per account

Account Factory for Terraform (AFT)

  • You can provision accounts using the account request Terraform file (account-request.tf).
  • CodePipeline can be used to orchestrate the CI/CD pipeline.
module "aft" {
  ...

  # Optional feature flags
  aft_feature_enterprise_support          = false
  aft_feature_delete_default_vpcs_enabled = false
}

Detecting Policy Violations

You can detect and remediate policy violations.

Guardrail

  • Provides ongoing governance of your landing zones (environments)
    • Detective – using AWS Config
    • Preventive – using SCPs (Service Control Policies)
  • Levels
    • Mandatory
      • ex) Disallow public read access to the Log Archive account
    • Strongly Recommended
      • Optional
      • Based on AWS best practices
      • ex) Enable EBS encryption
    • Elective
      • Optional
      • Commonly used practices
      • ex) Disallow delete actions without MFA in S3
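An added example for the detective side of guardrails above, and for the untagged-resource check mentioned under Landing Zone: Python evaluation logic in the shape an AWS Config custom rule hands back through put_evaluations. This is not Control Tower's own control code; REQUIRED_TAGS, the "requiredTags" rule parameter, the sample configuration items and their resource IDs are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Tags every resource must carry (a constructed policy for this example).
REQUIRED_TAGS = ("Owner", "CostCenter")

# Constructed configuration items, trimmed to the fields the check needs.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
     "tags": {"Owner": "team-a", "CostCenter": "1234"}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example2",
     "tags": {"Owner": "team-b"}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
     "tags": {"Owner": ""}},   # present but empty is treated as missing
]


def missing_tags(item, required=REQUIRED_TAGS):
    """Required tag keys that are absent or empty on a configuration item."""
    tags = item.get("tags") or {}
    return [key for key in required if not tags.get(key)]


def evaluate_item(item, required=REQUIRED_TAGS, captured_at=None):
    """Build one evaluation in the format Config's put_evaluations expects."""
    missing = missing_tags(item, required)
    annotation = ("missing tags: " + ", ".join(missing)) if missing else "all required tags present"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if missing else "COMPLIANT",
        "Annotation": annotation[:256],   # Config caps annotations at 256 characters
        "OrderingTimestamp": captured_at or datetime.now(timezone.utc),
    }


def noncompliant_ids(items, required=REQUIRED_TAGS):
    """Resource IDs that fail the check, in input order (for a dashboard or ticket)."""
    return [e["ComplianceResourceId"] for e in (evaluate_item(i, required) for i in items)
            if e["ComplianceType"] == "NON_COMPLIANT"]


def lambda_handler(event, context=None):
    """Config custom-rule entry point for change-triggered evaluations.

    Config passes the configuration item inside the invokingEvent JSON string and
    expects the verdict back under the event's resultToken.
    """
    import boto3   # imported here so the pure functions above stay testable offline
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    # "requiredTags" is a hypothetical comma-separated rule parameter.
    required = tuple(t.strip() for t in params.get("requiredTags", ",".join(REQUIRED_TAGS)).split(","))
    evaluation = evaluate_item(item, required, captured_at=item["configurationItemCaptureTime"])
    boto3.client("config").put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation["ComplianceType"]


if __name__ == "__main__":
    for e in (evaluate_item(i) for i in SAMPLE_ITEMS):
        print(e["ComplianceResourceId"], e["ComplianceType"], e["Annotation"])
```

Treating an empty tag value as missing matters in practice: a tagging policy that only checks for key presence is satisfied by `Owner=""`, which is exactly the kind of drift a detective guardrail is meant to surface.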

Migrating Existing Account to Control Tower

  1. Move the target account to an unregistered OU (Organizational Unit)
  2. From the Organization management account
    1. Create an IAM role “AWSControlTowerExecution”
    2. Evaluation – Deploy the AWS Config “Conformance Packs”
      • Evaluate the result of the conformance packs
      • Remove the Config delivery channel and recorder
  3. Move the account to the target OU under Control Tower
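An added example that turns the migration steps above into a runbook as data, in Python. It is not an AWS tool: plan_migration() emits the boto3 calls in order, with the conformance-pack review as a manual gate that apply_plan() will not cross until an operator confirms it, and RecordingClient stands in for real clients so the plan can be dry-run offline. The trust policy assumes the role is assumed by the management account's root principal with AdministratorAccess attached; all account and OU IDs below are placeholders, and the iam/config clients are assumed to be created from a session in the target account.

```python
import json

EXECUTION_ROLE = "AWSControlTowerExecution"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def execution_role_trust_policy(management_account_id):
    """Trust policy letting the Organization management account assume the role (step 2.1)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def plan_migration(management_account_id, account_id, current_parent_id,
                   unregistered_ou_id, target_ou_id,
                   recorder_name="default", delivery_channel_name="default"):
    """Ordered (client, operation, kwargs) steps for migrating one account."""
    steps = []
    # 1. Park the account in the unregistered OU (skipped if it is already there).
    if current_parent_id != unregistered_ou_id:
        steps.append(("organizations", "move_account", {
            "AccountId": account_id,
            "SourceParentId": current_parent_id,
            "DestinationParentId": unregistered_ou_id,
        }))
    # 2.1 Create the execution role inside the target account.
    steps.append(("iam", "create_role", {
        "RoleName": EXECUTION_ROLE,
        "AssumeRolePolicyDocument": json.dumps(execution_role_trust_policy(management_account_id)),
    }))
    steps.append(("iam", "attach_role_policy", {"RoleName": EXECUTION_ROLE, "PolicyArn": ADMIN_POLICY_ARN}))
    # 2.2 Conformance-pack results are reviewed by a person before anything is removed.
    steps.append(("manual", "review_conformance_pack_results", {"AccountId": account_id}))
    # Remove the pre-existing Config delivery channel and recorder in the target account.
    steps.append(("config", "delete_delivery_channel", {"DeliveryChannelName": delivery_channel_name}))
    steps.append(("config", "stop_configuration_recorder", {"ConfigurationRecorderName": recorder_name}))
    steps.append(("config", "delete_configuration_recorder", {"ConfigurationRecorderName": recorder_name}))
    # 3. Move the account under the Control Tower managed OU.
    steps.append(("organizations", "move_account", {
        "AccountId": account_id,
        "SourceParentId": unregistered_ou_id,
        "DestinationParentId": target_ou_id,
    }))
    return steps


def apply_plan(steps, clients, review_confirmed=False):
    """Run steps in order; stop at the manual gate unless the review is confirmed.

    Returns how many steps ran, so a caller can resume with steps[done:] later.
    """
    done = 0
    for client_name, operation, kwargs in steps:
        if client_name == "manual":
            if not review_confirmed:
                return done
        else:
            getattr(clients[client_name], operation)(**kwargs)
        done += 1
    return done


class RecordingClient:
    """Stand-in for a boto3 client: records calls instead of touching AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, operation):
        def call(**kwargs):
            self.calls.append((operation, kwargs))
            return {}
        return call


if __name__ == "__main__":
    plan = plan_migration("111111111111", "222222222222", "r-placeholder",
                          "ou-placeholder-unreg", "ou-placeholder-target")
    clients = {name: RecordingClient() for name in ("organizations", "iam", "config")}
    done = apply_plan(plan, clients)
    print(f"{done} of {len(plan)} steps ran; waiting for conformance-pack review")
    # For a real run, swap in boto3.client("organizations") from the management
    # account and iam/config clients from a session in the target account.
```

Keeping the manual gate as a step in the plan, rather than as a comment in a script, means the destructive part (deleting the Config delivery channel and recorder) cannot run before someone has looked at the conformance-pack results.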
