AWS Multi-Account Strategy-Part 3
You can jump to other parts of this series here:
1. AWS Multi-Account Strategy-Part 1
2. AWS Multi-Account Strategy — Part 2
In the previous article, we saw how to manually implement a multi-account strategy using best practices. Here, we will learn how to automate the whole process.
Automation
AWS Service Catalog
A newly created account from AWS Organizations has no resources. Users would have to manually deploy the same resources in every account they use, which leads to resources that are not uniformly configured across accounts. We can solve this problem with AWS Service Catalog.
Imagine AWS Service Catalog as an infrastructure vending machine, where users choose the pre-configured CloudFormation stacks they want to deploy in their accounts. It uses AWS CloudFormation as the creation engine. These pre-configured CloudFormation stacks work as building blocks; they are convenient and safe because they let you standardize your architecture.
Now you may ask: how can the entire Service Catalog be there and ready to use in newly created accounts, when accounts created by AWS Organizations are pretty much empty? That's where AWS Control Tower comes into the picture.
AWS Control Tower
AWS Control Tower automates account deployment. If you imagine AWS Service Catalog as a resource vending machine, you can imagine Control Tower as an account vending machine. AWS Service Catalog mostly runs within one account. Control Tower can create new accounts and automatically deploy not only AWS Service Catalog portfolios but everything else as well, as soon as the accounts are created. This helps you standardize your accounts.
AWS Control Tower has the following features:
- Landing Zone: The landing zone is a cloud environment that offers a recommended starting point, including default accounts, account structure, network and security layouts, and so forth. It is a multi-account setup designed with the best security and compliance practices in mind. It’s like a big container for your company, holding root, all your organizational units, accounts, users, and resources that need to comply with regulations. It’s flexible enough to grow with a business of any size.
- Controls: Controls are like high-level rules or guardrails for your AWS environment, keeping everything in check. They come in three flavors: preventive, detective, and proactive, and they’re categorized as mandatory, strongly recommended, or elective. Preventive controls are implemented with Service Control Policies (SCPs). Detective controls are implemented with AWS Config rules. Proactive controls are implemented with AWS CloudFormation hooks.
- Account Factory: The Account Factory is a customizable template for creating new accounts that meet pre-set configurations. AWS Control Tower’s Account Factory streamlines the process of setting up new accounts in your organization.
- Dashboard: The dashboard gives your cloud admin team a bird’s-eye view of your landing zone. It shows all the accounts set up, the controls in place for enforcing policies, the ones checking for policy breaches, and organizes noncompliant resources by accounts and OUs.
The structure of a landing zone in AWS Control Tower is as follows:
- Root: The overarching parent that encompasses all other Organizational Units (OUs) in your landing zone.
- Security OU: This OU is home to the Log Archive and Audit accounts, commonly known as shared accounts. When setting up your landing zone, you can personalize the names for these accounts.
- Sandbox OU: The Sandbox OU comes into existence with your landing zone launch if you opt for it. It, along with other registered OUs, includes the accounts your team uses to manage their AWS tasks.
- IAM Identity Center directory: This directory is where your IAM Identity Center users are located. It outlines the permissions boundaries for each user within IAM Identity Center.
- IAM Identity Center users: These users are the identities your team members will adopt to carry out AWS operations within your landing zone.
What happens when you set up Control Tower:
- It creates two organizational units (OUs) within AWS Organizations: ‘Security’ and an optional ‘Sandbox’, both nested under the root structure.
- It creates two shared accounts within the Security OU: the Log Archive and the Audit accounts.
- It sets up a cloud-native directory in IAM Identity Center, complete with pre-set groups and single sign-on capabilities, if you opt for the standard AWS Control Tower setup. Alternatively, you can manage your identity provider independently.
- It implements all mandatory preventive controls to ensure policy compliance.
- It enforces all mandatory detective controls to identify any configuration discrepancies.
- Controls are applied across the organization, with the exception of the management account.
Now we will set up AWS Control Tower from the AWS web console.
Log in to the AWS account where you want to set up AWS Control Tower. This account becomes the management account after the setup is finished.
1. Landing Zone: Open the AWS Control Tower service and click Set up your landing zone. I chose the default settings except in one place: I renamed the Sandbox OU to Workloads OU because this is the OU where I will run my workloads. When you click the final Submit button, you will see the following screen:
2. Dashboard: Note that Root is not an OU; it is just a logical container that holds all other OUs. There are a total of 2 OUs registered in this Control Tower, Security and Workloads, and a total of 3 accounts enrolled: Log Archive, Audit and <your management account name>. This whole setup is called a landing zone.
You will also see a Single sign-on link under Users and Access. In IAM Identity Center, an admin user will have been created for your management account.
3. Controls: When you create a new landing zone, AWS Control Tower enables all Mandatory controls by default and applies them to your top-level OUs. Strongly recommended and elective controls are not enabled by default.
You can open one of the Mandatory controls and see the OUs and accounts on which it is enabled. Since it is a Preventive control, you can see the SCP used to implement it under the Artifacts tab.
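To show the shape such an artifact takes, here is a constructed SCP in the spirit of a preventive control (an added illustration, not the managed policy Control Tower ships): it denies tampering with the landing-zone CloudTrail trail by any principal other than Control Tower's own execution role. The trail name prefix and the AWSControlTowerExecution role name are the ones Control Tower creates; the statement itself is simplified.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyChangesToLandingZoneTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/aws-controltower-*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```

Because an SCP is attached at the OU level, every account under that OU inherits the deny regardless of how permissive its own IAM policies are, which is what makes the control preventive rather than detective.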
4. Account Factory: To use Account Factory, you need to log in as Admin in the management account. First, you have to verify your Admin email: AWS Control Tower sends an email to your Admin email address. Click the Accept invitation link in that email and set up a new password. Now open the User Portal URL in the Users and Access section and sign in with your Admin credentials.
New accounts in AWS Control Tower are created and then provisioned by an interaction among AWS Control Tower, AWS Organizations, and AWS Service Catalog.
The process of account creation unfolds behind the scenes, starting with your request, which can be made through the AWS Control Tower Account Factory or the AWS Service Catalog console. Launching accounts using Service Catalog is also referred to as advanced account provisioning, or manual account provisioning. AWS Service Catalog then signals AWS Control Tower to initiate a workflow. This workflow kicks off by calling the AWS Organizations CreateAccount API. Once AWS Organizations has set up the account, AWS Control Tower rounds off the setup by applying blueprints and controls. Meanwhile, Service Catalog keeps checking in with AWS Control Tower to monitor the progress of the provisioning. Upon completion of the workflow by AWS Control Tower, Service Catalog wraps up the account setup and notifies you, the requester, of the outcome.
Open Service Catalog, then, in the navigation pane, choose Products. Choose AWS Control Tower Account Factory and hit the Launch product button to start the account creation wizard. You can choose the parent OU there. As you fill out the required information, remember:
- The SSOUserEmail can either be a new email or one linked to an existing IAM Identity Center user. This user will get administrative rights to the new account.
- The AccountEmail should be unique and not tied to any existing AWS account. If you’ve opted for a new email for SSOUserEmail, feel free to use it here as well.
Once you’ve double-checked your settings, go ahead and click Launch. Avoid setting up a resource plan, as it will prevent the account from being provisioned successfully.
This new account will have all the controls enabled that are applied to its parent OU.
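The same launch can be scripted instead of clicked through. As an added example (not code from the article or from AWS), the function below applies the two rules above before anything is submitted (SSOUserEmail may be new or reused; AccountEmail must not belong to any existing account) and builds the ProvisioningParameters list that the Service Catalog ProvisionProduct call expects. The parameter keys are the Account Factory product's documented parameter names; the email addresses, OU names and account inventory are constructed, and the product and artifact IDs are placeholders.

```python
"""Pre-flight check for an Account Factory request (added example, not the
article's or AWS's code; parameter keys are the Account Factory product's
documented names; every sample value is constructed)."""
import re

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def build_account_factory_params(account_name, account_email, sso_email,
                                 sso_first, sso_last, parent_ou,
                                 existing_account_emails, registered_ous):
    """Return the ProvisioningParameters for `servicecatalog provision-product`,
    or raise ValueError with the reason the launch would fail.
    existing_account_emails: Email of every account already in the org
    (what Organizations ListAccounts returns); registered_ous: OUs shown as
    registered on the Control Tower dashboard."""
    for label, value in (("AccountEmail", account_email),
                         ("SSOUserEmail", sso_email)):
        if not EMAIL_RE.match(value):
            raise ValueError(f"{label} is not a valid email: {value!r}")
    # AccountEmail must not be tied to any existing account (case-insensitive).
    if account_email.lower() in {e.lower() for e in existing_account_emails}:
        raise ValueError(f"AccountEmail {account_email!r} is already in use")
    # Account Factory only provisions into OUs registered with Control Tower.
    if parent_ou not in registered_ous:
        raise ValueError(f"OU {parent_ou!r} is not registered")
    # SSOUserEmail may be new or an existing Identity Center user, and may
    # equal AccountEmail, so it needs no uniqueness check.
    return [
        {"Key": "AccountName", "Value": account_name},
        {"Key": "AccountEmail", "Value": account_email},
        {"Key": "SSOUserEmail", "Value": sso_email},
        {"Key": "SSOUserFirstName", "Value": sso_first},
        {"Key": "SSOUserLastName", "Value": sso_last},
        {"Key": "ManagedOrganizationalUnit", "Value": parent_ou},
    ]


if __name__ == "__main__":
    import json
    # Constructed inventory standing in for ListAccounts and the dashboard.
    existing = ["root@example.com", "log-archive@example.com", "audit@example.com"]
    params = build_account_factory_params(
        "payments-dev", "payments-dev@example.com", "payments-dev@example.com",
        "Payments", "Admin", "Workloads", existing, ["Security", "Workloads"])
    print(json.dumps(params, indent=2))
    # Launch with boto3: client("servicecatalog").provision_product(
    #     ProductId="<ACCOUNT_FACTORY_PRODUCT_ID>",       # placeholder
    #     ProvisioningArtifactId="<PRODUCT_VERSION_ID>",  # placeholder
    #     ProvisionedProductName="payments-dev", ProvisioningParameters=params)
```

Running the check against the Organizations account list before launching catches the duplicate-email case up front, instead of waiting for the Service Catalog workflow to fail after CreateAccount has been called.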