The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.

Before deploying this solution, customers need to have an AWS Control Tower landing zone deployed in their account.

This solution enables customers to easily add customizations to their AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs).

You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization.

This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with the customer’s landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account’s OUs will be automatically deployed.

Click here for more information about the solution.


architecture overview

What to expect in this lab:

  • Set up the Customizations for Control Tower (CfCT) Solution
  • Deploy an additional preventive guardrails (SCP policy)
  • Deploy an IAM Role in AWS Control Tower Account (Simple Lab)
  • Deploy an aditional detective guardrails (Config Rule)

Set up the Customizations for Control Tower (CfCT) Solution

Deploy the Customizations for Control Tower Solution

In this section of the lab, you will deploy the Customizations for Control Tower Solution on your Master account in your CT-Home-Region. The _CT-Home-Region is the AWS region where you launched AWS Control Tower.

  • Login to yout AWS Control Tower master account.
  • Click on the Launch Stack below to launch the CfCT solution CreateStack
  • Choose Next
  • In Specify stack details page update below parameters and leave the remaining as defaults.
    • AWS CodePipeline Source: AWS CodeCommit
  • Choose Next, Next
  • In Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names. and choose Create stack

Wait for the stack to complete. It could 5-10 minutes.

For details about deployment, see CfCT Solution Deployment Guide

Deploy the customizations

  • Connect to the CodeCommit Repository from your local machine.

    • Navigate to CodeCommit console to access the CodeCommit repository created part of the solution.
    • Follow instructions to connect to the CodeCommit repository.
      For Mac : [Click here for instructions].
      • Navigate to CodeCommit console.
      • Under Clone URL, choose HTTPS (GRC) to copy the link to buffer.
      • Install git-remote-codecommit package in your Mac.
      • pip install git-remote-codecommit
      • Follow the steps in Programmatic access lab.
      • Clone the CodeCommit repository to your Mac.
      • git clone <HTTPS (GRC) Buffer copied above>
      To use Cloud9 Environment: [Click here for instructions].
      • Navigate to Cloud9 Console, and select Create environment
      • Type in appropriate Name and Description to choose on Next step
      • Pick following options in Environment settings and choose Next step
        • Create a new instance for environment (EC2)
        • t2.micro (1 Gib RAM + 1 vCPU)
        • Amazon Linux
      • Choose Create environment
      • Once the environment is ready, make sure to install git package.
      • sudo yum install git -y

  • Download the Customizations lab content to your local CodeCommit Repository:

    cd <Your-local-CodeCommit-Repository>
    wget https://marketplace-sa-resources.s3.amazonaws.com/ctlabs/custom-control-tower-configuration.zip
    unzip custom-control-tower-configuration.zip
    rm custom-control-tower-configuration.zip

  • Modify the lab content as needed for your environment:

    • Rename the regions in manifest.yaml
      • [MANDATORY] In line#3, replace region: us-west-2 with region: <Your-CT-Home-Region>
      • [OPTIONAL] In cloudformation_resources: section, change the regions as needed. NOTE: IAM Role stackset-1 need to be deployed on only one region as IAM user is a global resource.
      • Update apply_to_accounts_in_ou and deploy_to_ou as needed. For this lab, you could leave them default.
      • Save the file.
    • Update parameters as needed. For this lab you will change the maximum key rotation limit from 24 to 30 days.
      • Update "ParameterValue": "24" in parameters/access_keys_rotated.json file from 24 to 30.
      • Save the file.

    Refer to the Developers Guide for additional information.

  • Checkin the customizations to your CodeCommit Repository:

    • Follow the steps below to checkin the customizations in to your CodeCommit Repository
      cd <Your-local-CodeCommit-Repository>
      git status
      git add -A
      git commit -m 'Initial checkin'
      git push 
  • Check the progress on the CodePipeline

    • Navigate to AWS CodePipeline Console on your master account.
    • Choose Custom-Control-Tower-CodePipeline to track the status of the pipeline at various stages.
    • Wait (could take ~10 minutes) until the last stage CloudformationResource is complete.

Congratulations, you sucessfully deployed Customizations for Control Tower Solution, added your customizations, and deployed them in to your AWS Control Tower environment.

In the following sections, you will see how to verify the customizations you just deployed.

Deploy an additional preventive guardrails (SCP policy)

This is the policy policies/preventive-guardrails.json you checked in to the CodePipeline.

Deploy an IAM Role in AWS Control Tower Account (Simple Lab)

  • Log in to a Provisioned Account (an account which is in DEVENV or Custom OU) with AWSAdministratorAccess .
  • Navigate to IAM Console
  • Check for a role that starts with StackSet-CustomControlTower-*

This role is deployed by the CodePipeline. While you are on logged in to this account, you may also verify the Cloudformation resources that created this role.

Deploy an aditional detective guardrails (Config Rule)

  • In the Provisioned Account, navigate to AWS Config Console
  • Choose Rules to list the Config Rules (detective guardrails) deployed.
  • Choose ACCESS_KEYS_ROTATED to view the details of the Config Rule.

This Config Rule is deployed by the CodePipeline. You could verify this further from the CloudFormation Console as well.

Cleanup Steps

1. Delete the CloudFormation StackSets
  • Navigate to AWS Cloudformation StackSet Console for stackset-1 deployed by this solution.
  • Note down the AWS account number, you will use this in next step.
  • On top right, under Actions choose Delete stacks from StackSet from the drop down.
  • In Accounts section, Account numbers, type in the AWS-Account-ID you copied above.
  • Under Specify regions, choose Add all regions
  • Choose Next, Submit
  • Refresh the screen and wait for the Operation ID status change to SUCCEEDED.
  • On top right, under Actions choose Delete StackSet from the drop down.
  • Repeat the above steps for stackset-2
2. Detach and delete the Service Control Policies
  • Navigate to AWS Organizations Service Control Policies screen.
  • Select test-preventative-guardrails, and choose Organizations units on the right panel.
  • Choose Detach on all OUs.
  • Click on Delete Policy button to delete the service control policy.
3. Delete the Solution Stack

Note that the S3 Bucket and CodeCommit repository created part of this solution are not deleted when the stack is deleted. If required delete them manually.