The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
Before deploying this solution, customers need to have an AWS Control Tower landing zone deployed in their account.
This solution enables customers to easily add customizations to their AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs).
You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization.
This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with the customer’s landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account’s OUs will be automatically deployed.
In this section of the lab, you will deploy the Customizations for Control Tower solution in your management (master) account in your CT-Home-Region. The CT-Home-Region is the AWS Region where you launched AWS Control Tower.
Wait for the stack to complete. It can take 5-10 minutes.
For details about deployment, see the CfCT Solution Deployment Guide.
Connect to the CodeCommit repository from your local machine. Install git and the git-remote-codecommit (GRC) helper, then clone the repository using the HTTPS (GRC) URL you copied above:
sudo yum install git -y
pip install git-remote-codecommit
git clone <HTTPS (GRC) URL copied above>
Download the Customizations lab content into your local clone of the CodeCommit repository:
wget https://marketplace-sa-resources.s3.amazonaws.com/ctlabs/custom-control-tower-configuration.zip
unzip custom-control-tower-configuration.zip
Modify the lab content (the manifest.yaml) as needed for your environment:
In the cloudformation_resources: section, change the regions as needed. NOTE: the IAM role stack set (stackset-1) needs to be deployed to only one region, because IAM is a global service; listing more than one region would attempt to create the same role once per region.
Change deploy_to_ou as needed. For this lab, you can leave the default OU targets.
Refer to the Developers Guide for additional information.
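The following manifest is an added illustration of the two edits described above, not the lab's actual manifest.yaml. It uses the CfCT v1 manifest schema (version 2020-01-01) that the cloudformation_resources and deploy_to_ou keys belong to; the OU name "Custom", the template and parameter file paths, and the stack set name stackset-2 for the Config rule are assumptions, while preventive-guardrails and stackset-1 are the names the lab uses:

```yaml
---
# Added example CfCT manifest (not the lab's own file).
# Assumed: OU "Custom", the template/parameter paths, and "stackset-2".
region: us-east-1          # CT-Home-Region, where the CfCT pipeline runs
version: 2020-01-01

organization_policies:
  # SCP attached to every account in the listed OU(s)
  - name: preventive-guardrails
    description: Prevent member accounts from disabling guardrail resources
    policy_file: policies/preventive-guardrails.json
    apply_to_accounts_in_ou:
      - Custom

cloudformation_resources:
  # IAM is global: one region is enough, and a second region would try
  # to create the same role a second time.
  - name: stackset-1
    template_file: templates/iam-role.template     # assumed file name
    parameter_file: parameters/iam-role.json       # assumed file name
    deploy_method: stack_set
    deploy_to_ou:
      - Custom
    regions:
      - us-east-1

  # AWS Config rules are regional: list every region you want evaluated.
  - name: stackset-2                                # assumed name
    template_file: templates/config-rule.template  # assumed file name
    parameter_file: parameters/config-rule.json    # assumed file name
    deploy_method: stack_set
    deploy_to_ou:
      - Custom
    regions:
      - us-east-1
      - us-west-2
```

Every policy_file, template_file and parameter_file path must exist in the repository relative to manifest.yaml. The pipeline validates the manifest before it deploys anything, so a misspelled key or a missing file fails early in the pipeline rather than halfway through a stack set deployment.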
Check in the customizations to your CodeCommit repository:
git status
git add -A
git commit -m 'Initial checkin'
git push
Check the progress on the CodePipeline
Congratulations, you successfully deployed the Customizations for Control Tower solution, added your customizations, and deployed them into your AWS Control Tower environment.
In the following sections, you will see how to verify the customizations you just deployed.
This is the policy policies/preventive-guardrails.json that you checked in to the CodeCommit repository and that the CodePipeline attached as an SCP.
This role is deployed by the CodePipeline. While you are logged in to this account, you can also verify the CloudFormation stack instance that created this role.
This Config rule is deployed by the CodePipeline. You can verify this further from the CloudFormation console as well.
the AWS-Account-ID you copied above.
Note that the S3 bucket and the CodeCommit repository created as part of this solution are not deleted when the stack is deleted. If required, delete them manually.