Overview
The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices.
Before deploying this solution, customers need to have an AWS Control Tower landing zone deployed in their account.
This solution enables customers to easily add customizations to their AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs).
You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization.
This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with the customer’s landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account’s OUs will be automatically deployed.
Click here for more information about the solution.
Architecture
What to expect in this lab:
- Set up the Customizations for Control Tower (CfCT) Solution
- Deploy an additional preventive guardrails (SCP policy)
- Deploy an IAM Role in AWS Control Tower Account (Simple Lab)
- Deploy an aditional detective guardrails (Config Rule)
Set up the Customizations for Control Tower (CfCT) Solution
Deploy the Customizations for Control Tower Solution
In this section of the lab, you will deploy the Customizations for Control Tower Solution on your Master account in your CT-Home-Region. The _CT-Home-Region is the AWS region where you launched AWS Control Tower.
- Login to yout AWS Control Tower master account.
- Click on the Launch Stack below to launch the CfCT solution
- Choose Next
- In Specify stack details page update below parameters and leave the remaining as defaults.
- AWS CodePipeline Source:
AWS CodeCommit
- AWS CodePipeline Source:
- Choose Next, Next
- In Review page, select I acknowledge that AWS CloudFormation might create IAM resources with custom names. and choose Create stack
Wait for the stack to complete. It could 5-10 minutes.
For details about deployment, see CfCT Solution Deployment Guide
Deploy the customizations
Connect to the CodeCommit Repository from your local machine.
- Navigate to CodeCommit console to access the CodeCommit repository created part of the solution.
- Follow instructions to connect to the CodeCommit repository.
For Mac : [Click here for instructions].
- Navigate to CodeCommit console.
- Under Clone URL, choose HTTPS (GRC) to copy the link to buffer.
- Install git-remote-codecommit package in your Mac.
- Follow the steps in Programmatic access lab.
- Clone the CodeCommit repository to your Mac.
pip install git-remote-codecommitgit clone <HTTPS (GRC) Buffer copied above>To use Cloud9 Environment: [Click here for instructions].
- Navigate to Cloud9 Console, and select Create environment
- Type in appropriate
NameandDescriptionto choose on Next step - Pick following options in Environment settings and choose Next step
- Create a new instance for environment (EC2)
- t2.micro (1 Gib RAM + 1 vCPU)
- Amazon Linux
- Choose Create environment
- Once the environment is ready, make sure to install
gitpackage.
sudo yum install git -y
Download the Customizations lab content to your local CodeCommit Repository:
cd <Your-local-CodeCommit-Repository>wget https://marketplace-sa-resources.s3.amazonaws.com/ctlabs/custom-control-tower-configuration.zip unzip custom-control-tower-configuration.ziprm custom-control-tower-configuration.zipModify the lab content as needed for your environment:
- Rename the regions in
manifest.yaml- [MANDATORY] In line#3, replace
region: us-west-2withregion: <Your-CT-Home-Region> - [OPTIONAL] In
cloudformation_resources:section, change the regions as needed. NOTE: IAM Rolestackset-1need to be deployed on only one region as IAM user is a global resource. - Update
apply_to_accounts_in_ouanddeploy_to_ouas needed. For this lab, you could leave them default. - Save the file.
- [MANDATORY] In line#3, replace
- Update parameters as needed. For this lab you will change the maximum key rotation limit from 24 to 30 days.
- Update
"ParameterValue": "24"inparameters/access_keys_rotated.jsonfile from24to30. - Save the file.
- Update
Refer to the Developers Guide for additional information.
- Rename the regions in
Checkin the customizations to your CodeCommit Repository:
- Follow the steps below to checkin the customizations in to your CodeCommit Repository
cd <Your-local-CodeCommit-Repository>git status git add -A git commit -m 'Initial checkin' git push
- Follow the steps below to checkin the customizations in to your CodeCommit Repository
Check the progress on the CodePipeline
- Navigate to AWS CodePipeline Console on your master account.
- Choose Custom-Control-Tower-CodePipeline to track the status of the pipeline at various stages.
- Wait (could take ~10 minutes) until the last stage CloudformationResource is complete.
Congratulations, you sucessfully deployed Customizations for Control Tower Solution, added your customizations, and deployed them in to your AWS Control Tower environment.
In the following sections, you will see how to verify the customizations you just deployed.
Deploy an additional preventive guardrails (SCP policy)
- On your Master Account, navigate to AWS Organizations Policies Page
- Select test-preventive-guardrails and choose View details on right side panel.
This is the policy policies/preventive-guardrails.json you checked in to the CodePipeline.
Deploy an IAM Role in AWS Control Tower Account (Simple Lab)
- Log in to a Provisioned Account (an account which is in DEVENV or Custom OU) with AWSAdministratorAccess .
- Navigate to IAM Console
- Check for a role that starts with
StackSet-CustomControlTower-*
This role is deployed by the CodePipeline. While you are on logged in to this account, you may also verify the Cloudformation resources that created this role.
Deploy an aditional detective guardrails (Config Rule)
- In the Provisioned Account, navigate to AWS Config Console
- Choose Rules to list the Config Rules (detective guardrails) deployed.
- Choose ACCESS_KEYS_ROTATED to view the details of the Config Rule.
This Config Rule is deployed by the CodePipeline. You could verify this further from the CloudFormation Console as well.
Cleanup Steps
1. Delete the CloudFormation StackSets
- Navigate to AWS Cloudformation StackSet Console for stackset-1 deployed by this solution.
- Note down the AWS account number, you will use this in next step.
- On top right, under Actions choose Delete stacks from StackSet from the drop down.
- In Accounts section, Account numbers, type in the
AWS-Account-IDyou copied above. - Under Specify regions, choose Add all regions
- Choose Next, Submit
- Refresh the screen and wait for the Operation ID status change to
SUCCEEDED. - On top right, under Actions choose Delete StackSet from the drop down.
- Repeat the above steps for stackset-2
2. Detach and delete the Service Control Policies
- Navigate to AWS Organizations Service Control Policies screen.
- Select test-preventative-guardrails, and choose Organizations units on the right panel.
- Choose Detach on all OUs.
- Click on Delete Policy button to delete the service control policy.
3. Delete the Solution Stack
- Navigate to CloudFormation Console
- Select the Customization framework stack you deployed in Deploy the Customizations for Control Tower Solution section above.
- Choose Delete to delete the solution completely.
Note that the S3 Bucket and CodeCommit repository created part of this solution are not deleted when the stack is deleted. If required delete them manually.