AWS Control Tower allows you to create new AWS accounts in your AWS Organization with AWS recommended best practices and guardrails in place. Our customers and partners often ask for ways to automatic execution of some customizations specific to their organizations on the creation of a new AWS account. The customizations include creating IAM roles to auto-integrate with the partner products, automate enabling services like VPC Flow Logs, Amazon GuardDuty, AWS Security Hub, and much more.
In this lab, you use AWS Control Tower life cycle events to achieve the below-mentioned tasks automatically when you create a new AWS account using Account Factory.
In this lab, you are going to use CloudFormation template provided to create an Amazon CloudWatch Event to watch for an AWS Service Event via CloudTrail and trigger an AWS Lambda function (or any other supported trigger) when one of the eight Control Tower Life Cycle events are received. For this lab, you are going to use AWS Lambda as a trigger.
The CloudFormation template provided as part of this lab, will create following resources:
An Amazon CloudWatch Event on the
An AWS Lambda function on the
master account, which acts as a trigger for the event.
You will type-in the partner(dome9) credentials as
Parameters. These parameters are stored as a secret in AWS Secrets Manager.
Launch multiple baseline AWS CloudFormation StackSet on master account.
When you create a new AWS Account, the stack-instances are added to these stack sets by the Lambda function.
1.1 This lab requires an account with Administrator privileges and Control Tower.
1.2 Email address to register with Dome9 and have access to it.
CloudFormation New Console. All instructions of this lab are based off new console.
1.4 If you are still on old console, expand CloudFormation on top left and choose New Console
1.5 Launch the CloudFormation stack in the region where your Control Tower is deployed.
Registering with a partner product and getting the credentials will take around 10-15 minutes. You may choose to skip this step by using dummy credentials given below. This will allow you to create the IAM roles on new account, skip registration with Dome9, and continue with remaining part of the lab.
|Parameter Name||Dummy Input|
Please Read: Using above values will CREATE required IAM roles. However it will NOT register your new account with Dome9.
You could jump to Launch the lab resources section if you decide to use above dummy credentials.
PS: When you register a dome9 free-trail account, you receive an email to accept the registration. Please make sure you have access to your email and 2-5 minutes of patience while registering.
2.1. Go to Dome9 Portal and select
2.2. Provide a valid email address and register for new account.
2.3. You will receive an email from dome9 to validate the email address you provided. Could take up to 5 min.
2.4. From the email received, follow the instructions to Complete Registration
3.1. On successful registration, login to the dome9 portal.
3.2. Under GET STARTED, choose Get started with Amazon
3.3. Choose GET STARTED and click on NEXT
3.4. On Create IAM Role for Dome9 page, note
External ID in to you favorite notepad.
3.5. You don’t need to proceed further on this screen as will programmatically configure the accounts in this lab.
3.6. Click on SETTINGS on the left side panel and choose Credentials.
3.7. Under V2 API, choose CREATE API KEY to generate
New API keys.
3.8 Note the
Secret in to your favorite notepad.
Congratulations, you successfully created a dome9 account and captured the Key information required for proceeding with this lab.
By end of this section, you should have following information. If anything missing, please go back and collect it before continuing. We will use this information in the next part of our lab.
In this part of the Lab, you will launch a CloudFormation Stack to setup the lab environment in your account.
In this section you will create an Organizational Unit(OU) from AWS Control Tower. We will use this OU to enable guardrail in the next step.
4.1. Login to AWS Control Tower Dashboard and click on Organizational units on the left Sidebar.
4.2. This opens up an Organizational units window. Click on Add an OU button.
4.3. Provide a new OU Name (say
Sandboxes) and click on Add button.
4.4. Wait for green Success notification on top of the page.
In this section you will enable a guardrail on newly created OU. Later in this lab when you create a new AWS account, it will have these guardrail enabled by default.
5.1. While you are still on AWS Control Tower Dashboard, Click on Guardrails on the left Sidebar.
5.2. This lists all the Guardrails. Search for Disallow internet connection through SSH and click on it.
5.3. Scroll down to Organizational units enabled section and click on Enable guardrail on OU button.
5.4. Select the OU named as
Sandboxes and click on Enable guardrail on OU button.
5.5. Wait for green Success notification on top of the page.
6.1. Log in to your AWS Control Tower
6.2. Choose the appropriate region.
6.5. On Specify stack details page, enter the information you noted in
steps 5.4 and
5.8 and choose NEXT
6.6. Under the Configure stack options page, choose NEXT.
6.7. Under the Review page,
scroll down, and select, I acknowledge that AWS CloudFormation might create IAM resources with custom names. Under Capabilities. Then choose Create stack.
6.8. Wait for the stack state change to CREATE_COMPLETE
7.1. Log in to Control Tower
Master account using the
User portal URL and
7.2. Click HERE to jump on to the Account Factory home page.
7.3. In the Account Factory page, under Network configuration, choose Edit.
7.4. Uncheck all four regions under Regions for VPC Creation and choose Save. By unselecting the regions, you are skipping the creation of VPCs on the new AWS account, reducing the overall time it takes for creating new AWS Account.
7.5. In the Account Factory page, choose Enroll account.
7.6. This opens up the Create account page. Key in below information
|Parameter Name||Input value|
|AWS SSO email||
|AWS SSO user name
||Your First Name|
|AWS SSO user name
||Your Last Name|
7.7. Follow the instructions on the screen, leave all
default values and Enroll account.
Congratulations, you successfully launched creation of a new AWS Account. Please Note!! The account creation process includes creating a new AWS account, applying baselines, and applying the appropriate guardrails on the newly created account. This account creation operation could take up to 30 minutes.
While the new AWS account is being created, proceed to the next part of the lab to Dive Deep into the resources deployed in steps 6.x.
While you wait for the creation of a new AWS account, look into the details of the resources deployed in steps 6.x.
8.1. While you are still on Control Tower
master account, go to CloudWatch Console.
8.2. Under CloudWatch and Events, choose Rules to open the Rules page.
8.3. On the Rules page, click on CaptureControlTowerLifeCycleEvents to open Summary page.
8.4. With in Event pattern content look for eventName list. These are the list of Events we watch for. 8.5. Scroll down the page and look at the Targets section.
8.6. Click on the Lambda function to inspect the code used to process the event received.
8.7. From the Lambda code you could see, when a new AWS Account is successfully provisioned, a new stack instance is added to the existing StackSets.
9.8. Go to the CloudFormation Console and choose StackSets.
9.9. Notice the StackSets
VPC-FLOWLOG-CREATION StackSets are created.
9.10. Click on each StackSet and look for Stack instances. There are
no stacks created for DOME9 stack, but you will a
Stack Instances(1) for VPC-FLOWLOG stack.
9.11. These are the stack instances deployed as part of the lab initialization template you ran in 4.x steps
9.12. Bonus: find out what is the trigger frequency for Lambda in
VPC-FLOWLOG-CREATION, this can help you to do verification later.
Wait for the provisioning of new account to complete. This could take 20-30 minutes if you have disabled all the four regions above in step 7.4.
10.1. Log in to Service Catalog Console and make sure you are in the
10.2. Choose Provisioned Products on the left side panel.
10.3. In Provisioned products list page, wait for the status to become
10.4. Click on provisioned product to additional information related to the new account.
10.5. Note down the
AccountId we will use it in next steps.
11.1. Log in to Dome9 Console. [SKIP this section if you have used dummy credentials provided in this lab during step 6.5]
11.2. Click on the AWS Accounts and key in
AccountId in the search bar to find your new AWS account.
Run the following steps on the new AWS account you just created on the previous step.
12.1. Sign in into your newly created AWS account with AWSAdministratorAccess role.
12.2. Navigate to VPC console. You can do this in any AWS regions.
12.3. Click Launch VPC Wizard. - Select VPC with a Single Public Subnet - Enter the VPC name, i.e. Test-VPC - Click Create VPC
12.4. Select the VPC from the list and go to Tags tab.
12.5. Click Add/Edit Tags.
12.6. Click Create Tag to add new key-value
12.7. Enter the following key-value tag
- Key =
- Value = choose either
12.8. Click Save
12.9. Lambda function will trigger periodically to scan for VPC with the tag key
flowlog, this could take up to 5 minutes (based on the
CheckFrequency value from
12.10. Click on Flow Logs tab in the VPC console to verify if the flow log created successfully.
Note: The S3 bucket is owned by
log archive account, there’s no cross-account access from your new AWS account.
12.11 To generate Flow Log traffic, feel free to explore by launching EC2 instances in this VPC.
12.12 Flow Log is stored in the
log archive account. Login to your
log archive account with AWSAdministratorAccess role to locate the S3 bucket.
To clean up the lab:
C.1 Sign in into your newly created AWS account, locate the new VPC from step 12.x.
C.2. Click on Flow Logs tab, select the Flow log from the list. Click Action > Delete.
C.3 On Control Tower
master account, go to CloudFormation Console.
C.4 Locate the stack you created previously on steps 6.x.
C.5. Click Delete stack, wait until stack deleted successfully.
C.6. Navigate to StackSet, confirm that StackSet
VPC-FLOWLOG-CREATION also deleted.
C.7 On the
log archive account, go to S3 Console.
C.8. Locate S3 bucket with name format
[$account_id]-vpcflowlog, empty and delete the S3 bucket