Account Factory



Objective: In this lab we’ll walk you through the steps involved in creating an AWS Account that is compliant with the policies assigned by AWS Control Tower. We’ll explain some of the parameters used for the new AWS Account. You will log into the AWS Account, create an S3 bucket, and see how the AWS Control Tower guardrails detect and report any policy violations.

Overview Steps: You will perform the following activities in this lab:

  • Create an Organizational Unit (OU) and enable a guardrail from the AWS Control Tower dashboard.
  • Modify the network baseline settings of Account Factory.
  • Launch a new AWS Account using Account Factory as an AWS Control Tower Admin user.
  • Log into the new AWS Account.
  • Create an S3 bucket with versioning disabled.
  • Investigate the violation captured by the AWS Control Tower and take corrective action.

1. AWS Control Tower environment setup

In this section, we’ll walk you through various AWS Control Tower operations that you could do before provisioning an account.

1.1 Create an Organizational Unit (OU)

You can also find the steps to create an OU in AWS Control Tower tasks: Create OUs

An OU is a container for AWS Accounts that allows you to apply a set of common policies to all AWS Accounts in that group in a single place. Basically, you create an entity to consolidate your AWS accounts so that you can administer them as a single unit. Please Note: AWS Organizations supports more complex OU structures; in contrast, AWS Control Tower supports only one OU level.

With AWS SSO, log into the AWS Control Tower management console in the Management account.

  1. When you launch AWS Control Tower, you will receive an email notification with SSO User portal URL and Username (referred to as admin user).
  2. The email notification will have instructions to log in to AWS SSO and then to AWS Console on the AWS Control Tower Management Account.
  3. Click on the Management Account to expand it. Select Management console next to the AWSAdministratorAccess role to log in to the AWS Management Console of the Management Account.
  4. Select the service AWS Control Tower under Management & Governance.

Create a new Organizational Unit from the AWS Control Tower dashboard

  1. Login to AWS Control Tower Dashboard and click on Organizational units on the Left Sidebar.
  2. This opens up the Organizational units page. Click on Add an OU button.
  3. Provide a new OU Name (for this lab, we will call it Labs) and click on Add button. Wait for the green Success notification on top of the page.

1.2 Enable a Strongly recommended Guardrail on the OU we just created

A guardrail is a high-level rule that provides ongoing governance for your overall AWS environment. It’s expressed in plain language. Guardrails enable you to express your policy intentions. For example, if you enable the detective guardrail Disallow public read access to S3 buckets on an OU, you can determine whether a user has attempted public read access to any S3 buckets for any AWS Accounts under that OU. Refer to Control Tower User Guide - Guardrails for more information.

In this lab, you will find two examples. Check out Enable Guardrails for more examples.

Enable a Strongly recommended Guardrail on new OU

  1. On AWS Control Tower Dashboard, click on Guardrails on the left sidebar.
  2. Search and choose Detect whether versioning for Amazon S3 buckets is enabled.
  3. Scroll down to Organizational units enabled section and choose Enable Guardrail on OU button.
  4. Select the name of the OU created on step 1 earlier (Labs for this lab) and choose Enable guardrail on OU button.
  5. Wait for the green Success notification on top of the page.

1.3 Modify Network baseline settings of the Account Factory

The Account Factory’s network settings (referred to as aws-controltower network) are not dynamic and should be modified before every launch. The aws-controltower network can also be disabled. In such a case, the VPC of that AWS Account would have to be provisioned after account creation.

To avoid incurring extra costs, we will not use the aws-controltower network for this lab.

Disable network configurations for new accounts

  1. While you are still on AWS Control Tower Dashboard, choose Account factory on the left sidebar.
  2. In Account factory page, under Network configuration, choose Edit button.
  3. Under Edit account factory network configuration:
    • Deselect all regions and choose Save.
    • With the above configuration you are disabling the AWS Control Tower provided VPC.
  4. After selecting the required options, click on Save.
  5. Wait for green Success notification on top of the page.

So far we have created an OU, enabled a Strongly recommended guardrail on that OU, and modified the network baseline settings. In the next section we will see how to provision a new AWS Account in this OU.

2. Launch a new AWS Account using Account Factory

By default, AWS Control Tower admin user will have permissions to launch the Account Factory. This section will walk through the steps involved in provisioning a new AWS Account as an AWS Control Tower admin user. You can create a new AWS Account by using the Enroll account button in AWS Control Tower or using the AWS Service Catalog product called AWS Control Tower Account Factory. Both are included in AWS Control Tower.

2.1 Launch a new AWS Account using Account Factory as an AWS Control Tower Admin user

Provision new AWS Account using Enroll account option

  1. On AWS Control Tower service console, choose Account factory from left side panel.
  2. Choose Enroll account
  3. Fill in the form

    3.1 Account Email : You MUST provide unique email IDs for any new AWS Account you create.

    3.2 Display Name : This is the account Alias and will be shown in the SSO portal.

    3.3 AWS SSO email

    3.4 AWS SSO user name

    3.5 Pick a ManagedOrganizationalUnit from the drop-down.

    3.6 Choose Enroll account.

    Note: The AWS SSO email field is used to enable access to the AWS Account in AWS SSO.

  4. As indicated in the blue banner at the top of your screen, you can track the status of AWS Account provisioning from the AWS Service Catalog service console under the individual Provisioned Product Name.

  5. The status of the launch can be monitored from the AWS Service Catalog dashboard, under the Provisioned products list by selecting the individual Provisioned Product Name


3. Creating resources that trigger the Guardrails

We will now proceed to trigger the guardrail Disallow S3 buckets that are not versioning enabled.

Creating an S3 bucket

In your new AWS Account provisioned in step 2, we will now create an Amazon S3 bucket with versioning disabled.

Login to the new AWS account as account owner.

  1. Using the SSO user portal landing page, log on using the SSO Email Address provided when you provisioned the AWS Account. That email address should have a message with the SSO Portal URL and login information.
  2. Using the welcome email’s information, you can set up a password and log in to the new AWS Account. Alternatively, go to AWS SSO and set up the password for that user.
  3. Once you have logged in to SSO you should see all your AWS Accounts.
  4. Click on the newly created account, then in the AWSAdministratorAccess row click Management console.

Creating an S3 bucket

  1. Log in to the AWS S3 console.
  2. Click on Create bucket.
  3. Give the bucket a unique name, scroll down to Bucket Versioning and make sure it is disabled.
  4. Scroll to the bottom of the page and click Create bucket

4. Investigate violation reported on the AWS Control Tower Dashboard

We will see how to monitor your AWS Control Tower environment using the dashboard.

Go back to the management account and check your AWS Control Tower dashboard. You should see the non-compliant OU.

4.1 Check the AWS Control Tower Dashboard

  1. Go back to your SSO user portal and switch AWS Accounts to your management account.
  2. Login to AWS Control Tower Dashboard with AWSAdministratorAccess
  3. Scroll down to Noncompliant resources. You will see the resource causing the violation.
  4. Click on the Link under Account Name to open complete Account details of the account with violations. Note down the AWS Account ID and Resource ID that is causing the violation.
  5. You could use the account owner information available on this page to notify about this violation.

4.2 Switch to the AWS Account to fix the violation

  1. Go back to your SSO user portal and switch AWS Accounts to your non-compliant account.
  2. Go to the S3 Management Console in the browser to view the S3 buckets in the newly created AWS Account.
  3. Scroll down and click on the bucket with the unique name you created in the step Creating an S3 bucket.
  4. Select Properties tab in the top panel and click on Edit on Bucket Versioning. Use the radio button and select Enable then Save changes.

4.3 Verify that the violations are fixed

  1. Go back to your SSO user portal and switch AWS Accounts to your management account.
  2. Log in to the AWS Control Tower Dashboard with AWSAdministratorAccess, or enter its address in the browser to access the AWS Control Tower Dashboard on the Management Account.
  3. Note that the violation noted earlier is now cleared and all the resources are Compliant. It could take a few minutes for the dashboard to update.
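
The check and fix from sections 3 and 4, as a scripted example added here (not part of the original lab): it classifies each bucket by its GetBucketVersioning response and enables versioning on the violators. It assumes that only Status "Enabled" counts as compliant; FakeS3 and the bucket names are constructed stand-ins so the script runs offline.

```python
"""Audit and fix S3 bucket versioning, mirroring sections 3 and 4 of the lab."""

def versioning_compliance(response):
    # GetBucketVersioning omits "Status" entirely for a bucket that has never
    # had versioning turned on, so a missing key must count as a violation.
    # Assumption: "Suspended" is also treated as non-compliant.
    status = response.get("Status")
    return "COMPLIANT" if status == "Enabled" else "NON_COMPLIANT"

def audit_buckets(s3):
    """Return {bucket_name: compliance} for every bucket the client can list."""
    report = {}
    for bucket in s3.list_buckets().get("Buckets", []):
        name = bucket["Name"]
        report[name] = versioning_compliance(s3.get_bucket_versioning(Bucket=name))
    return report

def remediate(s3, report):
    """Enable versioning on each non-compliant bucket (step 4.2 of the lab)."""
    fixed = []
    for name, state in sorted(report.items()):
        if state == "NON_COMPLIANT":
            s3.put_bucket_versioning(
                Bucket=name, VersioningConfiguration={"Status": "Enabled"})
            fixed.append(name)
    return fixed

class FakeS3:
    """Constructed stand-in for boto3.client("s3") so the example runs offline."""
    def __init__(self, buckets):
        self.buckets = buckets  # {name: GetBucketVersioning-style response}
    def list_buckets(self):
        return {"Buckets": [{"Name": n} for n in self.buckets]}
    def get_bucket_versioning(self, Bucket):
        return dict(self.buckets[Bucket])
    def put_bucket_versioning(self, Bucket, VersioningConfiguration):
        self.buckets[Bucket] = dict(VersioningConfiguration)

def demo():
    # Constructed sample data: bucket names are placeholders, not from the lab.
    s3 = FakeS3({
        "lab-bucket-never-versioned": {},
        "lab-bucket-suspended": {"Status": "Suspended"},
        "lab-bucket-versioned": {"Status": "Enabled"},
    })
    before = audit_buckets(s3)
    fixed = remediate(s3, before)
    return before, fixed, audit_buckets(s3)

if __name__ == "__main__":
    for label, result in zip(("before", "fixed", "after"), demo()):
        print(label, result)
```

To run it against the new account instead of the constructed data, pass `boto3.client("s3")` created from that account's credentials to `audit_buckets` and `remediate`.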

5. Moving an AWS Account to another OU

This process applies only to AWS Accounts that were created by the AWS Control Tower.

  1. Go back to your SSO user portal and switch AWS Accounts to your management account.
  2. Login to AWS Control Tower Dashboard with AWSAdministratorAccess using the steps mentioned in log into the AWS Control Tower management console
  3. Click on Accounts to see a full list of the Accounts.
  4. Copy the Account Name and Account email.
  5. Open AWS Service Catalog Management console
  6. Click on Provisioned products
  7. Locate the provisioned product using the Account Name under the Name column.
  8. Select the radio button on the left of the row for the desired account.
  9. Use the Actions dropdown on the top-right of the screen, select Update
  10. In the parameters section, fill out the form using the same Account Name and Account email from step 4.
  11. Using the ManagedOrganizationalUnit dropdown select the new OU to move the account.
  12. Click Update at the bottom of the screen.

6. Deleting AWS resources deployed in this lab

  1. To avoid extra costs, terminate any additional stacks you deployed for this lab.
  2. Follow the steps below to remove an AWS Account provisioned through Account Factory.

2.1. Unmanage a member account

2.2. Closing an Account Created in Account Factory


Copyright 2021, Amazon Web Services, All Rights Reserved.