Objective: This lab will walk you through the steps involved in creating an AWS Account which is compliant to the policies assigned by AWS Control Tower. It will explain some of the parameters used on the new AWS Account. It will show you how to log into the AWS Account to create an s3 bucket and see how the AWS Control Tower guardrails will watch out and report any policy violations.
Overview Steps: We will perform the following activities in this lab:
Create an Organizational Unit (OU) and enable a guardrail from the AWS Control Tower dashboard.
Modify the network baseline settings of Account Factory.
Launch a new AWS Account using Account Factory as an AWS Control Tower Admin user.
Log into the new AWS Account
Create an s3 bucket with versioning disabled.
Investigate the violation captured by the AWS Control Tower and take corrective action.
1. AWS Control Tower environment setup
This section will walk through various AWS Control Tower operations that you could do before provisioning an account.
1.1 Create an Organizational Unit (OU)
You can also find the steps to create an OU in AWS Control Tower tasks: Create Ous
An OU is a container for AWS Accounts that allows you to apply a set of common policies to all AWS Accounts in that group in a single place. Basically, you create an entity to consolidate your AWS accounts so that you can administer them as a single unit. Please Note: AWS Organizations supports more complex OU structures; in contrast, AWS Control Tower supports only one OU level.
With AWS SSO, log into the AWS Control Tower management console in the Management account.
When you launch AWS Control Tower, you will receive an email notification with SSO User portal URL and Username (referred to as admin user).
The email notification will have instructions to log in to AWS SSO and then to AWS Console on the AWS Control Tower Management Account.
Click on the Management Account to expand. Select Management console next to AWSAdministratorAccess Role to login AWS Management console of the Management Account (as shown below).
Select the service AWS Control Tower under Management & Governance.
Create a new Organization Unit from the AWS Control Tower dashboard
Login to AWS Control Tower Dashboard and click on Organizational units on the Left Sidebar.
This opens up the Organizational units page. Click on Add an OU button.
Provide a new OU Name (for this lab, we will call it Labs) and click on Add button. Wait for the green Success notification on top of the page.
1.2 Enable a Strongly recommended Guardrail on the OU we just created
A guardrail is a high-level rule that provides ongoing governance for your overall AWS environment. It’s expressed in plain language. Guardrails enable you to express your policy intentions. For example, if you enable the detective to Disallow public read access to S3 buckets guardrail on an OU, you can determine whether a user has attempted public read access to any S3 buckets for any AWS Accounts under that OU.
Refer to Control Tower User Guide - Guardrails for more information.
In this lab, you will find two examples. Check out Enable Guardrails for more examples.
Enable a Strongly recommended Guardrail on new OU
On AWS Control Tower Dashboard, click on Guardrails on the Left Sidebar.
Search and choose Disallow S3 buckets that are not versioning enabled.
Scroll down to Organizational units enabled section and choose Enable Guardrail on OU button.
Select the name of the OU created on step 1 earlier (Labs for this lab) and choose Enable guardrail on OU button.
Wait for the green Success notification on top of the page.
1.3 Modify Network baseline settings of the Account Factory
The Account Factory’s network settings (referred to as aws-controltower network) are not dynamic and should be modified before every launch. The aws-controltower network can also be disabled. In such a case, the VPC of that AWS Account would have to be provisioned after account creation.
To avoid incurring extra costs, we will not use the aws-controltower network for this lab.
Disable network configurations for new accounts
While you are still on AWS Control Tower Dashboard, Click on Account factory on the Left Sidebar and click on Edit button.
Under Edit account factory configuration:
Disable Internet-accessible subnet
Change CIDR range if needed (should be changed before any new AWS Account enrollment, change the subnet to /23 for this lab)
Select the number of private subnets to 0
Diselect all regions.
With the above configuration you are disabling the AWS Control Tower provided VPC.
After selecting the required options, click on Save.
Wait for green Success notification on top of the page.
So far we were able to create an OU, enable a Strongly recommended guardrail on that OU and modify network baseline settings. In the next section we will see how to provision a new AWS Account in this OU
2. Launch a new AWS Account using Account Factory
By default, AWS Control Tower admin user will have permissions to launch the Account Factory. This section will walk through the steps involved in provisioning a new AWS Account as an AWS Control Tower admin user. You can create a new AWS Account by using the Enroll account button in AWS Control Tower or using the AWS Service Catalog product called AWS Control Tower Account Factory. Both are included in AWS Control Tower.
2.1 Launch a new AWS Account using Account Factory as an AWS Control Tower Admin user
Provision new AWS Account using Enroll account option
On AWS Control Tower service console, choose Account factory from left side panel.
Choose Enroll account
Fill in the form
3.1 Account Email. You MUST provide unique email IDs for any new AWS Account you create.
3.2 Display Name. This is the account Alias and will be shown in the SSO portal.
3.3 AWS SSO email
3.4 AWS SSO user name
3.5 pick a ManagedOrganizationalUnit from the drop down.
3.6 choose Enroll accountNote: The field for AWS SSO email, is used to enable access to AWS Account in AWS SSO.
As indicated in the blue banner on top of your screen, you could trace the status of AWS Account provisioning from AWS Service Catalog service console under individual Provisioned Product Name.
The status of the launch can be monitored from the AWS Service Catalog dashboard, under the Provisioned products list by selecting the individual Provisioned Product Name
[Optional] Provision new account using AWS Service Catalog directly
Click to Expand - Launching Account Factory from AWS Service Catalog
You can also use AWS Service Catalog to launch the Account Factory. Detailed steps are outlined in the next section.
Click to Expand - How to launch a SC product
To launch AWS Service Catalog product:
You need to allow the user/role that you used to login to access the portfolio. To do that, add the user/role to the portfolio.
Use an SSO ID that is already added to the portfolio.
Or launch Enroll the AWS Account from AWS Control Tower dashboard.
On AWS Console, select Services, Management & Governance, and Service Catalog.
PS: Alternatively, you could also type Catalog in the search bar and choose Service Catalog.
Select Products list (NOT under Administration), and choose AWS Control Tower Account Factory.
On the top right, choose Launch product to start the wizard.
Under Provisioned product name, provide a Name for the new AWS account or use the pre-generated name.
Scroll down in the Parameters section and fill the form (all fields are mandatory). This includes AccountEmail, SSOUserEmail, the ManagedOrganizationalUnit that will contain the new AWS Account, and the name for the AWS Account.
PS: In this lab, we use email@example.com format. This is not supported by all the email servers. You MUST provide unique email IDs for new AWS account you create.
The parameters would look like this:
Click Launch product.
Soon, the email address that you provided for the AccountEmail will receive an invite notification to use the new AWS Single Sign-On Account, and to set a new password for the AWS Account’s user.
The status of the launch can be monitored from the AWS Service Catalog dashboard, from the Provisioned products list by clicking on the individual Provisioned Product Name
On completion of new account creation, AccountId, AccountEmail, SSOUserPortal, and SSOUserEmail will be displayed under Provisioned products list under Events, Outputs which can be shared with the AWS Account owner.
Click to Expand - Optional Step
This is an optional step, and you can find this in Delegate User also, use this procedure to delegate new AWS Account creation activity to a user/group with no admin rights. We will use a preconfigured AWS SSO group to perform this task.
Now, go back to the AWS SSO user portal, log into the AWS Control Tower Management Account.
Go to AWS Control Tower dashboard, choose Users and Access from the left side navigation panel.
Under User identity management, choose View in AWS Single Sign-On.
An AWS SSO page will open. Then choose Users from the left side navigation panel.
Choose Add user
Fill in the form and choose Next: Groups
Select AWSAccountFactory, and then choose Add user.
The user will receive an email with a link to Accept Invitation, User portal URL, and Username.
When the user accepts the invitation in their email, they’ll get to generate a new password.
The new user can log in to User portal URL with those credentials. The new user will now have the necessary AWSServiceCatalogEndUserAccess permissions to use Account Factory to create new AWS Accounts.
3. Creating resources that trigger the Guardrails
We will no proceed to trigger the guardrail Disallow S3 buckets that are not versioning enabled
Creating an S3 bucket
In your new AWS Account provisioned in step 2, we will now create an Amazon S3 bucket with versioning disabled.
Login to the new AWS account as account owner.
Using the SSO user portal landing page, log on using the SSO Email Address provided when you provisioned the AWS Account. That email address should have a message with the SSO Portal URL and login information.
Using the welcome email’s information, you can set up a password and login into the new AWS Account. Or go to AWS SSO and set up the password for that user.
Once you have loged in to SSO you should see all your AWS Accounts:
Click on the account, and use the row for the newly created AWSAdministratorAccess and click in Management console.
Note the violation noted earlier is cleared now and all the resources are Compliant. It could take few minutes to get the dashboard updated.
5. Moving an AWS Account to another OU
This process applies only to AWS Accounts that were created by the AWS Control Tower.
1. Go back to your SSO user portal and switch AWS Accounts to your management account.
2. Login to AWS Control Tower Dashboard with AWSAdministratorAccess using the steps mentioned in step 1.1.1
3. Click on Accounts to see a full list of the Accounts.
4. Copy the Account Name and Account email.
5. Open AWS Service Catalog Management console
6. Click on Provisioned products
7. Localte the provisioned product using the Account Name under the Name column.
8. Select the radio button on the left of the row for the desired account.
9. Use the Actions dropdown on the top-right of the screen, select Update
10. In the parameters section, fill out the form using the same Account Name and Account email from step 4.
11. Using the ManagedOrganizationalUnit dropdown select the new OU to move the account.
12. Click Update at the bottom of the screen.
6. Deleting AWS resources deployed in this lab
You need to terminate any stacks deployed in addition for this lab to avoid extra costs.
Follow below steps to remove an AWS Account provisioned through Account Factory.