In Lab-2, we saw how John from the CCoE team of organization-A deployed AWS Control Tower successfully and used Account Factory to provision brand new AWS accounts with company policies and governance in place. In this lab, we will walk through some of the day-to-day tasks that the CCoE team performs and see how to do them.
Please note that we will not be able to cover the advanced topics like customizations, or account migration-related tasks in this lab. All advanced topics will be included as separate labs as and when the features are supported.
By default, the AWS Control Tower Administrator will have AWSAdministratorAccess permissions to all the Shared accounts. However, for user accounts provisioned using Account Factory, only AWSOrganizationsFullAccess permissions are granted.
In this section, we will see how to access the shared accounts using AWS SSO. Then we will switch to other accounts within the AWS Control Tower environment using the switch-role functionality. We will review the steps involved in performing these operations both from the AWS Console and from the AWS CLI.
1.1.1 With AWS SSO, log into the AWS Control Tower management console in the Master account.
1.1.2 Switch roles to access the child account as Administrator.
The AWS Control Tower admin provides an email ID when he/she provisions a new AWS account using Account Factory. The owner of that email ID is granted AWSAdministratorAccess to the new account. By default, the AWS Control Tower Administrator has only AWSOrganizationsFullAccess to user accounts. If the AWS Control Tower Administrator needs to access the user account as administrator for operational reasons, the switch-role functionality can be used. We will walk through how to perform the switch role.
We did this task already in Lab-2; please feel free to skip this section if you're comfortable doing so.
1.2.1 Instructions on using CLI on AWS Control Tower environment
You may skip this section if you already tried this in Lab-1.
Run some sample awscli commands:
Executing the command below should print the AWS Control Tower master account number.
```bash
aws sts get-caller-identity --query 'Account' --output text
```
Run the command below to list the CloudFormation stacks in the master account that are in the `CREATE_COMPLETE` state.
```bash
aws cloudformation list-stacks --query 'StackSummaries[?StackStatus==`CREATE_COMPLETE`].StackName'
```
1.2.2 Instructions to switch role using awscli.
For simplicity of the lab we will be using awscli to demonstrate how to switch roles between accounts. The same thing can be done using SDKs as well. This operation is similar to what we already did in section 1.1.2 using AWS Console.
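```bash
export ACC=[[USER-ACCOUNT-NO]] # replace [[USER-ACCOUNT-NO]] with your user account ID
# Assume the AWSControlTowerExecution role in the user account; the JSON result holds temporary credentials
temp_role=$(aws sts assume-role --role-arn "arn:aws:iam::$ACC:role/AWSControlTowerExecution" --role-session-name "userAct-$ACC")
# jq -r prints raw strings, so the values are exported without surrounding quotes
export AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)
# Should now print the user account number instead of the master account number
aws sts get-caller-identity --query 'Account' --output text
```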
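The role switch above exports the temporary credentials into the interactive shell, where every later command inherits them. As an added example (not part of the original lab), the Python helper below takes the JSON printed by `aws sts assume-role`, checks that it is for the intended account and role and has not expired, and builds an environment for a single child process. The function name `scoped_env`, the sample response, the account number and the key values are all constructed for illustration.

```python
import json
import os
import re
from datetime import datetime, timezone

# Constructed sample of the JSON that `aws sts assume-role` prints (all values are fake).
SAMPLE_ASSUME_ROLE = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "constructed-secret",
    "SessionToken": "constructed-token",
    "Expiration": "2019-07-01T13:00:00Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEEXAMPLE00:userAct-111122223333",
    "Arn": "arn:aws:sts::111122223333:assumed-role/AWSControlTowerExecution/userAct-111122223333"
  }
}"""

# arn:aws:sts::<12-digit account>:assumed-role/<role name>/<session name>
ARN_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def scoped_env(assume_role_json, account, role, now=None, base_env=None):
    """Validate an assume-role response and return an env dict for one child process."""
    doc = json.loads(assume_role_json)
    match = ARN_RE.match(doc["AssumedRoleUser"]["Arn"])
    if not match or match.groups() != (account, role):
        raise ValueError("response is not for %s/%s" % (account, role))
    creds = doc["Credentials"]
    # The timestamp may end in "Z"; normalise it so fromisoformat accepts it.
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= (now or datetime.now(timezone.utc)):
        raise ValueError("temporary credentials have expired")
    env = dict(os.environ if base_env is None else base_env)
    env.update({
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    })
    return env  # the caller's own environment is left unchanged
```

Pass the returned dict as `env=` to `subprocess.run` for the one command that needs the user account; the credentials then disappear with that process.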
In this lab, we saw how to access AWS accounts using Console as well as programmatically. In the next section we will see how to use pre-configured Groups in AWS SSO to enable some routine tasks.
As part of the initial AWS Control Tower setup, AWS SSO is configured with some pre-defined user groups to simplify the delegation of certain common operational tasks to other users/teams. In this section, as an example, let us see how to enable an auditor to access the AWS environment with read-only access to all accounts under Control Tower using the predefined user group on SSO.
2.1.1 Create a user in AWS SSO.
2.1.2 Share the login information.
The following is the list of pre-defined user groups in AWS SSO:
User group name | Description |
---|---|
AWSAccountFactory | Read-only access to account factory in AWS Service Catalog for end users |
AWSAuditAccountAdmins | Admin rights to cross-account audit account |
AWSControlTowerAdmins | Admin rights to AWS Control Tower core and provisioned accounts |
AWSLogArchiveAdmins | Admin rights to log archive account |
AWSLogArchiveViewers | Read-only access to log archive account |
AWSSecurityAuditors | Read-only access to all accounts for security audits |
AWSSecurityAuditPowerUsers | Power user access to all accounts for security audits |
AWSServiceCatalogAdmins | Admin rights to account factory in AWS Service Catalog |
The AWS Control Tower initialization process creates two new shared accounts, for log archive and security audit. It also creates two Organizational Units (OUs) named Core and Custom. The shared log archive and security audit accounts are placed in the Core OU. The Custom OU is an empty OU created for accounts that will be provisioned for your users using Account Factory. The AWS Control Tower Administrator can create more OUs directly from the dashboard as per the organization's requirements. In the GA time frame, 17 preventive guardrails and 8 detective guardrails are available. Expect this number to grow in the near future. The strongly recommended guardrails are not enabled on any OUs by default. The administrator can enable them at the OU level as needed.
In this section of the lab, we will see how-to:
PS: Most of these operations are covered as part of Lab-2. Feel free to skip this section as needed.
In this section, we will see how to create and delete an OU from AWS Control Tower dashboard. Since we covered provisioning a new account in Lab-2 already, we will skip that operation here.
3.1.1 Create a new Organizational Unit.
3.1.2 Delete an Organizational Unit.
3.2.1 Enable a Strongly recommended Guardrail on an OU.
Enabling a strongly recommended guardrail is performed at the OU level. Mandatory guardrails, as the name implies, are enabled by default and cannot be modified.
For this part of the lab, we will use the account we provisioned in Lab-2 under the OU DEVENV to try enabling guardrails.
3.2.2 Disable a Strongly recommended Guardrail on new OU.
Please note that every time you enable or disable a guardrail, the CloudFormation StackSet will update the stacks belonging to that OU. Depending on the number of AWS accounts you have in each OU, it may take a few minutes for the process to complete. You can check the status of the operation by looking at the StackSet instances of the individual guardrails. Please refer to AWS CloudFormation Stacks Updates if you need additional help.
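To make the status check above concrete, the following added example (not part of the original lab) reads the JSON returned by `aws cloudformation list-stack-instances` for one guardrail StackSet and reports, per account, whether the guardrail change has finished rolling out. The function names and the sample response, including its account numbers and status reasons, are constructed; `Account`, `Region`, `Status` and `StatusReason` are fields of the real response.

```python
import json
from collections import defaultdict

# Constructed sample of `aws cloudformation list-stack-instances` output.
SAMPLE_INSTANCES = """{"Summaries": [
  {"Account": "111122223333", "Region": "us-east-1", "Status": "CURRENT"},
  {"Account": "111122223333", "Region": "us-west-2", "Status": "OUTDATED",
   "StatusReason": "constructed: update not applied yet"},
  {"Account": "444455556666", "Region": "us-east-1", "Status": "CURRENT"},
  {"Account": "777788889999", "Region": "us-east-1", "Status": "INOPERABLE",
   "StatusReason": "constructed: delete failed"}
]}"""


def rollout_report(list_stack_instances_json):
    """Group stack instances by account and separate finished from unfinished ones."""
    per_account = defaultdict(list)
    for inst in json.loads(list_stack_instances_json)["Summaries"]:
        per_account[inst["Account"]].append(inst)

    report = {"complete": [], "pending": {}, "needs_attention": {}}
    for account, instances in sorted(per_account.items()):
        unfinished = [i for i in instances if i["Status"] != "CURRENT"]
        if not unfinished:
            report["complete"].append(account)  # every region is up to date
            continue
        # INOPERABLE instances do not recover on their own; OUTDATED ones are
        # not yet (or not successfully) updated and are worth re-checking.
        inoperable = any(i["Status"] == "INOPERABLE" for i in unfinished)
        bucket = "needs_attention" if inoperable else "pending"
        report[bucket][account] = [
            (i["Region"], i["Status"], i.get("StatusReason", "")) for i in unfinished
        ]
    return report


def guardrail_applied(report):
    """True only when every stack instance in the StackSet is CURRENT."""
    return not report["pending"] and not report["needs_attention"]
```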
3.3.1 Detecting and Resolving Drift in AWS Control Tower.
When you create your landing zone, the landing zone and all the OUs, accounts, and resources are compliant with all the governance rules enforced by your chosen guardrails. As you and your users use the landing zone, changes in this compliance status may occur. Some changes may be accidental, and some may be made intentionally to respond to time-sensitive operational events.
Regardless, changes can complicate your compliance story. You can use drift detection to identify resources that need changes or configuration updates to resolve the drift. Resolving drift helps to ensure your compliance with governance regulations, and is a regular operations task for your master account administrators.
Since the corrective operations are manual and could be time consuming, we are not going to have any scenarios in this lab at this point. Please refer to https://docs.aws.amazon.com/controltower/latest/userguide/drift.html?icmpid=docs_ctower_console for updated information on the types of events that could cause drift and how to take corrective operations.
The AWS Control Tower dashboard provides a single-pane-of-glass view of your AWS environment. It gives you all the information about your accounts and their compliance status at the OU, account and resource level. Choose the name of an OU to view the details of that OU, or the name of an account or guardrail to view its specific details. All the non-compliant resources are listed on the dashboard, and the resources causing a violation can be browsed directly from the dashboard.
In this section, we will walk through the components of the dashboard.
4.1.1 AWS Control Tower Dashboard Explained
In this section, we’ll outline how to check per account costs from the master account.
5.1.1 Multi account cost overview with AWS Cost Explorer.
Copyright 2019, Amazon Web Services, All Rights Reserved.