Tasks in Control Tower


In Lab-2, we saw how John from the CCoE team of organization-A deployed AWS Control Tower successfully and used Account Factory to provision brand new AWS accounts with company policies and governance in place. In this lab, we will walk through some of the day-to-day tasks that a CCoE team would perform and see how to do them.

Please note that we will not be able to cover advanced topics like customizations or account migration-related tasks in this lab. Advanced topics will be added as separate labs as and when the features are supported.

Things to know

  • AWS Control Tower management operations such as creating/deleting OUs, enabling/disabling guardrails, and creating AWS accounts are single threaded. You will not be able to start a second operation until the current operation completes.

What to expect in this lab:

  • Access multiple accounts in AWS Control Tower environment.
  • Enable an auditor using pre-populated User Groups.
  • [Optional] How to create an OU/delete an OU.
  • [Optional] Enable and disable a guardrail on OU.
  • Handling the drift.
  • Access billing information across all accounts [needs 24 hours of data].
  • AWS Control Tower Dashboard walk-through.

1. How to access multiple accounts in AWS Control Tower environment

By default, the AWS Control Tower Administrator has AWSAdministratorAccess permissions to all the shared accounts. However, for user accounts provisioned using Account Factory, only AWSOrganizationsFullAccess permissions are granted.

In this section, we will see how to access the shared accounts using AWS SSO. Then we will switch to other accounts within the AWS Control Tower environment using the switch-role functionality. We will review the steps involved in performing these operations from both the AWS Console and the AWS CLI.

1.1 AWS Console

1.1.1 With AWS SSO, log in to the AWS Control Tower management console in the Master account.

  1. When you launch AWS Control Tower, you will receive an email notification with the User portal URL and Username (referred to as the admin user).
  2. The email notification has instructions to log in to AWS SSO and then to the AWS Console of the AWS Control Tower master account.
  3. Click on the Master account to expand it. Select Management console next to the AWSAdministratorAccess role to log in to the AWS Management Console of the master account.
  4. Select the service Control Tower under Management & Governance.

1.1.2 Switch roles to access the child account as Administrator.
The AWS Control Tower admin provides an email ID when he/she provisions a new AWS account using Account Factory. The owner of that email ID is granted AWSAdministratorAccess to the new account. By default, the AWS Control Tower Administrator has only AWSOrganizationsFullAccess to user accounts. If the AWS Control Tower Administrator needs to access a user account as administrator for operational reasons, the switch-role functionality can be used. The role being switched to, AWSControlTowerExecution, is created by AWS Control Tower in every enrolled account with full administrative permissions and trusts the master account. Anyone with administrative access to the master account can therefore become an administrator of every enrolled account through it, so guard master account access accordingly and keep an eye on the CloudTrail AssumeRole records for this role. We will walk through how to perform the switch role.

We did this task already in Lab-2, so feel free to skip this section if you are comfortable doing so.

  1. Once you log in to the AWS Control Tower master console, click on the Username on the top right corner next to the region and select Switch Role.
  2. Enter the user account ID that you would like to connect to under Account*. Type AWSControlTowerExecution under Role* and click on Switch Role.
  3. This opens up the management console of the user account with Administrator privileges.

1.2 Programmatic access

1.2.1 Instructions on using the CLI in the AWS Control Tower environment

You may skip this section if you already tried this in Lab-1.

  1. Log in to the AWS SSO screen, as described in the console access process. Choose Command line or programmatic access.
  2. Copy the credential information from Option 1 and paste it into your terminal or PuTTY session. These are temporary credentials for the master account and expire together with the SSO session.
  3. Run some sample awscli commands:

    • You should see the AWS Control Tower master account number by executing the command below.

      aws sts get-caller-identity --query 'Account' --output text 
    • Run the command below to list the CloudFormation stacks in the master account that are in CREATE_COMPLETE state (AWS Control Tower deploys its baseline and guardrails through CloudFormation StackSets; the stack instances it places in the master account show up here as ordinary stacks).

      aws cloudformation list-stacks --query 'StackSummaries[?StackStatus==`CREATE_COMPLETE`].StackName' 

1.2.2 Instructions to switch role using awscli.

For simplicity of the lab we will be using awscli to demonstrate how to switch roles between accounts. The same thing can be done using the SDKs as well. This operation is similar to what we already did in section 1.1.2 using the AWS Console.

  1. Obtain temporary credentials for the user account and export them into your environment by executing the commands below. The session is valid for one hour by default; rerun the assume-role step when it expires.

      export ACC=[[USER-ACCOUNT-NO]]   # replace USER-ACCOUNT-NO with the 12-digit user account Id
      temp_role=$(aws sts assume-role --role-arn "arn:aws:iam::$ACC:role/AWSControlTowerExecution" --role-session-name "userAct-$ACC")
      export AWS_ACCESS_KEY_ID=$(echo "$temp_role" | jq -r .Credentials.AccessKeyId)
      export AWS_SECRET_ACCESS_KEY=$(echo "$temp_role" | jq -r .Credentials.SecretAccessKey)
      export AWS_SESSION_TOKEN=$(echo "$temp_role" | jq -r .Credentials.SessionToken)

  2. You are now ready to execute commands on the user account with Administrator privileges. The command below should print the user account number rather than the master account number:

      aws sts get-caller-identity --query 'Account' --output text

  3. To get back to the master account, unset the three AWS_* variables (or paste the AWS SSO credentials from section 1.2.1 again); until you do, every awscli call keeps running against the user account.
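The steps above, wrapped as a small Python helper. This is an added example and not code from the original lab: it builds the role ARN and session name, runs the same `aws sts assume-role` call, and turns the CLI's JSON into the three AWS_* variables without the `jq | xargs` quote-stripping. It assumes the AWS CLI is already holding the master account's AWS SSO credentials and that the target role is the AWSControlTowerExecution role that AWS Control Tower creates in every enrolled account; the sample output at the bottom is constructed (fake key material) so the parsing can be checked offline.

```python
import json
import re
import shlex
import subprocess
from datetime import datetime, timezone
from typing import Dict, Optional

# Added example, not code from the original lab. Assumed: the AWS CLI already holds the
# master account's AWS SSO credentials, and the target role is the AWSControlTowerExecution
# role that AWS Control Tower creates in every enrolled account.

ROLE_NAME = "AWSControlTowerExecution"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# STS accepts RoleSessionName matching [\w+=,.@-]{2,64}; anything else is rejected.
SESSION_NAME_BAD_CHARS = re.compile(r"[^\w+=,.@-]")


def role_arn(account_id: str) -> str:
    """ARN of the execution role. A typo in the account id would otherwise surface only
    as a confusing STS AccessDenied, so reject anything that is not exactly 12 digits."""
    if not ACCOUNT_ID_RE.match(account_id):
        raise ValueError("not a 12-digit AWS account id: %r" % (account_id,))
    return "arn:aws:iam::%s:role/%s" % (account_id, ROLE_NAME)


def session_name(operator: str, account_id: str) -> str:
    """Session name carrying the operator's name. CloudTrail records it in the assumed-role
    ARN of every call made with the credentials, which is how you later tell apart who
    used the shared AWSControlTowerExecution role."""
    return SESSION_NAME_BAD_CHARS.sub("-", "%s-%s" % (operator, account_id))[:64]


def exports_from_assume_role(output: str, now: Optional[datetime] = None) -> Dict[str, str]:
    """Map the JSON printed by `aws sts assume-role` onto the three variables the CLI and
    SDKs read. Credentials already past their Expiration are refused."""
    creds = json.loads(output)["Credentials"]
    expires_at = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    now = now or datetime.now(timezone.utc)
    if expires_at <= now:
        raise RuntimeError("temporary credentials expired at %s" % creds["Expiration"])
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def shell_exports(env: Dict[str, str]) -> str:
    """Render `export` lines for eval in a shell; shlex.quote quotes any value the shell
    would otherwise interpret."""
    return "\n".join("export %s=%s" % (k, shlex.quote(v)) for k, v in env.items())


def assume_into_account(account_id: str, operator: str) -> Dict[str, str]:
    """Run the CLI for real (needs the master account's credentials; not run offline)."""
    cmd = ["aws", "sts", "assume-role",
           "--role-arn", role_arn(account_id),
           "--role-session-name", session_name(operator, account_id),
           "--output", "json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return exports_from_assume_role(out)


# Constructed sample in the CLI's output shape (fake key material) for the offline check below.
SAMPLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000001",
        "SecretAccessKey": "exampleSecretKeyDoNotUse0000000000000000",
        "SessionToken": "FwoGZXIvYXdzEBYaDexample+token/with=padding==",
        "Expiration": "2019-09-09T12:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:john-123456789012",
        "Arn": "arn:aws:sts::123456789012:assumed-role/AWSControlTowerExecution/john-123456789012",
    },
})
SAMPLE_NOW = datetime(2019, 9, 9, 11, 0, tzinfo=timezone.utc)            # one hour before expiry
SAMPLE_AFTER_EXPIRY = datetime(2019, 9, 9, 12, 0, tzinfo=timezone.utc)   # exactly at expiry

if __name__ == "__main__":
    # With a real account this would be: assume_into_account("123456789012", "john")
    print(shell_exports(exports_from_assume_role(SAMPLE_OUTPUT, now=SAMPLE_NOW)))
```

Run it as `eval "$(python3 switch.py)"` to load the variables into the current shell; putting the operator's name into the session name is what makes the resulting CloudTrail entries attributable, since every operator otherwise appears as the same AWSControlTowerExecution role.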

In this section, we saw how to access AWS accounts using the Console as well as programmatically. In the next section we will see how to use the pre-configured groups in AWS SSO to enable some routine tasks.

2. Enable an auditor using AWS SSO User Groups

As part of the initial AWS Control Tower setup, AWS SSO is configured with some pre-defined user groups to simplify the delegation of certain common operational tasks to other users/teams. In this section, as an example, let us see how to enable an auditor to access the AWS environment with read-only access to all accounts under Control Tower, using the predefined AWSSecurityAuditors user group in AWS SSO.

2.1.1 Create a user in AWS SSO.

  1. Log in to AWS Control Tower as the admin user, select Users and access from the left panel, and choose View in AWS Single Sign-on to open the AWS SSO console.
  2. In the AWS SSO console, select Users from the left panel and choose Add user.
  3. Fill out the form and select Generate a one-time password that you can share with the user to skip verification through email.
  4. Choose Next: Groups.
  5. Select the AWSSecurityAuditors group and click on Add user.

2.1.2 Share the login information.

  1. Choose Copy details and share the information with the person who will be your auditor, over a channel you would trust with a credential (the one-time password is a credential until it is changed).
  2. Using the User portal URL, Email and One-time password from the shared information, the auditor can log in to the AWS environment.
  3. On first login, the auditor will be prompted to reset the password.
  4. After that, the auditor has read-only access to all the accounts in Control Tower.

Following is the list of pre-defined user groups in AWS SSO:

  User group name               Description
  AWSAccountFactory             Read-only access to Account Factory in AWS Service Catalog for end users
  AWSAuditAccountAdmins         Admin rights to the cross-account audit account
  AWSControlTowerAdmins         Admin rights to AWS Control Tower core and provisioned accounts
  AWSLogArchiveAdmins           Admin rights to the log archive account
  AWSLogArchiveViewers          Read-only access to the log archive account
  AWSSecurityAuditors           Read-only access to all accounts for security audits
  AWSSecurityAuditPowerUsers    Power user access to all accounts for security audits
  AWSServiceCatalogAdmins       Admin rights to Account Factory in AWS Service Catalog

3. AWS Control Tower dashboard operations

The AWS Control Tower initialization process creates two new shared accounts, for log archive and security audit. It also creates two Organizational Units (OUs) named Core and Custom. The shared log archive and security accounts are placed in the Core OU. The Custom OU is an empty OU created for the accounts that will be provisioned for your users using Account Factory. The AWS Control Tower Administrator can create more OUs from the dashboard directly as per the organization's requirements. At GA, 17 preventive guardrails and 8 detective guardrails are available. Expect this number to grow in the near future. The strongly recommended guardrails are not enabled on any OU by default; the administrator can enable them at the OU level as needed.

In this section of the lab, we will see how-to:

  • Create an Organizational Unit
  • Enable a Guardrail on the Organizational Unit
  • Disable a Guardrail on the Organizational Unit
  • Delete an Organizational Unit

PS: Most of these operations were covered as part of Lab-2. Feel free to skip this section as needed.

3.1 Create / Delete Organizational units

In this section, we will see how to create and delete an OU from AWS Control Tower dashboard. Since we covered provisioning a new account in Lab-2 already, we will skip that operation here.

3.1.1 Create a new Organizational Unit.

  1. Log in to the AWS Control Tower Dashboard and click on Organizational units on the left sidebar.
  2. This opens up the Organizational units window. Click on the Add an OU button.
  3. Provide a new OU name (for this lab we will call it LABOU) and click on the Add button.
  4. Wait for the green Success notification on top of the page.

3.1.2 Delete an Organizational Unit.

  1. While you are still on the AWS Control Tower Dashboard, click on Organizational units on the left sidebar.
  2. Select the radio button next to the OU name (LABOU for this lab) and click on the Delete button.
  3. This opens a warning message asking for confirmation, as this operation cannot be undone. Click on Delete. PS: The dashboard does not let you delete an OU if it contains any child accounts.

3.2 Enable / Disable Guardrails

3.2.1 Enable a Strongly recommended Guardrail on an OU.

Enabling a strongly recommended guardrail is performed at the OU level. Mandatory guardrails, as the name implies, are enabled by default on every OU and cannot be disabled.

For this part of the lab, we will use the account we provisioned in Lab-2 under the OU DEVENV to try enabling a guardrail.

  1. While you are still on the AWS Control Tower Dashboard, click on Guardrails on the left sidebar.
  2. This lists all the guardrails. Search for Disallow internet connection through SSH and click on it.
  3. Scroll down to the Organizational units enabled section and click on the Enable guardrail on OU button.
  4. Select the OU named DEVENV and click on the Enable guardrail on OU button.
  5. Wait for the green Success notification on top of the page.
  6. (Optional) If you want to try this out, launch an EC2 instance in an account in the DEVENV OU with a security group that allows inbound SSH (TCP port 22) from 0.0.0.0/0. This is a detective guardrail, so the launch itself is not blocked; the violation is reported under Noncompliant resources once the AWS Config rule behind the guardrail evaluates the security group (Note: it can take some time for the violation to show up in Control Tower).
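The condition behind step 6, written out as a stand-alone check you can run over `aws ec2 describe-security-groups` output, with the matching remediation command. This is an added example and not code from the original lab. It assumes (the page does not say) that the guardrail's Config rule flags an inbound rule whenever the rule covers TCP/22 and its source is 0.0.0.0/0 or ::/0, which is how the AWS managed rule restricted-ssh behaves; it therefore also catches cases the lab text does not mention, such as an all-traffic rule, a port range that includes 22, and an IPv6 source. The security groups at the bottom are a constructed sample.

```python
import json
from typing import Dict, List

# Added example, not code from the original lab. Assumed (not stated on the page): the
# guardrail's AWS Config rule flags an inbound rule when it covers TCP/22 and its source
# is 0.0.0.0/0 or ::/0, i.e. the behaviour of the AWS managed rule restricted-ssh.

SSH_PORT = 22
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_covers_ssh(perm: Dict) -> bool:
    """True when one IpPermissions entry allows TCP/22 (IpProtocol -1 means all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None or high is None:   # defensive: no range recorded, treat as all ports
        return True
    return low <= SSH_PORT <= high


def internet_sources(perm: Dict) -> Dict[str, List[str]]:
    """The 0.0.0.0/0 and ::/0 sources of a rule, split by address family."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp") in INTERNET_CIDRS]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET_CIDRS]
    return {"IpRanges": v4, "Ipv6Ranges": v6}


def rule_is_violation(perm: Dict) -> bool:
    src = internet_sources(perm)
    return rule_covers_ssh(perm) and bool(src["IpRanges"] or src["Ipv6Ranges"])


def noncompliant_groups(describe_output: Dict) -> List[str]:
    """GroupIds that would be listed under Noncompliant resources for this guardrail."""
    return [sg["GroupId"] for sg in describe_output.get("SecurityGroups", [])
            if any(rule_is_violation(p) for p in sg.get("IpPermissions", []))]


def revoke_ip_permissions(perm: Dict) -> Dict:
    """The offending rule trimmed to just its internet-facing sources: revoking exactly this
    clears the violation while leaving e.g. a 10.0.0.0/8 bastion source in place."""
    trimmed = {"IpProtocol": perm["IpProtocol"]}
    for key in ("FromPort", "ToPort"):
        if key in perm:
            trimmed[key] = perm[key]
    src = internet_sources(perm)
    if src["IpRanges"]:
        trimmed["IpRanges"] = [{"CidrIp": c} for c in src["IpRanges"]]
    if src["Ipv6Ranges"]:
        trimmed["Ipv6Ranges"] = [{"CidrIpv6": c} for c in src["Ipv6Ranges"]]
    return trimmed


def revoke_command(group_id: str, perm: Dict) -> List[str]:
    """CLI call that removes only the internet-facing part of one offending rule."""
    return ["aws", "ec2", "revoke-security-group-ingress", "--group-id", group_id,
            "--ip-permissions", json.dumps([revoke_ip_permissions(perm)])]


def remediation_plan(describe_output: Dict) -> List[List[str]]:
    """One revoke command per violating rule, in describe-security-groups order."""
    plan = []
    for sg in describe_output.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            if rule_is_violation(perm):
                plan.append(revoke_command(sg["GroupId"], perm))
    return plan


# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE_DESCRIBE = {"SecurityGroups": [
    {"GroupId": "sg-0aaaa1111open22", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}, {"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0bbbb2222bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0cccc3333alltraffic", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0dddd4444https", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0eeee5555v6range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 30,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

if __name__ == "__main__":
    print("noncompliant:", noncompliant_groups(SAMPLE_DESCRIBE))
    for cmd in remediation_plan(SAMPLE_DESCRIBE):
        print(" ".join(cmd))
```

Revoking with `--ip-permissions` and the exact trimmed entry is deliberate: `--protocol tcp --port 22 --cidr 0.0.0.0/0` would not touch an all-traffic rule or a 20-30 range, which are the cases the check above finds.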

3.2.2 Disable a Strongly recommended Guardrail on new OU.

  1. Click on Guardrails on the left Sidebar and search for Disallow internet connection through SSH and click on it.
  2. Scroll down to Organizational units enabled section and select the OU Name you want to disable guardrail on.
  3. Click on Disable guardrail and it opens a window. Then click on Disable.
  4. Wait for green Success notification on top of the page.

Please note that every time you enable or disable a detective guardrail, the CloudFormation StackSet for that guardrail updates (or removes) the stack instances in the accounts of that OU; preventive guardrails are applied as service control policies and do not involve a StackSet. Depending on the number of AWS accounts in the OU, it may take a few minutes for the process to complete. You can check the status of the operation by looking at the StackSet instances of the individual guardrail. Please refer to AWS CloudFormation Stacks Updates if you need additional help.
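The StackSet status check described above, scripted. This is an added example and not code from the original lab: it reads the JSON from `aws cloudformation list-stack-instances` and reports whether a guardrail enable or disable has finished for every account in the OU. The stack set name is assumed to be the one AWS Control Tower created for the guardrail (names of the form AWSControlTowerGuardrail..., such as AWSControlTowerGuardrailAWS-GR-RESTRICTED-SSH, are an assumption here, not taken from the page), the four account IDs are made up, and the list output is a constructed sample.

```python
from typing import Dict, List

# Added example, not code from the original lab. Assumed (not stated on the page): the
# stack set name is the one Control Tower created for the guardrail (names start with
# AWSControlTowerGuardrail, e.g. AWSControlTowerGuardrailAWS-GR-RESTRICTED-SSH), and the
# output below is a constructed sample in the shape of `aws cloudformation list-stack-instances`.


def list_instances_command(stack_set_name: str) -> List[str]:
    """CLI call whose JSON output the functions below consume (page through NextToken for
    OUs with many accounts)."""
    return ["aws", "cloudformation", "list-stack-instances",
            "--stack-set-name", stack_set_name, "--output", "json"]


def _by_account(list_output: Dict) -> Dict[str, Dict]:
    return {s["Account"]: s for s in list_output.get("Summaries", [])}


def _detailed(summary: Dict) -> str:
    # Older CLI versions omit StackInstanceStatus; fall back to the coarse Status field.
    return summary.get("StackInstanceStatus", {}).get("DetailedStatus", summary.get("Status", ""))


def enable_rollout(list_output: Dict, ou_accounts: List[str]) -> Dict[str, object]:
    """State of an enable operation: done only when every account in the OU has a CURRENT
    instance whose last operation SUCCEEDED."""
    inst = _by_account(list_output)
    report = {"succeeded": [], "in_progress": [], "failed": [], "missing": []}
    for acct in ou_accounts:
        s = inst.get(acct)
        if s is None:
            report["missing"].append(acct)
        elif s.get("Status") == "CURRENT" and _detailed(s) in ("SUCCEEDED", "CURRENT"):
            report["succeeded"].append(acct)
        elif _detailed(s) in ("FAILED", "CANCELLED", "INOPERABLE") or s.get("Status") == "INOPERABLE":
            report["failed"].append(acct)
        else:
            report["in_progress"].append(acct)
    report["done"] = len(report["succeeded"]) == len(ou_accounts)
    return report


def disable_rollout(list_output: Dict, ou_accounts: List[str]) -> Dict[str, object]:
    """State of a disable operation: the instances are deleted, so done means no account in
    the OU still has one. INOPERABLE instances need manual cleanup and are listed separately."""
    inst = _by_account(list_output)
    remaining = [a for a in ou_accounts if a in inst]
    stuck = [a for a in remaining if inst[a].get("Status") == "INOPERABLE"]
    return {"remaining": remaining, "stuck": stuck, "done": not remaining}


# Constructed sample: four accounts in the DEVENV OU while an enable is in flight.
OU_ACCOUNTS = ["111111111111", "222222222222", "333333333333", "444444444444"]
SAMPLE_LIST_OUTPUT = {"Summaries": [
    {"Account": "111111111111", "Region": "us-east-1", "Status": "CURRENT",
     "StackInstanceStatus": {"DetailedStatus": "SUCCEEDED"}},
    {"Account": "222222222222", "Region": "us-east-1", "Status": "OUTDATED",
     "StackInstanceStatus": {"DetailedStatus": "RUNNING"}},
    {"Account": "444444444444", "Region": "us-east-1", "Status": "INOPERABLE",
     "StackInstanceStatus": {"DetailedStatus": "INOPERABLE"}},
]}

if __name__ == "__main__":
    print(" ".join(list_instances_command("AWSControlTowerGuardrailAWS-GR-RESTRICTED-SSH")))
    print(enable_rollout(SAMPLE_LIST_OUTPUT, OU_ACCOUNTS))
    print(disable_rollout(SAMPLE_LIST_OUTPUT, OU_ACCOUNTS))
```

The list of OU accounts is passed in rather than derived from the StackSet, because an account that has no instance at all (not yet reached, or removed outside Control Tower) is exactly the case a status check must not overlook.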

3.3 Drift detection and corrective steps

3.3.1 Detecting and Resolving Drift in AWS Control Tower.

When you create your landing zone, the landing zone and all the OUs, accounts, and resources are compliant with all the governance rules enforced by your chosen guardrails. As you and your users use the landing zone, changes in this compliance status may occur. Some changes may be accidental, and some may be made intentionally to respond to time-sensitive operational events.

Regardless, changes can complicate your compliance story. You can use drift detection to identify resources that need changes or configuration updates to resolve the drift. Resolving drift helps to ensure your compliance with governance regulations, and is a regular operations task for your master account administrators.

Since the corrective operations are manual and could be time consuming, we are not going to have any scenarios in this lab at this point. Please refer to https://docs.aws.amazon.com/controltower/latest/userguide/drift.html?icmpid=docs_ctower_console for updated information on the types of events that could cause drift and how to take corrective action.

4. AWS Control Tower Dashboard walk-through

The AWS Control Tower dashboard provides a single-pane-of-glass view of your AWS environment. It gives you information about your accounts and their compliance status at the OU, account and resource level. Choose the name of an OU to view the details of that OU, or the name of an account or guardrail to view its specific details. All noncompliant resources are listed on the dashboard, and the resources causing a violation can be browsed directly from the dashboard.

In this section, we will walk through the components of the dashboard.

4.1.1 AWS Control Tower Dashboard Explained

  1. Log in to the AWS Control Tower Dashboard with AWSAdministratorAccess using the steps in 1.1.1.
  2. The Recommended actions pane provides an overview of the actions you can take from the dashboard.
  3. Scroll down and you will see the OUs and Accounts summary under the Environment summary pane.
  4. Under Guardrail summary, you will see a summary of the active guardrails in the environment.
  5. The Organizational units pane provides an overview of the OUs in your AWS environment with their current compliance status. You can click on an OU name to look into the details of the OU, its accounts, and its enabled guardrails.
  6. Similar to Organizational units, you can browse through the Accounts, Enabled guardrails and Noncompliant resources directly from the dashboard.

5. Check billing across all accounts

In this section, we will outline how to check per-account costs from the master account.

5.1.1 Multi account cost overview with AWS Cost Explorer.

  1. Log in to the Control Tower master account with the role AWSAdministratorAccess.
  2. From AWS Services, select AWS Cost Management and choose AWS Cost Explorer. PS: AWS Cost Explorer is not enabled by default, and it takes up to 24 hours after enabling the service before reports have data. The account provided for you as part of this lab already has it enabled.
  3. In AWS Cost Explorer, choose the Explore costs link under Daily unblended costs ($). This opens Explore Cost & Usage.
  4. Select the Linked Account filter under Group by. This gives the breakdown of charges for each individual account.
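The same per-account breakdown, pulled with the Cost Explorer API instead of the console. This is an added example and not code from the original lab: it shows the `aws ce get-cost-and-usage` call that matches the Group by: Linked Account view, totals the daily unblended cost per account, and flags accounts whose last complete day is far above their recent average, which is the cheapest early warning that a leaked key is running compute somewhere. It assumes Cost Explorer is enabled in the master account with at least a day of data; the account IDs and dollar amounts in the sample response are made up.

```python
from decimal import Decimal
from typing import Dict, List

# Added example, not code from the original lab. Assumed: Cost Explorer is enabled in the
# master account and has at least a day of data; the response below is a constructed sample
# in the shape of `aws ce get-cost-and-usage` output, with made-up dollar amounts.


def cost_command(start: str, end: str) -> List[str]:
    """CLI equivalent of the console's Group by: Linked Account view (End is exclusive)."""
    return ["aws", "ce", "get-cost-and-usage",
            "--time-period", "Start=%s,End=%s" % (start, end),
            "--granularity", "DAILY",
            "--metrics", "UnblendedCost",
            "--group-by", "Type=DIMENSION,Key=LINKED_ACCOUNT"]


def daily_by_account(response: Dict) -> Dict[str, List[Decimal]]:
    """Per-account list of daily unblended cost in date order, skipping days the API marks
    Estimated (the current day is still accruing and would distort any comparison)."""
    days = {}
    for day in response["ResultsByTime"]:
        if day.get("Estimated"):
            continue
        for group in day.get("Groups", []):
            acct = group["Keys"][0]
            amount = Decimal(group["Metrics"]["UnblendedCost"]["Amount"])  # strings, never floats
            days.setdefault(acct, []).append(amount)
    return days


def total_by_account(response: Dict) -> Dict[str, Decimal]:
    return {acct: sum(v, Decimal("0")) for acct, v in daily_by_account(response).items()}


def spiking_accounts(response: Dict, factor: int = 3) -> List[str]:
    """Accounts whose last complete day cost more than `factor` times their average over the
    earlier complete days."""
    flagged = []
    for acct, series in daily_by_account(response).items():
        if len(series) < 2:
            continue
        baseline = sum(series[:-1], Decimal("0")) / len(series[:-1])
        if baseline > 0 and series[-1] > factor * baseline:
            flagged.append(acct)
    return sorted(flagged)


def _group(acct: str, amount: str) -> Dict:
    return {"Keys": [acct], "Metrics": {"UnblendedCost": {"Amount": amount, "Unit": "USD"}}}


# Constructed sample: three complete days plus the current (estimated) day for two accounts.
SAMPLE_RESPONSE = {"ResultsByTime": [
    {"TimePeriod": {"Start": "2019-09-06", "End": "2019-09-07"}, "Estimated": False,
     "Groups": [_group("111111111111", "1.00"), _group("222222222222", "5.00")]},
    {"TimePeriod": {"Start": "2019-09-07", "End": "2019-09-08"}, "Estimated": False,
     "Groups": [_group("111111111111", "1.10"), _group("222222222222", "5.20")]},
    {"TimePeriod": {"Start": "2019-09-08", "End": "2019-09-09"}, "Estimated": False,
     "Groups": [_group("111111111111", "0.90"), _group("222222222222", "40.00")]},
    {"TimePeriod": {"Start": "2019-09-09", "End": "2019-09-10"}, "Estimated": True,
     "Groups": [_group("111111111111", "0.40"), _group("222222222222", "12.00")]},
]}

if __name__ == "__main__":
    print(" ".join(cost_command("2019-09-06", "2019-09-10")))
    for acct, total in sorted(total_by_account(SAMPLE_RESPONSE).items()):
        print(acct, total)
    print("spikes:", spiking_accounts(SAMPLE_RESPONSE))
```

Amounts are kept as Decimal because the API returns them as strings and float arithmetic would drift over a month of daily entries; the Estimated day is excluded so a half-finished day is never compared against full ones.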


Copyright 2019, Amazon Web Services, All Rights Reserved.