This lab gives you a high-level overview of deploying the AWS Control Tower service. We walk through the implementation of AWS Control Tower and review some of the initial automated tasks that happen under the hood as part of the Control Tower initialization.
AWS Control Tower is a managed service that provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS' experience working with thousands of enterprises as they move to the cloud. You can initiate the AWS Control Tower deployment from the AWS Management Console with a few clicks and a form to fill in.
It takes 60-90 minutes to launch AWS Control Tower in a new AWS account. Hence we recommend deploying the AWS Control Tower section upfront, before attending the class, if possible.
In this section, we will deploy the AWS Control Tower service. The following tasks are performed on successful launch of the service:
We recommend performing this ahead of the session, as the initial setup can take 60-90 minutes. If you are using an account in which someone else has already installed AWS Control Tower, we still recommend going through the steps below to become familiar with the installation:
| Field | Description |
|---|---|
| Log archive account email address | The log archive account is a repository of immutable logs of API activities and resource configurations from all accounts |
| Audit account email address | The audit account is a restricted account for your security and compliance teams to gain read and write access to all accounts |
Note: The email address you provided for the audit account will receive AWS Notification - Subscription Confirmation emails from every AWS Region supported by AWS Control Tower. To receive compliance emails in your audit account, you must choose the Confirm subscription link within each email from each AWS Region supported by AWS Control Tower.
P.S. Please refer to the AWS Control Tower documentation for the latest information.
AWS Control Tower uses AWS CloudFormation StackSets to establish the baselines and create the guardrails across multiple accounts and regions. In this section we walk through the StackSets used under the hood.

| StackSet | Purpose |
|---|---|
| AWSControlTowerBP-BASELINE-CLOUDTRAIL | Configures AWS CloudTrail on all accounts |
| AWSControlTowerBP-BASELINE-CLOUDWATCH | Configures a CloudWatch rule and a local SNS topic, and forwards notifications from the local SNS topic to the Security topic |
| AWSControlTowerBP-BASELINE-CONFIG | Configures AWS Config on all accounts and regions |
| AWSControlTowerBP-BASELINE-ROLES | Creates all required baseline roles in all accounts |
| AWSControlTowerBP-BASELINE-SERVICE-ROLES | Creates all required service roles in all accounts for services (such as AWS Config and SNS) used by Control Tower |
| AWSControlTowerBP-SECURITY-TOPICS | Central monitoring and alerting using SNS and AWS CloudWatch |
| AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED | Configures AWS Config rules on the core accounts to check that your S3 buckets do not allow public read access |
| AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED | Configures AWS Config rules on the core accounts to check that your S3 buckets do not allow public write access |
| AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-READ-PROHIBITED | StackSet for applying the guardrail |
| AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-WRITE-PROHIBITED | StackSet for applying the guardrail |
| AWSControlTowerLoggingResources | StackSet to set up the required resources in the Log archive account |
| AWSControlTowerSecurityResources | StackSet to set up the required resources in the Audit account |
| AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1 | Once an account is provisioned, this stack is run to set up the account configuration based on the baselines |

You may see additional StackSets depending on the number of guardrails you enable in Control Tower.
```
$ aws cloudformation list-stacks --query 'StackSummaries[?StackStatus==`CREATE_COMPLETE`].StackName'
[
    "StackSet-AWSControlTowerBP-BASELINE-CONFIG-f389a50e-4dc1-4528-8b32-18635ca6574f",
    "StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-d341f2b3-18b5-40cb-8c49-c3cc220c8df3",
    "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-41be771b-1b42-422f-85d9-a75fc9c2e39e",
    "StackSet-AWSControlTowerBP-BASELINE-ROLES-00320288-ff98-4fb7-a703-6bbcc97ac058",
    "StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-4510cb1e-6d8e-4138-aaf6-f269b9327deb",
]
```
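As an added example (not part of the original lab or of AWS Control Tower itself), the following script takes the JSON returned by the `list-stacks` command above and checks that every baseline StackSet from the table has a `CREATE_COMPLETE` stack in the account, which is a quick way for a security team to confirm that an enrolled account actually carries the baselines. The sample output embedded below is constructed, with made-up UUIDs and the CloudTrail baseline deliberately left out; the naming pattern `StackSet-<StackSetName>-<uuid>` is taken from the output shown above.

```python
import json
import re

# Control Tower instantiates each StackSet in an account as a stack named
# "StackSet-<StackSetName>-<uuid>", where <uuid> is the StackSet instance id.
STACK_NAME_RE = re.compile(
    r"^StackSet-(?P<stackset>AWSControlTower.+?)-"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# Baseline StackSets every enrolled account should carry (from the table above).
EXPECTED_BASELINES = {
    "AWSControlTowerBP-BASELINE-CLOUDTRAIL",
    "AWSControlTowerBP-BASELINE-CLOUDWATCH",
    "AWSControlTowerBP-BASELINE-CONFIG",
    "AWSControlTowerBP-BASELINE-ROLES",
    "AWSControlTowerBP-BASELINE-SERVICE-ROLES",
}

# Constructed sample of the `aws cloudformation list-stacks --query ...StackName`
# output: UUIDs are made up and the CLOUDTRAIL baseline is deliberately absent.
SAMPLE_OUTPUT = json.dumps([
    "StackSet-AWSControlTowerBP-BASELINE-CONFIG-00000000-0000-4000-8000-000000000001",
    "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-00000000-0000-4000-8000-000000000002",
    "StackSet-AWSControlTowerBP-BASELINE-ROLES-00000000-0000-4000-8000-000000000003",
    "StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-00000000-0000-4000-8000-000000000004",
    "StackSet-AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-READ-PROHIBITED-00000000-0000-4000-8000-000000000005",
    "my-application-stack",  # unrelated stack, must be ignored
])


def control_tower_stacksets(list_stacks_json: str) -> dict:
    """Map each Control Tower StackSet name to the stack(s) instantiating it."""
    found = {}
    for stack_name in json.loads(list_stacks_json):
        match = STACK_NAME_RE.match(stack_name)
        if match:  # stacks not following the naming convention are skipped
            found.setdefault(match.group("stackset"), []).append(stack_name)
    return found


def missing_baselines(list_stacks_json: str) -> set:
    """Expected baseline StackSets with no CREATE_COMPLETE stack in the account."""
    return EXPECTED_BASELINES - set(control_tower_stacksets(list_stacks_json))


if __name__ == "__main__":
    print("Control Tower StackSets found:", sorted(control_tower_stacksets(SAMPLE_OUTPUT)))
    print("missing baselines:", sorted(missing_baselines(SAMPLE_OUTPUT)))
```

To run it against a real account, pipe the output of the `list-stacks` command into `missing_baselines` instead of `SAMPLE_OUTPUT`; a non-empty result means a baseline is absent or did not finish creating.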
Copyright 2019, Amazon Web Services, All Rights Reserved.