AWS Control Tower is a managed service that provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.
This lab gives you a high-level overview of the deployment of the AWS Control Tower service. We will walk through the implementation of the service and what to expect during the installation.
You initiate the AWS Control Tower deployment from the AWS Management Console with a few clicks and a form to fill in. It takes 60-90 minutes to launch AWS Control Tower on a new AWS account. Hence we recommend deploying the AWS Control Tower section upfront, before attending the class, if possible.
In this section, we will deploy the AWS Control Tower service. The following resources are provisioned on the successful launch of the service:
We recommend performing the installation ahead of the session, as the initial setup can take 60-90 minutes. If you are using an account in which AWS Control Tower has already been installed by somebody else, we recommend reviewing the steps below to get familiar with the installation; you will not be able to drive through all of the steps yourself:
On the AWS Control Tower home page, select the Set up landing zone button.
Note: If you are using a brand new AWS account with no prior history, you may receive an error message indicating that AWS Control Tower detected issues with your AWS account environment that prevent successful setup. To resolve this, launch a Free Tier eligible EC2 instance such as a t2.micro, wait 10-15 minutes, then retry the setup.
On the Set up landing zone page you will be prompted for various inputs and acknowledgements:
| Step | Field | Control / default | Description |
|---|---|---|---|
| Step 1 | Pricing | Learn more | List of services that you will pay for based on your usage. |
| Step 1 | Home Region | AWS Region selector | This is the default region where resources in your shared accounts will be provisioned, for example, your S3 bucket for your log archive. You CANNOT change it after setting up your landing zone. |
| Step 1 | Additional AWS Regions for governance | Select additional Regions | Select the regions you want to govern in addition to the Home region. Typically, you'll select regions you plan to run workloads in. |
| Step 2 | Foundational OU | Security (default) | Security is the default OU name for your shared accounts. OU names must be unique and can be edited after you set up your landing zone. |
| Step 2 | Additional OU | Sandbox (default) | Sandbox is the default OU name for your additional OU. OU names must be unique and can be edited after you set up your landing zone. |
| Step 3 | Log archive account | Log archive (default) | The log archive account is a repository of immutable logs of API activities and resource configurations from all accounts. |
| Step 3 | Audit account | Audit (default) | The audit account is a restricted account for your security and compliance teams to gain read and write access to all accounts. |
| Step 3 | KMS Encryption - optional | Checkbox | Create and manage cryptographic keys, and control your resources in AWS Control Tower. |
| Step 4 | Service permissions | Learn more about permissions | AWS Control Tower requires the creation of three roles to launch a landing zone. AWS Control Tower splits permissions into three roles as a best practice to restrict access to the minimal sets of actions and resources. |
| Step 4 | Service permissions | Learn more about guidance | We strongly recommend that you follow the guidance below when you use AWS Control Tower. This guidance may change as we continue to update the service. |
To proceed with the installation, click on Set up landing zone. You will be redirected to the AWS Control Tower dashboard. The installation progress is shown in the blue bar at the top of the dashboard.
Check the appropriate email inbox(es) for the following emails from firstname.lastname@example.org or email@example.com:
| Email | Recipient | Action |
|---|---|---|
| AWS Organizations email verification request | Management account email address | Click on Verify your email address. Once verified, you can invite existing AWS accounts to join your organization. |
| Invitation to join AWS Single Sign-On | Management account email address | Click on Accept invitation. You will be redirected to enter a New password for the AWS SSO user; confirm the password and click on Set new password. You will then be redirected to log in to the AWS SSO user portal with these credentials. (You may want to bookmark the portal URL for later.) |
| AWS Notification - Subscription Confirmation | Audit account email address | Click on Confirm subscription. The Audit account user email will receive an SNS subscription confirmation email for every region that you selected in Step 5. |
Wait for the blue progress bar with % complete to disappear from the top of the AWS Control Tower dashboard. Once completed, you should see a green banner indicating that your landing zone has been set up successfully.
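A scripted version of the two completion checks above (landing zone reported as set up, every SNS subscription confirmation in the Audit account accepted), as an added example that is not part of the workshop. It uses the Control Tower ListLandingZones/GetLandingZone APIs and SNS ListSubscriptions; the clients are injected so it can run against real boto3 clients or fakes, and the home region, account credentials and SNS client per region are assumptions.

```python
# Added example, not the workshop's own code: a post-setup check for the landing
# zone. It reads the landing-zone status via the Control Tower API and lists SNS
# e-mail subscriptions still awaiting the "Confirm subscription" click. Clients
# are injected so it runs against real boto3 clients or fakes; credentials and
# regions are assumptions.
from typing import Callable, Dict, List


def landing_zone_status(ct_client) -> Dict[str, object]:
    """Status, drift status and governed regions of the single landing zone."""
    found = ct_client.list_landing_zones().get("landingZones", [])
    if not found:
        return {"status": "NOT_FOUND", "drift": None, "regions": []}
    arn = found[0]["arn"]
    lz = ct_client.get_landing_zone(landingZoneIdentifier=arn)["landingZone"]
    return {
        "status": lz.get("status"),  # ACTIVE / PROCESSING / FAILED
        "drift": lz.get("driftStatus", {}).get("status"),  # IN_SYNC / DRIFTED
        "regions": lz.get("manifest", {}).get("governedRegions", []),
    }


def pending_email_subscriptions(sns_client) -> List[str]:
    """Topic ARNs whose e-mail subscription is still PendingConfirmation (Audit account SNS client)."""
    pending, token = [], None
    while True:  # ListSubscriptions pages with NextToken
        page = sns_client.list_subscriptions(**({"NextToken": token} if token else {}))
        for sub in page.get("Subscriptions", []):
            if sub.get("Protocol") == "email" and sub.get("SubscriptionArn") == "PendingConfirmation":
                pending.append(sub["TopicArn"])
        token = page.get("NextToken")
        if not token:
            return pending


def check_landing_zone(ct_client, sns_for_region: Callable) -> Dict[str, object]:
    """Run both checks; sns_for_region(region) must return an SNS client for that region."""
    result = landing_zone_status(ct_client)
    unconfirmed = {r: t for r in result["regions"]
                   if (t := pending_email_subscriptions(sns_for_region(r)))}
    result["unconfirmed"] = unconfirmed
    result["ready"] = result["status"] == "ACTIVE" and not unconfirmed
    return result


if __name__ == "__main__":  # live run; assumes management-account + Audit-account credentials
    import boto3
    ct = boto3.client("controltower", region_name="us-east-1")  # home region assumed
    print(check_landing_zone(ct, lambda r: boto3.client("sns", region_name=r)))
```

A `ready` of False with entries under `unconfirmed` means a Confirm subscription email for that region has not been acted on yet.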
Please refer to the AWS Control Tower documentation for the latest information.
Copyright 2021, Amazon Web Services, All Rights Reserved.