This lab gives you a high-level overview of the deployment of AWS Control Tower service. Let us walk through the implementation of the AWS Control Tower, and review some of the initial automated tasks that happen under the hood as part of the Control Tower initialization.
AWS Control Tower is a managed service, that provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud. You could initiate the AWS Control tower deployment from the AWS Management Console with few clicks and a form to fill.
It takes 60-90 minutes to launch an AWS Control Tower on a new AWS account. Hence we recommend to deploy the AWS Control Tower Section upfront before attending the class if possible.
In this section, we will deploy the AWS Control Tower service. Following tasks are performed on the successful launch of the service:
We recommend performing this ahead of the session as the initial setup could take 60-90 minutes. If you are using an account which already got an AWS Control Tower installed by somebody else, still recommend going through the below steps to get familiar with installation:
Under Set up your AWS Control Tower, provide the email IDs which you plan to use for shared accounts.
|Log archive account Email Address||The log archive account is a repository of immutable logs of API activities and resource configurations from all accounts|
|Audit Account Email Address||The audit account is a restricted account for your security and compliance teams to gain read and write access to all accounts|
Expand Learn more about permissions under Service permissions to review the roles used to launch the AWS Control Tower service. Please note the two roles AWSControlTowerAdmin and AWSControlTowerExecution are created as part of initialization. We will use these roles in the rest of our labs.
Checkbox I understand the permissions AWS Control Tower will use to administer AWS resources and enforce rules on my behalf. and click on Set up Landing Zone.
You will be redirected to AWS Control Tower Dashboard. The launch progress is shown in the blue bar on top of the Dashboard.
Check your emails for account creation confirmation from AWS Single Sign-On.
In a few minutes, you will receive an email with subject Invitation to join AWS Single Sign-On to the master account email address. Make sure to open the email and click on Accept invitation.
The email you received also contains User portal URL, recommend to bookmark this, we will use it to access the AWS environment throughout the labs.
On selecting Accept Invitation, you will be redirected to the AWS Single Sign-On page and from where you could set New Password to your master account. Repeat Password and Update User to proceed.
You will receive one more email with subject AWS Organizations email verification request to the master account email address. Click on Verify your email address to continue with inviting newly created accounts into AWS Organization.
Wait for the blue progress bar with % complete to disappear on top of the AWS Control Tower dashboard. Note: It is normal to see the progress staying at 99% for 15-20 minutes
Note: The email address you provided for the audit account will receive AWS Notification - Subscription Confirmation emails from every AWS Region supported by AWS Control Tower. To receive compliance emails in your audit account, you must choose the Confirm subscription link within each email from each AWS Region supported by AWS Control Tower.
P.S Please refer to AWS Control Tower Documentation for the latest information.
AWS Control Tower uses AWS CloudFormation StackSets to establish the baselines and create the guardrails across multiple accounts and regions. In this section we will walk through the StackSets used under the hood.
step 10 and 11.
|AWSControlTowerBP-BASELINE-CLOUDTRAIL||Configure AWS CloudTrail on all accounts|
|AWSControlTowerBP-BASELINE-CLOUDWATCH||Configure Cloudwatch Rule, local SNS Topic, forwarding notifications from local SNS Topic to Security Topic|
|AWSControlTowerBP-BASELINE-CONFIG||Configure AWS Config on all accounts/regions|
|AWSControlTowerBP-BASELINE-ROLES||Creates all required baseline roles on all the accounts|
|AWSControlTowerBP-BASELINE-SERVICE-ROLES||Creates all required service roles on all the accounts for services (like AWS Config, SNS) used by CT|
|AWSControlTowerBP-SECURITY-TOPICS||Central monitoring and alerting using SNS and AWS CloudWatch|
|AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED||Configure AWS Config rules on core accounts to check that your S3 buckets do not allow public access|
|AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED||Configure AWS Config rules on core accounts to check that your S3 buckets do not allow public access|
|AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-READ-PROHIBITED||StackSet for applying guardrail|
|AWSControlTowerGuardrailAWS-GR-S3-BUCKET-PUBLIC-WRITE-PROHIBITED||StackSet for applying guardrail|
|AWSControlTowerLoggingResources||StackSet to setup required resources on Log archive Account|
|AWSControlTowerSecurityResources||StackSet to setup required resources on Audit Account|
|AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1||Once the Account is provisioned this stack will be run to setup account configuration based on the baselines|
You may see additional stacksets depending on the number of guardrails you enable on Control Tower.
$ aws cloudformation list-stacks --query 'StackSummaries[?StackStatus==`CREATE_COMPLETE`].StackName'
[ "StackSet-AWSControlTowerBP-BASELINE-CONFIG-f389a50e-4dc1-4528-8b32-18635ca6574f", "StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-d341f2b3-18b5-40cb-8c49-c3cc220c8df3", "StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-41be771b-1b42-422f-85d9-a75fc9c2e39e", "StackSet-AWSControlTowerBP-BASELINE-ROLES-00320288-ff98-4fb7-a703-6bbcc97ac058", "StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-4510cb1e-6d8e-4138-aaf6-f269b9327deb", ]
Copyright 2019, Amazon Web Services, All Rights Reserved.