AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your company-wide policies.
AWS Service Catalog enables organizations to create and manage catalogs of approved IT services for use on AWS. In a multi-account environment, AWS Service Catalog portfolios can be managed centrally in the master account and distributed to the remaining accounts across the AWS Organization.
In this lab, we will walk through: 1) some of the common tasks an AWS Control Tower Administrator performs on a day-to-day basis; 2) a way to centrally manage the commonly deployed self-service catalogs. This lab is broken into two tasks:
John is an application architect in a financial services organization. His organization has compliance requirements to retain the last three years of log files from several applications running in his environment.
Sam is the cloud architect who is part of the CCOE team in the same organization and is responsible for cloud architecture. Sam decided to use the pre-configured centralized logging account in AWS Control Tower to archive log files from all the applications running in multiple accounts. Sam wants to ensure that the environment is secure and, at the same time, give John’s team the flexibility to design their applications without needing to reach out to the Cloud Architecture team.
Sam gave John access to log in to the Log Archive account and design S3 buckets as required for his applications.
In this part of the lab, we will walk through:
PS: Please make sure you have the below information before getting started with this lab. If you don’t have the below details, STOP HERE and reach out to one of the Lab Admins.
1.1.1 Log in to AWS Control Tower Environment
In this section you are going to access the AWS Control Tower service from the AWS Console.
Copy and paste the Sign-in URL you received into your favorite browser.
Under Username, enter the Email you collected earlier.
Enter the Password that you collected above.
You will be prompted to reset the password.
Enter the same password you collected above under Current Password.
Pick your own New Password, Repeat it and click on Update Password.
You will be redirected to AWS SSO login page.
Click on AWS Account(3) to expand.
Click on Account-no (Master) to expand.
Click on Management Console next to AWSAdministratorAccess to go to the AWS Console.
Type Tower under Find Services and select Control Tower.
You will be redirected to Control Tower Dashboard.
In this section you are going to enable a guardrail on an organizational unit to watch for any violations of the company policies. In this case, the guardrail will check for any S3 buckets that do not have versioning enabled.
1.2.1 Enable a Strongly recommended Guardrail
Right click and open the Control Tower console
On the Control Tower Dashboard, select Guardrails from the left side bar.
Click on the little arrow ”>” in the top right corner to go to the next page of Guardrails.
Click on Disallow S3 buckets that are not versioning enabled
Scroll down to Organizational units enabled and Click on Enable guardrail on OU
Select the Core OU and click on Enable guardrail on OU. Wait for the green banner on the top of the screen.
Please note: Enabling a guardrail instantiates a CloudFormation StackSet update in the background, and it can take 2-5 minutes for the operation to take effect.
Congratulations, you successfully enabled a guardrail on the Core OU to watch for any violations of the company policy of enabling versioning on S3 buckets.
In this section, you will create a new AWS SSO user and grant permissions for the new user to access the Log Archive account.
1.3.1 Create new permission set
On the left sidebar, select Users and access.
Under Federated access management click on View in AWS Single Sign-On.
Select AWS accounts on the left side bar.
In AWS Accounts page, select Permission sets tab, and click Create permission set button.
In Create new permission set page, select Create a custom permission set.
Type in LogArchiveAdminAccess for Name and enter some Description for the Role.
Under What policies do you want to include in your permission set?, select Attach AWS managed policies.
Under the Attach AWS Managed policies search bar, type in and add the following:
AWSCloudFormationFullAccess AmazonS3FullAccess IAMReadOnlyAccess AmazonSNSReadOnlyAccess
Select all the policies and click on the Create button.
1.3.2 Create an AWS SSO user / group
Select Directory from the left sidebar
Under Users, click on Add user button.
Fill in the Email address (could be [your-alias]+logAdmin@amazon.com) and confirm the email address.
Select Generate a one-time password…. and fill in all other required fields.
Click on Next:Groups button.
Click on Create group on top of the panel.
Type in LogArchiveAdminGroup under Group name, with some appropriate description.
Click on Create button and you will be redirected to Add users to groups page.
In the search bar, type in LogArchiveAdminGroup and select the newly created group.
Click on Add user button.
Copy and paste the User portal URL: value into a notepad. (PS: Avoid using the Copy details link on the right, as it messes up a few characters.)
Click on Show password next to One-time password: and note the value in a notepad.
Click on the Close button to go back to the Directory page.
1.3.3 Assign permission set to AWS SSO User/Group
Now click on AWS accounts on the left sidebar and select the check box next to Log archive.
Click on Assign users.
Under Assign Users, select the Groups tab.
Type in LogArchiveAdminGroup in the search bar and select the LogArchiveAdminGroup group.
Click Next: Permission sets
In Select permission sets page, select checkbox next to LogArchiveAdminAccess
Click on Finish
Click on Proceed to AWS Accounts
1.3.4 Logout from AWS SSO as Administrator
1. On the AWS SSO Console, log out as Administrator by clicking on the Sign Out link in the top right corner.
You successfully created an AWS SSO User, Group and Permission set. You also assigned the permission set to the AWS SSO Group. We will use these credentials in both Task-1 and Task-2.
In this section you will log in to the Log Archive account using the username and password you set up for the newly created AWS SSO User in step 1.3.2. You will also create a private S3 bucket using CloudFormation.
1.4.1 Log in to Log Archive Account as New User
Log in to the Sign-in URL, provide the Email address and one-time password you saved in 1.3.2 as the Username and Password.
You will be prompted to reset the password. Please follow the instructions on screen to reset the password.
Once you set up the password successfully, you will be redirected to the AWS SSO login page.
Click on AWS Account(1) to expand.
Click on Account-no (Log Archive) to expand.
Click on Management Console next to LogArchiveAdminAccess to go to the AWS Console.
1.4.2 Launch an S3 bucket using CloudFormation stack
Right-click the CloudFormation Console - Launch Stack link and open it in a new tab.
Click on Next button
Click on Next button
Scroll down and click on Next
Review the content and click Create
Wait for the Stack status to become CREATE_COMPLETE
On completion of this stack, a private S3 bucket will be deployed in your Log Archive account.
In this section, let us see how violations are reported and take a remediation action.
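The bucket this stack deploys has no versioning, which is exactly what the guardrail enabled in 1.2.1 flags once AWS Config evaluates it. The following added example (not part of the lab or its templates) applies the same check to a CloudFormation template before it is launched, and produces the remediated template that the manual fix in 1.5.3 achieves by hand. The template is a constructed stand-in for the lab's AppX-LogSetup stack, not the lab's real template.

```python
import copy

# Constructed example template (not the lab's actual AppX-LogSetup template):
# a private bucket with no VersioningConfiguration, so it is non-compliant.
APPX_LOG_SETUP = {
    "Resources": {
        "AppLogBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "AccessControl": "Private",
                "PublicAccessBlockConfiguration": {
                    "BlockPublicAcls": True, "BlockPublicPolicy": True,
                    "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
                },
            },
        },
        "LogTopic": {"Type": "AWS::SNS::Topic"},
    }
}


def noncompliant_buckets(template):
    """Logical IDs of AWS::S3::Bucket resources whose VersioningConfiguration
    is missing, Suspended or anything other than Enabled: the buckets the
    guardrail's Config rule would report as Noncompliant once deployed."""
    bad = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue
        props = res.get("Properties") or {}
        versioning = props.get("VersioningConfiguration") or {}
        if versioning.get("Status") != "Enabled":
            bad.append(logical_id)
    return bad


def remediate(template):
    """Copy of the template with versioning enabled on every non-compliant
    bucket: the template-level equivalent of the manual fix in step 1.5.3
    (Versioning -> Enable versioning). The input template is left untouched."""
    fixed = copy.deepcopy(template)
    for logical_id in noncompliant_buckets(fixed):
        res = fixed["Resources"][logical_id]
        res["Properties"] = props = res.get("Properties") or {}
        props["VersioningConfiguration"] = {"Status": "Enabled"}
    return fixed

if __name__ == "__main__":
    print("before:", noncompliant_buckets(APPX_LOG_SETUP))
    print("after: ", noncompliant_buckets(remediate(APPX_LOG_SETUP)))
```

Running such a check in the pipeline that launches the stack catches the violation before the dashboard in 1.5.2 ever has to report it.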
1.5.1 Log in to AWS Control Tower Dashboard as Administrator
Log out as the non-admin user from the AWS SSO Console by clicking on Sign out in the top right corner.
Follow the steps in 1.1.1 to log back in to the master account as AWS Control Tower Administrator.
Find the Control Tower service and go to the Dashboard. You can use the link https://console.aws.amazon.com/controltower/home/dashboard to jump to the dashboard directly.
1.5.2 Check for the Noncompliant resources on dashboard
Scroll down and check under Noncompliant resources. The newly created S3 bucket will be listed as a Noncompliant resource.
You can scroll down further and see the Compliance status of the Organizational units and Accounts.
It could take 2-3 minutes for the noncompliance to be reported here. Refresh the screen if you don’t see the Noncompliant resource.
1.5.3 Corrective Action
The possible corrective actions here are to notify the Business user (John) to fix the permissions on the S3 bucket, or for the Administrator to take the corrective action.
For this lab session we will DELETE the resource and move on to the next task.
PS: Important: Please do not skip this step. It is important to delete this stack.
Choose to open the Control Tower Console.
Click on Log archive and Copy the Account ID.
Expand Username next to bell icon on the top right corner.
Select Switch Role option, and Switch Role again (if you get additional screen)
Under Account, paste the Log archive Account ID that you collected above.
Type in AWSControlTowerExecution for Role, and click on Switch Role
You will be switched to Log archive account.
On Log archive account, go to CloudFormation console. You may use link https://console.aws.amazon.com/cloudformation/
Select the check box next to the stack named AppX-LogSetup, and select Outputs tab
Click on the URL shown under the value of BucketAccessURL to go to the S3 bucket properties page.
Click on Versioning, select Enable versioning, and Save.
Make sure Versioning shows as Enabled.
Expand Username next to bell icon on the top right corner.
Select Back to AWSReservedSSOAWSAdministratorAccess…… to switch back to Master Account.
Check the AWS Control Tower Dashboard again; the noncompliances reported should now be cleared. If not, wait 2-5 minutes.
[Optional]: To clean up, please delete the stack to remove the resources created for this lab.
Congratulations! You completed Task-1 successfully; please proceed to the next Task.
Sam’s team identified a common set of workloads that the application teams use. Both teams collaboratively created CloudFormation templates for these patterns with all best practices and the fine-tuning needed for the applications, along with the organization’s compliance and tagging policies in place.
Sam’s team wants to make these portfolios available to all newly vended AWS accounts as they get vended. We will see how Sam used Service Catalog to centrally manage these resources from the master account and distribute them to the rest of the accounts as they get vended.
PS: Due to logistical constraints of this lab, we will use the Core OU, which consists of the log and audit AWS accounts, to share the Service Catalog portfolios with vended AWS accounts. In practice, the portfolios from the master account are shared with various other OUs in the organization.
In this section, we will grant AWSServiceCatalogEndUserAccess to the AWS SSO User ([your-alias]+logAdmin@amazon.com) we created earlier.
2.1.1 Grant Service Catalog EndUser access to an AWS SSO Group
If you logged out as Administrator, please follow the steps in 1.1.1 to log back in.
Access AWS Control Tower Users and access using https://console.aws.amazon.com/controltower/home/usersandaccess
Under Federated access management, click on View in AWS Single Sign-On.
You will be redirected to AWS SSO Console.
Select AWS accounts from the left side bar.
Click on the Log archive account; you will be redirected to the Log archive page.
Find LogArchiveAdminGroup and click on Change permission sets next to it.
In the Select permission sets page, check the box next to AWSServiceCatalogEndUserAccess and click on Save changes.
In this step, you granted the AWS SSO Group access to the Log Archive account with the AWSServiceCatalogEndUserAccess permission set.
In this section you are going to create an AWS Service Catalog Portfolio with a set of Products and share it with the remaining accounts within an AWS Organizational unit (Core OU in this case).
2.2.1 Capture the AWS Organizational unit ID
Follow the steps below to capture the AWS Organizational Unit ID. You are going to use this value in the next section.
Copy and paste https://console.aws.amazon.com/controltower/home/organizationunits into your browser and click on Core.
Note down the Organizational Unit ID, which looks like ou-xxxx-yyyyzzzz.
2.2.2 Launch CloudFormation stack to create SC Portfolio on Master account and Share with an OU
You are going to launch the CloudFormation stack to create the SC Portfolio and share it with an Organizational unit using Service Catalog organizational sharing.
Click on Next
Replace the default OrganizationalUnitToShare value with the OU value you noted in step 2.1.1
Click on Next
Click on Next
Select checkbox I acknowledge that AWS CloudFormation might create IAM resources. and click on Create
Wait for the Stack Status to change to CREATE_COMPLETE
Click on the Outputs tab and note down both MasterPortfolioId and OrganizationalUnitId
2.3.1 Launch CloudFormation stackset to configure local portfolios on Spoke Accounts
Go to the CloudFormation StackSets page by typing https://console.aws.amazon.com/cloudformation/stacksets/ into the browser.
Click on Create StackSet button
Select Specify an Amazon S3 template URL
Under Specify Amazon S3 location, copy and paste https://s3.amazonaws.com/marketplace-sa-resources/ct_spoke_setup_sc_with_roles.yaml
Click Next
For StackSet name type in SpokePortfolioShared
Please note that the steps below could vary if you are using the latest CloudFormation console.
For MasterPortfolio, enter the value from the output of the stack you ran in step 2.2.2 and click Next.
Select Deploy stacks in AWS organizational units. Enter an AWS organizational unit ID.
Type in the OrganizationalUnitId value you noted down in step 2.2.2.
Under Specify regions, Available regions, select the region you are working in (NOTE: it should be the same region where you deployed MasterPortfolioToShare).
Click on Add to move it to Deployment order box
Leave remaining settings to defaults and click on Next
Under IAM Admin Role ARN, expand the options and select AWSControlTowerStackSetRole
Under IAM Execution Role Name, Type in AWSControlTowerExecution and click on Next
Select checkbox I acknowledge that AWS CloudFormation might create IAM resources. and click on Create
Wait for the status of all Stacks to change from OUTDATED to CURRENT.
2.4.1 Log in as a Service Catalog EndUser
Log out from the AWS SSO Console as Administrator by clicking on Sign out in the top right corner.
Log in to the Sign-in URL, providing the Email address and one-time password you saved in 1.3.2 as the Username and Password.
You will be redirected to the AWS SSO login page.
Click on AWS Account(1) to expand
Click on
Click on Management Console next to AWSServiceCatalogEndUserAccess to go to the AWS Console.
2.4.2 Access the available Products
Access Service Catalog Console using https://console.aws.amazon.com/servicecatalog
You will see the list of available Products ready to use.
Congratulations, you successfully completed this lab. Due to time constraints we will not be launching any of these resources. However, these products are ready for consumption by the End Users.
Please follow the steps below to clean up the resources that you just deployed.
2.5.1 Delete the stackset used to configure the local portfolios on Spoke accounts
Select the StackSet SpokePortfolioShared and expand the Actions button.
2.5.2 Delete the stack that created the Master portfolio
Copyright 2019, Amazon Web Services, All Rights Reserved.