Customizing Your AWS Control Tower Landing Zone
This article was written by Bill Junidez Liad. Bill works as a Cloud and DevOps Engineer and is based in the Philippines. He is actively engaged in furthering his knowledge of the cloud and has significant experience with web application development and Amazon Web Services (AWS). He presently holds three AWS Associate certifications.
AWS Control Tower is an AWS solution designed to streamline the administration of multi-account AWS deployments. While it offers default configurations for setting up a landing zone, customization remains crucial to address specific organizational needs. Organizations can adjust access controls, organizational hierarchies, and resource provisioning workflows according to their requirements.
In this article, we'll discuss various methods to adjust the landing zone, helping organizations make the most of AWS Control Tower and build a specialized setup that fits their specific requirements. Customizing the landing zone enables businesses to enhance their management, security, and compliance within their AWS environment.
Customizations from AWS Control Tower Console
These are adjustments made through the AWS Control Tower console:
Account Factory Customization (AFC)
The AWS Control Tower Account Factory automates account creation and management, streamlining the process and ensuring each new account begins with a baseline security setup. However, customizing AWS accounts can be complex, particularly when attempting to maintain consistency across all accounts. The difficulty lies in establishing and enforcing consistent configurations across multiple accounts at scale, which often poses challenges in the long run.
So, in this article, we'll introduce Account Factory Customization to aid Cloud Operations teams in establishing a simple and consistent approach to applying customized configurations to both newly created and existing AWS accounts.
Account Factory Customization leverages AWS Control Tower and AWS Service Catalog. The initial step involves creating a blueprint, a product within the Service Catalog generated from a CloudFormation template.
Once you've created a blueprint, you can import it into the AWS Control Tower Account Factory customization settings. This can be done either when creating new AWS accounts or when updating existing ones. The customizations are then applied to the account automatically. Through the AWS Control Tower console, we can ensure the consistent implementation of customizations across all AWS accounts managed under Account Factory.
Customizations for AWS Control Tower (CfCT)
Customizations for AWS Control Tower (CfCT) was introduced to offer enhanced customization options for your landing zone. CfCT comprises a suite of tools that let you customize your landing zone in greater depth than is possible through the AWS Control Tower console alone. These customizations are implemented using AWS CloudFormation templates and service control policies (SCPs). Additionally, CfCT is integrated with AWS Control Tower lifecycle events to ensure that your resource deployments remain synchronized with your landing zone configuration.
CfCT Architecture
AWS offers a CloudFormation template designed to set up Customizations for AWS Control Tower (CfCT). This template creates an AWS CodePipeline that deploys stack sets or Service Control Policies (SCPs) to Organizational Units (OUs) or accounts. This template must be deployed in the management account first.
CfCT Deploy Workflows
AWS CodePipeline Workflow — This workflow is triggered by changes in the configuration package. The package can either be a zipped file uploaded from S3 (default) or a committed package from CodeCommit.
A configuration package includes:
The pipeline includes a build stage to validate the templates and manifest files. After validation, a state machine will use the AWS Organizations API to create Service Control Policies and AWS CloudFormation to deploy the stack sets.
AWS Control Tower Lifecycle Event Workflow – This workflow extends the AWS CodePipeline workflow by allowing triggers based on AWS Control Tower Lifecycle Events. It consists of an Amazon EventBridge rule, an Amazon Simple Queue Service (Amazon SQS) first-in-first-out (FIFO) queue, and an AWS Lambda function. The Amazon EventBridge rule detects the AWS Control Tower Lifecycle Event, sends it to the Amazon SQS FIFO queue, and triggers a Lambda function that runs the AWS CodePipeline workflow.
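The Lambda side of the lifecycle-event workflow above, as an added example that is not code from the CfCT solution: it consumes the SQS FIFO messages and starts the CodePipeline only for completed account events. The pipeline name (`Custom-Control-Tower-CodePipeline` as the default), the `PIPELINE_NAME` variable and the exact event field layout are assumptions to check against your own deployment.

```python
"""Added example, not CfCT's own code: the Lambda side of the lifecycle-event
workflow. It takes Control Tower lifecycle events delivered via the SQS FIFO
queue and starts the CfCT pipeline only for SUCCEEDED account events.
The pipeline name and the event field layout are assumptions to verify."""
import json
import os
from typing import Optional

# Events that should re-run customizations (assumption: extend as needed).
TRIGGER_EVENTS = {"CreateManagedAccount", "UpdateManagedAccount"}

# Constructed sample of a lifecycle event as EventBridge forwards it.
SAMPLE_EVENT = {"source": "aws.controltower", "detail": {
    "eventName": "CreateManagedAccount",
    "serviceEventDetails": {"createManagedAccountStatus": {
        "state": "SUCCEEDED", "account": {"accountId": "111111111111"}}}}}


def pipeline_trigger_reason(event: dict) -> Optional[str]:
    """Return why the event warrants a pipeline run, or None to ignore it.
    Only SUCCEEDED account events count: customizing after a FAILED
    CreateManagedAccount would target a half-created account."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in TRIGGER_EVENTS:
        return None
    # The status block is named after the event: createManagedAccountStatus.
    status_key = name[0].lower() + name[1:] + "Status"
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":
        return None
    account = status.get("account", {}).get("accountId", "unknown")
    return f"{name} for account {account}"


def lambda_handler(sqs_event: dict, context=None) -> list:
    """SQS-triggered entry point; returns the reasons that started a run."""
    import boto3  # imported lazily so the decision logic is testable offline
    pipeline = boto3.client("codepipeline")
    name = os.environ.get("PIPELINE_NAME", "Custom-Control-Tower-CodePipeline")
    started = []
    for record in sqs_event.get("Records", []):
        reason = pipeline_trigger_reason(json.loads(record["body"]))
        if reason:
            pipeline.start_pipeline_execution(name=name)
            started.append(reason)
    return started
```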
Account Factory for Terraform (AFT)
AFT is a Terraform module maintained by AWS that enables the automated provisioning and customization of new accounts. This module deploys a pipeline of AWS services, facilitating the management of AWS Control Tower accounts through Terraform configuration.
AFT Workflow
There are two levels of customization:
Global level – Customizations applied to all accounts.
Account level – Customizations applied to a specific AWS account or a predetermined group of AWS accounts.
To apply customizations to existing accounts created with AFT, users must initiate customization requests via the Customization Invocation State Machine. Any updates to the customization repositories will not automatically trigger the account-specific pipeline; however, users can manually execute the state machine to run the account-specific pipeline.
Customizing Your AWS Control Tower Landing Zone by Integrating Security Hub
AWS Control Tower is a powerful service that provides organizations with a centralized and automated way to set up and manage multiple AWS accounts. By integrating AWS Control Tower with Security Hub and utilizing the CIS Benchmarks for AWS Foundations, you can greatly enhance the security and compliance of your AWS environment. This integration enables streamlined security operations, centralized security monitoring, and adherence to industry best practices.
The Center for Internet Security (CIS) AWS Foundations standard was developed by a global community of security experts from both public and private sector organizations. The CIS Benchmarks offer a comprehensive set of security controls and recommendations specifically for AWS environments. While other AWS standards in Security Hub, such as AWS Foundational Security Best Practices, also provide valuable security insights, the CIS AWS Foundations Benchmark delivers a detailed and robust framework that is widely recognized and respected in the industry.
When using AWS Control Tower, you have several options for managing Security Hub and other security-related services. One approach is to designate an account as the central administrator for Security Hub. This account is responsible for configuring Security Hub settings, such as enabling standards like the CIS AWS Foundations Benchmark and monitoring the security posture of member accounts.
By configuring permission sets in AWS IAM Identity Center (the successor to AWS Single Sign-On) and assigning them to the Security Hub administrator account, you can grant the security team specific permissions for managing Security Hub within the administrator account.
The auto-enable feature in Security Hub ensures that Security Hub is automatically activated for all existing and future member accounts within the AWS Control Tower environment, enabling you to maintain a consistent security posture across the organization.
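The administrator-account setup described above (auto-enable for member accounts plus the CIS benchmark), as an added example in Python with boto3 that is not code from the article. The Security Hub client is injected and a constructed fake stands in for it, so the logic runs offline; the region `us-east-1`, CIS benchmark version 1.4.0 and the assumption that the account was already delegated from the management account are mine.

```python
"""Added example (not code from the article): configure the Security Hub
administrator account with boto3. Assumptions: this account was already
delegated via EnableOrganizationAdminAccount from the management account,
region us-east-1, CIS benchmark v1.4.0."""
from typing import List

CIS = "cis-aws-foundations-benchmark"


def find_cis_arn(securityhub, version: str) -> str:
    """Discover the CIS standard ARN via DescribeStandards instead of
    hardcoding it: the ARN layout differs between CIS benchmark versions."""
    for std in securityhub.describe_standards()["Standards"]:
        arn = std["StandardsArn"]
        if CIS in arn and arn.endswith(f"/v/{version}"):
            return arn
    raise LookupError(f"CIS benchmark v{version} is not offered in this region")


def configure_admin_account(securityhub, cis_version: str = "1.4.0") -> List[str]:
    """Run in the administrator account: turn on auto-enable for new member
    accounts and enable the CIS benchmark if it is missing. Returns the
    actions taken, so a re-run on a configured account returns []."""
    actions = []
    if not securityhub.describe_organization_configuration().get("AutoEnable"):
        securityhub.update_organization_configuration(AutoEnable=True)
        actions.append("auto-enable members")
    cis_arn = find_cis_arn(securityhub, cis_version)
    enabled = {s["StandardsArn"] for s in
               securityhub.get_enabled_standards()["StandardsSubscriptions"]}
    if cis_arn not in enabled:
        securityhub.batch_enable_standards(
            StandardsSubscriptionRequests=[{"StandardsArn": cis_arn}])
        actions.append(f"enable {cis_arn}")
    return actions


class FakeSecurityHub:
    """Constructed offline stand-in for boto3.client('securityhub')."""
    def __init__(self, auto_enable: bool = False, enabled=()):
        self.auto_enable, self.enabled = auto_enable, set(enabled)
    def describe_standards(self):
        return {"Standards": [{"StandardsArn":
                f"arn:aws:securityhub:us-east-1::standards/{CIS}/v/1.4.0"}]}
    def describe_organization_configuration(self):
        return {"AutoEnable": self.auto_enable}
    def update_organization_configuration(self, AutoEnable: bool):
        self.auto_enable = AutoEnable
    def get_enabled_standards(self):
        return {"StandardsSubscriptions": [{"StandardsArn": a} for a in self.enabled]}
    def batch_enable_standards(self, StandardsSubscriptionRequests):
        self.enabled.update(r["StandardsArn"] for r in StandardsSubscriptionRequests)
```

Against a real account, pass `boto3.client("securityhub")` in place of the fake; the returned action list doubles as an audit record of what the run changed.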
Conclusion
In summary, customizing your AWS Control Tower Landing Zone offers substantial advantages for organizations aiming to enhance their cloud infrastructure. This article outlines various customization options that enable businesses to tailor their cloud environment to their specific needs. Additionally, the flexibility provided by AWS Control Tower allows organizations to adjust and scale their Landing Zone as their cloud infrastructure grows. Ultimately, customizing the AWS Control Tower Landing Zone helps businesses optimize their cloud investment while ensuring a secure and compliant environment.
* This newsletter was sourced from this Tutorials Dojo article.
Aspiring Cloud Security Architect | Sec+ | AWS CP
1 month ago: I just recently started checking on CT and trying to do a deep dive on it. This was very helpful and insightful. Thanks.
Integration Architect with specialization in Boomi, Open Source API Gateways, Cloud Migration (AWS Certified, Azure), TOGAF, BFSI, Security, Governance Frameworks etc.
2 months ago: Very informative
Cloud Engineer (AWS, GCP) | DevOps Engineer | Terraform | CICD | Kubernetes | Serverless | Server Configuration and Management
2 months ago: Thanks for sharing. I have only briefly used the AWS Control Tower landing zone; now I understand more about it.
Sr. Cloud Platform Architect - AWS | DevOps | SRE
2 months ago: Thanks for sharing