Customizing Your AWS Control Tower Landing Zone


This article was written by Bill Junidez Liad. Bill works as a Cloud and DevOps Engineer and is based in the Philippines. He is actively furthering his knowledge of the cloud and has significant experience with web application development and Amazon Web Services (AWS). He currently holds three AWS Associate certifications.

AWS Control Tower is an AWS solution designed to streamline the administration of multi-account AWS deployments. While it offers default configurations for setting up a landing zone, customization remains crucial to address specific organizational needs. Organizations can adjust access controls, organizational hierarchies, and resource provisioning workflows according to their requirements.

In this article, we'll discuss various methods to adjust the landing zone, helping organizations make the most of AWS Control Tower and build a specialized setup that fits their specific requirements. Customizing the landing zone enables businesses to enhance their management, security, and compliance within their AWS environment.

Customizations from AWS Control Tower Console

These are adjustments made through the AWS Control Tower console:

  • OU names – During setup, you have the option to modify the OU names. You can also change the OU names after AWS Organizations has been set up.
  • Audit and Log Archive accounts – You can personalize the shared account names during setup, but they cannot be changed afterward.
  • AWS Regions – You can select or deselect regions when the landing zone is set up or updated. Selecting a region places it under AWS Control Tower governance.
  • Optional controls – After setup, you can choose whether to activate optional controls. By selecting which controls to enable, you adjust the level of enforcement applied to each OU.
  • AWS CloudTrail trails – You can choose whether to participate in the organization-level CloudTrail trail managed by AWS Control Tower. Opt in if you prefer AWS Control Tower to create and manage an organization trail for you. Opt out if you intend to manage logging yourself using your own CloudTrail trails or a third-party logging solution.
  • Member accounts – You can personalize member accounts through the console using Account Factory Customization (AFC).

Account Factory Customization (AFC)

The AWS Control Tower Account Factory automates account creation and management, streamlining the process and ensuring that every new account begins with a baseline security setup. However, customizing AWS accounts can be complex, particularly when trying to keep configurations consistent across all accounts. The difficulty lies in establishing and enforcing consistent configurations across many accounts at scale, and in keeping them consistent over time.

So, in this article, we'll introduce Account Factory Customization to aid Cloud Operations teams in establishing a simple and consistent approach to applying customized configurations to both newly created and existing AWS accounts.

Account Factory Customization leverages AWS Control Tower and AWS Service Catalog. The initial step involves creating a blueprint, a product within the Service Catalog generated from a CloudFormation template.

Once you've created a blueprint, you can import it into the Account Factory customization settings in AWS Control Tower. This can be done either when creating new AWS accounts or when updating existing ones. The customizations are then applied to the account automatically. Through the AWS Control Tower console, you can ensure that customizations are applied consistently across all AWS accounts managed by Account Factory.

Customizations for AWS Control Tower (CfCT)

Customizations for AWS Control Tower (CfCT) were introduced to offer enhanced customization options for your landing zone. CfCT comprises a suite of tools that let you customize your landing zone in greater depth than is possible through the AWS Control Tower console alone. These customizations are implemented using AWS CloudFormation templates and service control policies (SCPs). Additionally, CfCT is integrated with AWS Control Tower lifecycle events so that your resource deployments stay synchronized with your landing zone configuration.

CfCT Architecture

AWS offers a CloudFormation template that sets up Customizations for AWS Control Tower (CfCT). This template creates an AWS CodePipeline that deploys stack sets or service control policies (SCPs) to organizational units (OUs) or accounts. The template must be deployed in the management account first.

CfCT Deploy Workflows

AWS CodePipeline Workflow – This workflow is triggered by changes to the configuration package. The package can be either a zipped file uploaded to S3 (the default) or a package committed to CodeCommit.

A configuration package includes:

  • Manifest file – This configuration file serves as the pipeline's reference, detailing which templates or JSON policies need to be deployed, to which OUs or accounts, and whether to deploy resources or SCPs.
  • Set of templates
  • JSON files

The pipeline includes a build stage to validate the templates and manifest files. After validation, a state machine will use the AWS Organizations API to create Service Control Policies and AWS CloudFormation to deploy the stack sets.
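The checks the build stage performs are the kind a team should run locally before committing a package. The following added example (not code from AWS or the CfCT project) validates a constructed configuration package against the CfCT manifest schema (version `2021-03-15`, with `region`, `version` and a `resources` list whose entries carry `name`, `resource_file`, `deploy_method`, `parameters`, `deployment_targets` and `regions`). The resource names, file paths, OU name and account ID are constructed; the SCP and template contents stand in for the files that would sit beside `manifest.yaml` in the package.

```python
"""Validate a Customizations for AWS Control Tower (CfCT) configuration package.

Added example, not code from AWS or from the CfCT project. The manifest follows
the CfCT manifest schema (version 2021-03-15); the resource names, file paths,
OU name and account ID below are constructed.
"""
import json
import re

# Constructed manifest, equivalent to the manifest.yaml at the root of a package.
MANIFEST = {
    "region": "us-east-1",
    "version": "2021-03-15",
    "resources": [
        {
            "name": "deny-leave-organization",            # hypothetical SCP
            "resource_file": "policies/deny-leave-organization.json",
            "deploy_method": "scp",
            "deployment_targets": {"organizational_units": ["Workloads"]},
        },
        {
            "name": "baseline-logging",                   # hypothetical stack set
            "resource_file": "templates/baseline-logging.template",
            "deploy_method": "stack_set",
            "parameters": [
                {"parameter_key": "LogBucketPrefix", "parameter_value": "org-logs"},
            ],
            "deployment_targets": {
                "organizational_units": ["Workloads"],
                "accounts": ["111111111111"],             # constructed account ID
            },
            "regions": ["us-east-1", "eu-west-1"],
        },
    ],
}

# Constructed contents of the files the manifest refers to.
PACKAGE_FILES = {
    "policies/deny-leave-organization.json": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny",
                       "Action": "organizations:LeaveOrganization",
                       "Resource": "*"}],
    }),
    "templates/baseline-logging.template":
        "AWSTemplateFormatVersion: '2010-09-09'\nResources: {}\n",
}

ACCOUNT_ID = re.compile(r"^\d{12}$")
REGION = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")
DEPLOY_METHODS = {"scp", "stack_set"}


def validate_manifest(manifest, files):
    """Return a list of findings; an empty list means the package is consistent."""
    findings = []
    if manifest.get("version") != "2021-03-15":
        findings.append("manifest version must be 2021-03-15")
    if not REGION.match(manifest.get("region", "")):
        findings.append("manifest region is missing or malformed")
    for res in manifest.get("resources", []):
        name = res.get("name", "<unnamed>")
        method = res.get("deploy_method")
        if method not in DEPLOY_METHODS:
            findings.append(f"{name}: deploy_method must be scp or stack_set")
            continue
        path = res.get("resource_file", "")
        if path not in files:
            findings.append(f"{name}: resource_file {path!r} is not in the package")
        targets = res.get("deployment_targets", {})
        ous = targets.get("organizational_units", [])
        accounts = targets.get("accounts", [])
        if not ous and not accounts:
            findings.append(f"{name}: deployment_targets needs at least one OU or account")
        for acct in accounts:
            if not ACCOUNT_ID.match(str(acct)):
                findings.append(f"{name}: {acct!r} is not a 12-digit account ID")
        if method == "scp":
            # An SCP resource must be a JSON policy the Organizations API will accept.
            if not path.endswith(".json"):
                findings.append(f"{name}: an SCP resource_file must be a .json policy")
            elif path in files:
                try:
                    if not json.loads(files[path]).get("Statement"):
                        findings.append(f"{name}: SCP has no Statement block")
                except json.JSONDecodeError:
                    findings.append(f"{name}: SCP file is not valid JSON")
        else:
            # Stack set parameters and regions are handed straight to CloudFormation.
            for param in res.get("parameters", []):
                if not {"parameter_key", "parameter_value"} <= set(param):
                    findings.append(f"{name}: each parameter needs parameter_key and parameter_value")
            for region in res.get("regions", []):
                if not REGION.match(region):
                    findings.append(f"{name}: {region!r} is not a valid region name")
    return findings


if __name__ == "__main__":
    for finding in validate_manifest(MANIFEST, PACKAGE_FILES) or ["package OK"]:
        print(finding)
```

Running the script on the constructed package prints `package OK`; pointing `validate_manifest` at a manifest with a misnamed policy file or an empty `deployment_targets` returns one finding per problem, which is cheaper to fix locally than after a failed pipeline run in the management account.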

AWS Control Tower Lifecycle Event Workflow – This workflow extends the AWS CodePipeline workflow by allowing triggers based on AWS Control Tower Lifecycle Events. It consists of an Amazon EventBridge rule, an Amazon Simple Queue Service (Amazon SQS) first-in-first-out (FIFO) queue, and an AWS Lambda function. The Amazon EventBridge rule detects the AWS Control Tower Lifecycle Event, sends it to the Amazon SQS FIFO queue, and triggers a Lambda function that runs the AWS CodePipeline workflow.

Account Factory for Terraform (AFT)

AFT is a Terraform module maintained by AWS that enables the automated provisioning and customization of new accounts. This module deploys a pipeline of AWS services, facilitating the management of AWS Control Tower accounts through Terraform configuration.

AFT Workflow

  • AFT begins with submitting new account requests to the pipeline. These requests are initially queued in an SQS FIFO Queue, allowing multiple requests to be made without having to wait for the previous ones to complete, providing flexibility.
  • The new SQS message triggers a Lambda function, initiating the account vending process in AWS Control Tower.
  • Once the account is created, another Lambda function invokes a state machine to provision an account-specific pipeline.
  • This newly created pipeline will then run the global customizations stage, followed by account-level customizations.

There are two levels of customization:

Global level – Customizations applied to all accounts.

Account level – Customizations applied to a specific AWS account or a predetermined group of AWS accounts.

To apply customizations to existing accounts created with AFT, users must initiate customization requests via the Customization Invocation State Machine. Any updates to the customization repositories will not automatically trigger the account-specific pipeline; however, users can manually execute the state machine to run the account-specific pipeline.

Customizing Your AWS Control Tower Landing Zone by Integrating Security Hub

AWS Control Tower is a powerful service that provides organizations with a centralized and automated way to set up and manage multiple AWS accounts. By integrating AWS Control Tower with Security Hub and utilizing the CIS Benchmarks for AWS Foundations, you can greatly enhance the security and compliance of your AWS environment. This integration enables streamlined security operations, centralized security monitoring, and adherence to industry best practices.

The Center for Internet Security (CIS) AWS Foundations standard was developed by a global community of security experts from both public and private sector organizations. The CIS Benchmarks offer a comprehensive set of security controls and recommendations specifically for AWS environments. While other AWS standards in Security Hub, such as AWS Foundational Security Best Practices, also provide valuable security insights, the CIS AWS Foundations Benchmark delivers a detailed and robust framework that is widely recognized and respected in the industry.

When using AWS Control Tower, you have several options for managing Security Hub and other security-related services. One approach is to designate an account as the central administrator for Security Hub. This account is responsible for configuring Security Hub settings, such as enabling standards like the CIS AWS Foundations Benchmark and monitoring the security posture of member accounts.

By configuring permission sets in AWS IAM Identity Center (AWS Single Sign-On) and assigning them to the Security Hub administrator account, you can grant the security team specific permissions for managing Security Hub within the administrator account.

The auto-enable feature in Security Hub ensures that Security Hub is automatically activated for all existing and future member accounts within the AWS Control Tower environment, enabling you to maintain a consistent security posture across the organization.
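The three settings described in this section (a delegated Security Hub administrator, auto-enable for member accounts, and the CIS AWS Foundations Benchmark enabled in that administrator account) are easy to verify programmatically. The following added example, not AWS code, evaluates a constructed snapshot shaped like the responses boto3 returns from `organizations.list_delegated_administrators`, `securityhub.describe_organization_configuration` and `securityhub.get_enabled_standards`; the account IDs are placeholders, and `fetch_snapshot` shows how the same data would be collected from a live organization.

```python
"""Assess a landing zone's Security Hub setup: one delegated administrator,
auto-enable turned on, and the CIS AWS Foundations Benchmark enabled there.

Added example, not AWS code. The snapshot below is constructed to mirror the
shapes boto3 returns from organizations.list_delegated_administrators,
securityhub.describe_organization_configuration and
securityhub.get_enabled_standards; the account IDs are placeholders.
"""

# Standards ARN of the CIS AWS Foundations Benchmark v1.2.0 in Security Hub.
CIS_STANDARD_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"

# Constructed snapshot of a correctly configured organization.
SNAPSHOT = {
    "delegated_admins": {
        "DelegatedAdministrators": [{"Id": "222222222222", "Name": "Audit"}],
    },
    "org_config": {
        "AutoEnable": True,
        "MemberAccountLimitReached": False,
        "AutoEnableStandards": "DEFAULT",
    },
    "enabled_standards": {
        "StandardsSubscriptions": [
            {"StandardsArn": CIS_STANDARD_ARN, "StandardsStatus": "READY"},
        ],
    },
}


def assess_security_hub(snapshot, expected_admin):
    """Return a list of findings; an empty list means the setup matches expectations."""
    findings = []
    admins = [a["Id"] for a in snapshot["delegated_admins"].get("DelegatedAdministrators", [])]
    if admins != [expected_admin]:
        findings.append(f"Security Hub delegated admins are {admins}, expected [{expected_admin!r}]")
    config = snapshot["org_config"]
    if not config.get("AutoEnable"):
        findings.append("AutoEnable is off: new member accounts will not join Security Hub")
    if config.get("MemberAccountLimitReached"):
        findings.append("member account limit reached: further accounts cannot be added")
    subscriptions = {
        s["StandardsArn"]: s.get("StandardsStatus")
        for s in snapshot["enabled_standards"].get("StandardsSubscriptions", [])
    }
    status = subscriptions.get(CIS_STANDARD_ARN)
    if status is None:
        findings.append("CIS AWS Foundations Benchmark is not enabled in the admin account")
    elif status != "READY":
        findings.append(f"CIS AWS Foundations Benchmark is in state {status}, not READY")
    return findings


def fetch_snapshot(region):
    """Collect the same three responses from a live organization.

    Requires boto3 and AWS credentials. list_delegated_administrators is an
    AWS Organizations call (management account); the two Security Hub calls
    belong in the delegated administrator account, so in practice the halves
    run under different roles.
    """
    import boto3  # imported here so the offline check above needs no AWS SDK

    orgs = boto3.client("organizations")
    hub = boto3.client("securityhub", region_name=region)
    return {
        "delegated_admins": orgs.list_delegated_administrators(
            ServicePrincipal="securityhub.amazonaws.com"),
        "org_config": hub.describe_organization_configuration(),
        "enabled_standards": hub.get_enabled_standards(),
    }


if __name__ == "__main__":
    for finding in assess_security_hub(SNAPSHOT, "222222222222") or ["Security Hub setup OK"]:
        print(finding)
```

Newer CIS versions use region-qualified standards ARNs, so swap `CIS_STANDARD_ARN` for the version your landing zone enables. Run against a live snapshot, an empty finding list confirms that the administrator designation, auto-enable and the CIS standard all match the setup this section describes.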

Conclusion

In summary, customizing your AWS Control Tower Landing Zone offers substantial advantages for organizations aiming to enhance their cloud infrastructure. This article outlines various customization options that enable businesses to tailor their cloud environment to their specific needs. Additionally, the flexibility provided by AWS Control Tower allows organizations to adjust and scale their Landing Zone as their cloud infrastructure grows. Ultimately, customizing the AWS Control Tower Landing Zone helps businesses optimize their cloud investment while ensuring a secure and compliant environment.

* This newsletter was sourced from this Tutorials Dojo article.

Victor Cabrales

Aspiring Cloud Security Architect | Sec+ | AWS CP

1 month

I just recently started checking on CT and trying to do a deep dive on it. This was very helpful and insightful. Thanks.

Reply
Anbu Anand Gurusamy

Integration Architect with specialization in Boomi, Open Source API Gateways, Cloud Migration (AWS Certified, Azure), TOGAF, BFSI, Security, Governance Frameworks etc

2 months

Very informative

Reply
Anorue Wilson

Cloud Engineer (AWS, GCP) | DevOps Engineer | Terraform | CICD | Kubernetes | Serverless | Server Configuration and Management

2 months

Thanks for sharing. I have only briefly used the AWS Control Tower landing zone; now I understand more about it.

Reply
Binod Baiju

Sr. Cloud Platform Architect - AWS | DevOps | SRE -

2 months

Thanks for sharing

Reply
