From AWS Organizations to Control Tower: A Migration Blueprint

In an enterprise AWS environment, you may need to move AWS accounts from your current AWS Organization to another AWS Organization. One common reason is that you want to build a new landing zone with AWS Control Tower. This article explains the conditions to consider when migrating a member account from an existing AWS Organization to an AWS Control Tower landing zone.


Valid Payment Method Requirement

AWS accounts require a valid payment method before they can leave an organization, so make sure that every account, including the management account, has one. Setting the payment method to Invoice is often the easiest way to satisfy this requirement across many accounts in an organization.

To change the payment method to invoice for an account, create a support case with the following information from the management account of the organization:

  • AWS Account Number, Company Name, Contact Name, Contact Phone, Contact Email, Address, City, State or Province, Zip, and Country.


Avoiding additional bills

When an account is moved across AWS Organizations, it first leaves its present organization and only then joins the new one. If the whole process is not completed within 1 hour, the account is billed separately for the time it spends in the "standalone" state.

That standalone period produces a separate invoice that you have to handle in addition to the organization's consolidated billing.

To avoid this, invite the migrated account to the new organization as soon as it leaves the old organization, within the 1-hour limit.


IAM Identity Center Configurations

When you set up a landing zone with AWS Control Tower, an IAM Identity Center (previously AWS SSO) environment is created for it. AWS Control Tower automates the configuration of a multi-account AWS environment using AWS best practices, which includes setting up IAM Identity Center for centralized access management.

Before migrating an AWS account to a new organization, carefully evaluate the current IAM Identity Center settings: the SSO users, SSO groups, and permission sets associated with the AWS account. Ensure that the IAM Identity Center created by Control Tower contains configurations equivalent to those of the legacy IAM Identity Center (users, groups, permission set definitions, etc.).

Additionally, after migrating the AWS account to the new organization, ensure that the account is associated with the correct SSO group and Permission Sets.

AWS-managed applications integrate with the IAM Identity Center and can use it for authentication and directory services. If you are using the AWS services mentioned in AWS’s documentation here, make sure to check the SSO settings of the services after the migration of your test AWS accounts before migrating your production AWS accounts. If you detect a migration-related problem in services, you will have time to resolve it before migrating your prod accounts.


Global Condition Context Keys

Evaluate your current environment to determine which identity-based and resource-based policies depend on the organization. Check whether any of the global condition keys “aws:PrincipalOrgID”, “aws:PrincipalOrgPaths”, “aws:ResourceOrgID” or “aws:ResourceOrgPaths” are used in IAM policies. All IAM policies in the account should be evaluated.

If your AWS account contains only a small number of IAM policies, you can check them manually. If that is not practical, you can scan the account with the “Account Assessment for AWS Organizations” tool. Alternatively, you can write a custom script that scans all Customer Managed Policies, Inline Policies, and Role Trust Policies defined in the AWS account.

If you detect one of these condition keys in your policies, update those policies before migrating the member account. Otherwise, when the account leaves AWS Organizations, access to the resources they protect will be lost, with potentially serious consequences.

In addition, please verify whether these global condition keys are also used in AWS CloudFormation Stack Policies.

Also, check whether any Lambda functions in the account use the Organizations API or reference the organization ID. If they do, the organization ID will need to be changed after the migration.
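An added example, not the article's own code, of the custom scan described above: find_org_condition_keys() reports every Organizations-scoped condition key in a policy document (the same helper can be pointed at a CloudFormation stack policy document), and scan_account() walks the account's customer managed policies, role trust policies and role inline policies. The sample bucket policy and the organization ID "o-exampleorgid" are constructed placeholders, and scan_account() assumes boto3 is installed with read-only IAM credentials configured.

```python
ORG_CONDITION_KEYS = {"aws:principalorgid", "aws:principalorgpaths",   # lower-cased: IAM matches
                      "aws:resourceorgid", "aws:resourceorgpaths"}     # key names case-insensitively

# Constructed sample bucket policy (not from the article); "o-exampleorgid" is a placeholder
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "Paths", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"ForAnyValue:StringLike": {"aws:principalorgpaths": ["o-exampleorgid/*"]}}},
    ],
}


def find_org_condition_keys(policy_doc):
    """Return sorted (Sid, key) pairs for every org-scoped condition key in a policy document."""
    # Only each statement's Condition block matters; the operator (StringEquals, ForAnyValue:StringLike,
    # ...) is skipped, so identity, trust, resource and stack policy documents are all handled alike.
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):              # a single statement may be a bare object
        statements = [statements]
    hits = []
    for idx, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for keys in stmt.get("Condition", {}).values():
            hits.extend((sid, k) for k in keys if k.lower() in ORG_CONDITION_KEYS)
    return sorted(hits)


def scan_account():
    """Yield (ARN, kind, hits) for customer managed policies, role trust and role inline policies."""
    # Assumes boto3 is installed with read-only IAM credentials (lazy import so the checker above has
    # no SDK dependency). User/group inline policies can be added via list_user_policies/list_group_policies.
    import boto3
    iam = boto3.client("iam")
    for page in iam.get_paginator("list_policies").paginate(Scope="Local"):
        for pol in page["Policies"]:
            ver = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
            if hits := find_org_condition_keys(ver["PolicyVersion"]["Document"]):
                yield pol["Arn"], "managed", hits
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            if hits := find_org_condition_keys(role["AssumeRolePolicyDocument"]):
                yield role["Arn"], "trust", hits
            for name in iam.list_role_policies(RoleName=role["RoleName"])["PolicyNames"]:
                doc = iam.get_role_policy(RoleName=role["RoleName"], PolicyName=name)["PolicyDocument"]
                if hits := find_org_condition_keys(doc):
                    yield f"{role['Arn']} inline:{name}", "inline", hits
```

Every policy reported by scan_account() must be rewritten (for example to reference the new organization's ID or path) before the account leaves the old organization.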


Compare member account regions to new Control Tower Landing Zone regions

When moving an AWS account to a new AWS Organization, ensure that the regions enabled for the new organization are also enabled for the migrated AWS accounts.

Let’s illustrate what can go wrong if this is not done. Say we move an AWS account to the newly created organization. The Sydney region was not activated in the AWS account, but it is activated in the organization. A CloudFormation StackSet running in the organization's management account deploys a service across all regions enabled for the AWS Organization. In this case, the StackSet fails when it starts running in the migrated AWS account, because a region it targets has not been activated in that member account.


The behavior of Resource Access Manager (RAM)

AWS Resource Access Manager (RAM) is a service you should analyze before migrating accounts between organizations. Before moving an account to the target organization, check whether there are any AWS RAM resource shares owned by the account or any resources shared with the account. Please check this document for more information, in particular the “AWS RAM resource shares” section.


AWS Marketplace Subscriptions

Marketplace subscriptions are tied to the account that subscribed to them, so when that account leaves an organization and joins a new one, the subscriptions remain in the account throughout the process. The only thing that changes is the account responsible for paying for the services used.

Depending on how an organization is set up, there may be other accounts sharing a subscription. AWS Marketplace supports grants, which share the use of a license directly with AWS Organizations, an AWS account, or an organizational unit using AWS License Manager. If you have a Marketplace structure that includes this situation, I recommend you get support from AWS Support before starting the migration.


AWS Config Resources

After moving the AWS account between organizations, some AWS Config resources need to be deleted or modified as mentioned in this document. If you try to enroll an account in Control Tower without following this step, you will encounter an error.


Organizational Trails

AWS CloudTrail is an AWS service that helps you enable governance, compliance, and operational and risk auditing of your AWS account. Using AWS CloudTrail, a user in a management account can create an organizational trail that logs all events for all AWS accounts in that organization. Organizational trails are automatically applied to all member accounts in the organization.

Once an account is removed from the organization, it loses access to the Organizational trails. After you leave one organization and join another, you can delete the Organizational Trail for the old organization because you will no longer be associated with the old organization.


Cost Explorer

When you move an AWS account from one organization to another, you will not be able to see its historical cost information in Cost Explorer. Currently, the AWS Organizations service does not migrate individual accounts’ usage history when moving them between organizations. However, you can still access the previous data from the management account of the old organization, and you can export a CSV file of the individual reports from Cost Explorer in that management account.

Replicating the CUR (Cost and Usage Reports) files from the source Amazon S3 bucket in the old organization’s management account to an Amazon S3 bucket in the new organization’s management account will allow you to keep the Cost and Usage Reports from the old organization.


Activate Cost Allocation Tags

Any of the “User-defined cost allocation tags” and “AWS-defined cost allocation tags” found in the “Cost Allocation Tags” section of the old organization’s management account can also be defined and activated in the new organization’s management account.

These tags can then be used in the Cost and Usage Reports you create. It may take up to 24 hours after activation for the tags to propagate.


Control Tower Issue: No Launch Paths Found Error

Once you have completed setting up Control Tower, you may need to create a new AWS account in the AWS Organization via Account Factory and Service Catalog. However, when you start this process, you may receive the “No Launch Paths Found” error. There are several possible reasons for this:

  • You may be logged in as the root user. AWS Control Tower does not support creating accounts when you are logged in as the root user.
  • If you are using an IAM user to authenticate to the AWS account:

    – Ensure that the policies granted to the user are sufficient to perform the actions associated with Service Catalog and Account Factory.

    – Go to the Service Catalog service in the AWS Console. Under Administration in the left menu, select Portfolios. Click on “AWS Control Tower Account Factory Portfolio”. Select the “Access” tab and you will see a list of identities that have permission to use this portfolio and its products. Use the “Grant Access” button to add your “User” to that list.

  • If you are authenticated as an IAM Identity Center user:

    – Ensure that the Permission Set used is sufficient to perform the operations associated with Service Catalog and Account Factory.

    – As in the previous step, access must be granted on the Service Catalog portfolio. This time, when you click the “Grant Access” button, you must choose the “Role” you use. Because you are logged in via SSO and Permission Sets, your role will look like aws-reserved/sso.amazonaws.com/<region>/AWSReservedSSO_<Permission Set name>_<unique identifier>


Creating an AWSControlTowerExecution Role

There are different methods to create this role:

1- Enroll Individual Account

  • With this method, you need to manually create the “AWSControlTowerExecution” role in the account before enrollment. For this, you can follow the document here.

NOTE:

In the document above, the “OrganizationAccountAccessRole” role is intended to be used. However, this role is not automatically created for an account migrated from another organization. You can also create this role by following the document here.

2- Re-register the OU

  • Re-registering updates and reapplies Control Tower settings to all accounts within an OU, ensuring they meet the latest compliance and governance standards.
  • With this method, there is no need to create the AWSControlTowerExecution role manually.
  • The role is defined in a CloudFormation StackSet run by Control Tower, and this StackSet is applied to all accounts within the OU.
  • However, since this method operates on all accounts in the OU, it can take a long time.


Summary

Migrating AWS accounts from one organization to another, particularly when integrating with AWS Control Tower, is a complex but manageable process. This guide has provided some key considerations and steps to ensure a smooth transition.

By following these comprehensive strategies and best practices, you can make your migration process smoother and leverage Control Tower to increase governance, compliance, and operational efficiency in your AWS environment.


References

https://docs.aws.amazon.com/singlesignon/latest/userguide/awsapps.html

https://docs.aws.amazon.com/solutions/latest/account-assessment-for-aws-organizations/solution-overview.html

https://aws.amazon.com/tr/blogs/mt/aws-organizations-moving-an-organization-member-account-to-another-organization-part-1/

https://docs.aws.amazon.com/controltower/latest/userguide/existing-config-resources.html

https://repost.aws/articles/AREr_jjJ8TRjurD2ILuzOm4w/avoiding-additional-bills-when-migrating-accounts-between-aws-organizations

https://repost.aws/questions/QUKHLckrRzTh-lzzv2mAocqQ/control-tower-account-factory-no-launch-paths-found-for-resource-prod-2dlxxxx

https://docs.aws.amazon.com/controltower/latest/userguide/enroll-manually.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_access.html#orgs_manage_accounts_create-cross-account-role

Sait Yildirim

AWS & DevOps Engineer Trainee

9 months

Good work. Thanks for sharing.
