As customers create and manage multi-account AWS environments, cloud administrators need to process where each account can apply configuration autonomously from a centralize configuration repository. Some of the customers I work with use AWS Control Tower to manage a multi account environment. Administrators use AWS Control Tower to create organization units for account grouping and then create multiple accounts in those organization units. These administrators would like a process to ensure consistency. For example, the administrator would like accounts across all regions to deploy a security configuration or apply an account base tagging strategy for resources that will be deployed. A mechanism to do this will be for the administrator to add an AWS CloudFormation template that contains the steps for applying the security configuration to a configuration repository, then each account will then retrieve the configuration and deploy it in its own environment.
In this blog post, I will show you how to enable administrators to configure an AWS Control Tower environment to automatically deploy configurations when needed using AWS Service Catalog, AWS Cloud Watch events and other AWS services.
This solution uses the following AWS services. Most of the resources are set up for you with an AWS CloudFormation stack:
- AWS Service Catalog
- AWS Lambda
- AWS CloudFormation
- AWS Systems Manager
- Amazon DynamoDB
- AWS Control Tower
- Amazon CloudWatch
Here are some of AWS Service Catalog concepts referenced in this post. For more information, see Overview of AWS Service Catalog.
- A product is a blueprint for building the AWS resources to make available for deployment on AWS, along with the configuration information. Create a product by importing an AWS CloudFormation template, or, in case of AWS Marketplace-based products, by copying the product to AWS Service Catalog. A product can belong to multiple portfolios.
- A portfolio is a collection of products, together with the configuration information. Use portfolios to manage user access to specific products. You can grant portfolio access for an AWS Identity and Access Management (IAM) user, IAM group, or IAM role level.
- A provisioned product is an AWS CloudFormation stack; that is, the AWS resources that are created. When an end-user launches a product, AWS Service Catalog provisions the product from an AWS CloudFormation stack.
- Constraints control the way users can deploy a product. With launch constraints, you can specify a role that the AWS Service Catalog can assume to launch a product.
The following diagram maps out the solution architecture.
Here’s the process for the administrator:
- The administrator deploys an AWS CloudFormation template that creates base components in the Control Tower management environment like API Gateway, DynamoDB, Lambda, Step Function and others. These components will be used by the add configuration and managed account configuration deployment process.
- The administrator uses the Add Configuration process to add a CloudFormation configuration item to the configuration database which will be used by the managed account deployment process.
Here’s the process when the managed account deploys a CloudFormation configuration item:
- Behind the scene, invisible to the end-user, a scheduled Cloud Watch rule triggers a Lambda in the managed account which communicates to the master account through an API Gateway. The process queries the configuration database for new CloudFormation configuration items.
- If there are new CloudFormation configuration item the managed account deploys the CloudFormation template and updates the configuration database.
Step 1: Configuring an environment
You will need the following information to deploy the base components:
A user with an administrator role
The name of a user, group or role who will launch AWS Service Catalog products. You will enter the user as follows:
Deploy the base components:
Download content and use your own bucket.
- Download this content zip file
- Extract the zip file, it will create a folder called postaction
- Create an AWS S3 bucket, note the bucket name
- Upload the postaction folder to the bucket
- Drill down into the postaction folder
- Click the checkbox next to setup_ctpostaction_base.json
- Right click and copy the Object URL
Use content from existing location.
- Login to the AWS Control Tower console using the Control Tower master account with an administrator role.
- Verify that AWS Control Tower has been deployed successfully.
- Right click and copy this CloudFormation setup link.
- Open the AWS CloudFormation console in a new browser tab.
- In the AWS CloudFormation console, choose Create Stack, Amazon S3 URL, paste the URL you just copied, and then choose Next.
- On the Specify stack details page, specify the following:
- Stack name: ctpostactionbase
- SourceBucket: use default or enter your bucket name
- Leave the default values except as noted.
- On the Review page, check the box next to I acknowledge that AWS CloudFormation might create IAM resources with custom names, and choose Create.
- After the status of the stack changes to CREATE COMPLETE, select the stack and choose Outputs to see the output.
- In the parameter screen the user selects the parameters for the stack location and the target organization unit.
- When the parameters have all been selected, the user launches the AWS Service Catalog product.
Deploy a CloudFormation configuration item:
- Login to the AWS Service Catalog console
- Select Product list from the top left
- Select the SCproductCTAddConfigItem AWS Service Catalog product
- Select the LAUNCH PRODUCT button
- Enter a Name myfirstconfig select Next
- AutomationDescription: default
- Autonomous – configuration will be deployed by the service.
- SpokePull – The manage accounts will download and install this configuration
- MasterPush – The Control Tower master account will push this configuration to manage accounts.
- S3StackLocation – The CloudFormation stack to be deployed
- OrgUnits – The OrgUnit to deploy the configuration to accounts in this OU will get the configuration
- Regions – The region to apply the configuration select 1 or ALL
- AdministrationRoleARN – use default
- ExecutionRoleName – use default
- Select Next
- On the TagOptions page select Next
- On the Notifications page select Next
- On the Review page select Launch
- Monitor until the Status changes to Succeeded
- Optional – you can switch to a mange account to verify the configuration has been deployed.
To avoid incurring cost, please delete resources that are not needed. You can terminate the Service Catalog product deployed from the AWS Service Catalog console, select Provisioned products then select Action then Terminate.
In this post, you learned an easy way to for administrators to configure an AWS Control Tower environment to automatically deploy configurations when needed. You also saw how there’s an extra layer of governance and control when you use Control Tower and AWS Service Catalog to deploy resources to support business objectives.
About the Author
Kenneth Walsh is a solutions architect focusing on AWS Marketplace. Kenneth is passionate about cloud computing and loves being a trusted advisor for his customers.