Many enterprise customers who use AWS Control Tower to create accounts want a way to extend the account creation process. They want this process to cover common business use cases including the creation of networks, security profiles, governance, and compliance. A manual process manually is cumbersome and makes it difficult for the organization to respond to the needs of its business. It might also be expensive if the organization pays another party to manage this process.

In this blog post, we will show you how to automate steps after an account is created. Each step can be unique to an organizational unit (OU) by placing the name of a template or infrastructure as code (IaC) in a tag on the OU. An OU can have multiple tags, one per Control Tower lifecycle event. After each lifecycle event, the template in the tag is executed to support the customer’s use case.

This solution we describe in the post uses the following AWS services. Most of the resources are set up for you with an AWS CloudFormation stack:

Solution overview­

The following diagram shows the solution architecture for automation account management, after an organization has been created through Control Tower.

The architecture diagram shows the components used by the solution. It also shows the steps in which they will be deployed and used.

Figure 1: Solution architecture diagram

Administrator process

The administrator deploys a CloudFormation template that creates resources in the management account. These resources include an AWS Service Catalog product, an Amazon EventBridge rule, and an AWS Lambda function. At this step in the process, tags are created on each Control Tower OU. These tags values are the Amazon Simple Storage Service (S3) locations of CloudFormation templates which  are deployed when the life cycle event is triggered.

The administrator also creates or updates an account using Account Factory. When a create or update event takes place, the backend processes trigger a CloudFormation stack deployment in the managed account, using the value of the organizational unit tags.

End-user process

End users use an AWS Service Catalog product to update the S3 locations of templates in the organizational unit tags.

Solution prerequisites

This solution assumes that you have AWS Control Tower already configured, and that you have AWS Organizations defined and registered within AWS Control Tower. For help with configuring AWS Control Tower visit Setting up – AWS Control Tower. For help with creating AWS Organizations visit Creating and managing an organization – AWS Organizations

Download automation content

Download the ctautomation.zip file and extract its content. It creates the content folder.

Create an S3 bucket and upload the folder

  1. Sign in to your AWS account as an administrator. Make sure that you have an AdministratorAccess IAM policy attached to your role so you can create AWS resources.
  2. Open the Amazon S3 console and create a bucket. For instructions, see Creating a bucket in the Amazon S3 User Guide.
  3. In the Buckets list, choose the name of the bucket you just created, and then choose Upload.
  4. Choose Add Folder, choose the content folder, and then choose Upload.
  5. In the Amazon S3 console, open the content/ctautomation/ folder and choose the ctautomation_setup.json file.
  6. Copy the object URL.

Deploy the CloudFormation template

  1. Sign in to your AWS account as an administrator with permission to create resources.
  2. Open the CloudFormation console and choose Create Stack with new resources (standard).
  3. Choose Amazon S3 URL, paste the URL you copied earlier, and choose Next.
  4. In Specify stack details, for Stack name, enter CTSetup.
  5. In Parameters, for SCenduser, enter a user, group or role. The user must have administrator permissions.
  6. For SourceBucket, paste the S3 URL and edit it to include the bucket name only. For example, if the URL is https://${testbucket}.s3.amazonaws.com/content/ctautomation/config/sc_ct_tag_automation.json, enter <testbucket>, and then choose Next.ctblogre1

    Figure 2: Specify stack details

  7. On the Configure stack options page, choose Next.
  8. On the Review page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box and then choose Create stack.
  9. Wait for the stack status to change to CREATE_COMPLETE.
  10. Alternatively, you can use Amazon CloudWatch to check on deployment progress or events associated with the creation of the resources.

View the tag report

  1. In the CloudFormation console, choose the stack you just created.
  2. Choose the Outputs tab and then right-click and open the OuTagReport tag.
    This will open a report that shows the tags associated with the various OUs. The values are CloudFormation templates that are stored in an S3 bucket. The bucket was created during the stack deployment.

The report shows the OU, tags, and the S3 stack name value of each tag

Figure 3: Tag report

Update your templates

  1. In the CloudFormation console, on the Outputs tab of the stack you created, choose the value of the Scproduct key.
  2. In the AWS Service Catalog console, choose Launch product.
  3. Under Product Actions, choose UpdateTags.
  4. Find the name of the OU that you want to modify and update the location of the CloudFormation template.

The end user uses serivce catalog to change the tag values

Figure 4: Update OU tag values

 

 

 

Clean up

To avoid ongoing charges in your account, delete the resources you created. Use the AWS Service Catalog console to delete the AWS Service Catalog product. Choose Provisioned products, and from Actions, choose Terminate. Use the CloudFormation console to delete the stack that you created. For instructions, see Deleting a stack on the AWS CloudFormation console.

Use the Amazon S3 console to delete the bucket contents, and then delete the bucket. For instructions, see Deleting a bucket.

Conclusion

In this blog post, we showed you how to use AWS Control Tower to automate the services setup as part of the account creation process in your organization. We shared a streamlined method for creating resources that offers users more agility, but also provides the organization with tighter control on governance, compliance, and costs associated with these resources.

About the authors

Kenneth Walsh

Kenneth Walsh

Kenneth Walsh is a New York-based Solutions Architect whose focus is AWS Marketplace. Kenneth is passionate about cloud computing and loves being a trusted advisor for his customers. When he’s not working with customers on their journey to the cloud, he enjoys cooking, audio books, movies, and spending time with his family and dog.

clearblog removebg preview

Clare Holley

Clare Holley is a Solutions Architect with AWS who helps customers on their cloud journey. With more than 20 years of experience in the IT discipline, she helps customers build highly resilient and scalable architectures.

doughha removebg preview

Doug Chando

Doug Chando is a Solutions Architect with AWS with more than 20 years of experience in the IT industry. He enjoys helping customers solve the most difficult data protection and management challenges through modern practices and architectures.