As of date : 25 Feb 2020
https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-prereqs.html
Central Management of Root Access
Create 3 email Accounts
I used a shared email account because roles in an account can be changed; using a shared account makes it easy to switch roles without making any changes to the account.
e.g. I am Solution Architect for a client project. I want to set up an AWS account and define and assign roles, so I would make email accounts like so:
hac.lzaudit@hybridacumen.ie
hac.lzlogarchive@hybridacumen.ie
So my AWS account is created with the root account email and not my individual email. I will move on to another client and this role can be taken up by another designated person, who will be added to hac.cloudroot@hybridacumen.ie
There are a couple of rules for setting up Control Tower on the account:
The account can never have been associated with AWS Organizations in the past
You need to supply an email address for the root account
- if the domain for that email address has ever been associated with another AWS account you're going to get a rollback
The log email and the audit email have to be unique
The domains for those emails have to be part of the domain that the root account belongs to
You cannot use an IAM user to spin up a new AWS account; you have to use an SSO user
You have to use the AWSServiceCatalogEndUserAccess role, under which you can see Account Factory
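A small pre-flight check for the email and identity rules listed above, added here as an example (not AWS code). It assumes the rules mean that the three addresses are distinct and that the log archive and audit addresses share the root account's domain, and that the caller ARN comes from `aws sts get-caller-identity`; the sample ARN, account id and permission set name are constructed placeholders.

```python
# Added pre-flight check for the Control Tower email and identity rules above.
# Not AWS code; sample ARNs and account ids below are constructed for the demo.

def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()

def check_emails(root: str, log_archive: str, audit: str) -> list:
    """Return the rule violations for the three account emails (empty list = OK).
    Assumed reading of the rules: all three addresses distinct, and the log
    archive and audit addresses on the same domain as the root account email."""
    problems = []
    emails = {"root": root, "log archive": log_archive, "audit": audit}
    for name, addr in emails.items():
        if addr.count("@") != 1 or not domain_of(addr):
            problems.append(f"{name} email {addr!r} is not a valid address")
    if len({e.lower() for e in emails.values()}) != 3:
        problems.append("root, log archive and audit emails must be distinct")
    root_domain = domain_of(root)
    for name in ("log archive", "audit"):
        if domain_of(emails[name]) != root_domain:
            problems.append(f"{name} email must use the root domain {root_domain!r}")
    return problems

def principal_kind(caller_arn: str) -> str:
    """Classify the Arn field of `aws sts get-caller-identity`.
    Account Factory must be driven by an SSO user, which shows up as an assumed
    AWSReservedSSO_* role; a plain IAM user ARN means the wrong identity is in use."""
    resource = caller_arn.split(":", 5)[-1]
    if resource.startswith("assumed-role/AWSReservedSSO_"):
        return "sso-user"
    if resource.startswith("user/"):
        return "iam-user"
    if resource == "root":
        return "root"
    return "other"

def preflight(root: str, log_archive: str, audit: str, caller_arn: str) -> list:
    """Combine both checks into one list of problems to fix before enrolling."""
    problems = check_emails(root, log_archive, audit)
    if principal_kind(caller_arn) != "sso-user":
        problems.append(f"caller {caller_arn!r} is not an SSO user; sign in via the awsapps.com/start URL")
    return problems

if __name__ == "__main__":
    # Constructed inputs: the three addresses used in these notes plus a sample
    # SSO caller ARN with a placeholder account id and permission set name.
    sso_arn = "arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AdministratorAccess_0123456789abcdef/alice"
    for issue in preflight("hac.cloudroot@hybridacumen.ie", "hac.lzlogarchive@hybridacumen.ie",
                           "hac.lzaudit@hybridacumen.ie", sso_arn) or ["all prerequisite checks passed"]:
        print(issue)
```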
Price: $15/month as base setup
Service Catalog: $5 PM
Config Rules: charges XX
After setup completes, a few mails will be received at the master account email:
Invitation to Single Sign-On - following this link you will be asked to create a password for the single sign-on user
AWS Organizations verification request - this will ask you to sign in using master creds to make sure you know WTF you are doing, as this account pays for all child account resources.
Interesting read : https://cevo.com.au/post/2019-10-05-thoughts-on-aws-control-tower
Follow the PDF steps; I am not re-typing the hard work AWS did already :)
Once the account is created, an email invite is sent to the email used for creating the account
Note: you have to use the https://<id>.awsapps.com/start URL to create a new password, SO you will be logged in using SSO as AWS Admin
When you log in with master creds on the above URL you get access to this account but only with AWSOrganizationsFullAccess
You cannot log in as Admin; use the above creds to log in as Account Admin
Issues / Limitations (still investigating)
Nested OUs are not displayed in the AWS Control Tower console.
If I plan to create nested OUs under Custom, I cannot do that. AWS Organizations supports a 5-level-deep hierarchy, but with Control Tower every account is under Custom or Root, which contradicts the AWS Org design practice. I would need
Custom/Network
Custom/Security
Custom/Prod or OU: Prod/ProjectA, OU: Prod/openbanking
Custom/Nonprod
so that I can apply an SCP for OU ProjectA that is internal only, i.e. no IGW,
and a different SCP for OU: Prod/openbanking that allows public API endpoints. Is it that we cannot see this on the Control Tower dashboard but we can do it in the AWS Organizations dashboard (we can create an OU under the managed OU and move the account there)? Need to find out what the AWS recommendation is.
Creation of nested OUs from the AWS Control Tower console is not supported.