Posted On: Jun 3, 2022

AWS Control Tower now lets you manage and customize your shared and management accounts with Account Factory for Terraform (AFT). You can centralize your account customization management and extend governance coverage across your AWS Control Tower environment while still protecting the security of your account configurations. Shared account customization helps customers who want to use the same customization mechanism across all of their accounts. AFT has also made a role change to help you better manage the permissions of your customizations: you can now fully automate permission management for AFT to act on all of your accounts, at whatever level of granularity you need.

To customize your shared and management accounts, you create an AFT account request and provide the same information as you would for your existing enrolled accounts. To limit the permissions of your customizations with AFT, you use IAM permission boundaries to scope the AWSAFTExecution role to the minimum permissions your customizations require. With this role change and shared account support, you can programmatically customize and manage all of your accounts with the same experience, while continuing to protect your sensitive data.
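The two steps above, an account request for an existing shared account and a permission boundary for the customization role, as an added Terraform example that is not part of the AWS post or of the AFT project. It assumes the `aft-account-request` module layout used by the AFT account-request repository (the `source` path, the parameter map names, and every email, account name, OU and tag value are placeholders), and it shows the boundary mechanism on a stand-in role named `AWSAFTExecution`; the post does not describe how AFT attaches the boundary to the role it manages, so check the AFT documentation for the supported wiring before applying this.

```hcl
# Added example (not from the AWS post or the AFT project).
# Part 1: request customization of an existing shared account.
# For a shared account AFT does not create a new account; the parameters must
# match the account that already exists in the Control Tower organization.
module "log_archive_shared_account" {
  source = "./modules/aft-account-request" # assumed module path

  control_tower_parameters = {
    AccountEmail              = "log-archive@example.com"   # placeholder, must match the existing account
    AccountName               = "Log Archive"               # placeholder
    ManagedOrganizationalUnit = "Security"                  # placeholder OU
    SSOUserEmail              = "security-admin@example.com"
    SSOUserFirstName          = "Security"
    SSOUserLastName           = "Admin"
  }

  account_tags = {
    "Owner"       = "security-engineering"
    "AccountType" = "shared"
  }

  change_management_parameters = {
    change_requested_by = "security-engineering"
    change_reason       = "Bring the shared Log Archive account under AFT customization"
  }

  custom_fields = {
    data_classification = "sensitive"
  }

  # Name of the customization directory that AFT runs for this account (assumed)
  account_customizations_name = "log-archive-customizations"
}

# Part 2: a permission boundary that caps what the customization role can do.
# A boundary never grants permissions by itself; the effective permission is the
# intersection of the role's identity policies and this boundary.
data "aws_iam_policy_document" "aft_execution_boundary" {
  # Ceiling for what customizations may touch: narrow this to the services
  # your customizations actually use.
  statement {
    sid       = "CustomizationCeiling"
    effect    = "Allow"
    actions   = ["s3:*", "kms:*", "logs:*", "cloudtrail:*", "config:*"]
    resources = ["*"]
  }

  # Block escalation paths regardless of what identity policies grant:
  # the role must not be able to loosen or remove its own boundary, nor
  # change organization or Control Tower settings.
  statement {
    sid    = "DenyBoundaryAndGovernanceChanges"
    effect = "Deny"
    actions = [
      "iam:DeleteRolePermissionsBoundary",
      "iam:DeleteUserPermissionsBoundary",
      "iam:PutRolePermissionsBoundary",
      "iam:PutUserPermissionsBoundary",
      "organizations:*",
      "controltower:*",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "aft_execution_boundary" {
  name   = "AFTExecutionPermissionBoundary" # placeholder name
  policy = data.aws_iam_policy_document.aft_execution_boundary.json
}

# Stand-in for the role AFT uses in each account: the point shown here is the
# permissions_boundary attribute, not the role's trust policy or grants.
resource "aws_iam_role" "aft_execution" {
  name                 = "AWSAFTExecution"
  permissions_boundary = aws_iam_policy.aft_execution_boundary.arn

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { AWS = "arn:aws:iam::111111111111:root" } # placeholder AFT management account id
    }]
  })
}
```

The `Deny` statement is the part worth keeping even if you widen the `Allow` ceiling: without it, any customization that is granted IAM write access could detach the boundary and run with the role's full identity policies. After applying, verify with `aws iam get-role --role-name AWSAFTExecution` that the `PermissionsBoundary` field points at the policy, and review CloudTrail for `PutRolePermissionsBoundary` or `DeleteRolePermissionsBoundary` events as a detection signal for attempts to weaken it.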

AWS Control Tower offers a streamlined way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. With AFT, Terraform customers can automate the creation of fully functional accounts that have access to all the resources they need to be productive. To learn more, visit Overview of AWS AFT or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.