Automate multi account data access in AWS using Couchbase and AWS Control Tower
Having a multi account strategy is a best practice for achieving higher isolation of resources in AWS. It helps you meet regulatory and compliance needs, track operational costs, and add an extra layer of security. AWS Control Tower uses AWS best practices to establish a well-architected, multi-account baseline across your AWS accounts. For more information about managing multi-account AWS environments with AWS Control Tower, see Getting Started with AWS Control Tower.
Couchbase, a member of the AWS Partner Network (APN), is available in AWS Marketplace. It is a distributed document database with a powerful search engine and built-in operational and analytical capabilities. Couchbase brings the power of NoSQL to the edge and provides fast, efficient bidirectional synchronization of data between the edge and the cloud.
In this post, Justin, Perry, and I share a new solution that integrates Couchbase with AWS Control Tower. You can use this solution to automatically enroll newly added AWS accounts in an AWS Control Tower environment with Couchbase using Account Factory. The integration automates access to the centralized Couchbase cluster by an administrator of the newly added AWS account.
You must complete the following prerequisites before implementing the Couchbase and AWS Control Tower integration solution:
1. Subscribe to Couchbase Server in the shared services account via AWS Marketplace.
2. Choose Continue to Subscribe, and then choose Continue to Configuration to proceed to the software configuration.
3. Under Delivery Method, select CloudFormation Template and any other options you require. The default values point to the latest version.
4. To go to the Launch this software page, choose Continue to Launch.
5. Under Choose Action, select Launch CloudFormation and choose Launch.
6. Follow the CloudFormation deployment instructions under Usage Information in the AWS Marketplace listing to launch the Couchbase Server. Write down the URL where the Couchbase server is running (ClusterAdminURL).
7. Once the template deploys successfully, write down the CouchbaseBootstrapParameter and the CouchbaseSecretArn values from the Outputs section of the CloudFormation stack.
The solution uses a Couchbase server cluster that is deployed in an AWS shared services account in your AWS Control Tower organization. It then provisions the following infrastructure in the AWS Control Tower management account that enables management and access to your centralized Couchbase server cluster:
- Provisions two Couchbase AWS CloudFormation StackSets in the AWS Control Tower management account. These StackSets enable deployment of CloudFormation stacks into the shared services account and into each newly vended managed account.
- Provisions an Amazon CloudWatch Events Rule that is triggered based on AWS Control Tower lifecycle events.
- Provisions an AWS Lambda lifecycle function as a target for the CloudWatch Events rule.
- The lifecycle Lambda function creates an AWS Identity and Access Management (IAM) role in the managed account for accessing the shared services account. It also provisions a unique user in the Couchbase cluster deployed in the shared services account; the managed account uses this user to access the Couchbase cluster.
You deploy this solution using AWS CloudFormation templates, and it integrates with AWS Control Tower lifecycle events. When a new account is created or an existing one is enrolled using the AWS Control Tower Account Factory, the lifecycle event triggers a Lambda function.
The Lambda function creates new CloudFormation stack instances in the newly vended managed account as well as the shared services account. Refer to the following diagram.
The stack instance in the shared services account provisions a new user for the Couchbase cluster and stores it in AWS Secrets Manager. The stack instance in the newly vended account creates an IAM role for the managed account to access the Couchbase server in the shared services account. Refer to the following diagram.
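The following is an added example of the lifecycle flow just described, not the post's own Lambda code: it validates a Control Tower lifecycle event and then creates one stack instance in the managed account and one in the shared services account. The StackSet names, the shared services account ID, the `ManagedAccountId` parameter key and the sample event are assumptions constructed for the example.

```python
# Added example, not the post's own Lambda: handle a Control Tower lifecycle event.
STACKSET_MANAGED = "Couchbase-ManagedAccount-Role"   # assumed StackSet names
STACKSET_SHARED = "Couchbase-SharedServices-User"
SHARED_ACCOUNT = "111111111111"                      # placeholder account id
HANDLED = {"CreateManagedAccount": "createManagedAccountStatus",
           "UpdateManagedAccount": "updateManagedAccountStatus"}

# Constructed sample in the shape Control Tower emits through CloudTrail.
SAMPLE_EVENT = {"source": "aws.controltower", "detail": {
    "eventName": "CreateManagedAccount", "awsRegion": "us-east-1",
    "serviceEventDetails": {"createManagedAccountStatus": {
        "state": "SUCCEEDED", "account": {"accountId": "222222222222"}}}}}

def parse_lifecycle_event(event):
    """Return (account_id, region) for a successful lifecycle event, else None."""
    detail = event.get("detail", {})
    status_key = HANDLED.get(detail.get("eventName"))
    if event.get("source") != "aws.controltower" or status_key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(status_key, {})
    if status.get("state") != "SUCCEEDED":  # never provision access on FAILED
        return None
    account_id = status.get("account", {}).get("accountId", "")
    region = detail.get("awsRegion")
    if not (len(account_id) == 12 and account_id.isdigit() and region):
        return None
    return account_id, region

def deploy_access(cfn, account_id, region):
    """Role stack into the managed account, user stack into shared services."""
    ops = {}
    for name, target in ((STACKSET_MANAGED, account_id), (STACKSET_SHARED, SHARED_ACCOUNT)):
        resp = cfn.create_stack_instances(
            StackSetName=name, Accounts=[target], Regions=[region],
            ParameterOverrides=[{"ParameterKey": "ManagedAccountId",  # assumed key
                                 "ParameterValue": account_id}])
        ops[name] = resp["OperationId"]  # StackSet operation id per StackSet
    return ops

def handler(event, context=None, cfn=None):
    # Lambda entry point; a CloudFormation client can be injected for offline tests.
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"status": "ignored"}
    if cfn is None:
        import boto3  # present in the Lambda runtime
        cfn = boto3.client("cloudformation")
    account_id, region = parsed
    return {"status": "deployed", "account": account_id,
            "operations": deploy_access(cfn, account_id, region)}
```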
The Couchbase integration with AWS Control Tower is set up in one step. Launch the control-tower-management.yml template in the AWS Control Tower management account. Provide the following parameters:
- For the CouchbaseBootstrapParameter and CouchbaseSecretArn parameters, enter the values that you noted earlier in prerequisites step 7.
- For the SharedServicesAccountId parameter, enter the AWS account ID of the shared services account where the Couchbase server is deployed.
Test and Validate
Test—Create a Lifecycle Event—Add a managed account
1. Sign in to the AWS Control Tower management account and navigate to the AWS Control Tower console. Then do the following:
   - To enroll a new managed account in the AWS Control Tower organization, in the navigation pane, choose Account Factory.
   - Enter values for Account email, Display name, AWS SSO email, AWS SSO user name, and Organizational unit.
   - Choose Enroll account.
2. Sign in to the newly added AWS Control Tower managed account. Navigate to the AWS CloudFormation console. Check that there is an AWS CloudFormation stack instance in this account that launches the Couchbase cluster access IAM integration role in the managed account. From the navigation pane, select this stack instance and choose Stack info. The status field should display a value of CREATE_COMPLETE.
From the newly vended AWS Control Tower managed account:
- Use AWS Single Sign-On from your AWS Control Tower environment and sign in to the newly vended managed account.
- Sign in to your Couchbase server cluster administrative webpage at http://<ClusterAdminURL>:8091 and go to the Security tab to view the user created for the managed account. The ClusterAdminURL is the location of the Couchbase server that you obtained in prerequisites step 6. The following screenshot shows the created user on the Couchbase cluster Security page.
In this post, we showed you how to automatically enroll new AWS Control Tower accounts with Couchbase. Couchbase’s integration with AWS Control Tower enables you to automatically extend Couchbase’s capabilities to all newly added AWS accounts in your multi-account AWS environment. Our integration automates access to the centralized Couchbase cluster by an administrator of the newly added AWS account. For more information about this solution, see Solutions for AWS Control Tower in AWS Marketplace.
About the Authors
Justin Ashworth is a senior software engineer with the Couchbase Cloud Engineering team. He works on developing and maintaining the cloud infrastructure deployment scripts for the Marketplace team. Justin loves figuring out how to quickly and easily deploy and manage complex infrastructure.
Kanishk Mahajan is an Independent Software Vendor (ISV) Solutions Architecture Lead at AWS. In this role, he leads cloud transformation and solution architecture for AWS partners and mutual customers in all areas that relate to management and governance, security and compliance, and migrations and modernizations in AWS.
Perry Feler is a Senior Solutions Architect at AWS. He helps Independent Software Vendor (ISV) customers transform, build, and succeed with AWS. He has over two decades of industry experience in consulting, training, operations, and product development roles.