AWS Marketplace
Integrating the CloudCheckr CMx cloud management platform with AWS Control Tower
As more AWS customers adopt a multi-account strategy, they’re using AWS Control Tower to build their landing zones. This strategy uses the best practices and recommendations by AWS to secure, segregate, and manage your workloads. To support the adoption and proliferation of accounts, CloudCheckr has developed an integration with AWS Control Tower to enable onboarding of new AWS accounts into CloudCheckr CMx.
CloudCheckr CMx is a cloud governance platform that is available in AWS Marketplace from CloudCheckr, an AWS Advanced Technology Partner. CloudCheckr CMx helps businesses manage and automate cost analysis, security, and compliance for their cloud environments. CloudCheckr CMx provides more than 600 Best Practice Checks that are based on legal regulations and compliance frameworks like CIS, NIST 800-53, HIPAA, PCI-DSS, and more.
In this blog post, I show you how to integrate CloudCheckr CMx with your AWS Control Tower environment to automatically enroll accounts into CloudCheckr CMx upon creation. I also show how to aggregate checks across a collection of accounts by setting up a Multi-Account View (MAV). With the provided template and implementation guide, you can simplify and automate the management of AWS accounts within CloudCheckr CMx.
Solution overview
CloudCheckr CMx uses automation to integrate with AWS Control Tower lifecycle events, including the following:
- Call the installed AWS Lambda function triggered by rules from Amazon EventBridge
- Provision the new account in CloudCheckr CMx
- Create an IAM role in the new account
- Provision the IAM role in CloudCheckr CMx
- Create an Amazon Simple Notification Service (Amazon SNS) topic for notifications
The first part in the solution is to create a new AWS account as illustrated in steps 1-3 below:
1. The AWS administrator launches the AWS Service Catalog Account Factory product to create an AWS account in AWS Control Tower.
2. The AWS account is created.
3. An AWS Control Tower lifecycle event is recorded in Amazon EventBridge.
The next step of the solution automatically creates the required IAM role on the new AWS account and provisions the new AWS account into CloudCheckr CMx as illustrated in steps 4-8 below. Once completed, you can then manage the new account immediately after AWS account creation.
4. The EventBridge rule invokes the installed CloudCheckr Lambda function.
5. The CloudCheckr Lambda function calls the CloudCheckr CMx API to register the new AWS account.
6. The CloudCheckr Lambda function deploys the AWS CloudFormation StackSet instance into the new AWS account.
7. The StackSet instance creates the requisite IAM role for CMx in the new AWS account.
8. The CloudCheckr Lambda function updates CloudCheckr CMx with the IAM role ARN for the new AWS account. Refer to the following diagram.
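The event-driven part of this flow (steps 3 to 8), as an added Python example that is not CloudCheckr's Lambda code: it shows the EventBridge pattern that selects the AWS Control Tower CreateManagedAccount lifecycle event, parses the documented event shape, accepts only creations that reached the SUCCEEDED state, and derives the inputs for the StackSet deployment and the role ARN update. The StackSet name, the role name and the sample event are constructed placeholders; a real Lambda would pass the resulting dictionary to boto3's cloudformation.create_stack_instances and to the CloudCheckr CMx API.

```python
import re

# EventBridge rule pattern for the lifecycle event (field names as AWS Control Tower documents them).
EVENT_PATTERN = {"source": ["aws.controltower"],
                 "detail-type": ["AWS Service Event via CloudTrail"],
                 "detail": {"eventName": ["CreateManagedAccount"]}}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """Minimal EventBridge matcher: nested keys must exist; leaf lists hold the allowed exact values."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True

def new_account_from_event(event):
    """Return (account_id, account_name) for a SUCCEEDED creation, else None (never register a failed one)."""
    if not matches_pattern(event):
        return None
    status = event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]
    if status.get("state") != "SUCCEEDED":
        return None
    account = status["account"]
    if not re.fullmatch(r"\d{12}", account["accountId"]):
        raise ValueError("unexpected account id: %r" % account["accountId"])
    return account["accountId"], account["accountName"]

def plan_onboarding(event, stack_set_name="CloudCheckrIamRole"):
    """create_stack_instances arguments (step 6) and role ARN to report (step 8); names are placeholders."""
    found = new_account_from_event(event)
    if found is None:
        return None
    account_id, account_name = found
    return {"account_name": account_name,
            "create_stack_instances": {"StackSetName": stack_set_name,
                                       "Accounts": [account_id],
                                       "Regions": [event["region"]]},
            "role_arn": f"arn:aws:iam::{account_id}:role/CloudCheckrRole"}

# Constructed sample event in the documented lifecycle-event shape (placeholder account id).
SAMPLE_EVENT = {"source": "aws.controltower", "region": "us-east-1",
                "detail-type": "AWS Service Event via CloudTrail",
                "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
                    "createManagedAccountStatus": {"state": "SUCCEEDED",
                        "account": {"accountName": "child1", "accountId": "111122223333"}}}}}
```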
Prerequisites
To run this solution, you must have the following prerequisites:
- AWS Control Tower deployed in your AWS environment. If you have not already installed AWS Control Tower, you can follow the Getting Started with AWS Control Tower documentation to get started.
- A subscription to CloudCheckr CMx, which you can procure here: CloudCheckr CMx from AWS Marketplace.
Solution walkthrough: Integrating the CloudCheckr CMx cloud management platform with AWS Control Tower
Here’s how to integrate CloudCheckr CMx with your AWS Control Tower environment to automatically enroll accounts into CloudCheckr CMx upon creation. CloudCheckr provides an implementation guide for this solution that you can refer to for step-by-step instructions and technical support. To examine the source used in this solution, see the cloudcheckr-controltower-integration.template.yaml and cc_aws_cfn_iam_stack.template.json files provided by CloudCheckr.
In this walkthrough, I focus on the deployment of the integration as described on the Deployment and configuration steps section of the implementation guide.
A. Deploying the integration
- From the Implementation Guide, complete Step 1 Provision an API client within CloudCheckr CMx.
- Log in to your AWS Control Tower Management account with Administrator permissions.
- To launch the AWS CloudFormation Quick create Stack, follow this link: launch AWS CloudFormation Quick Create Stack.
- Enter the ApiClientID and ApiClientSecret parameters that you created from Step 1.
- Unless you need to change the CloudCheckr regional endpoint, leave the other parameters as default.
- Acknowledge the warning for AWS IAM resource creation. Choose the Create Stack button.
- Wait until the CloudFormation stack has finished executing. You will see CREATE_COMPLETE in the CloudFormation console.
B. Testing the integration
Next, test your integration by following these steps to enroll a new account.
- Open the AWS Control Tower console.
- In the navigation pane, choose Account factory.
- Choose Enroll account.
- Under Account details, enter values as follows:
  - For Account email: the email address of the new account
  - For Display name: the name of the new account as it appears in AWS Control Tower
  - For AWS SSO email: the email address of the AWS SSO user
  - For AWS SSO user name: the first and last name of the AWS SSO user
  - For Organizational unit: the governance type for the new account in an AWS Organizations organizational unit (for example, Child)
- Choose Enroll account.
AWS Control Tower begins the account creation process and deploys the guardrails and other configurations to the new account.
C. Verifying account provisioning
Next, verify that the account was provisioned in CloudCheckr CMx.
- Log in to the CloudCheckr CMx console.
- In the upper-right corner, select the account switcher.
- In the Accounts window, choose the new account.
At this point, you should see your new AWS account in the CloudCheckr console. It is now available for further analysis.
D. Using Multi-Account View
Once you have successfully configured your new accounts via integration with AWS Control Tower, CloudCheckr can perform optimization checks across accounts. To aggregate this data across a group of related accounts, you can set up a Multi-Account View (MAV). An MAV shows a collection of accounts so that you can monitor and take action on all accounts in the collection simultaneously. The MAV provides detailed insights that can suggest how to save money and retire underutilized resources. It does this by enabling cross-account analysis of idle, unused, under-provisioned, and previous-generation instances. Customers can use the Multi-Account View to group accounts by business unit, department, owner, or even by software development lifecycle workloads such as development, staging, or production use.
In my scenario, I am grouping my three child accounts (child1, child2, and child3) by the IT and Finance department. Here are the steps I followed to do that:
1. Create the attribute key named department and provide the IT and Finance values for the key. To do this, log in to the CloudCheckr CMx console. In the upper right, select the account switcher, choose Manage Accounts, and select the Attributes tab. To create the department attribute, choose the +New button. A frame appears on the right side. Choose the +New button and enter the IT and Finance values for the attribute.
2. Assign the department:IT attribute to two of my accounts (child1 and child2). To do this, in the CloudCheckr CMx console upper right, select the account switcher and then choose Manage Accounts. Choose View by: List, then select the child1 account. In the Edit Account frame, select the Attributes dialog box and select the department:IT attribute. Choose Save. Repeat these steps for the child2 account.
3. Assign the department:Finance attribute to my third account (child3). Repeat Step 2, selecting the department:Finance attribute for the child3 account.
4. Create two new MAVs called IT AWS Accounts and Finance AWS Accounts and select the attribute to filter on for each MAV. To do this, in the CloudCheckr CMx console upper right, select the account switcher and then choose the MAVs tab. To create a new MAV, choose +New. Enter a name for the MAV. For Cloud Provider, select AWS. Uncheck the box next to Include all AWS Accounts in this MAV, and then choose the Filters box. From the drop-down, select the attribute filter to assign to the MAV. I selected IT under department as my filter for this MAV. Repeat the steps to create the Finance AWS Accounts MAV, but select Finance under department as the filter for that MAV.
Now I can see how my AWS accounts are evaluated against the CloudCheckr built-in Best Practices checks as a group. To do that, log in to the CloudCheckr CMx console and select the Account Switcher in the upper-right corner. Choose the MAV tab and select the IT AWS Accounts MAV that I created in the previous section. Next, choose the Best Practices tab and select the Cost tab to see all of the cost-related findings across the two accounts in this MAV.
The following screenshot shows my IT AWS Accounts MAV Costs tab with 15 issues. Three at the top are in red, 10 are in orange, and one is in yellow. The first issue in red indicates that I have five idle EC2 instances across two accounts.
With this information, I can now contact the account owner and have them investigate the issue and, if they are no longer needed, save costs by decommissioning the instances.
To learn more about how to apply further customizations, see the CloudCheckr CMx documentation.
Conclusion
In this blog post, I showed you how to integrate your AWS Control Tower landing zones with CloudCheckr CMx. I also showed how to simplify the management and governance of your AWS accounts created by AWS Control Tower using CloudCheckr Multi-Account Views to group accounts together. The automated solution instantly provisions new accounts into CloudCheckr CMx for immediate visibility and management to enable your IT, security, and finance teams.
For more information on solutions for AWS Control Tower in AWS Marketplace, check the Cost management and governance section. For more information about CloudCheckr CMx, see the CloudCheckr website.
Code and contents of this post were validated to work on the publishing date.
About the authors
Ram Reddy
Ram is a Senior Technical Account Manager at AWS and specializes in AWS Control Tower. Ram enjoys working with customers to help them deploy their solutions using AWS best practices.
Alana Fitts
Alana is the Director of Sales Strategy at CloudCheckr. Alana is an AWS Certified Cloud Practitioner and is the co-organizer of the Rochester, NY chapter of the AWS Users Meetup group.
Rob Mossi
Rob is the Senior Director of Product Marketing at CloudCheckr. Rob is a go-to-market specialist with over 15 years in the technology data governance and data management sectors.