AWS Marketplace

Seamlessly uphold security and budgeting posture with cloudtamer.io and AWS Control Tower

In the years that I have spent working with customers, a recurring trend is the need to create structural organization in the way that they manage their AWS environments. As companies continue to grow and diversify, they find that additional business units in the organization want to explore AWS. In other cases, they have brought on teams from acquisitions that require them to rethink the way that they create, dispense, and secure additional AWS accounts.

In this blog post, I show how to integrate cloudtamer.io from AWS Marketplace with AWS Control Tower Account Factory. This integration allows you to activate and configure cloudtamer.io into your AWS Control Tower managed accounts. When you do, you can use cloudtamer.io governance features to improve your budgeting posture.

To mitigate the governance challenge, AWS introduced AWS Control Tower in 2019. At the heart of AWS Control Tower is a landing zone, the foundational skeleton of infrastructure automatically built for you. The landing zone is based on the AWS Well-Architected Framework for security and compliance best practices. When you launch your landing zone, AWS Control Tower uses best-practice blueprints to give your workloads a safe and secure place to be hosted.

The cloudtamer.io solution provides a three-pronged approach for complete cloud governance:

  • Account management – Centrally manage all accounts and resources that are aligned to the organizational hierarchy you dictate
  • Budget enforcement – Align your budget to your organizational structure and enforce with several actions
  • Continuous compliance – Automate compliance with inheritable access policies that ensure your accounts adhere to regulations, restrict use of noncompliant resources, and report and remediate issues

Solution overview

Setting up your AWS Control Tower environment for integration with cloudtamer.io involves the following steps.

  1. Subscribe to cloudtamer.io in AWS Marketplace by navigating to this link and selecting Continue to Subscribe.
  2. Log in to the cloudtamer.io Support Center and download the AWS Deployment Guide.
  3. Set up the application by launching the provided AWS CloudFormation templates.
  4. Set up the cloudtamer.io-to-AWS workflow using the provided templates. Verify the integration by creating a new AWS account from the cloudtamer.io portal.
  5. Set up the AWS to cloudtamer.io workflow using the provided templates. Verify the integration by creating a new AWS account from AWS Control Tower.

As shown in the following architecture diagram, there are two workflows in this integration.

  • On the left, a user starts a workflow by launching an account in AWS Control Tower, which logs a lifecycle event in AWS Service Catalog. This event is being monitored by an Amazon CloudWatch event rule, which then triggers an AWS Lambda function that registers the new account with cloudtamer.io. Refer to the following diagram.

Diagram that shows on the left a user starting a workflow by launching an account in AWS Control Tower, which logs a lifecycle event in AWS Service Catalog. This event is being monitored by an Amazon CloudWatch event rule, which then triggers an AWS Lambda function that registers the new account with cloudtamer.io.

  • On the right, the workflow starts with a user creating an account through the cloudtamer.io application. This logs a CreateAccount event in AWS Organizations that is being monitored by a CloudWatch event rule. When triggered, this event will launch a Lambda function that provisions an account in AWS Control Tower through AWS Service Catalog with the account details from cloudtamer.io. Refer to the following diagram.

Diagram that shows on the right a workflow starting with a user creating an account through the cloudtamer.io application. This logs a CreateAccount event in AWS Organizations that is being monitored by a CloudWatch event rule. When triggered, this event will launch a Lambda function that provisions an account in AWS Control Tower through AWS Service Catalog with the account details from cloudtamer.io.

Prerequisites

This blog post assumes that you have done the following:

  • Launched AWS Control Tower in your AWS account.
  • Installed cloudtamer.io software by subscribing to cloudtamer.io in AWS Marketplace.
  • Launched the cloudtamer-aurora.json and the cloudtamer-app.json templates from the AWS Deployment Guide.
  • Validated your license on the cloudtamer.io application hosted in the Amazon EC2 instance in your account.

Step 1 Integrate cloudtamer.io to AWS Control Tower

The first step is to launch the control-tower-account.json template that cloudtamer.io has created. This template creates a CloudWatch event rule that triggers an AWS Lambda function when AWS Organizations logs a CreateAccount event. This occurs when a new account is enrolled in AWS Organizations. The Lambda function then applies an AWS Service Catalog product for AWS Control Tower. You should then see the new account on your single-pane dashboard.

1.1 Download the template file

The template is in the AWS Implementation Guide. Download the file to your desktop, and then upload it to AWS CloudFormation.

1.2 Launch the template

To launch this template, you need some details about your AWS Control Tower environment. To get those details, do the following:

  1. Sign in to the AWS Management Console and open the AWS Service Catalog console.
  2. In the navigation pane, choose Portfolios.
  3. On the Local tab, copy the value for Portfolio ID for AWS Control Tower Account Factory Portfolio.
  4. To get the value of the Product ID for AWS Control Tower Account Factory, select the portfolio name. Copy the Product ID.
  5. To get the value of the Version ID for AWS Control Tower Account Factory, select the product name. Copy the Version ID.
  6. To get the account number for the account that has AWS Control Tower deployed, in the AWS Management Console’s navigation bar, choose the account name. Open the dropdown menu and copy the account number.

1.3 Create the stack using the template

To start the creation process, review the parameters you entered and choose Create Stack. If the stack is successful, the status should read Create_Complete.

Step 2 Test cloudtamer.io Account Creation

2.1 Confirm an account was created in the cloudtamer.io portal

To confirm that the stack created from the control-tower-account.json template is functional, create an account in the cloudtamer.io portal. To do that, follow these steps:

  1. Sign in to your cloudtamer.io portal using the unique URL created when installing the application and validating your license.
  2. On the left pane, under Accounts, select the Account Cache tab, and choose Add New.
  3. Select Create a new AWS Account.
  4. Enter an account name.
  5. From the dropdown list, select the billing source.
  6. Keep the default value for Linked Role (OrganizationAccountAccessRole).
  7. Choose Create.

When the status in the portal is Accessible, confirm that the account was created in the cloudtamer.io portal.

2.2 Confirm the corresponding account has been enrolled in AWS Control Tower

To confirm the corresponding account has been enrolled in AWS Control Tower do the following:

  1. In cloudtamer.io, under the Account cache section, note the name and number of the new account.
  2. In a new browser tab, open the AWS Control Tower console.
  3. In the navigation pane, choose Accounts.
  4. Note the name and number of the new account.
  5. Confirm that the two accounts have the same name and account number.

Congratulations, the integration from cloudtamer.io to AWS Control Tower was successful!

Step 3 Generate API keys

  1. To successfully send API requests to cloudtamer.io, you must create a cloudtamer.io service user and generate API keys for it. Following the steps in section 3.2 of the AWS Implementation Guide, set up the user with the permissions outlined in the guide and save the API key that is generated.
  2. You must now tell AWS what that API key is so that you can place Lambda calls to cloudtamer.io when necessary. You can save the key using AWS Systems Manager by following these steps.
  • Open the Systems Manager console.
  • In the navigation pane, under Application Management, choose Parameter Store.
  • To save the plaintext key, select Create Parameter.

Step 4 Integrate AWS Control Tower Lifecycle to cloudtamer.io

To complete the integration to and from cloudtamer.io, you must enroll accounts from AWS into the cloudtamer.io portal. The AWS CloudFormation template authored by cloudtamer.io, cloudtamer-io-account.json, triggers a Lambda function watching for a CloudWatch event rule. That rule triggers when an AWS Service Catalog lifecycle event for account creation is logged. This lifecycle event from AWS Service Catalog occurs any time a new account is provisioned in AWS Control Tower.

To set up this integration, do the following:

  1. Open the AWS CloudFormation console.
  2. Upload the JSON template you downloaded above.
  3. Fill in the required fields with information from your AWS management account, as detailed in the AWS Implementation Guide, and wait for the stack to complete. And you’re done!

Step 5 Test AWS Control Tower Account Factory

Make sure that the solution is functional by testing the integration. To do this, do the following:

  1. Create an AWS account from AWS Control Tower by navigating to the AWS Control Tower console and selecting Account Factory, then select Enroll Account.
  2. When the status of the new account in AWS Service Catalog changes to Available, the new account details should have been sent to cloudtamer.io. You should see the account in the portal under Accounts in the Account Cache section.

Next steps

With the integrations complete, you can access cloudtamer.io’s governance tools.

  • Use the budget enforcement features to see what each account in AWS Organizations is spending and allocate funds at varying levels.
  • In the cloudtamer.io portal, track in near-real time the amount being spent by AWS accounts in your account cache and plan ahead with embedded forecasting tools. Take this even further by identifying opportunities where you can save costs. For example, determine which resources that have been underutilized or abandoned but are still consuming funds.
  • Take a proactive approach to budget enforcement. Create alarms for accounts that are getting close to their fund allotment and automatically prevent the creation of resources.

Conclusion

In this blog post, I showed you how to enhance your governance posture and mitigate the challenges in managing a multi-account environment by integrating cloudtamer.io with AWS Control Tower. I walked through how to use the AWS Implementation Guide to onboard a new account from AWS Control Tower to cloudtamer.io. I also showed how to onboard a new cloudtamer.io account into AWS Control Tower. Finally, I suggested account management and budget control features that help keep your account spending under control with minimal day to day intervention.

About the Author

Laura Salinas is a Solutions Architect with Amazon Web Services. She is passionate about guiding her customers on their cloud journey and finding solutions that help them innovate and inspire adoption of cloud technologies. Outside of work she loves cycling, kayaking and watching the latest movie at the theater.