Seamlessly uphold security and budgeting posture with Kion (cloudtamer.io) and AWS Control Tower
Update 2-23-22: Cloudtamer.io is now Kion
In the years that I have spent working with customers, a recurring trend is the need to create structural organization in the way that they manage their AWS environments. As companies continue to grow and diversify, they find that additional business units in the organization want to explore AWS. In other cases, they have brought on teams from acquisitions that require them to rethink the way that they create, dispense, and secure additional AWS accounts.
In this blog post, I show how to integrate Kion (formerly cloudtamer.io) from AWS Marketplace with AWS Control Tower Account Factory. This integration allows you to activate and configure Kion into your AWS Control Tower managed accounts. When you do, you can use Kion governance features to improve your budgeting posture.
To mitigate the governance challenge, AWS introduced AWS Control Tower in 2019. At the heart of AWS Control Tower is a landing zone, the foundational skeleton of infrastructure automatically built for you. The landing zone is based on the AWS Well-Architected Framework for security and compliance best practices. When you launch your landing zone, AWS Control Tower uses best-practice blueprints to give your workloads a safe and secure place to be hosted.
The Kion solution provides a three-pronged approach for complete cloud governance:
- Account management – Centrally manage all accounts and resources that are aligned to the organizational hierarchy you dictate
- Budget enforcement – Align your budget to your organizational structure and enforce with several actions
- Continuous compliance – Automate compliance with inheritable access policies that ensure your accounts adhere to regulations, restrict use of noncompliant resources, and report and remediate issues
Solution overview: uphold security and budgeting posture with Kion and AWS Control Tower
Setting up your AWS Control Tower environment for integration with Kion involves the following steps.
- Subscribe to Kion in AWS Marketplace by navigating to this link and selecting Continue to Subscribe.
- Log in to the Kion Support Center and download the AWS Deployment Guide.
- Set up the application by launching the provided AWS CloudFormation templates.
- Set up the Kion-to-AWS workflow using the provided templates. Verify the integration by creating a new AWS account from the Kion portal.
- Set up the AWS to Kion workflow using the provided templates. Verify the integration by creating a new AWS account from AWS Control Tower.
As shown in the following architecture diagram, there are two workflows in this integration.
- On the left, a user starts a workflow by launching an account in AWS Control Tower, which logs a lifecycle event in AWS Service Catalog. This event is being monitored by an Amazon CloudWatch event rule, which then triggers an AWS Lambda function that registers the new account with Kion. Refer to the following diagram.
- On the right, the workflow starts with a user creating an account through the Kion application. This logs a CreateAccount event in AWS Organizations that is being monitored by a CloudWatch event rule. When triggered, this event launches a Lambda function that provisions an account in AWS Control Tower through AWS Service Catalog with the account details from Kion. Refer to the following diagram.
This blog post assumes that you have done the following:
- Launched AWS Control Tower in your AWS account.
- Installed Kion software by subscribing to Kion (formerly cloudtamer.io) in AWS Marketplace.
- Launched the cloudtamer-app.json templates from the AWS Deployment Guide.
- Validated your license on the Kion application hosted in the Amazon EC2 instance in your account.
Step 1: Integrate Kion to AWS Control Tower
The first step is to launch the control-tower-account.json template that Kion has created. This template creates a CloudWatch event rule that triggers an AWS Lambda function when AWS Organizations logs a CreateAccount event. This occurs when a new account is enrolled in AWS Organizations. The Lambda function then applies an AWS Service Catalog product for AWS Control Tower. You should then see the new account on your single-pane dashboard.
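The following is an added example of the mechanism just described, written for this post and not the code inside Kion's control-tower-account.json template. It shows the event pattern the CloudWatch rule matches (the Organizations CreateAccount call as CloudTrail records it), resolves the new account from Organizations, and provisions the Account Factory product for it through AWS Service Catalog, which enrolls the account in AWS Control Tower. The sample event is constructed; the environment variable names in CONFIG_KEYS (the Step 1.2 product and version IDs, the target OU and the SSO user) are assumptions about how the stack would pass those values to the function.

```python
"""Lambda sketch for the Kion -> AWS Control Tower direction.

Added example, not the code from Kion's control-tower-account.json template.
It handles the AWS Organizations CreateAccount call as CloudTrail records it,
resolves the new account from Organizations, and provisions the Account
Factory product for that account through AWS Service Catalog.
Assumption: the stack passes the Step 1.2 values plus the target OU and SSO
user to the function as the environment variables named in CONFIG_KEYS.
"""
import os
from typing import Any, Dict, List, Optional

# Rule pattern: Organizations API calls named CreateAccount, delivered via CloudTrail.
CREATE_ACCOUNT_EVENT_PATTERN: Dict[str, Any] = {
    "source": ["aws.organizations"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {"eventSource": ["organizations.amazonaws.com"], "eventName": ["CreateAccount"]},
}

# Constructed sample of the event. CloudTrail masks the account name and email
# in this event, so the request id is what the function works from.
SAMPLE_CREATE_ACCOUNT_EVENT: Dict[str, Any] = {
    "source": "aws.organizations",
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccount",
        "requestParameters": {"email": "***", "accountName": "***"},
        "responseElements": {"createAccountStatus": {"id": "car-constructed1111", "state": "IN_PROGRESS"}},
    },
}

# Assumed environment variable names (not from the post).
CONFIG_KEYS = ("PRODUCT_ID", "PROVISIONING_ARTIFACT_ID", "TARGET_OU",
               "SSO_USER_EMAIL", "SSO_USER_FIRST_NAME", "SSO_USER_LAST_NAME")


def is_accepted_create_account(event: Dict[str, Any]) -> bool:
    """True only for a CreateAccount call that Organizations accepted.

    A denied call is recorded too (with an errorCode) and must not provision anything.
    """
    detail = event.get("detail", {})
    status = detail.get("responseElements", {}).get("createAccountStatus", {})
    return (event.get("source") == "aws.organizations"
            and detail.get("eventName") == "CreateAccount"
            and "errorCode" not in detail
            and bool(status.get("id")))


def resolve_account(org, request_id: str) -> Optional[Dict[str, str]]:
    """Map the request id to the account's id, name and email; None while still in progress."""
    status = org.describe_create_account_status(CreateAccountRequestId=request_id)["CreateAccountStatus"]
    if status["State"] == "FAILED":
        raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
    if status["State"] != "SUCCEEDED":
        return None
    account = org.describe_account(AccountId=status["AccountId"])["Account"]
    return {"Id": account["Id"], "Name": account["Name"], "Email": account["Email"]}


def account_factory_parameters(account: Dict[str, str], cfg: Dict[str, str]) -> List[Dict[str, str]]:
    """Account Factory product parameters in Service Catalog's Key/Value form."""
    values = {
        "AccountName": account["Name"],
        "AccountEmail": account["Email"],
        "ManagedOrganizationalUnit": cfg["TARGET_OU"],
        "SSOUserEmail": cfg["SSO_USER_EMAIL"],
        "SSOUserFirstName": cfg["SSO_USER_FIRST_NAME"],
        "SSOUserLastName": cfg["SSO_USER_LAST_NAME"],
    }
    return [{"Key": key, "Value": value} for key, value in values.items()]


def enroll_in_control_tower(sc, account: Dict[str, str], cfg: Dict[str, str]) -> Dict[str, Any]:
    """Provision Account Factory for an account already in the organization, which enrolls it."""
    response = sc.provision_product(
        ProductId=cfg["PRODUCT_ID"],
        ProvisioningArtifactId=cfg["PROVISIONING_ARTIFACT_ID"],
        ProvisionedProductName=f"kion-{account['Id']}",
        ProvisioningParameters=account_factory_parameters(account, cfg),
    )
    return response["RecordDetail"]


def handler(event, context=None, org=None, sc=None, cfg=None) -> Dict[str, Any]:
    """Lambda entry point; clients and config are injectable so the logic can be tested offline."""
    if not is_accepted_create_account(event):
        return {"skipped": "not an accepted CreateAccount event"}
    if org is None or sc is None:
        import boto3  # imported here so the helpers above work without the SDK installed
        org = org or boto3.client("organizations")
        sc = sc or boto3.client("servicecatalog")
    cfg = cfg or {key: os.environ[key] for key in CONFIG_KEYS}
    request_id = event["detail"]["responseElements"]["createAccountStatus"]["id"]
    account = resolve_account(org, request_id)
    if account is None:
        # Raising lets Lambda's asynchronous retry deliver the event again later.
        raise RuntimeError(f"account request {request_id} still in progress")
    record = enroll_in_control_tower(sc, account, cfg)
    return {"account_id": account["Id"], "record_id": record["RecordId"], "status": record["Status"]}
```

Two points worth noting for a production version: the CreateAccount event arrives while Organizations is still creating the account, and Lambda's built-in asynchronous retries (two attempts) may not span that delay, so a queue or a Step Functions wait is the more robust way to poll; and the function's role only needs organizations:DescribeCreateAccountStatus, organizations:DescribeAccount and servicecatalog:ProvisionProduct on the Account Factory product, nothing broader.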
1.1 Download the template file
1.2 Launch the template
To launch this template, you need some details about your AWS Control Tower environment. To get those details, do the following:
- Sign in to the AWS Management Console and open the AWS Service Catalog console.
- In the navigation pane, choose Portfolios.
- On the Local tab, copy the value for Portfolio ID for AWS Control Tower Account Factory Portfolio.
- To get the value of the Product ID for AWS Control Tower Account Factory, select the portfolio name. Copy the Product ID.
- To get the value of the Version ID for AWS Control Tower Account Factory, select the product name. Copy the Version ID.
- To get the account number for the account that has AWS Control Tower deployed, in the AWS Management Console’s navigation bar, choose the account name. Open the dropdown menu and copy the account number.
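The three Service Catalog values collected in the console above can also be looked up with the Service Catalog API. The following is an added example written for this post (not part of Kion's templates) that uses the boto3 calls list_portfolios, search_products_as_admin and list_provisioning_artifacts to return the Portfolio ID, Product ID and Version ID, matching on the portfolio and product names that AWS Control Tower creates by default; the client is passed in so the lookup can be exercised with a fake.

```python
"""Look up the Account Factory portfolio, product and provisioning-artifact IDs.

Added example, not from the original post. The portfolio and product names
are the defaults that AWS Control Tower creates; pass different names if
yours were renamed.
"""
from typing import Dict

PORTFOLIO_NAME = "AWS Control Tower Account Factory Portfolio"
PRODUCT_NAME = "AWS Control Tower Account Factory"


def find_account_factory_ids(sc, portfolio_name: str = PORTFOLIO_NAME,
                             product_name: str = PRODUCT_NAME) -> Dict[str, str]:
    """Return the PortfolioId, ProductId and ProvisioningArtifactId (the "Version ID").

    `sc` is a boto3 Service Catalog client, or any object exposing the same
    three calls. The newest active provisioning artifact is chosen, which is
    the version the console shows for the product. Pagination is omitted
    because a Control Tower management account normally has few portfolios.
    """
    portfolios = sc.list_portfolios()["PortfolioDetails"]
    portfolio = next((p for p in portfolios if p["DisplayName"] == portfolio_name), None)
    if portfolio is None:
        raise LookupError(f"portfolio {portfolio_name!r} not found; is AWS Control Tower set up in this account?")

    details = sc.search_products_as_admin(PortfolioId=portfolio["Id"])["ProductViewDetails"]
    summaries = [d["ProductViewSummary"] for d in details]
    product = next((s for s in summaries if s["Name"] == product_name), None)
    if product is None:
        raise LookupError(f"product {product_name!r} not found in portfolio {portfolio['Id']}")

    artifacts = sc.list_provisioning_artifacts(ProductId=product["ProductId"])["ProvisioningArtifactDetails"]
    active = [a for a in artifacts if a.get("Active", True)]
    if not active:
        raise LookupError("no active provisioning artifact for the Account Factory product")
    latest = max(active, key=lambda a: a["CreatedTime"])

    return {
        "PortfolioId": portfolio["Id"],
        "ProductId": product["ProductId"],
        "ProvisioningArtifactId": latest["Id"],
    }


if __name__ == "__main__":
    import boto3  # only needed when run against a real management account
    print(find_account_factory_ids(boto3.client("servicecatalog")))
```

Run it from the AWS Control Tower management account with credentials that allow servicecatalog:ListPortfolios, servicecatalog:SearchProductsAsAdmin and servicecatalog:ListProvisioningArtifacts; the returned values are the ones the template parameters in section 1.3 expect.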
1.3 Create the stack using the template
To start the creation process, review the parameters you entered and choose Create Stack. If the stack is successful, the status should read Create_Complete.
Step 2: Test Kion account creation
2.1 Confirm an account was created in the Kion portal
To confirm that the stack created from the control-tower-account.json template is functional, create an account in the Kion portal. To do that, follow these steps:
- Sign in to your Kion portal using the unique URL created when installing the application and validating your license.
- On the left pane, under Accounts, select the Account Cache tab, and choose Add New.
- Select Create a new AWS Account.
- Enter an account name.
- From the dropdown list, select the billing source.
- Keep the default value for Linked Role (
- Choose Create.
When the status in the portal is Accessible, confirm that the account was created in the Kion portal.
2.2 Confirm the corresponding account has been enrolled in AWS Control Tower
To confirm the corresponding account has been enrolled in AWS Control Tower do the following:
- In Kion, under the Account cache section, note the name and number of the new account.
- In a new browser tab, open the AWS Control Tower console.
- In the navigation pane, choose Accounts.
- Note the name and number of the new account.
- Confirm that the two accounts have the same name and account number.
Congratulations, the integration from Kion to AWS Control Tower was successful!
Step 3: Generate API keys
- To successfully send API requests to Kion, you must create a Kion service user and generate API keys for it. Following the steps in section 3.2 of the AWS Implementation Guide, set up the user with the permissions outlined in the guide and save the API key that is generated.
- You must now tell AWS what that API key is so that you can place Lambda calls to Kion when necessary. You can save the key using AWS Systems Manager by following these steps.
- Open the Systems Manager console.
- In the navigation pane, under Application Management, choose Parameter Store.
- To save the plaintext key, select Create Parameter.
Step 4: Integrate AWS Control Tower Lifecycle to Kion
To complete the integration to and from Kion, you must enroll accounts from AWS into the Kion portal. The AWS CloudFormation template authored by Kion, cloudtamer-io-account.json, triggers a Lambda function watching for a CloudWatch event rule. That rule triggers when an AWS Service Catalog lifecycle event for account creation is logged. This lifecycle event from AWS Service Catalog occurs any time a new account is provisioned in AWS Control Tower.
To set up this integration, do the following:
- Open the AWS CloudFormation console.
- Upload the JSON template you downloaded above.
- Fill in the required fields with information from your AWS management account, as detailed in the AWS Implementation Guide, and wait for the stack to complete. And you’re done!
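The following is an added example of the AWS-to-Kion direction described in Steps 3 and 4, written for this post and not the code in Kion's cloudtamer-io-account.json template. It parses the AWS Control Tower CreateManagedAccount lifecycle event (the constructed sample follows the shape AWS Control Tower publishes through CloudTrail), reads the API key saved in Parameter Store in Step 3, and registers the new account with Kion over HTTPS. The environment variable names, the Bearer authorization header, the /api/v3/account path and the JSON field names are assumptions to check against the Kion API documentation, not values taken from the post.

```python
"""Lambda sketch for the AWS Control Tower -> Kion direction.

Added example, not the code in Kion's cloudtamer-io-account.json template.
Assumptions (placeholders to verify against the Kion API docs): the
KION_URL and KION_API_KEY_PARAMETER environment variables, the Bearer
header, and the /api/v3/account path and body field names.
"""
import json
import os
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# Constructed sample following the Control Tower lifecycle event shape.
SAMPLE_LIFECYCLE_EVENT: Dict[str, Any] = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "account": "111111111111",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Sandbox", "organizationalUnitId": "ou-constructed-1234"},
                "account": {"accountName": "team-sandbox", "accountId": "222222222222"},
                "state": "SUCCEEDED",
            }
        },
    },
}


def parse_lifecycle_event(event: Dict[str, Any]) -> Optional[Dict[str, str]]:
    """Return the new account's details, or None unless this is a completed CreateManagedAccount.

    Control Tower emits the same event when provisioning FAILED, so the state is checked explicitly.
    """
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
        "payer_id": event.get("account", ""),
    }


def read_api_key(ssm, parameter_name: str) -> str:
    """Fetch the key saved in Step 3; WithDecryption=True works for String and SecureString alike."""
    return ssm.get_parameter(Name=parameter_name, WithDecryption=True)["Parameter"]["Value"]


def build_registration(base_url: str, api_key: str, account: Dict[str, str]) -> Tuple[str, Dict[str, str], bytes]:
    """Build (url, headers, body). Path and field names are assumptions, see the module docstring."""
    url = base_url.rstrip("/") + "/api/v3/account"
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    body = json.dumps({
        "account_number": account["account_id"],
        "name": account["account_name"],
        "payer_id": account["payer_id"],
    }).encode()
    return url, headers, body


def https_post(url: str, headers: Dict[str, str], body: bytes) -> int:
    """Send the request to Kion; returns the HTTP status code."""
    request = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.status


def handler(event, context=None, ssm=None, send: Callable[..., int] = https_post, cfg=None) -> Dict[str, Any]:
    """Lambda entry point; the SSM client, sender and config are injectable for offline tests."""
    account = parse_lifecycle_event(event)
    if account is None:
        return {"skipped": "not a successful CreateManagedAccount event"}
    cfg = cfg or {"KION_URL": os.environ["KION_URL"], "KION_API_KEY_PARAMETER": os.environ["KION_API_KEY_PARAMETER"]}
    if ssm is None:
        import boto3  # imported here so the helpers above work without the SDK installed
        ssm = boto3.client("ssm")
    api_key = read_api_key(ssm, cfg["KION_API_KEY_PARAMETER"])
    url, headers, body = build_registration(cfg["KION_URL"], api_key, account)
    status = send(url, headers, body)
    if status >= 300:
        raise RuntimeError(f"Kion returned HTTP {status} for account {account['account_id']}")
    # The API key is read per invocation and is never logged or returned.
    return {"account_id": account["account_id"], "http_status": status}
```

Because the key is read with WithDecryption=True, storing it as a SecureString parameter instead of plaintext needs no code change; the function's execution role then needs ssm:GetParameter on that one parameter name plus kms:Decrypt on the key that encrypts it, and the event rule should match on source aws.controltower and eventName CreateManagedAccount so the function is not invoked for unrelated service events.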
Step 5: Test AWS Control Tower Account Factory
Make sure that the solution is functional by testing the integration. To do this, do the following:
- Create an AWS account from AWS Control Tower: open the AWS Control Tower console, choose Account Factory, and then choose Enroll Account.
- When the status of the new account in AWS Service Catalog changes to Available, the new account details should have been sent to Kion. You should see the account in the portal under Accounts in the Account Cache section.
With the integrations complete, you can access Kion’s governance tools.
- Use the budget enforcement features to see what each account in AWS Organizations is spending and allocate funds at varying levels.
- In the Kion portal, track in near-real time the amount being spent by AWS accounts in your account cache and plan ahead with embedded forecasting tools. Take this even further by identifying opportunities where you can save costs. For example, determine which resources have been underutilized or abandoned but are still consuming funds.
- Take a proactive approach to budget enforcement. Create alarms for accounts that are getting close to their fund allotment and automatically prevent the creation of resources.
In this blog post, I showed you how to enhance your governance posture and mitigate the challenges in managing a multi-account environment by integrating Kion (formerly cloudtamer.io) with AWS Control Tower. I walked through how to use the AWS Implementation Guide to onboard a new account from AWS Control Tower to Kion. I also showed how to onboard a new Kion account into AWS Control Tower. Finally, I suggested account management and budget control features that help keep your account spending under control with minimal day-to-day intervention.
If you are interested in learning more about AWS environment best practices, the AWS Management and Governance Lens includes answers to key questions, recommended guardrails, and AWS services and solutions from AWS Partners. It can help you build environments that scale regardless of the stage of cloud adoption you are in.
About the Author
Laura Salinas is a Solutions Architect with Amazon Web Services. She is passionate about guiding her customers on their cloud journey and finding solutions that help them innovate and inspire adoption of cloud technologies. Outside of work she loves cycling, kayaking and watching the latest movie at the theater.