AWS Cloud Operations Blog
Automate account customization using Account Factory Customization in AWS Control Tower
Before customers can build, migrate and operate their workloads at scale, they must build a foundation to enable a multi-account architecture that supports the growing needs of their organization. With this foundation in place, customers can create AWS accounts to enable workload isolation within their organizations. As customers build their AWS account structure to group and isolate workloads based on business purpose and ownership, they must customize accounts to meet their organizational requirements. Cloud Operations teams are often challenged with developing these repeatable account configurations and making sure that they are applied consistently at scale. While AWS Control Tower has helped customers to automate account creation with a baseline security posture, account customization and maintenance can be a complex process.
In this post, we will introduce the Account Factory Customization (AFC) feature in AWS Control Tower and show you how you can leverage AWS Control Tower blueprints to automate and customize accounts without incurring additional tech debt. AFC allows you to use AWS Control Tower and AWS Service Catalog to define account blueprints or use predefined AWS Partner blueprints that scale your multi-account provisioning and immediately start using the account after it is provisioned. Cloud Operations teams now have a simplified and repeatable process for applying custom configurations to newly vended AWS accounts.
AWS services and features discussed in this blog post
- AWS Organizations offers policy-based management for multiple AWS accounts. With AWS Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups.
- AWS Control Tower simplifies AWS experiences by orchestrating multiple AWS services on your behalf while maintaining the security and compliance needs of your organization.
- Account Factory Customization is a feature of AWS Control Tower enabling account customization during provisioning, enrolling, or updating accounts.
- AWS Service Catalog lets you centrally manage deployed IT services, applications, resources, and metadata to achieve consistent governance of your infrastructure as code (IaC) templates.
- AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. AWS CloudFormation allows you to use a basic text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
Terms used in this blog post
- Custom blueprint – A custom configuration used with AFC that describes the specific resources and configurations applied during account provisioning.
- Hub account – AWS account designated as your Service Catalog central repository of blueprints to be used by AFC.
- Partner blueprint – An account configuration created by an AWS Partner which defines the resources and configurations required to work with their solution.
- Management account – The single AWS account used to create your organization. AWS Control Tower Account Factory operations are run from the management account.
- Service Catalog Getting Started Library (GSL) – A library of solutions that include well-architected, best practice templates to help you get started using AWS products.
Walkthrough
In this post, we’ll show you how to:
- Create a custom blueprint
- Deploy a custom blueprint to a new AWS Control Tower account
- Deploy a ready-to-use Partner blueprint to a new AWS Control Tower account
- Update an existing AWS Control Tower account with a blueprint
- Enroll a non-AWS Control Tower account with a blueprint
- Manage your custom accounts post-provisioning
Prerequisites
- Access to an AWS Control Tower environment deployed and available. Follow the AWS Control Tower quick start guide if you need to launch AWS Control Tower.
- A designated hub account within the same organization where your centralized blueprints will be stored. Customers are required to create the AWSControlTowerBlueprintAccess role in the hub account before using AFC.
- The AWSControlTowerExecution role must be added to existing, unmanaged accounts before enrollment with AWS Control Tower.
- Partner blueprints with AWS Marketplace subscription requirements must be configured at the management account level before deployment with AFC.
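The second prerequisite, the AWSControlTowerBlueprintAccess role in the hub account, is the cross-account trust that lets the management account read your blueprints, so its trust policy deserves a review before the first blueprint is deployed. The following Python is an added example and not code from the post or from AWS: it reads the role's trust policy through boto3 (only under the main guard) and flags anything broader than specific principals in the management account, such as a wildcard principal, a principal from another account, a whole-account (root) trust, or actions beyond sts:AssumeRole. The management account ID, the sample policy and the principal ARN in it are constructed placeholders; the exact principals AFC requires are listed in the AWS Control Tower user guide, and you can pass them in as expected_principals to check for an exact match.

```python
"""Check the trust policy of the hub account's AWSControlTowerBlueprintAccess role.

Added example (not from the post or AWS). Assumes a standard IAM trust policy
document; the management account ID and the sample policy below are constructed.
"""

ROLE_NAME = "AWSControlTowerBlueprintAccess"   # role name given in the post
MANAGEMENT_ACCOUNT_ID = "111111111111"         # placeholder, not a real account
ALLOWED_ACTIONS = {"sts:AssumeRole", "sts:TagSession"}

# Constructed sample: a single Control Tower role in the management account is trusted.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [f"arn:aws:iam::{MANAGEMENT_ACCOUNT_ID}:role/service-role/AWSControlTowerAdmin"]
            },
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Statement/Principal/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Return the AWS (account/role) principals of a statement; '*' means anyone."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return []


def _account_of(principal):
    """Account ID from an IAM ARN, or the value itself when it is a bare account ID."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal


def trust_policy_findings(policy, management_account_id, expected_principals=None):
    """Return findings (strings) for an over-broad trust; an empty list means it looks tight."""
    findings = []
    trusted = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action not in ALLOWED_ACTIONS:
                findings.append(f"unexpected action {action} granted in a trust statement")
        for p in _aws_principals(stmt.get("Principal")):
            trusted.append(p)
            if p == "*":
                findings.append(f"statement lets any AWS principal assume {ROLE_NAME}")
                continue
            account = _account_of(p)
            if account != management_account_id:
                findings.append(f"principal {p} is in account {account}, not the management account")
            elif p.endswith(":root") or p == management_account_id:
                findings.append(f"principal {p} trusts every identity in the management account; prefer the specific role ARNs")
    if not trusted:
        findings.append("no AWS principal may assume the role; AFC cannot read the hub account's products")
    if expected_principals is not None:
        for p in trusted:
            if p != "*" and p not in expected_principals:
                findings.append(f"principal {p} is not in the expected list")
        for p in expected_principals:
            if p not in trusted:
                findings.append(f"expected principal {p} is missing")
    return findings


def fetch_trust_policy(iam_client, role_name=ROLE_NAME):
    """Read the live trust policy; boto3 returns AssumeRolePolicyDocument already decoded to a dict."""
    return iam_client.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


if __name__ == "__main__":
    import boto3  # only needed for the live check against the hub account

    live = fetch_trust_policy(boto3.client("iam"))
    for finding in trust_policy_findings(live, MANAGEMENT_ACCOUNT_ID) or ["trust policy looks tight"]:
        print(finding)
```

Run it with hub-account credentials; an empty result means only the expected management-account roles can assume the role. The check only covers the trust policy, so the permissions attached to the role still need a separate review.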
Create a custom blueprint
You can create your own custom blueprints in Service Catalog and then deploy them to your AWS Control Tower accounts to meet your requirements.
- Start by downloading a sample CloudFormation template from the Service Catalog reference architecture repository. For the purposes of this post, we’ll use a template that establishes a set of backup plans with the AWS Backup service to configure automated backups for a number of different AWS resources in your account.
- Log in to the AWS hub account, where you’ve centralized storage of your curated Service Catalog products. As a reminder, best practices recommend that you do not use the management account to store Service Catalog products.
- Navigate to the Service Catalog service and select the Product list feature in the left navigation pane.
- Choose Create product and in the Product details pane, provide product details as shown in the following screenshot.
- Further down in the Version details pane, select the radio button labeled Use a template file and select the Choose file button. Select the CloudFormation template that you downloaded in Step 1.
- Select the Create product button at the bottom of the console page.
- You should see the newly created product that will be used as a custom blueprint in next steps.
For additional information on creating products, see the AWS Service Catalog Administrator Guide.
Deploy a custom blueprint to a new AWS Control Tower account
Now that you have created a custom blueprint, you can use it to create a customized account with AWS Control Tower account factory. The following steps will let you deploy your custom blueprint to a new AWS account:
- Log in to the AWS Control Tower management account.
- Navigate to the AWS Control Tower service in the AWS Management Console.
- Select Account factory from the left navigation pane and select the Create account button.
- In the Account details section provide details for Display name and a unique Account email address.
- In the Access configuration section provide details for IAM Identity Center user email and IAM Identity Center username.
- In the Organizational unit section, select an Organizational unit to add your account to.
- Expand the Account factory customization section.
- Enter the hub account ID that contains your AWS Service Catalog products and select Validate account.
- Select a product from the dropdown and product version to use. To follow along with this post, select the blueprint you created earlier in the Create a custom blueprint section.
- If your blueprint contains parameters, they will display for you to populate. Default values will be pre-populated.
- Finally, select either Home Region or All governed Regions to deploy your blueprint to. Global resources such as Route 53 or IAM may only need to be deployed to a single Region, while regional resources such as EC2 instances or S3 buckets could be deployed to all governed Regions.
- Once all fields are completed, select Create account.
- You can view the status of your account progress by navigating to the Organization feature of AWS Control Tower in the left navigation pane. When your account completes provisioning, the blueprint will be deployed within it.
Deploy a ready-to-use Partner blueprint to a new AWS Control Tower Account
You may also use pre-defined blueprints built and managed by AWS Partners to customize your accounts for specific use cases. As of March 2023, eleven launch Partners have developed ready-to-use account blueprints that simplify how users configure their accounts to work with partner infrastructure and security product offerings.
For a complete list of ready-to-use AWS Control Tower blueprints, navigate to Service Catalog service in the console, and select the Getting Started Library in the left navigation pane. Filter by the Control Tower Blueprints source type.
Here are the steps to deploy a partner blueprint:
- Log in to the AWS hub account, where you’ve centralized storage of your curated Service Catalog products.
- Navigate to the Service Catalog service, and select the Getting Started Library feature in the left navigation pane.
- Search for Control Tower blueprints. This will display all available Partner products available to use with AFC.
- For the purpose of this post, select the Datadog AWS Integration product.
- Once you review the product details, select Add to portfolio at top right, and select a new or existing portfolio to use.
- This Partner blueprint will now display in the selected portfolio as well as the Product List and is ready to use with AFC.
- Log in to the AWS Control Tower management account and follow the steps in the previous section titled “Deploy a custom blueprint to a new AWS Control Tower account”. Be sure to select the Datadog product you just added to your portfolio from the Getting Started Library.
- Go to the Product details section for a link to the documentation describing the required parameters for launching the product.
Alternatively, you can review any of the following partner blogs which provide a detailed overview of the partner blueprint including specific instructions on how to deploy them with AFC: Cloud Storage Security, Datadog, Cisco, Cribl.
Update an existing AWS Control Tower account with a blueprint
Pre-existing, enrolled accounts in your AWS Control Tower environment that either lack a current blueprint or require a modified blueprint can be updated as follows:
- Log in to the AWS Control Tower management account and navigate to the AWS Control Tower service.
- Select the Organization feature from the left navigation pane.
- Select the radio button next to the account you would like to update. Select the Actions dropdown from the top right section of the console and select Update.
- Update the Account factory customization section as required and select Update account.
- You can view the status of your account progress on the Organization page. When your account completes updating successfully, the blueprint will be deployed. To view the content and details of the account and blueprint, go to the Account Details page by selecting the account name within the Organization page.
Enroll a non-AWS Control Tower account with a blueprint
Pre-existing accounts in an organization that are not enrolled in AWS Control Tower can be updated with a blueprint during the enrollment process as follows:
- Log in to the AWS Control Tower management account and navigate to the AWS Control Tower service.
- Select the Organization feature from the left navigation pane.
- Identify the account you would like to enroll with a custom blueprint. The State column should reflect the account in a Not enrolled status.
- Select the radio button to the left of the account and select the Actions dropdown from the top right section of the console. Select the Enroll option.
- Select a registered OU to add your account to.
- Update the Account factory customization section as required and select Enroll account.
- You can view the status of your account progress on the Organization page. When your account completes updating successfully, the blueprint will be deployed. To view the content and details of the account and blueprint, go to the Account Details page by selecting the account name within the Organization page.
Manage your custom accounts post-provisioning
You may need to make updates to blueprints in your accounts post-deployment. To do so, you will update your CloudFormation template with the required changes and save it as a new version in AWS Service Catalog. You can filter by blueprint name and version in the AWS Control Tower Organization page and then use the update account process to update the blueprint version in your account to deploy the most recent configurations.
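Both the product created in the Create a custom blueprint section and the new version saved here are Service Catalog API calls underneath the console steps. The Python below is an added example, not code from the post or from AWS, that shows this lifecycle through boto3's Service Catalog client: create the product from a CloudFormation template in S3, publish a second version, and deactivate the old one rather than delete it, so accounts still on v1 keep a valid reference while the Update account workflow moves them to v2. The product name, owner, template URLs and the FakeServiceCatalog stand-in are constructed; point the functions at boto3.client("servicecatalog") with hub-account credentials for the real thing.

```python
"""Register a custom blueprint in Service Catalog and publish new versions of it.

Added example, not code from the post or from AWS. The functions take a boto3
Service Catalog client; FakeServiceCatalog is a constructed in-memory stand-in
so the workflow can run offline. Names, owner and template URLs are placeholders.
"""

TEMPLATE_BASE_URL = "https://example-bucket.s3.amazonaws.com/blueprints"  # placeholder


def create_blueprint_product(client, name, owner, template_url, version="v1", description=""):
    """Create the product with its first version loaded from a CloudFormation template in S3."""
    resp = client.create_product(
        Name=name,
        Owner=owner,
        Description=description,
        ProductType="CLOUD_FORMATION_TEMPLATE",
        ProvisioningArtifactParameters={
            "Name": version,
            "Description": f"{name} {version}",
            "Type": "CLOUD_FORMATION_TEMPLATE",
            "Info": {"LoadTemplateFromURL": template_url},
        },
    )
    product_id = resp["ProductViewDetail"]["ProductViewSummary"]["ProductId"]
    return product_id, resp["ProvisioningArtifactDetail"]["Id"]


def publish_blueprint_version(client, product_id, version, template_url, description=""):
    """Add a version; earlier versions stay selectable so accounts can be moved over one at a time."""
    resp = client.create_provisioning_artifact(
        ProductId=product_id,
        Parameters={
            "Name": version,
            "Description": description,
            "Type": "CLOUD_FORMATION_TEMPLATE",
            "Info": {"LoadTemplateFromURL": template_url},
        },
    )
    return resp["ProvisioningArtifactDetail"]["Id"]


def retire_blueprint_version(client, product_id, artifact_id):
    """Deactivate (not delete) a version: new deployments cannot pick it, accounts already on it are unaffected."""
    client.update_provisioning_artifact(ProductId=product_id, ProvisioningArtifactId=artifact_id, Active=False)


def list_blueprint_versions(client, product_id):
    """Return (version name, artifact id, active) for every version of the product."""
    resp = client.list_provisioning_artifacts(ProductId=product_id)
    return [(a["Name"], a["Id"], a["Active"]) for a in resp["ProvisioningArtifactDetails"]]


class FakeServiceCatalog:
    """Constructed stand-in for the four boto3 calls used above; keeps products in memory."""

    def __init__(self):
        self.products = {}  # product id -> list of artifact dicts
        self._n = 0

    def _next(self, prefix):
        self._n += 1
        return f"{prefix}-{self._n:04d}"

    def create_product(self, **kw):
        pid = self._next("prod")
        art = {"Id": self._next("pa"), "Name": kw["ProvisioningArtifactParameters"]["Name"], "Active": True}
        self.products[pid] = [art]
        return {"ProductViewDetail": {"ProductViewSummary": {"ProductId": pid, "Name": kw["Name"]}},
                "ProvisioningArtifactDetail": dict(art)}

    def create_provisioning_artifact(self, **kw):
        art = {"Id": self._next("pa"), "Name": kw["Parameters"]["Name"], "Active": True}
        self.products[kw["ProductId"]].append(art)
        return {"ProvisioningArtifactDetail": dict(art)}

    def update_provisioning_artifact(self, **kw):
        for art in self.products[kw["ProductId"]]:
            if art["Id"] == kw["ProvisioningArtifactId"]:
                art["Active"] = kw["Active"]
                return {"ProvisioningArtifactDetail": dict(art)}
        raise KeyError(kw["ProvisioningArtifactId"])

    def list_provisioning_artifacts(self, **kw):
        return {"ProvisioningArtifactDetails": [dict(a) for a in self.products[kw["ProductId"]]]}


def demo(client=None):
    """Create the backup blueprint, publish v2, retire v1; returns the resulting version list."""
    client = client or FakeServiceCatalog()
    product_id, v1 = create_blueprint_product(
        client, "backup-baseline", "CloudOps", f"{TEMPLATE_BASE_URL}/backup-v1.yaml", "v1")
    publish_blueprint_version(client, product_id, "v2", f"{TEMPLATE_BASE_URL}/backup-v2.yaml")
    retire_blueprint_version(client, product_id, v1)
    return list_blueprint_versions(client, product_id)


if __name__ == "__main__":
    for name, artifact_id, active in demo():
        print(f"{name:>4}  {artifact_id}  {'active' if active else 'retired'}")
```

The version names you pass are what appear in the product version dropdown of the Account factory customization section, so pick names your Organization page filter can match.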
If you must remove a blueprint from an account, or repurpose the account for another use case, you can use the update account process to remove the blueprint and return the account to the AWS Control Tower default configurations. Unmanaging an account will remove the resources deployed from the blueprint and any AWS Control Tower managed resources within the account. You can then close the account through AWS Organizations if needed. To add a new blueprint, you can re-run the Update workflow and choose a new blueprint to add to the account. Newly provisioned accounts will not be enrolled in your AWS Control Tower environment if the associated blueprint fails during execution. The process to enroll accounts after a blueprint failure can be found in the AWS Control Tower user guide.
Conclusion
In this post, you learned how Account Factory Customization can help simplify your account customization process. With Control Tower Blueprints you can define fully custom resources that meet your unique business needs or use pre-defined AWS Partner blueprints to launch customizations to new accounts natively in AWS Control Tower. You also learned how you can update an existing AWS Control Tower account or enroll a non-AWS Control Tower account with a blueprint.
AFC enables you to define requirements in modular and reusable mechanisms and deploy the customizations at any point in the account lifecycle. This helps you streamline your account customization activities within AWS Control Tower, and reduces your overhead to maintain your own solutions and pipelines. For more information, see the Account Factory Customization User Guide.