AWS Cloud Operations Blog

Automate account customization using Account Factory Customization in AWS Control Tower

Before customers can build, migrate and operate their workloads at scale, they must build a foundation to enable a multi-account architecture that supports the growing needs of their organization. With this foundation in place, customers can create AWS accounts to enable workload isolation within their organizations. As customers build their AWS account structure to group and isolate workloads based on business purpose and ownership, they must customize accounts to meet their organizational requirements. Cloud Operations teams are often challenged with developing these repeatable account configurations and making sure that they are applied consistently at scale. While AWS Control Tower has helped customers to automate account creation with a baseline security posture, account customization and maintenance can be a complex process.

In this post, we will introduce the Account Factory Customization (AFC) feature in AWS Control Tower and show you how you can leverage AWS Control Tower blueprints to automate and customize accounts without incurring additional tech debt. AFC allows you to use AWS Control Tower and AWS Service Catalog to define account blueprints or use predefined AWS Partner blueprints that scale your multi-account provisioning and immediately start using the account after it is provisioned. Cloud Operations teams now have a simplified and repeatable process for applying custom configurations to newly vended AWS accounts.

AWS services and features discussed in this blog post

  • AWS Organizations offers policy-based management for multiple AWS accounts. With AWS Organizations, you can create groups of accounts, automate account creation, and apply and manage policies for those groups.
  • AWS Control Tower simplifies AWS experiences by orchestrating multiple AWS services on your behalf while maintaining the security and compliance needs of your organization.
  • Account Factory Customization is a feature of AWS Control Tower enabling account customization during provisioning, enrolling, or updating accounts.
  • AWS Service Catalog lets you centrally manage deployed IT services, applications, resources, and metadata to achieve consistent governance of your infrastructure as code (IaC) templates.
  • AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. AWS CloudFormation allows you to use a basic text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.

Terms used in this blog post

  • Custom blueprint – A custom configuration used with AFC that describes the specific resources and configurations applied during account provisioning.
  • Hub account – AWS account designated as your Service Catalog central repository of blueprints to be used by AFC.
  • Partner blueprint – An account configuration created by an AWS Partner which defines the resources and configurations required to work with their solution.
  • Management account – The single AWS account used to create your organization. AWS Control Tower Account Factory operations are run from the management account.
  • Service Catalog Getting Started Library (GSL) – A library of solutions that include well-architected, best practice templates to help you get started using AWS products.

Walkthrough

In this post, we’ll show you how to:

  • Create a custom blueprint
  • Deploy a custom blueprint to a new AWS Control Tower account
  • Deploy a ready-to-use Partner blueprint to a new AWS Control Tower account
  • Update an existing AWS Control Tower account with a blueprint
  • Enroll a non-AWS Control Tower account with a blueprint
  • Manage your custom accounts post-provisioning

Cloud Architect workflow for creating a custom blueprint, getting a partner blueprint from the Getting Started Library, and launching them with the Control Tower Account Factory to create a new custom account. The workflow is described in more detail in the following sections.

Figure 1: End-to-end workflow of creating a custom account with AFC

Prerequisites

  • Access to an AWS Control Tower environment deployed and available. Follow the AWS Control Tower quick start guide if you need to launch AWS Control Tower.
  • A designated hub account within the same organization where your centralized blueprints will be stored. Customers are required to create the AWSControlTowerBlueprintAccess role in the hub account before using AFC.
  • The AWSControlTowerExecution role must be added to existing, unmanaged accounts before enrollment with AWS Control Tower.
  • Partner blueprints with AWS Marketplace subscription requirements must be configured at the management account level before deployment with AFC.
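The second prerequisite, the AWSControlTowerBlueprintAccess role in the hub account, written as a CloudFormation template. This is an added example, not code from the original post or from AWS; the role name is the one AFC expects, while the trust principals (the management account's AWSControlTowerAdmin service role plus the principal that launches Account Factory) and the two managed policies follow the AWS Control Tower user guide as understood here, and the account ID and provisioning principal are placeholders you supply.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): creates the
  AWSControlTowerBlueprintAccess role that AFC assumes in the hub account.
Parameters:
  ManagementAccountId:
    Type: String
    Description: 12-digit AWS Control Tower management account ID (placeholder)
    AllowedPattern: '^\d{12}$'
  ProvisioningPrincipalArn:
    Type: String
    Description: >-
      ARN of the IAM role or user in the management account that runs
      Account Factory (placeholder; assumption based on the user guide)
Resources:
  BlueprintAccessRole:
    Type: AWS::IAM::Role
    Properties:
      # The name is fixed: AFC looks for exactly this role in the hub account.
      RoleName: AWSControlTowerBlueprintAccess
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          # Trust only the two principals that actually drive AFC; never
          # use the management account root or a wildcard here.
          - Effect: Allow
            Principal:
              AWS:
                - !Sub arn:aws:iam::${ManagementAccountId}:role/service-role/AWSControlTowerAdmin
                - !Ref ProvisioningPrincipalArn
            Action: sts:AssumeRole
      # Managed policies the user guide lists for this role (assumption).
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess
        - arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
Outputs:
  BlueprintAccessRoleArn:
    Description: Role that AWS Control Tower assumes to read blueprints
    Value: !GetAtt BlueprintAccessRole.Arn
```

Deploy this stack once in the hub account; a hub account ID that fails Validate account in the Account Factory console usually means this role is missing or trusts the wrong principals.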

Create a custom blueprint

You can create your own custom blueprints in Service Catalog and then deploy them to your AWS Control Tower accounts to meet your requirements.

  1. Start by downloading a sample CloudFormation template from the Service Catalog reference architecture repository. For the purposes of this post, we’ll use a template that establishes a set of backup plans with the AWS Backup service to configure automated backups for a number of different AWS resources in your account.
  2. Log in to the AWS hub account, where you’ve centralized storage of your curated Service Catalog products. As a reminder, best practices recommend that you do not use the management account to store Service Catalog products.
  3. Navigate to the Service Catalog service and select the Product list feature in the left navigation pane.
  4. Choose Create product and in the Product details pane, provide product details as shown in the following screenshot.

    On the create product page, you must define the Product name, Product description, and the owner or organization of this product.

    Figure 2: Creating a new product

  5. Further down in the Version details pane, select the radio button labeled Use a template file and select the Choose file button. Select the CloudFormation template that you downloaded in Step 1.

    In the Version details page, select “Use a template file” as the method, then click the Choose file button to upload the template file.

    Figure 3: Uploading a CloudFormation template to your new Service Catalog product

  6. Select the Create product button at the bottom of the console page.
  7. You should see the newly created product that will be used as a custom blueprint in the next steps.

    You can view your newly created custom product in the Service Catalog Product list page.

    Figure 4: Newly created product

    For additional information on creating products, see the AWS Service Catalog Administrator Guide.
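Steps 1 to 7 above expressed as infrastructure as code rather than console clicks: an added example, not code from the original post or from the Service Catalog reference architecture repository, that registers the downloaded AWS Backup template as a Service Catalog product in the hub account and places it in a portfolio. The template URL, portfolio name and product name are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Added example (not from the original post): registers a custom blueprint as
  a Service Catalog product in the hub account and adds it to a portfolio.
Parameters:
  BlueprintTemplateUrl:
    Type: String
    # Placeholder: upload the AWS Backup sample template from Step 1 to a
    # bucket you control, e.g. https://s3.amazonaws.com/EXAMPLE-BUCKET/backup-plans.yaml
    Description: S3 URL of the blueprint CloudFormation template
Resources:
  BlueprintPortfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: AFC Blueprints
      ProviderName: Cloud Operations
      Description: Account blueprints consumed by Account Factory Customization
  BackupBlueprintProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      # These map to the Product name, description and owner fields in Figure 2.
      Name: account-backup-plans
      Owner: Cloud Operations
      Description: Deploys AWS Backup plans into a newly vended account
      ProvisioningArtifactParameters:
        # Each entry is one product version; AFC lets you choose a version at
        # provisioning time, and adding a new entry publishes an update.
        - Name: v1
          Description: Initial release of the backup-plan blueprint
          Info:
            LoadTemplateFromURL: !Ref BlueprintTemplateUrl
  PortfolioProductAssociation:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      # AFC reads products through the hub account's portfolios, so the
      # product must be associated with one before Account Factory can list it.
      PortfolioId: !Ref BlueprintPortfolio
      ProductId: !Ref BackupBlueprintProduct
Outputs:
  PortfolioId:
    Value: !Ref BlueprintPortfolio
  ProductId:
    Description: Product ID shown in the Account Factory product dropdown
    Value: !Ref BackupBlueprintProduct
```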

Deploy a custom blueprint to a new AWS Control Tower account

Now that you have created a custom blueprint, you can use it to create a customized account with AWS Control Tower Account Factory. The following steps will let you deploy your custom blueprint to a new AWS account:

  1. Log in to the AWS Control Tower management account.
  2. Navigate to the AWS Control Tower service in the AWS Management Console.
  3. Select Account factory from the left navigation pane and select the Create account button.

    Navigate to the AWS Control Tower Account Factory page, and click the Create account button to create a new account.

    Figure 5: Creating a new account with Account Factory

  4. In the Account details section, provide details for Display name and a unique Account email address.
  5. In the Access configuration section, provide details for IAM Identity Center user email and IAM Identity Center username.
  6. In the Organizational unit section, select an Organizational unit to add your account to.

    On the Create account page, specify the account email and the name of the account in the Account details section. In the Access configuration section, designate an IAM Identity Center user and a first and last name for the user. In the Organizational unit section, select an OU.

    Figure 6: Account Details section in the Create Account workflow

  7. Expand the Account factory customization section.
  8. Enter the hub account ID that contains your AWS Service Catalog products and select Validate account.
  9. Select a product from the dropdown and the product version to use. To follow along with this post, select the blueprint you created earlier in the Create a custom blueprint section.
  10. If your blueprint contains parameters, they will be displayed for you to populate. Default values will be pre-populated.
  11. Finally, select either Home Region or All governed Regions to deploy your blueprint to. Global resources such as Route 53 or IAM may only need to be deployed to a single Region, while regional resources such as EC2 instances or S3 buckets could be deployed to all governed Regions.
  12. Once all fields are completed, select Create account.

    In the Account factory customization section, specify the account that has the product in its portfolio, then select the product, select the product version, and select Home Region as the deployment region.

    Figure 7: New AFC fields shown in the create account workflow

  13. You can view the status of your account progress by navigating to the Organization feature of AWS Control Tower in the left navigation pane. When your account completes provisioning, the blueprint will be deployed within it.

Deploy a ready-to-use Partner blueprint to a new AWS Control Tower Account

You may also use pre-defined blueprints built and managed by AWS Partners to customize your accounts for specific use cases. As of March 2023, eleven launch Partners have developed ready-to-use account blueprints that simplify how users configure their accounts to work with partner infrastructure and security product offerings.

Logos for the launch partners Cisco, Cloud Storage Security, Cribl, F5, Datadog, Effectual, Fortinet, Lacework, Snyk, Splunk, and Sysdig.

Figure 8: Launch partners for Account Factory Customization

For a complete list of ready-to-use AWS Control Tower blueprints, navigate to the Service Catalog service in the console, and select the Getting Started Library in the left navigation pane. Filter by the Control Tower Blueprints source type.

On the Service Catalog Getting Started Library, search for Control Tower Blueprints in the Products section to view all partner blueprints that can be deployed with Account Factory Customization.

Figure 9: Getting Started Library and new Control Tower Blueprints source type

Here are the steps to deploy a partner blueprint:

  1. Log in to the AWS hub account, where you’ve centralized storage of your curated Service Catalog products.
  2. Navigate to the Service Catalog service, and select the Getting Started Library feature in the left navigation pane.
  3. Search for Control Tower blueprints. This will display all Partner products available to use with AFC.
  4. For the purpose of this post, select the Datadog AWS Integration product.
  5. Once you review the product details, select Add to portfolio at the top right, and select a new or existing portfolio to use.
  6. This Partner blueprint will now display in the selected portfolio as well as the Product list and is ready to use with AFC.
  7. Log in to the AWS Control Tower management account and follow the steps in the previous section titled “Deploy a custom blueprint to a new AWS Control Tower account”. Be sure to select the Datadog product you just added to your portfolio from the Getting Started Library.
  8. Go to the Product details section for a link to the documentation describing the required parameters for launching the product.

    You can obtain a link to the documentation of each partner product in the Product details section.

    Figure 10: Link for Product Parameter Information

Alternatively, you can review any of the following partner blogs, which provide a detailed overview of the partner blueprint including specific instructions on how to deploy them with AFC: Cloud Storage Security, Datadog, Cisco, Cribl.

Update an existing AWS Control Tower account with a blueprint

Pre-existing, enrolled accounts in your AWS Control Tower environment that either lack a current blueprint or that require a modified blueprint can be updated as follows:

  1. Log in to the AWS Control Tower management account and navigate to the AWS Control Tower service.
  2. Select the Organization feature from the left navigation pane.
  3. Select the radio button next to the account you would like to update. Select the Actions dropdown from the top right section of the console and select Update.
  4. Update the Account factory customization section as required and select Update account.
  5. You can view the status of your account progress on the Organization page. When your account completes updating successfully, the blueprint will be deployed. To view the content and details of the account and blueprint, go to the Account Details page by selecting the account name within the Organization page.

Enroll a non-AWS Control Tower account with a blueprint

Pre-existing accounts in an organization that are not enrolled in AWS Control Tower can be updated with a blueprint during the enrollment process as follows:

  1. Log in to the AWS Control Tower management account and navigate to the AWS Control Tower service.
  2. Select the Organization feature from the left navigation pane.
  3. Identify the account you would like to enroll with a custom blueprint. The State column should show the account in a Not enrolled status.
  4. Select the radio button to the left of the account and select the Actions dropdown from the top right section of the console. Select the Enroll option.
  5. Select a registered OU to add your account to.
  6. Update the Account factory customization section as required and select Enroll account.
  7. You can view the status of your account progress on the Organization page. When your account completes enrollment successfully, the blueprint will be deployed. To view the content and details of the account and blueprint, go to the Account Details page by selecting the account name within the Organization page.

Manage your custom accounts post-provisioning

You may need to make updates to blueprints in your accounts post-deployment. To do so, you will update your CloudFormation template with the required changes and save it as a new version in AWS Service Catalog. You can filter by blueprint name and version in the AWS Control Tower Organization page and then use the update account process to update the blueprint version in your account to deploy the most recent configurations.

If you must remove a blueprint from an account, or repurpose the account for another use case, you can use the update account process to remove the blueprint and return the account to the AWS Control Tower default configurations. Unmanaging an account will remove the resources deployed from the blueprint and any AWS Control Tower managed resources within the account. You can then close the account through AWS Organizations if needed. To add a new blueprint, you can re-run the Update workflow and choose a new blueprint to add to the account. Newly provisioned accounts will not be enrolled in your AWS Control Tower environment if the associated blueprint fails during execution. The process to enroll accounts after a blueprint failure can be found in the AWS Control Tower user guide.

Conclusion

In this post, you learned how Account Factory Customization can help simplify your account customization process. With Control Tower Blueprints you can define fully custom resources that meet your unique business needs or use pre-defined AWS Partner blueprints to launch customizations to new accounts natively in AWS Control Tower. You also learned how you can update an existing AWS Control Tower account or enroll a non-AWS Control Tower account with a blueprint.

AFC enables you to define requirements in modular and reusable mechanisms and deploy the customizations at any point in the account lifecycle. This helps you streamline your account customization activities within AWS Control Tower, and reduces your overhead to maintain your own solutions and pipelines. For more information, see the Account Factory Customization User Guide.

About the Authors

Ellie Ray

Ellie Ray is a Senior Product Manager, Technical supporting AWS Control Tower. She has 8+ years of product experience building and delivering transformative software and Cloud solutions to market. She is passionate about expediting the customer journey of AWS service adoption and Cloud migration. Ellie spends her free time planning her next international adventure.

Jim McDonald

Jim McDonald is a Solutions Architect for AWS. He is passionate about cloud architecture and helping customers and partners solve tough challenges in creative ways. Jim has more than 30 years of technology experience working in Oil and Gas, Energy, Financial Services, Healthcare, and professional services. He enjoys spending his free time with family, getting outdoors, listening to great music, and reading a good book.

Adrian David

Adrian David is a Technical Program Manager with Amazon Web Services, focusing on AWS partner integrations. Adrian works with AWS technology partners to build solutions that accelerate a customer's migration journey to the cloud. In his free time he enjoys video gaming, traveling, kayak fishing, and most of all spending quality time with his family.