AWS Cloud Operations Blog

AWS Service Catalog Account Factory-Enhanced

Many enterprise customers who use AWS Control Tower to create accounts want an uncomplicated way to extend the next steps in the account creation process. These next steps cover common business use cases, including creating networks, security profiles, governance, and compliance. Executing these processes manually for every new account is cumbersome and hard to manage, and using third-party service providers to address the process can be expensive.

One option is Customizations for AWS Control Tower, which lets you add customizations to AWS Control Tower and deploy them to existing and new accounts. However, customers also want a simpler way to create an AWS account with enhancements chosen for that particular account.

This is where Account Factory Enhanced comes in. This solution uses AWS Service Catalog to present an Account Factory product to the end user, who creates an AWS account and, as part of the creation process, selects the enhancements they want. The enhancements are AWS CloudFormation templates that are launched in the newly created account. The templates can perform fundamental tasks in the new account, such as creating networks, security roles, and storage profiles, or configuring threat detection.

This post shows how to add an Amazon Simple Storage Service (Amazon S3) bucket for storage and/or Amazon GuardDuty for intelligent threat detection to the account configuration process. Although we show only these two options, the post also shows how to extend the capability by adding CloudFormation templates that address other business requirements.

Specifically, you will use the Service Catalog Account Factory Enhanced product to create an account and run several template deployments as additional steps.

Prerequisites

  • AWS Control Tower must be launched in your account
  • You must have access to create portfolios and products within Service Catalog

To follow the steps in this post, you need an AWS account with permissions to create resources in these services:

Concepts and terminology

The following AWS Service Catalog concepts are used in this post.

  • A product is a blueprint for the AWS resources you want to make available for deployment on AWS, together with their configuration information. You create a product by importing an AWS CloudFormation template or, in the case of AWS Marketplace-based products, by copying the product into AWS Service Catalog. A product can belong to multiple portfolios.
  • A portfolio is a collection of products, together with configuration information. Use portfolios to manage user access to specific products: you grant portfolio access at the AWS Identity and Access Management (IAM) user, IAM group, or IAM role level.
  • A provisioned product is an AWS CloudFormation stack, that is, the AWS resources that were created. When an end user launches a product, AWS Service Catalog provisions it as an AWS CloudFormation stack.
  • Constraints control the way users can deploy a product. A launch constraint specifies an IAM role that AWS Service Catalog assumes to launch the product, so end users need only permission to launch the product rather than permission to create every resource in the template. Without a launch constraint, the product is provisioned with the launching user's own IAM permissions.
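As an added example that is not part of the post (and not the solution's own scenhanceaf_setup.json), the following CloudFormation template shows the four concepts working together: a product built from a template in S3, a portfolio that holds it, principal access for an end-user role, and a launch constraint that binds the product to a dedicated launch role. The bucket, template key, principal ARN, and the launch role's permissions are assumptions; the role must be allowed every action the product's template performs, and the additional permissions Service Catalog itself requires of a launch role are listed in the Service Catalog launch-constraint documentation.

```yaml
# Added example, not the post's or the solution's template.
# Assumed values: example-bucket, the template key, the end-user role ARN,
# and the set of actions granted to the launch role.
AWSTemplateFormatVersion: '2010-09-09'
Description: Example portfolio, product, principal access and launch constraint

Parameters:
  TemplateUrl:
    Type: String
    Description: S3 URL of the product's CloudFormation template (assumed)
    Default: https://example-bucket.s3.amazonaws.com/content/guardduty.yaml
  EndUserPrincipalArn:
    Type: String
    Description: IAM principal that may launch products in the portfolio (assumed)
    Default: arn:aws:iam::111122223333:role/AccountFactoryEndUsers

Resources:
  # Service Catalog assumes this role to run the product's stack, so the end
  # user needs no CloudFormation or GuardDuty permissions of their own.
  LaunchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LaunchGuardDutyProduct
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Stack lifecycle, limited to the SC-* stacks Service Catalog creates.
              - Effect: Allow
                Action:
                  - cloudformation:CreateStack
                  - cloudformation:DeleteStack
                  - cloudformation:DescribeStackEvents
                  - cloudformation:DescribeStacks
                  - cloudformation:GetTemplateSummary
                  - cloudformation:UpdateStack
                  - cloudformation:ValidateTemplate
                Resource: !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/SC-*
              # Only what the product template itself creates (assumed: a detector).
              - Effect: Allow
                Action:
                  - guardduty:CreateDetector
                  - guardduty:DeleteDetector
                  - guardduty:GetDetector
                  - guardduty:UpdateDetector
                Resource: '*'
              # Read the product template from the (private) source bucket.
              - Effect: Allow
                Action: s3:GetObject
                Resource: arn:aws:s3:::example-bucket/content/*

  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Account Enhancements (example)
      ProviderName: Cloud Platform Team

  GuardDutyProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Enable GuardDuty (example)
      Owner: Cloud Platform Team
      ProvisioningArtifactParameters:
        - Name: v1
          Info:
            LoadTemplateFromURL: !Ref TemplateUrl

  # A product can be in several portfolios; this puts it in ours.
  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref GuardDutyProduct

  # Who may see and launch the products in this portfolio.
  EndUserAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      PrincipalARN: !Ref EndUserPrincipalArn
      PrincipalType: IAM

  # Launch constraint: every launch of this product runs as LaunchRole.
  GuardDutyLaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref GuardDutyProduct
      RoleArn: !GetAtt LaunchRole.Arn
```

Deploy it with the IAM capability acknowledged. Because the product is bound to LaunchRole, a principal matching EndUserPrincipalArn can launch it without holding GuardDuty or CloudFormation permissions; tightening LaunchRole's policy to exactly what the product template creates is what keeps the constraint a least-privilege control rather than a broad escalation path.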

Solution overview

The following diagram maps out the solution architecture. The administrator launches the deployment process, which creates the components needed for the solution. The admin or end user then uses a Service Catalog product to deploy templates into a spoke account.

  • A: A Service Catalog administrator manages and launches the AWS CloudFormation template that includes the enhancements required by the business.
  • B: When an Account Factory Enhanced account product is launched, it starts an AWS Step Functions workflow that adds the selected enhancements to the new account.

Gather the prerequisites

You will also need the following values from the management account:

  • The ID of the portfolio that contains the 'AWS Control Tower Account Factory' product
  • The Service Catalog product name, which should be 'AWS Control Tower Account Factory'

To find them:

  1. Log in to the AWS Console using the management account in your AWS Control Tower environment.
  2. Navigate to the Service Catalog landing page.
  3. Select Portfolios under Administration on the left.
  4. Search for AWS Control Tower Account Factory Portfolio.
  5. Select the AWS Control Tower Account Factory Portfolio link.
  6. Copy the Portfolio ID.
  7. Copy the Product Name.

(Screenshot: finding and copying the portfolio ID in the Service Catalog console.)

Configure the environment

Download the solution content and upload it to an Amazon S3 bucket. The bucket does not need to be public: CloudFormation reads the template with the permissions of the principal who creates the stack, so keep Block Public Access enabled on it.

  1. Download the content in this zip file.
  2. Extract the zip file; it creates a folder called content.
  3. Log in to your AWS account as an administrator who can create AWS resources.
  4. Create an Amazon S3 bucket and note its name.
  5. Upload the content folder to your newly created S3 bucket.
  6. Drill down into the content/scenhanceaf folder.
  7. Select the check box next to scenhanceaf_setup.json.
  8. Copy the Object URL.

Deploy the CloudFormation template

  1. Navigate to the CloudFormation console.
  2. Select Stacks in the left navigation pane, then choose Create stack and With new resources (standard).
  3. On the Create stack page, under Specify template, enter the Amazon S3 object URL you copied in step 8 of the previous section. Choose Next.
  4. On the Specify stack details page, enter a stack name.
  5. Under Parameters:
    1. AccountFactoryPortfolioId: enter the portfolio ID you copied in the prerequisites step.
    2. Scproductname: enter the Service Catalog product name from the prerequisites step, e.g., AWS Control Tower Account Factory.
    3. SourceBucket: enter the name of the S3 bucket you created.
  6. On the Configure stack options page, choose Next.
  7. On the Review page, select the check boxes acknowledging that AWS CloudFormation might create IAM resources with custom names and that it might require the CAPABILITY_AUTO_EXPAND capability. Review the IAM resources in the template before acknowledging, since they define what the solution is allowed to do in your accounts.
  8. Choose Create stack.
  9. Wait for the stack status to reach CREATE_COMPLETE.

Launch the Account Factory Enhanced product(s): Account Factory and templates

This will create an account and deploy up to five stacks into the new account.

Prerequisites

  • A role/user with administrative permission to create an account, for example, the management account in the AWS Control Tower environment.

Provide access to the new Portfolio

    1. Log in to the AWS Console using the management account in your AWS Control Tower environment.
    2. Navigate to the CloudFormation console and open the stack you just created.
    3. Choose the Resources tab.
    4. Choose the EnhanceAFPortfolio URL.
    5. Choose the Groups, roles, and users tab.
    6. Choose the Add groups, roles, users button.
    7. Select Group, Role, or User, depending on how you logged in in step 1.
    8. Select the check box next to your group, role, or user.
    9. Choose Add access.

Launch the Account Factory Enhanced product

  1. Choose Products from the top left.
  2. Choose the AccountFactoryEnhanced product.
  3. Choose Launch Product.
  4. Select the check box next to Generate Name.
  5. For Parameters:
    1. AccountEmail: enter the email address for the new account's root user. It must not already be associated with another AWS account.
    2. AccountName: enter the account name.
    3. ManageOrganizationalUnit: select an OU from the dropdown.
    4. SSOUserEmail: enter the email address of the AWS SSO (IAM Identity Center) user who will be granted access to the new account.
    5. SSOUserFirstName: enter that user's first name.
    6. SSOUserLastName: enter that user's last name.
  6. For the Enhancement Steps parameters:
    1. Select a stack from each dropdown. You can run up to five stacks in the new account. Select None to skip the stack run for a step.
  7. Choose Launch product.

The Account Factory Service Catalog product launches first, followed by a Step Functions workflow that launches each selected stack in sequence in the newly created account. Now you've created an AWS account customized with enhancements!

Verify Account creation and stack deployment

Account creation

  1. Navigate to the AWS Control Tower console.
  2. Choose Organization.
  3. Choose the organizational unit (OU) you selected for ManageOrganizationalUnit.

The account should be listed with an Enrolled state.

Stack Deployment

  1. Log in to the newly created managed account.
  2. Navigate to the CloudFormation console.

A stack for each selection you chose should be listed. If a stack is missing or shows a ROLLBACK state, open it and check its Events tab for the resource that failed.

Launch the Account Factory Enhanced product(s): templates only, deployed into an existing managed account

This deploys up to five stacks into an existing managed account created by Account Factory. The stack also creates an IAM role with console access.

  1. Navigate to the Service Catalog Console
  2. Choose Products from the top left
  3. Choose the AccountFactoryEnhancedTemplate product
  4. Choose Launch Product
  5. Select the check box next to Generate Name
  6. For TargetAccount, select the account to deploy the stacks into.
  7. For the Enhancement Steps parameters:
    1. Select a template from each dropdown. You can run up to five stacks in the managed account. Select None to skip the stack run for a step.
  8. Choose Launch product.

The Step Functions workflow launches each selected stack in sequence in the managed account.

Verify stack deployment

  1. Log in to the target managed account.
  2. Navigate to the CloudFormation console.

A stack for each selection you chose should be listed.

Updating the Service Catalog Account Factory Enhanced product

The Account Factory Enhanced product is automatically updated when new accounts are created by the AWS Control Tower Account Factory process.

Adding new CloudFormation templates to be deployed after the account is created

Prerequisites

  • Create and test the new CloudFormation template. The template must run without parameters in a new account, because the workflow launches it unattended: derive anything that has to be unique (such as bucket names) from pseudo parameters like AWS::AccountId and AWS::Region, and test it in a sandbox account first so that a failing resource does not roll back during account creation.
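As an added example, not code from the post or from the solution's template library, the following template meets this requirement: it has no Parameters section and provisions the two enhancements the post uses, GuardDuty for threat detection and a hardened S3 bucket for storage. Resource names, the bucket-name prefix, and the encryption choice are assumptions; the template library is assumed to accept YAML as well as the JSON the solution ships with (convert it if not).

```yaml
# Added example, not from the post's template library.
# Assumed: resource names, the "enhanced-storage" bucket prefix, SSE-S3 encryption.
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Example account enhancement: enable GuardDuty and create a hardened S3
  bucket. Takes no parameters so the workflow can launch it unattended.

Resources:
  # An account has one detector per Region. If GuardDuty is already enabled
  # here (for example by a delegated administrator's auto-enable), this create
  # fails and the stack rolls back; remove this resource in that case.
  GuardDutyDetector:
    Type: AWS::GuardDuty::Detector
    Properties:
      Enable: true
      FindingPublishingFrequency: FIFTEEN_MINUTES

  # Bucket name is derived from account and Region, so it is unique without
  # a parameter. Retain keeps the data if the stack is deleted by mistake.
  StorageBucket:
    Type: AWS::S3::Bucket
    DeletionPolicy: Retain
    UpdateReplacePolicy: Retain
    Properties:
      BucketName: !Sub enhanced-storage-${AWS::AccountId}-${AWS::Region}
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      VersioningConfiguration:
        Status: Enabled
      # Disable ACLs entirely; only policies control access.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced

  # Deny every request that does not arrive over TLS.
  StorageBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StorageBucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: s3:*
            Resource:
              - !GetAtt StorageBucket.Arn
              - !Sub ${StorageBucket.Arn}/*
            Condition:
              Bool:
                aws:SecureTransport: 'false'

Outputs:
  BucketName:
    Value: !Ref StorageBucket
  DetectorId:
    Value: !Ref GuardDutyDetector
```

Because the bucket is retained, deleting the stack during cleanup leaves the bucket and its objects behind; delete them explicitly when you decommission the account. The GuardDuty detector, by contrast, is deleted with the stack, which disables GuardDuty in that Region.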

Uploading the new template

  1. Log in to the AWS Console using the management account in your AWS Control Tower environment.
  2. Navigate to the CloudFormation console and the stack used to deploy the solution.
  3. Choose the Outputs tab.
  4. Choose the TemplateLibraryFolder URL
  5. Choose the Upload button
  6. Choose the Add files button
  7. Select the new template
  8. Choose the Upload button

The Service Catalog Account Factory Enhanced product will be updated, and the new CloudFormation template will be available to deploy during the account creation step.

Cleanup

Close any AWS accounts you created that you don't plan to keep, and remove the Service Catalog product and portfolio the solution created by deleting the solution's CloudFormation stack. First remove the group, role, or user access you added to the portfolio by hand, since a portfolio that still has associations cannot be deleted. Stacks that the workflow deployed into managed accounts are separate stacks in those accounts and are not removed with the solution stack; delete them there if you no longer want the resources, and delete the S3 bucket you created for the solution content.

Conclusion

AWS Service Catalog enables organizations to create and manage catalogs of approved IT services for use on AWS. In this post, we showed how Service Catalog can extend the capabilities of the account creation process in AWS Control Tower, addressing standard business requirements when creating AWS accounts.

About the authors:

Kenneth Walsh

Kenneth Walsh is a New York-based Solutions Architect whose focus is AWS Marketplace. Kenneth is passionate about cloud computing and loves being a trusted advisor for his customers. When he’s not working with customers on their journey to the cloud, he enjoys cooking, audio books, movies, and spending time with his family and dog.

Devi Paulvannan Chapman

Devi Paulvannan Chapman is a Solutions Architect with AWS. She enjoys working with customers to provide architectural and technical guidance on their cloud journey. Outside of work, she loves spending time outdoors rock climbing, hiking, and traveling to new places.

Ayo Omosebi

Ayo is a Sr. Business Services SDM at AWS. He is passionate about building and promoting integrations between AWS services and customers business platforms. Outside of work, he enjoys spending time with his family outdoors, running and mountain hiking.