AWS Cloud Operations Blog

Customizing account configuration with AWS Control Tower lifecycle events

Customers in the cloud have increasingly adopted a multi-account architecture to manage their workloads. Services like AWS Control Tower simplify multi-account governance and account provisioning, but creating new accounts is the beginning of the cloud journey. Many customers have asked to customize account settings that are specific to their business needs. These customizations include custom detective and preventive policies driven by regulatory requirements and custom network configurations according to the organization’s policies.

With AWS Control Tower, customers can use lifecycle events to customize new AWS accounts as they are created. In this blog post, we show how to customize the networking configuration in an AWS account. Specifically, we customize the default network configuration by:

  • Deleting the default VPCs in all AWS Regions.
  • Using AWS Resource Access Manager to share the appropriate VPC subnets.
  • Using AWS Firewall Manager to apply security groups to VPCs in the account.

Solution overview

In this solution, we show you how to use AWS Control Tower lifecycle events to automate the configuration of network settings in an AWS account created using Account Factory. The network configurations we perform are as follows:

  • Delete the default VPCs in all AWS Regions during new account provisioning. AWS Control Tower deletes the default VPC in each supported Region and keeps the default VPC in all other Regions. Customers have told us that they do not want to leave the default VPCs in any AWS Region.
  • Use AWS RAM to share VPC subnets with the newly created account. One of the networking policies customers use in their organization is to share VPCs and subnets using RAM and require developers to launch their resources in the shared subnets.
  • Use AWS Firewall Manager to apply security groups to VPCs in the account. The Firewall Manager uses the Amazon VPC security group policy to duplicate standard security groups to the target account. A non-default security group in the shared network account is selected as a primary security group and replicated to every VPC instance within the policy scope.

This solution creates the following four Lambda functions in the management account:

  • Network-Configurator
  • VPC-Remover
  • RAM-Activator
  • FMS-Activator

The following diagram shows how each customization is implemented.

Diagram: the CreateManagedAccount lifecycle event flows through the Network-Configurator, VPC-Remover, RAM-Activator and FMS-Activator Lambda functions to AWS Resource Access Manager and AWS Firewall Manager, as described in the steps below.

  1. New AWS account provisioning triggers the AWS Control Tower CreateManagedAccount lifecycle event, which invokes the Network-Configurator Lambda function.
  2. Network-Configurator Lambda function triggers three separate Lambda functions in the management account.
  3. VPC-Remover Lambda function assumes an IAM role into the new account and deletes the default VPC. The default VPC is deleted only in the AWS Regions where AWS Control Tower is not yet available.
  4. RAM-Activator Lambda function adds the new account ID as a member of the shared network account’s resource share.
  5. Resource Access Manager in the shared network account shares the VPC to the new account automatically.
  6. FMS-Activator Lambda function adds the new account ID into the primary security group policy in the shared network account.
  7. Firewall Manager creates the security group on each VPC in the new account automatically.
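The VPC-Remover step above is the one that most often fails in practice, because a default VPC cannot be deleted while its internet gateway or subnets still exist. The following added example (not the blog's or AWS's code) shows the order of operations for one Region, with the EC2 client injected so a constructed in-memory fake can exercise it offline; it assumes the caller has already assumed a role into the new account.

```python
# Added example (not the blog's own code): the core of a VPC-Remover function.
# The internet gateway and subnets are removed before the VPC; the default route
# table, NACL and security group are removed together with the VPC itself.
# Assumes the caller has already assumed a role into the new account.

def delete_default_vpc(ec2):
    """Delete this Region's default VPC; return its ID, or None if there is none."""
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}])["Vpcs"]
    if not vpcs:
        return None  # already removed, e.g. in a Region that Control Tower governs
    vpc_id = vpcs[0]["VpcId"]
    attached = [{"Name": "attachment.vpc-id", "Values": [vpc_id]}]
    for igw in ec2.describe_internet_gateways(Filters=attached)["InternetGateways"]:
        igw_id = igw["InternetGatewayId"]
        ec2.detach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)
        ec2.delete_internet_gateway(InternetGatewayId=igw_id)
    for subnet in ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]:
        ec2.delete_subnet(SubnetId=subnet["SubnetId"])
    ec2.delete_vpc(VpcId=vpc_id)
    return vpc_id


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 client; records each call."""
    def __init__(self, vpc_id, subnets, igws):
        self.vpc_id, self.subnets, self.igws, self.calls = vpc_id, list(subnets), list(igws), []
    def describe_vpcs(self, Filters):
        return {"Vpcs": [{"VpcId": self.vpc_id}] if self.vpc_id else []}
    def describe_internet_gateways(self, Filters):
        return {"InternetGateways": [{"InternetGatewayId": i} for i in self.igws]}
    def describe_subnets(self, Filters):
        return {"Subnets": [{"SubnetId": s} for s in self.subnets]}
    def detach_internet_gateway(self, InternetGatewayId, VpcId):
        self.calls.append(("detach_igw", InternetGatewayId))
    def delete_internet_gateway(self, InternetGatewayId):
        self.igws.remove(InternetGatewayId)
        self.calls.append(("delete_igw", InternetGatewayId))
    def delete_subnet(self, SubnetId):
        self.subnets.remove(SubnetId)
        self.calls.append(("delete_subnet", SubnetId))
    def delete_vpc(self, VpcId):
        if self.subnets or self.igws:  # the real API returns DependencyViolation here
            raise RuntimeError("DependencyViolation")
        self.vpc_id = None
        self.calls.append(("delete_vpc", VpcId))
```

In a real function, call `delete_default_vpc(session.client("ec2", region_name=region))` once per Region in scope, with `session` built from the assumed-role credentials.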

Prerequisites

Before you deploy the solution, here are the prerequisites.

  1. Enable AWS Control Tower on the AWS Organizations management account. If you haven’t already set up AWS Control Tower, follow the steps in Getting started with AWS Control Tower.
  2. Create an AWS account using Account Factory. Follow the steps described in Provision and manage accounts with Account Factory. Or, you can choose one of the AWS Control Tower managed accounts to designate as your shared network account. Make a note of the shared network account ID displayed in the AWS Control Tower console.
  3. Ensure that the shared network account contains a non-default VPC with a minimum of two subnets (private or public) and a non-default security group. If a non-default VPC doesn’t exist, use the guide to create a new VPC. The security group will be the primary security group.
  4. On the Settings tab of the AWS Organizations console, find the AWS Organizations ID (it begins with o-).
  5. Enable trusted access for AWS RAM and AWS Firewall Manager so that they can access your AWS Organizations information and perform actions in your organization’s accounts.
  6. Enable sharing with AWS Organizations on AWS RAM to share resources across members of AWS Organizations without invitation.
  7. Follow the steps to set the Firewall Manager administrator account and associate it with the shared network account.

Step 1 – Setting up the shared network account

First, we use the AWS CloudFormation template to create the RAM resource share and Firewall Manager’s primary security group policy in the shared network account.

  1. Sign in to your shared network account. Confirm that your console session is in the same Region where AWS Control Tower is deployed.
  2. Use this launch stack link to load the AWS CloudFormation stack template, and then click Next.
  3. Under the Parameters section, enter the following parameters:
    • Choose the security group ID that you want to use as the primary security group.
    • Choose two subnet IDs (public or private) that you want to share.
  4. On the Configure stack options page, you can choose to add tags and other options. Click Next to continue.
  5. On the Review page, validate your parameters, and then click Create Stack.

The stack deploys the AWS RAM resource share with two subnets as the shared resource and a Firewall Manager primary security group policy.

View the resource share to list the AWS accounts to which the resource is shared. You won’t have any AWS accounts included yet. Also, review the Firewall Manager policy and list the accounts within the policy scope. You will not see any accounts on the list yet.

In the next step, we set up the AWS Control Tower lifecycle event to trigger the automation on a newly created account.

If you want to deploy this automation across multiple Regions, repeat the preceding steps for each Region, and then move on to step 2.

Step 2 – Setting up the lifecycle event in the management account

In this step, we deploy the Lambda functions that automate the customization in response to the AWS Control Tower lifecycle event.

  1. Sign in to your AWS Control Tower management account and confirm that your console session is in the Region where you deployed AWS Control Tower.
  2. Use the launch stack link to load the AWS CloudFormation stack template, and then select Next.
  3. On the Specify Stack Details page, provide a name for your stack (for example, CT-Customization-ManagementAcct).
  4. Under the Parameters section, enter the following parameters:
    • OrgId: AWS Organizations ID value, which was listed earlier in the prerequisites.
    • RegionScope: Comma-delimited list of AWS Regions where you deployed the AWS CloudFormation stack in the shared network account.
    • SharedNetworkAccount: Shared network account ID, which was listed earlier in the prerequisites.
  5. On the Configure stack options page, you can choose to add tags and other options. Click Next to continue.
  6. On the Review page, validate your parameters, and then click Create Stack.

This stack stores the parameters that you entered in AWS Systems Manager Parameter Store and deploys the four Lambda functions. The functionality of each Lambda function is described in the Solution overview section.

From this point forward, whenever you create an AWS account using Account Factory, the customizations are deployed automatically.

Testing the solution

Now with the customization in place, we can proceed with the test. This automation will initiate after you create a new account using the AWS Control Tower Account Factory. It takes about 20-30 minutes to complete the provisioning of a new account.

  1. Sign in to your newly created AWS account.
  2. Open the Amazon VPC console.
  3. In the Subnets section, locate the shared subnets. You can verify the subnets by referring to the Owner column.

VPC console that shows the new AWS account uses the shared VPC and subnets created in the Prerequisites section

  4. In the Security Groups section, locate the security groups created by Firewall Manager. You can filter the list by tag (for example, fms-policy-name = CorporateDefaultSGPolicy).

Amazon VPC console displays the security group, FMManagedSecurityGroup65223f8, created by Firewall Manager.

  5. Switch to an AWS Region where AWS Control Tower is not yet supported.
  6. In the VPC section, confirm that the default VPC no longer exists.

Validating the resource share

From the shared network account, let’s validate the shared subnets on the new account.

  1. Sign in to your shared network account, and then open the AWS Resource Access Manager console.
  2. Find the resource shares created by the stack. Click the {Stack Name}-Shared Subnets resource share.
  3. Under Shared principals, locate the new account ID.

AWS Resource Access Manager console displays the shared subnets and the newly created AWS accounts that are added as shared principals to the resource share.

To add more subnets to the resource share, follow the steps in Updating a Resource Share. AWS RAM will share the new subnet to existing and any future accounts automatically.

Validating the Firewall Manager policy

Let’s check the Firewall Manager’s primary security group policy for the new account’s account ID.

  1. Sign in to your shared network account, and then open the AWS Firewall Manager console.
  2. Follow the steps in Viewing resource compliance for a policy and click CorporateDefaultSGPolicy.
  3. On Accounts and resources, locate the new account ID displayed under Accounts within policy scope.

AWS Firewall Manager console displays the newly created AWS account listed in the security policy. Its status is Compliant.

By default, there is no auto-remediate action configured for the primary security group. You can use sample use cases and the security group policies described in the developer guide to customize according to your organization’s needs.

Optional: Selecting the modules

Optionally, you can add or remove the customization modules to suit your organization’s needs.

  1. Sign in to your AWS Control Tower management account and confirm that your console session is in the AWS Region where you deployed AWS Control Tower.
  2. Navigate to the AWS Systems Manager console and search for a parameter named /ct/shared/network/modules.
  3. To change the value of the parameter, click Edit.
  4. Each value represents the Lambda function name. Add or remove the Lambda function name as required. Make sure to keep the values in the comma-delimited format.
  5. If you included a new Lambda function, ensure that the Lambda function is deployed in the Region where AWS Control Tower is deployed.
  6. If you included a new Lambda function, don’t forget to add permission in the IAM role (LifeCycleLambdaRole) to allow the Network-Configurator Lambda function to invoke your new function.

When the AWS Control Tower lifecycle event is triggered, the Network-Configurator Lambda function checks the SSM parameter and invokes each Lambda function.
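The module-selection behaviour just described, as an added example that is not the blog's or AWS's own code: the dispatch logic of a Network-Configurator function that accepts only a successful CreateManagedAccount event, reads the comma-delimited module list from the /ct/shared/network/modules parameter, and invokes each listed function with the new account ID. The SSM and Lambda calls are injected so the logic runs offline against a constructed sample event.

```python
# Added example (not the blog's own code): Network-Configurator dispatch logic.
# Only a SUCCEEDED CreateManagedAccount event from aws.controltower is acted on,
# so a failed provisioning never triggers the customization modules.
import json

MODULES_PARAM = "/ct/shared/network/modules"

# Constructed sample in the documented lifecycle-event shape; IDs are placeholders.
SAMPLE_EVENT = {"source": "aws.controltower", "detail": {
    "eventName": "CreateManagedAccount",
    "serviceEventDetails": {"createManagedAccountStatus": {
        "state": "SUCCEEDED", "account": {"accountName": "workload-1", "accountId": "111122223333"}}}}}


def extract_account_id(event):
    """Return the new account ID, or None unless this is a SUCCEEDED
    CreateManagedAccount event from Control Tower."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return status.get("account", {}).get("accountId")


def parse_modules(value):
    """Split the comma-delimited parameter value into function names, ignoring blanks."""
    return [name.strip() for name in value.split(",") if name.strip()]


def dispatch(event, get_parameter, invoke):
    """Fan out to every configured module; return the (function, payload) pairs sent."""
    account_id = extract_account_id(event)
    if account_id is None:
        return []
    payload = {"accountId": account_id}
    sent = []
    for name in parse_modules(get_parameter(MODULES_PARAM)):
        invoke(name, json.dumps(payload))  # asynchronous, one module per call
        sent.append((name, payload))
    return sent


def lambda_handler(event, context):
    """Real entry point: binds dispatch() to SSM and Lambda (boto3 assumed available)."""
    import boto3
    ssm, lam = boto3.client("ssm"), boto3.client("lambda")
    return dispatch(event,
                    lambda name: ssm.get_parameter(Name=name)["Parameter"]["Value"],
                    lambda name, body: lam.invoke(FunctionName=name, InvocationType="Event", Payload=body))
```

The execution role (LifeCycleLambdaRole on the page) must allow lambda:InvokeFunction on every function named in the parameter, which is why the section above reminds you to extend it when adding a module.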

Cleaning up

To avoid incurring future charges, remove the example resources by deleting the AWS CloudFormation stacks. Remember to delete the stack from both the management account and the shared network account.

Conclusion

In this blog post, we demonstrated how to extend AWS Control Tower lifecycle events to add customization to AWS Control Tower accounts. We showed you how to integrate AWS services such as AWS Resource Access Manager, AWS Firewall Manager, and AWS Lambda to automate tasks during account provisioning.


About the authors

Welly Siauw

Welly Siauw is a Senior Technical Account Manager at AWS. Welly enjoys working with AWS customers in solving architectural, operational, and cost optimization challenges.

Brandon Bouier

Brandon Bouier is a Senior Solutions Architect helping customers of all sizes harness the power of AWS to transform their business. He’s also a subject matter expert on AWS Control Tower.

Kishore Vinjam

Kishore Vinjam is a partner solutions architect focusing on AWS Service Catalog, AWS Control Tower, and AWS Marketplace. He is passionate about working in cloud technologies, and working with customers and building solutions for them. When not working, he likes to spend time with his family, hike, and play volleyball and ping-pong.