Enabling self-service provisioning of AWS resources with AWS Control Tower

Customers provision new accounts in AWS Control Tower whenever they are on-boarding new business units or setting up application workloads. In some cases, organizations also want their cloud users, developers, and data scientists to deploy self-service standardized and secure patterns and architectures with the new account. Here are a few examples:

• A developer or cloud engineer wants to launch an Amazon EC2 instance from a golden AMI.
• A data scientist wishes to launch Amazon EMR clusters with approved AMIs and instance types.
• A database administrator must launch an approved Amazon RDS database in a newly provisioned AWS account.

In this post, we show how you can use the Account Factory in AWS Control Tower to provision new AWS accounts. We also demonstrate how you can share custom products, such as a portfolio of RDS databases, to the new account with AWS Service Catalog. Additionally, we cover how you can use AWS Control Tower’s guardrails to enforce governance in your new account.

This solution uses the following AWS services:

• AWS Control Tower
• AWS Service Catalog
• AWS CloudFormation
• Amazon CloudWatch
• Amazon RDS
• AWS Organizations

Background

This post references the following concepts:

1. AWS Control Tower offers customers a mechanism to easily provision new accounts in a secure and compliant environment, built according to AWS best practices.
2. Customers can create new accounts using AWS Service Catalog through its UI interface or the CLI.
3. AWS Control Tower guardrails are high-level rules providing ongoing governance for your AWS environment.
4. An AWS Service Catalog product is an IT service you want to make available for deployment. You can create a product by importing an AWS CloudFormation template.  Portfolios are a collection of products, together with configuration information.
5. Amazon RDS sets up, operates, and scales a relational database in the cloud.
6. AWS Organizations allows you to govern access to AWS services, resources, and Regions.

Before getting started, it helps to understand why you need a new account. Here are some questions to consider:

• Will the new account help with managing account limits for a large application?
• Are you trying to maintain billing separation at the account level?
• Is this a test, development, or production account?
• Are you building a sandbox environment for your developers?
• Which AWS Organizations business unit should the account fall under?

Solution overview

The following diagrams map out the solution architecture.

Figure 1. Create a new account in AWS Control Tower with policies in place.

Figure 2. Creating and sharing an AWS Service Catalog portfolio to the new account

Here we walk through the basic steps from setting up an AWS Organization unit and applying AWS Control Tower guardrails to developing and sharing a portfolio to a newly provisioned account.

Walkthrough

Create a new account in AWS Control Tower with policies in place:

Step 1: Add a new organizational unit.

Step 2: Apply the AWS Control Tower guardrails.

Step 3: Create a new account.

Create and share an AWS Service Catalog portfolio to the new account:

Step 1: Create and share a portfolio in the master account.

Step 2: Generate the local portfolio in the spoke account.

Step 3: Launch the product from the spoke account.

Step 4: Validate guardrail detection.

Prerequisites

This post assumes that you have already set up an AWS Control Tower environment.

Creating a new account in AWS Control Tower

For this post, we create a new account under the Data Analytics organizational unit.

Step 1: Add a new organizational unit

In the AWS Control Tower console, choose Organizational units, Add an OU.

Once the OU is created, select the OU and make a note of the organizational unit ID. You need it for the CloudFormation script used in the Creating and sharing an AWS Service Catalog portfolio to the new account section.

Step 2: Apply the AWS Control Tower guardrails

The AWS Control Tower data security guardrails provide ongoing detective governance to any account under this OU. AWS highly recommends that you apply all of these guardrails to all accounts.

Data security guardrails do the following:

• Disallow public access to RDS database instances.
• Disallow public access to RDS database snapshots.
• Disallow RDS database instances that are not storage-encrypted.

In the left navigation pane, choose Guardrails. Select Disallow RDS database instances that are not storage encrypted. On the Enable guardrail on OU page, enable the guardrail for the Data Analytics OU.

Step 3: Create a new account

The next step is to provision the new account using Account Factory. Account Factory is an AWS Service Catalog product created during the setup of AWS Control Tower. For more information, see Configuring and Provisioning Accounts Through AWS Service Catalog.

The new account creation process typically takes 30–60 minutes to finish.

After completing account creation, confirm that the account is under the Data Analytics unit.

Creating and sharing an AWS Service Catalog portfolio to the new account

Here, we create a portfolio of self-service products in the master account, which is then shared with the newly created account. Feel free to substitute your own AWS Service Catalog products.

Step 1: Create and share portfolio in the master account

The template for the products used in this post is configure_ct_portfolio.yaml.

This CloudFormation template shares the AWS Service Catalog portfolio with the Data Analytics OU that you created earlier. Follow these steps:

1. Use the following button to launch the AWS CloudFormation stack.
   
2. Choose Next.
3. For Organization Unit to Share, enter the organizational unit ID that you noted earlier.
4. Choose Next, then Next again.
5. Select I acknowledge that AWS CloudFormation might create IAM resources.
6. Choose Create.

Make a note of the output values of the stack. You enter these as input parameters in the next step.

Output values of the stack

This creates a Service Catalog portfolio in the AWS Control Tower master account, which contains the products listed earlier. It also shares the portfolio with all the AWS accounts in the OU that you specified.

AWS Service Catalog portfolio on master account

Step 2: Generate a local portfolio in the spoke account

The second step is to run  an AWS CloudFormation stack set from the master account and deploy it on the portfolio organizational unit that you shared from the master account. You will enter the output values that you noted from the previous step as the parameter fields for this AWS CloudFormation stack set.

This stack generates a local portfolio, adds the self-service products from the organization, and adds appropriate launch constraints and tags.

You can also choose to add template constraints to provide additional preventive measures, including limiting launches to only certain instance types or database versions.

1. Use the following button to launch the AWS CloudFormation stack set.
   
2. Under Specify Template type https://marketplace-sa-resources.s3.amazonaws.com/ct_spoke_setup_sc.yaml and choose Next.
3. Provide a StackSet name and for MasterPortfolio type in the MasterPortfolioId value from outputs of previous stack.
4. In Configure StackSet options page, under Permissions enter following values:
   – For IAM admin role ARN – optional select AWSControlTowerStackSetRole from drop down
   – For IAM execution role name – type in AWSControlTowerExecution and choose Next.
5. Choose Deploy stacks in organizational units, type in the Organization Unit ID that you shared the master portfolio with (in step-1).
6. For Specify regions, select the region where you deployed the Master Portfolio and choose Next.
7. Scroll down in the Review page and select I acknowledge that AWS CloudFormation might create IAM resources and click Submit.

Step 3: Launch product from the spoke account

Configure AWS Single Sign-On (AWS SSO) to allow the end user to access the spoke accounts with required permissions. The AWS SSO user should have minimum AWS Service Catalog end-user permissions. Grant access to the user on the local portfolio of the spoke account. After you complete the CloudFormation deployment in the new account, end users can now launch RDS products.

List of available products in the spoke account

Step 4: Validate guardrail detection

The detective RDS guardrails now govern the database resources in the new AWS account. If users launch an RDS instance with no encryption, the AWS Control Tower guardrail detects the non-compliant resource. AWS Control Tower’s dashboard will provide visibility across the multi-account environment, highlighting the accounts with a non-compliant status.

An example of a non-compliant database resource from the AWS Control Tower dashboard

Conclusion

This post guided you through creating a new account with AWS Control Tower and applying guardrails to it. We also showed you how to share a standardized portfolio of AWS Service Catalog products with the new account. Finally, we showcased how AWS Control Tower guardrails can quickly detect non-compliant resources.

We welcome your feedback. Please let us know if you have any comments or questions on this.

Further Reading

• Account Factory
• Portfolio Sharing
• Guardrails in AWS Control Tower

About the authors

Nivas Durairaj is a senior business development manager for AWS Service Catalog and AWS Control Tower. He enjoys guiding and helping customers on their cloud journeys. Outside of work, Nivas likes playing tennis, hiking, doing yoga and traveling around the world.

Kishore Vinjam is a partner solutions architect focusing on AWS Service Catalog, AWS Control Tower, and AWS Marketplace. He is passionate about working on cloud technologies, working with customers, and building solutions. When not working, Kishore likes to spend time with family, hike, and play volleyball and ping-pong.