AWS Cloud Operations Blog
Using AWS Control Tower and AWS Service Catalog to automate Control Tower lifecycle events
Many enterprise customers who use AWS Control Tower to create accounts want a way to extend the account creation process. They want this process to cover common business use cases, including the creation of networks, security profiles, governance, and compliance. A manual process is cumbersome and makes it difficult for the organization to respond to the needs of its business. It might also be expensive if the organization pays another party to manage this process.
In this blog post, we will show you how to automate steps after an account is created. Each step can be unique to an organizational unit (OU) by placing the name of a template or infrastructure as code (IaC) in a tag on the OU. An OU can have multiple tags, one per Control Tower lifecycle event. After each lifecycle event, the template in the tag is executed to support the customer’s use case.
The solution we describe in this post uses the following AWS services. Most of the resources are set up for you with an AWS CloudFormation stack:
- AWS CloudFormation
- AWS Service Catalog
- AWS Lambda
- AWS Control Tower
- AWS Organizations
- Amazon S3
- Amazon CloudWatch
- Amazon EventBridge
Solution overview
The following diagram shows the solution architecture for automated account management after an organization has been created through Control Tower.
Figure 1: Solution architecture diagram
Administrator process
The administrator deploys a CloudFormation template that creates resources in the management account. These resources include an AWS Service Catalog product, an Amazon EventBridge rule, and an AWS Lambda function. At this step in the process, tags are created on each Control Tower OU. These tag values are the Amazon Simple Storage Service (Amazon S3) locations of the CloudFormation templates that are deployed when the lifecycle event is triggered.
The administrator also creates or updates an account using Account Factory. When a create or update event takes place, the backend processes trigger a CloudFormation stack deployment in the managed account, using the value of the organizational unit tags.
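The following is an added example, not the blog's ctautomation code, showing the core of the Lambda function described above: it parses a Control Tower lifecycle event, looks up the tag on the account's OU, and deploys the referenced template. It assumes the OU tag key equals the lifecycle event name, that only templates under an assumed trusted bucket prefix are accepted (since the Service Catalog product lets end users change tag values), and that the AWS clients are passed in by the caller.

```python
# Added example (not the blog's ctautomation code): the core of a Lambda handler for
# Control Tower lifecycle events. Assumptions: the OU tag key equals the lifecycle
# event name, templates must live under TRUSTED_PREFIX, and AWS clients are injected.
TRUSTED_PREFIX = "https://ct-templates-example.s3.amazonaws.com/"  # assumed bucket
STATUS_KEY = {"CreateManagedAccount": "createManagedAccountStatus",
              "UpdateManagedAccount": "updateManagedAccountStatus"}

def parse_lifecycle_event(event):
    """Return event name, account id and OU id for a SUCCEEDED lifecycle event, else None."""
    detail = event.get("detail", {})
    key = STATUS_KEY.get(detail.get("eventName"))
    status = detail.get("serviceEventDetails", {}).get(key, {}) if key else {}
    # Unrelated sources, other event names and in-progress/failed runs are ignored.
    if event.get("source") != "aws.controltower" or status.get("state") != "SUCCEEDED":
        return None
    return {"event_name": detail["eventName"],
            "account_id": status["account"]["accountId"],
            "ou_id": status["organizationalUnit"]["organizationalUnitId"]}

def template_for_ou(tags, event_name):
    """Use the tag value only if it points into the trusted template bucket."""
    for tag in tags:
        if tag["Key"] == event_name and tag["Value"].startswith(TRUSTED_PREFIX):
            return tag["Value"]
    return None

def handle(event, org_client, cfn_for_account):
    """org_client: Organizations client; cfn_for_account(account_id) -> CloudFormation client in that account."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"status": "ignored"}
    tags = org_client.list_tags_for_resource(ResourceId=parsed["ou_id"])["Tags"]
    url = template_for_ou(tags, parsed["event_name"])
    if url is None:
        return {"status": "no-template", **parsed}
    resp = cfn_for_account(parsed["account_id"]).create_stack(
        StackName=f"ct-{parsed['event_name']}-{parsed['account_id']}",
        TemplateURL=url, Capabilities=["CAPABILITY_NAMED_IAM"])
    return {"status": "deployed", "stack_id": resp["StackId"], **parsed}

# Constructed sample event and fake clients so the handler runs offline.
SAMPLE_EVENT = {"source": "aws.controltower", "detail": {"eventName": "CreateManagedAccount",
    "serviceEventDetails": {"createManagedAccountStatus": {"state": "SUCCEEDED",
        "account": {"accountId": "111122223333"},
        "organizationalUnit": {"organizationalUnitId": "ou-abcd-11111111"}}}}}
class FakeOrg:  # stands in for boto3.client("organizations")
    def list_tags_for_resource(self, ResourceId): return {"Tags": [{"Key": "CreateManagedAccount", "Value": TRUSTED_PREFIX + "network.json"}]}
class FakeCfn:  # stands in for a CloudFormation client in the managed account
    def create_stack(self, **kw): return {"StackId": "arn:aws:cloudformation:us-east-1:111122223333:stack/" + kw["StackName"]}
def demo():
    return handle(SAMPLE_EVENT, FakeOrg(), lambda account_id: FakeCfn())
```

In a real deployment, cfn_for_account would assume the Control Tower execution role in the new account with STS before creating the CloudFormation client.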
End-user process
End users use an AWS Service Catalog product to update the S3 locations of templates in the organizational unit tags.
Solution prerequisites
This solution assumes that you have AWS Control Tower already configured, and that you have AWS Organizations defined and registered within AWS Control Tower. For help with configuring AWS Control Tower, visit Setting up – AWS Control Tower. For help with creating AWS Organizations, visit Creating and managing an organization – AWS Organizations.
Download automation content
Download the ctautomation.zip file and extract its content. It creates the content folder.
Create an S3 bucket and upload the folder
- Sign in to your AWS account as an administrator. Make sure that you have an AdministratorAccess IAM policy attached to your role so you can create AWS resources.
- Open the Amazon S3 console and create a bucket. For instructions, see Creating a bucket in the Amazon S3 User Guide.
- In the Buckets list, choose the name of the bucket you just created, and then choose Upload.
- Choose Add Folder, choose the content folder, and then choose Upload.
- In the Amazon S3 console, open the content/ctautomation/ folder and choose the ctautomation_setup.json file.
- Copy the object URL.
Deploy the CloudFormation template
- Sign in to your AWS account as an administrator with permission to create resources.
- Open the CloudFormation console and choose Create Stack with new resources (standard).
- Choose Amazon S3 URL, paste the URL you copied earlier, and choose Next.
- In Specify stack details, for Stack name, enter CTSetup.
- In Parameters, for SCenduser, enter a user, group, or role. The user must have administrator permissions.
- For SourceBucket, paste the S3 URL and edit it to include the bucket name only. For example, if the URL is https://${testbucket}.s3.amazonaws.com/content/ctautomation/config/sc_ct_tag_automation.json, enter <testbucket>, and then choose Next.
Figure 2: Specify stack details
- On the Configure stack options page, choose Next.
- On the Review page, select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box and then choose Create stack.
- Wait for the stack status to change to CREATE_COMPLETE.
- Alternatively, you can use Amazon CloudWatch to check on deployment progress or events associated with the creation of the resources.
View the tag report
- In the CloudFormation console, choose the stack you just created.
- Choose the Outputs tab, and then right-click and open the OuTagReport output.
This will open a report that shows the tags associated with the various OUs. The values are CloudFormation templates that are stored in an S3 bucket. The bucket was created during the stack deployment.
Figure 3: Tag report
Update your templates
- In the CloudFormation console, on the Outputs tab of the stack you created, choose the value of the Scproduct key.
- In the AWS Service Catalog console, choose Launch product.
- Under Product Actions, choose UpdateTags.
- Find the name of the OU that you want to modify and update the location of the CloudFormation template.
Figure 4: Update OU tag values
Clean up
To avoid ongoing charges in your account, delete the resources you created. Use the AWS Service Catalog console to delete the AWS Service Catalog product. Choose Provisioned products, and from Actions, choose Terminate. Use the CloudFormation console to delete the stack that you created. For instructions, see Deleting a stack on the AWS CloudFormation console.
Use the Amazon S3 console to delete the bucket contents, and then delete the bucket. For instructions, see Deleting a bucket.
Conclusion
In this blog post, we showed you how to use AWS Control Tower to automate service setup as part of the account creation process in your organization. We shared a streamlined method for creating resources that offers users more agility, but also provides the organization with tighter control over governance, compliance, and the costs associated with these resources.