AWS Cloud Operations Blog
Automate account creation, and resource provisioning using AWS Service Catalog, AWS Organizations, and AWS Lambda
As an organization expands its use of AWS services, there is often a conversation about the need to create multiple AWS accounts to ensure separation of business processes or for security, compliance, and billing. Many of the customers we work with use separate AWS accounts for each business unit so they can meet the different needs of their organization. Although creating multiple accounts has simplified operational issues and provided benefits like security and resource isolation, a smaller blast radius, and simplified billing, it takes a lot of time to create, bootstrap and configure baseline settings. Customers want to manage account creation and bootstrapping in a scalable and efficient manner so that new accounts are created with a defined baseline and some governance guardrails are in place. Most importantly, customers want automation, to save time and resources.
In this blog post, we’ll show you how to automate account creation and configuration by automating common guardrails and setting up tasks such as creating default users, configuring custom networks, and provisioning products with a curated set of AWS services into existing AWS environments. This blog extends the implementation described in a previous blog post, How to Use AWS Organizations to Automate End-to-End Account Creation.
AWS services discussed in this blog post:
- AWS Organizations offers policy-based management for multiple AWS accounts. With AWS Organizations, you can create groups of accounts, automate account creation, apply and manage policies for those groups.
- AWS Service Catalog allows you to create and manage catalogs of services that are approved for use on AWS.
- AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. AWS CloudFormation allows you to use a simple text file to model and provision, in an automated and secure manner, all the resources needed for your applications across all regions and accounts.
- AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume. There is no charge when your code is not running.
Terms used in this blog post:
- Root Account – The single AWS account from which the account builder is launched as an AWS Service Catalog product. All the newly-built accounts will be created under the root of the AWS Organization running in this account.
- Baseline template – This template has the list of AWS services that will be made available as AWS Service Catalog products in the newly-built account’s AWS Service Catalog portfolio.
- Source Bucket – Amazon S3 bucket in the root (master) account holding the baseline template and the Lambda deployment package.
- Provisioned product – A provisioned product in AWS is one or more cloud resources (compute instances, databases, networking components, etc.) that you manage as a single unit.
- Payload – AWS Lambda code for building accounts and provisioning AWS Service Catalog Products.
The account builder is an AWS Service Catalog product that uses AWS Lambda and AWS Organizations APIs to create AWS accounts. On each invocation, the AWS Lambda function used in this sample solution does the following:
- Creates a new AWS account.
- If an organizational unit name is provided, creates that organizational unit (OU) under the organization root.
- Moves the newly created account from the organization root to the newly created organizational unit.
- Creates a service control policy and attaches it to the new account.
- Assumes the role OrganizationAccountAccessRole in the new account for the following:
- Creating an IAM user with the provided password.
- Adding the IAM user to a new group with admin permissions.
- Deploying baseline templates for creating AWS Service Catalog portfolio and products.
- Deleting the default VPCs in all AWS Regions.
- Deploying a custom VPC using the provided parameters.
- Creating AWS Service Catalog products and portfolio inside the newly created account.
- Adding the provided IAM user and IAM role as principals to the created AWS Service Catalog portfolio.
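The account-creation leg of that flow (create the account, wait for it, place it in the OU, attach the SCP, assume OrganizationAccountAccessRole), as an added example written against the boto3 Organizations and STS call shapes; it is not the AccountCreationLambda.zip payload from the post. The clients are injected so the logic runs offline against the constructed FakeOrganizations and FakeSTS stand-ins defined in the block; the SCP content, the account id 111111111111 and the two-poll creation delay are assumptions for the demo, not values from the post.

```python
"""Added example: account creation and placement as the AccountBuilder Lambda
performs it, with clients injected so it can run against offline fakes."""
import json
import time

ORG_ACCESS_ROLE = "OrganizationAccountAccessRole"  # created by Organizations with the account

# Assumed guardrail SCP for the demo (the post does not show its SCP content).
LEAVE_ORG_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}],
}


def wait_for_account(org, request_id, poll_seconds=1.0, max_polls=120):
    """CreateAccount is asynchronous: poll DescribeCreateAccountStatus until it settles."""
    for _ in range(max_polls):
        status = org.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return status["AccountId"]
        if status["State"] == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)
    raise TimeoutError("account creation still IN_PROGRESS after the polling window")


def ensure_ou(org, root_id, ou_name):
    """Return the id of ou_name under the root, creating the OU only if it is absent."""
    for ou in org.list_organizational_units_for_parent(ParentId=root_id)["OrganizationalUnits"]:
        if ou["Name"] == ou_name:
            return ou["Id"]
    return org.create_organizational_unit(ParentId=root_id, Name=ou_name)["OrganizationalUnit"]["Id"]


def build_account(org, sts, email, name, ou_name=None, scp=LEAVE_ORG_DENY_SCP, poll_seconds=1.0):
    """Create the account, move it into the OU, attach the SCP and return the
    account id plus temporary credentials for OrganizationAccountAccessRole."""
    root_id = org.list_roots()["Roots"][0]["Id"]
    req = org.create_account(Email=email, AccountName=name, RoleName=ORG_ACCESS_ROLE,
                             IamUserAccessToBilling="ALLOW")
    account_id = wait_for_account(org, req["CreateAccountStatus"]["Id"], poll_seconds)
    parent_id = root_id
    if ou_name:  # new accounts land under the root; move only when an OU was requested
        parent_id = ensure_ou(org, root_id, ou_name)
        org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=parent_id)
    policy_id = org.create_policy(Content=json.dumps(scp), Description=f"Guardrails for {name}",
                                  Name=f"{name}-guardrails",
                                  Type="SERVICE_CONTROL_POLICY")["Policy"]["PolicySummary"]["Id"]
    org.attach_policy(PolicyId=policy_id, TargetId=account_id)
    creds = sts.assume_role(RoleArn=f"arn:aws:iam::{account_id}:role/{ORG_ACCESS_ROLE}",
                            RoleSessionName="AccountBuilder")["Credentials"]
    return {"AccountId": account_id, "ParentId": parent_id, "PolicyId": policy_id, "Credentials": creds}


class FakeOrganizations:
    """Constructed stand-in for the boto3 Organizations client (offline demo only)."""
    def __init__(self):
        self.ous, self.parent_of, self.attached, self.polls = {}, {}, {}, 0
    def list_roots(self):
        return {"Roots": [{"Id": "r-root"}]}
    def create_account(self, **kw):
        return {"CreateAccountStatus": {"Id": "car-1", "State": "IN_PROGRESS"}}
    def describe_create_account_status(self, CreateAccountRequestId):
        self.polls += 1  # first poll still in progress, second succeeds (assumed delay)
        self.parent_of["111111111111"] = "r-root"
        state = "IN_PROGRESS" if self.polls < 2 else "SUCCEEDED"
        return {"CreateAccountStatus": {"State": state, "AccountId": "111111111111"}}
    def list_organizational_units_for_parent(self, ParentId):
        return {"OrganizationalUnits": [{"Id": i, "Name": n} for i, n in self.ous.items()]}
    def create_organizational_unit(self, ParentId, Name):
        ou_id = f"ou-{len(self.ous) + 1}"
        self.ous[ou_id] = Name
        return {"OrganizationalUnit": {"Id": ou_id, "Name": Name}}
    def move_account(self, AccountId, SourceParentId, DestinationParentId):
        assert self.parent_of[AccountId] == SourceParentId
        self.parent_of[AccountId] = DestinationParentId
    def create_policy(self, **kw):
        return {"Policy": {"PolicySummary": {"Id": "p-guard"}}}
    def attach_policy(self, PolicyId, TargetId):
        self.attached.setdefault(TargetId, []).append(PolicyId)


class FakeSTS:
    """Constructed stand-in for the boto3 STS client."""
    def assume_role(self, RoleArn, RoleSessionName):
        return {"Credentials": {"AccessKeyId": "ASIA-FAKE", "SecretAccessKey": "x", "SessionToken": "y"}}


def demo():
    org = FakeOrganizations()
    return org, build_account(org, FakeSTS(), "admin@example.com", "New-AWS-Account",
                              "NewDevOU", poll_seconds=0)


if __name__ == "__main__":
    org, result = demo()
    print(result["AccountId"], "placed in", result["ParentId"], "with SCPs", org.attached)
```

With real clients, pass `boto3.client("organizations")` and `boto3.client("sts")` from the root account; the returned `Credentials` are what the later baseline steps (IAM user, VPC, Service Catalog) need to build clients inside the new account.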
This approach to bootstrapping accounts reduces operational overhead and standardizes account configuration across the provisioned AWS accounts. The following architecture outlines the process flow involved in account building:
In this blog post, we’ll demonstrate how to:
- Create an AWS Service Catalog Product that builds new AWS accounts.
- Create an IAM user, IAM role, and IAM group all within the new account using custom parameters.
- Delete the default VPCs in all AWS Regions.
- Create AWS Service Catalog products and portfolio as defined in the baseline template and add them to the created AWS account.
Step 1 – Prerequisites
- Download the following files (linked from the original post): AccountCreationLambda.zip, Accountbaseline.yml and accountbuilder.yml.
- The user creating the account builder as an AWS Service Catalog product needs permission to create and manage AWS Service Catalog portfolios and products (the AWSServiceCatalogAdminFullAccess managed policy covers this; AWSServiceCatalogEndUserFullAccess alone only grants rights to launch products).
- This product should only be deployed in the AWS Organizations root account.
- Enable all features in AWS Organizations in the ROOT account.
Step 2 – Create an AWS Service Catalog product for building new AWS accounts:
- In the AWS Management Console, log into the ROOT account.
- Create an Amazon S3 bucket and upload the AccountCreationLambda.zip and Accountbaseline.yml files. The account building process doesn’t require either the source bucket or the files to be public.
- The Accountbaseline.yml file defines the baseline configuration the new account should have when it is available.
- Navigate to the AWS Service Catalog console and choose portfolio list.
- Choose Create Portfolio and enter the portfolio name as AccountFactory. Specify a Description and an Owner before choosing Create. For more information on creating and deleting portfolios, see Creating and Deleting Portfolios.
- You will see a new portfolio in the list of portfolios.
- Upload a new product to the AccountFactory portfolio using the accountbuilder.yml file following these steps:
- Navigate to the AccountFactory portfolio and choose UPLOAD NEW PRODUCT.
- Provide appropriate details:
- Product Name: AccountBuilder
- Description: Account building product
- Provided by: MyOrg
- Vendor: Choose Next
- Email Contact:<Specify a valid email address>
- Support Link: Optional
- Support Description: Optional
- Select Template: Select the accountbuilder.yml file downloaded to your computer
- Version Title: 1.0
- Description: Account building product.
- Choose Next.
- Review the provided details and choose Create.
For more instructions on creating Service Catalog products, refer to the Adding Products topic in the documentation.
Step 3 – Grant access to users to launch the AWS Service Catalog Product
Add every end user who should be allowed to create an AWS account with Account Builder as a principal on the portfolio, following these steps. Keep this set small: anyone who can launch the product can create accounts and obtain administrator credentials in them.
- Navigate to the AccountFactory portfolio.
- Expand the Add user, group or role section, choose Add user, group or role, and open the Users tab.
- Grant the logged-in user access to the AccountFactory Portfolio.
For more instructions on granting access to users see Granting Access to users.
Step 4 – Launch the AccountBuilder product
- To create an AWS account by using the AccountBuilder product created earlier:
- Choose the first Products List link in the left navigation bar.
- Choose Launch product next to the AccountBuilder product.
- On the Launch – AccountBuilder page do the following:
- Provide the Product name as New-AWS-Account.
- Select the 1.0 version.
- Choose Next.
- On the Parameters page specify the following parameters:
- accountemail: admin@example.com
- Note: Make sure you have access to the above provided email address for receiving future notifications.
- Make sure to provide a unique email address that your administrators control: it becomes the root user identity of the new account and can be used to sign in as that root user.
- organizationunitname : NewDevOU
- Note: The default value is None. If a name is provided, the new account is moved into that organizational unit in AWS Organizations.
- accountname: New-AWS-Account
- adminusername: <IAM user to be created in the account>
- adminpassword : <Password for the adminusername>. Note: this value travels as a CloudFormation parameter; unless the template declares it NoEcho it is visible to anyone who can describe the stack or the provisioned product, so change it at first sign-in.
- stackname: <provide a name for the baseline stack in the newly built account>
- stackregion: <Region to deploy AWS solutions from the baseline template. Note: Make sure the AWS Region is same as the Region in which you have created the S3 bucket (Step 2).>
- sourcebucket: Name of the source bucket holding the AccountCreationLambda.zip and Accountbaseline.yml files created in Step 2.
- baselinetemplate: The template containing the baseline configuration to be applied in the new account. It is Accountbaseline.yml in the example.
- newrole: <Name of the new role that will be created in the account >
- newrolepolicy:
{"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": "*","Resource": "*"}]}
- Note: This policy is attached to the newly created role. The value must be valid JSON.
- The sample policy shown here grants full administrative access to anyone who assumes newrole; replace it with a narrower policy if the role is meant for a specific team or workload.
By default the role OrganizationAccountAccessRole is created as part of the account creation process. Any user in the root (master) account with appropriate permissions can assume this role in the newly built accounts to perform further configuration, if needed.
- Choose the Availability Zones where you want to create the custom VPC. These Availability Zones must be in the same AWS Region chosen in the stackregion parameter earlier. For example, if you selected stackregion as us-west-2, select any two of us-west-2a, us-west-2b and us-west-2c as the Availability Zones.
- Note: You might encounter an error if the AWS Region selected in the stackregion parameter is different from the Region in which the Availability Zone exists.
- You can define the IP address range by specifying the CIDR range for parameters under VPC Configuration. You have the option to specify the VPC CIDR block and CIDR ranges for the public and private subnets.
- Click Next.
- Optional: Provide tag values on the TagOptions page.
- Click Next.
- Click Next on the Notifications page. Refer to the Amazon Simple Notification Service documentation if you want to set up notifications.
- Review the entered details and Choose Launch.
- After it is launched, the accountbuilder product creates an AWS Lambda function named AccountbuilderLambda. It also creates an IAM role called LambdaExecuteRole and attaches it to AccountbuilderLambda.
- The LambdaExecuteRole is a service role that grants AccountbuilderLambda permission to call AWS Organizations and AWS Lambda in the root (master) account.
- AccountbuilderLambda is set to invoke itself resulting in the creation of a new AWS account.
- As part of the self-invocation, AccountbuilderLambda calls the AWS Organizations API in the master account for creating the new AWS account.
- OrganizationAccountAccessRole is created as part of account creation.
- Once the new account is ready, AccountbuilderLambda retrieves the Accountbaseline.yml file from the source Amazon S3 bucket and assumes OrganizationAccountAccessRole in the new account.
- With the assumed role, the AccountbuilderLambda makes baseline networking configuration updates:
- Deletes default VPCs in all regions.
- Creates a custom VPC with the provided parameters.
- Creates the IAM role and attaches the provided custom policy.
- After baselining the account, the AccountbuilderLambda works through deploying these custom resources:
- Creates an IAM user.
- Adds the user to the group with administrator rights.
- Creates the AWS Service Catalog Portfolio and Products.
- Adds the created products to the portfolio.
- Adds the IAM user as a principal for launching the products created within the AWS Service Catalog Portfolio.
- After the accountbuilder product launches successfully, you will see the output screen describing the provisioned product details.
- You can log into the newly created AWS account by clicking the LoginURL.
After you have logged in, you can view the portfolio and Service Catalog products by clicking the URL https://console.aws.amazon.com/servicecatalog. Navigate to the Region in which the stack was deployed to see the portfolio and Service Catalog products.
- At the end of the process, the newly created AWS Service Catalog Portfolio will have:
- Amazon EMR product
- Amazon RDS product
- Amazon S3 products
- Amazon VPC product
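The "Deletes default VPCs in all regions" baseline step has an ordering that the bullet list does not show: an attached internet gateway and the subnets block DeleteVpc, and a VPC with a leftover network interface cannot be deleted at all. The block below is an added example of that step written against the boto3 EC2 call shapes; it is not the Lambda code from the post. Client construction is injected so it runs offline against the constructed FakeEC2 stand-in and the three-region state defined in the block (region names, VPC ids and the stuck ENI are assumptions for the demo); with real credentials pass `lambda region: boto3.client("ec2", region_name=region, **creds)` built from the assumed-role credentials.

```python
"""Added example: delete the default VPC in every region, in dependency order,
reporting per-region outcome rather than aborting the whole baseline."""


def delete_default_vpc_in_region(ec2):
    """Remove the region's default VPC (if any) and return the VPC ids removed."""
    removed = []
    for vpc in ec2.describe_vpcs(Filters=[{"Name": "isDefault", "Values": ["true"]}])["Vpcs"]:
        vpc_id = vpc["VpcId"]
        # Internet gateways must be detached, then deleted, before the VPC can go.
        for igw in ec2.describe_internet_gateways(
                Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])["InternetGateways"]:
            ec2.detach_internet_gateway(InternetGatewayId=igw["InternetGatewayId"], VpcId=vpc_id)
            ec2.delete_internet_gateway(InternetGatewayId=igw["InternetGatewayId"])
        for subnet in ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]:
            ec2.delete_subnet(SubnetId=subnet["SubnetId"])
        # The default security group, NACL and main route table are removed with the VPC.
        ec2.delete_vpc(VpcId=vpc_id)
        removed.append(vpc_id)
    return removed


def delete_default_vpcs(client_for_region):
    """Walk every enabled region. A region that still has a dependency (for
    example an ENI left by a service) is reported, not allowed to abort the run."""
    home = client_for_region("us-east-1")
    report = {}
    for region in (r["RegionName"] for r in home.describe_regions()["Regions"]):
        try:
            report[region] = {"deleted": delete_default_vpc_in_region(client_for_region(region))}
        except Exception as exc:  # botocore raises ClientError; the block stays import-free
            report[region] = {"error": str(exc)}
    return report


class FakeEC2:
    """Constructed offline stand-in for a regional boto3 EC2 client."""
    REGIONS = ["us-east-1", "us-west-2", "eu-west-1"]  # assumed region list for the demo

    def __init__(self, region, state):
        self.region, self.state = region, state  # state: shared dict of per-region resources

    def describe_regions(self):
        return {"Regions": [{"RegionName": r} for r in self.REGIONS]}
    def describe_vpcs(self, Filters):
        vpcs = self.state.get(self.region, {}).get("vpcs", [])
        return {"Vpcs": [{"VpcId": v, "IsDefault": True} for v in vpcs]}
    def describe_internet_gateways(self, Filters):
        return {"InternetGateways": [{"InternetGatewayId": i} for i in self.state[self.region]["igws"]]}
    def detach_internet_gateway(self, InternetGatewayId, VpcId):
        self.state[self.region]["igws"].remove(InternetGatewayId)
    def delete_internet_gateway(self, InternetGatewayId):
        self.state[self.region]["deleted_igws"].append(InternetGatewayId)
    def describe_subnets(self, Filters):
        return {"Subnets": [{"SubnetId": s} for s in self.state[self.region]["subnets"]]}
    def delete_subnet(self, SubnetId):
        self.state[self.region]["subnets"].remove(SubnetId)
    def delete_vpc(self, VpcId):
        if self.state[self.region].get("enis"):  # mirrors EC2's DependencyViolation
            raise RuntimeError("DependencyViolation: The vpc has dependencies and cannot be deleted.")
        self.state[self.region]["vpcs"].remove(VpcId)


def constructed_state():
    """Constructed input: one clean default VPC, one with a leftover ENI, one region without a default VPC."""
    return {
        "us-east-1": {"vpcs": ["vpc-aaa"], "igws": ["igw-aaa"],
                      "subnets": ["subnet-a1", "subnet-a2"], "deleted_igws": []},
        "us-west-2": {"vpcs": ["vpc-bbb"], "igws": [], "subnets": ["subnet-b1"],
                      "deleted_igws": [], "enis": ["eni-stuck"]},
    }


def demo():
    state = constructed_state()
    return state, delete_default_vpcs(lambda region: FakeEC2(region, state))


if __name__ == "__main__":
    state, report = demo()
    for region, outcome in report.items():
        print(region, outcome)
```

The per-region report is what you want surfaced in the Lambda's logs or the product output: a region that reports an error still has a default VPC, and the baseline is not complete until someone removes the dependency and reruns the step for that region.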
The AWS Service Catalog products deployed are based on custom AWS CloudFormation templates. You can also add AWS Marketplace products to your portfolios to make them available to end users. AWS Marketplace is an online store that includes products such as databases, application servers, testing tools, monitoring tools, content management tools, and business intelligence software.
AWS Service Catalog also provides reference blueprints of sample products through the AWS Service Catalog in a box option. AWS Service Catalog in a box lets the Service Catalog portfolio owner pick and share products from its collection that are based on specific use cases for AWS services. No matter how you choose your products, launching an AWS resource as an AWS Service Catalog product makes it a one-click action for end users. In addition, it supports infrastructure standardization.
Conclusion
This blog post provides a method to enable on-demand creation of AWS accounts that can be customized to the requirements of an organization. Administrators and teams who are required to provision new accounts can use this approach to standardize the networking configuration and the resources that are provisioned when the new account is ready for use.
About the Authors
Vinay Kuchibhotla is a Consultant in the Pacific NorthWest AWS Professional Services Team. Vinay enjoys interacting with and solving AWS customers’ architectural challenges leveraging cloud native services. His core focus is in the areas of Storage, Compute and Networking in the Cloud. Travel and photography are his favorite spare time activities.
Sandeep Kashyap is a Sr Business Development Manager with AWS Service Catalog. Sandeep enjoys helping customers optimize their cloud operating model by building innovative solutions that help scale their operations.