What does this AWS Solutions Implementation do?

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices. Before deploying this solution, you must have an AWS Control Tower landing zone deployed in your account.

You can easily add customizations to your AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization. This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account's OUs will be automatically deployed.
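A worked illustration of the service control policy half of a configuration package, added here as example code rather than taken from the solution's sample package: it builds a preventive guardrail SCP and runs the sanity checks a practitioner wants before the solution's SCP state machine attaches the policy to an OU. The denied actions are an illustrative choice. The one thing the checks insist on is an exemption for the AWSControlTowerExecution role that AWS Control Tower creates in every enrolled account, because an SCP that blocks that role breaks account factory and landing zone updates for the whole OU. The SCP_MAX_BYTES value is the AWS Organizations quota for one SCP document; the Deny-only convention enforced by the validator is an assumption of this example.

```python
import json

SCP_MAX_BYTES = 5120  # AWS Organizations quota for one SCP document, whitespace included
CONTROL_TOWER_ROLE_ARN = "arn:aws:iam::*:role/AWSControlTowerExecution"


def build_guardrail_scp(exempt_role_names=("AWSControlTowerExecution",)):
    """Return a preventive SCP document as a dict.

    Every Deny statement exempts the given roles via aws:PrincipalARN so that
    the Control Tower execution role (and any break-glass role you add) keeps
    working. The denied actions are an illustrative set, not the solution's.
    """
    exempt_arns = [f"arn:aws:iam::*:role/{name}" for name in exempt_role_names]

    def deny(sid, actions):
        return {
            "Sid": sid,
            "Effect": "Deny",
            "Action": actions,
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": exempt_arns}},
        }

    return {
        "Version": "2012-10-17",
        "Statement": [
            deny("DenyLeavingOrganization", ["organizations:LeaveOrganization"]),
            deny("DenyTamperingWithCloudTrail",
                 ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"]),
            deny("DenyTamperingWithConfig",
                 ["config:DeleteConfigurationRecorder", "config:StopConfigurationRecorder",
                  "config:DeleteDeliveryChannel"]),
        ],
    }


def validate_scp(policy, required_exempt_arn=CONTROL_TOWER_ROLE_ARN):
    """Return a list of problems found; an empty list means the document passes.

    Checks: the Organizations size quota, the policy element SCPs do not
    support (Principal), the Deny-only convention assumed for guardrails, the
    NotAction-in-Deny footgun, and the Control Tower role exemption.
    """
    problems = []
    serialized = json.dumps(policy, indent=2)
    if len(serialized.encode()) > SCP_MAX_BYTES:
        problems.append(f"document is {len(serialized)} bytes, quota is {SCP_MAX_BYTES}")
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(f"{sid}: SCPs do not support Principal/NotPrincipal")
        if stmt.get("Effect") != "Deny":
            problems.append(f"{sid}: guardrail statements are expected to be Deny")
        if "NotAction" in stmt:
            problems.append(f"{sid}: NotAction in a Deny blocks every other action; list actions explicitly")
        if "Action" not in stmt and "NotAction" not in stmt:
            problems.append(f"{sid}: missing Action")
        if "Resource" not in stmt:
            problems.append(f"{sid}: missing Resource")
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if isinstance(exempt, str):
            exempt = [exempt]
        if required_exempt_arn not in exempt:
            problems.append(f"{sid}: does not exempt {required_exempt_arn}")
    return problems


def to_policy_file(policy):
    """Serialize in the form you would commit under the package's policies/ directory."""
    return json.dumps(policy, indent=2) + "\n"


if __name__ == "__main__":
    scp = build_guardrail_scp(("AWSControlTowerExecution", "BreakGlassAdmin"))
    print(to_policy_file(scp))
    print("problems:", validate_scp(scp))
```

Run the validator on every policy file in the package as a pre-commit step; a policy that drops the Control Tower role exemption is reported per statement, and a statement using Allow, Principal or NotAction is flagged before it ever reaches the state machine.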

AWS Solutions Implementation overview

The diagram below presents the architecture you can automatically deploy using the solution's implementation guide and accompanying AWS CloudFormation template.

Customizations for AWS Control Tower solution architecture

This solution includes an AWS CloudFormation template that you deploy in the account where the AWS Control Tower landing zone is deployed. The template launches an AWS CodePipeline pipeline, AWS CodeBuild projects, AWS Step Functions state machines, AWS Lambda functions, an Amazon EventBridge event rule, an Amazon Simple Queue Service (Amazon SQS) queue, and an Amazon Simple Storage Service (Amazon S3) bucket that contains a sample configuration package. The solution can instead create an AWS CodeCommit repository to hold the configuration package in place of the Amazon S3 bucket.

Once the solution is deployed, you package your customizations (the configuration manifest together with the CloudFormation templates and SCP documents it references) and upload the package to the pipeline's source, the Amazon S3 bucket or the CodeCommit repository. The new source revision triggers the pipeline, which runs the service control policies (SCPs) state machine and the AWS CloudFormation StackSets state machine to attach the SCPs at the organizational unit (OU) level and create stack instances at the OU and/or account level.

The solution deploys two workflows: an AWS CodePipeline workflow and an AWS Control Tower lifecycle event workflow. The CodePipeline workflow uses AWS CodePipeline, AWS CodeBuild projects, and AWS Step Functions to orchestrate the management of AWS CloudFormation StackSets and SCPs in your organization. The lifecycle event workflow consists of an Amazon EventBridge event rule, an Amazon SQS first-in first-out (FIFO) queue, and an AWS Lambda function. When a new managed account is created in AWS Control Tower, the resulting lifecycle event is matched by the rule, queued, and handed to the Lambda function, which starts the CodePipeline workflow so that the customizations in the configuration package are applied to the new account without manual intervention.
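The lifecycle event workflow described above, as an added example that is not the solution's own Lambda code: it shows the decision the function at the end of the EventBridge to SQS FIFO to Lambda chain has to make (act only on a successfully completed account lifecycle event, ignore failed or unrelated events) and how the FIFO queue's message attributes keep one account event from starting more than one pipeline run. The event shape follows the documented AWS Control Tower lifecycle events, which arrive as CloudTrail service events from the aws.controltower source; the sample events, account id and OU names are constructed, and the inclusion of UpdateManagedAccount alongside CreateManagedAccount is an assumption of this example.

```python
import hashlib
import json

# Lifecycle event names that should start a pipeline run. The page describes
# CreateManagedAccount; UpdateManagedAccount is added here (an assumption) so
# that re-enrolled accounts are re-baselined as well.
TRIGGERING_EVENTS = {"CreateManagedAccount", "UpdateManagedAccount"}

# One group id serializes all pipeline triggers through the FIFO queue, so two
# accounts created back to back do not start overlapping pipeline executions.
MESSAGE_GROUP_ID = "cfct-lifecycle-events"


def _status_block(detail):
    """Return serviceEventDetails.<eventName>Status for the event, or {}."""
    name = detail.get("eventName", "")
    key = name[:1].lower() + name[1:] + "Status"  # CreateManagedAccount -> createManagedAccountStatus
    return detail.get("serviceEventDetails", {}).get(key, {})


def should_trigger_pipeline(event):
    """True only for a successfully completed Control Tower account lifecycle event."""
    if event.get("source") != "aws.controltower":
        return False
    detail = event.get("detail", {})
    if detail.get("eventName") not in TRIGGERING_EVENTS:
        return False
    return _status_block(detail).get("state") == "SUCCEEDED"


def account_context(event):
    """Account and OU the event is about, for logging and pipeline variables."""
    status = _status_block(event["detail"])
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
    }


def fifo_message(event):
    """Attributes for SQS SendMessage on the FIFO queue.

    The deduplication id is derived from the EventBridge event id, so a
    redelivered copy of the same event collapses into one pipeline run
    within the queue's deduplication window.
    """
    return {
        "MessageGroupId": MESSAGE_GROUP_ID,
        "MessageDeduplicationId": hashlib.sha256(event["id"].encode()).hexdigest(),
        "MessageBody": json.dumps(event),
    }


def _lifecycle_event(event_id, name, state, account_id="111122223333", ou="Workloads"):
    """Constructed sample event in the documented Control Tower lifecycle shape."""
    status_key = name[:1].lower() + name[1:] + "Status"
    return {
        "id": event_id,
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventName": name,
            "serviceEventDetails": {
                status_key: {
                    "state": state,
                    "account": {"accountId": account_id, "accountName": "example-account"},
                    "organizationalUnit": {
                        "organizationalUnitName": ou,
                        "organizationalUnitId": "ou-examplea-examplea",
                    },
                }
            },
        },
    }


# Constructed sample events: a successful creation, a failed one, and an
# unrelated lifecycle event that must not start the pipeline.
SUCCEEDED_CREATE = _lifecycle_event("evt-1", "CreateManagedAccount", "SUCCEEDED")
FAILED_CREATE = _lifecycle_event("evt-2", "CreateManagedAccount", "FAILED")
ENABLE_GUARDRAIL = _lifecycle_event("evt-3", "EnableGuardrail", "SUCCEEDED")

if __name__ == "__main__":
    for ev in (SUCCEEDED_CREATE, FAILED_CREATE, ENABLE_GUARDRAIL):
        print(ev["detail"]["eventName"], should_trigger_pipeline(ev))
    print(account_context(SUCCEEDED_CREATE))
    print(fifo_message(SUCCEEDED_CREATE)["MessageDeduplicationId"])
```

The filter on state is the part worth keeping in mind when you extend the solution: a FAILED CreateManagedAccount event still carries an account id, and a pipeline run triggered by it would attempt StackSet deployments into an account that was never enrolled.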

Customizations for AWS Control Tower

Version 1.2.1
Last updated: 10/2020
Author: AWS

Estimated deployment time: 15 min


Features

Customizations

Use the included AWS CloudFormation template and service control policies to easily customize AWS Control Tower landing zone.

Integrate with AWS Control Tower lifecycle events

Keep resource deployments in sync with your landing zone, so that all resources attached to an account's organizational units are deployed automatically when the account is created.

Set up a secure, multi-account AWS environment

Leverage AWS Control Tower and other highly-available, trusted AWS services to more quickly set up a secure, multi-account AWS environment using AWS best practices.
