Customizations for AWS Control Tower (CFCT) Setup

Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0

Introduction

The SRA Customizations for Control Tower (CFCT) Solution deploys the Customizations for AWS Control Tower (CFCT) solution. This provides a method to simplify the deployment of SRA solutions and customer customizations within an AWS Control Tower environment.

The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices. Before deploying this solution, you must have an AWS Control Tower landing zone deployed in your account.

You can easily add customizations to your AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization. This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account's OUs will be automatically deployed.

Deployed Resource Details

Architecture

1.0 Organization Management Account

1.1 AWS CloudFormation

  • All resources are deployed via AWS CloudFormation as a Stack within the management account.
  • For parameter details, review the AWS CloudFormation templates.

1.2 Lambda Execution IAM Role

  • IAM role used by the Lambda function to perform the start operation for the sra-codebuild AWS CodeBuild project.

1.3 AWS Lambda Function

The Lambda function to perform the start operation for the sra-codebuild AWS CodeBuild project.

1.4 Lambda CloudWatch Log Group

  • All AWS Lambda function logs are sent to the CloudWatch Log Group /aws/lambda/<LambdaFunctionName> to help with debugging and traceability of the actions performed.
  • By default, the AWS Lambda function creates the CloudWatch Log Group with retention set to Never expire, and the logs are encrypted with a CloudWatch Logs service-managed encryption key.

1.5 AWS CodeBuild Project Created

The sra-codebuild AWS CodeBuild project is created to download the latest customizations-for-aws-control-tower.template template from GitHub and upload it to the AWS SRA code library staging S3 bucket.

1.6 CodeBuild IAM Role

  • IAM role used by the CodeBuild project.

1.7 Customizations for AWS Control Tower CloudFormation Template

Implementation Instructions

Prerequisites

  • AWS Control Tower is deployed.
  • The aws-security-reference-architecture-examples repository is cloned to the local machine or pipeline you will deploy from.
  • Ensure the SRA Prerequisites Solution was deployed.

Solution Deployment

  1. In the management account (home region), launch an AWS CloudFormation Stack using the sra-common-cfct-setup-main.yaml template file as the source.

    aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml --stack-name sra-common-cfct-setup-main --capabilities CAPABILITY_NAMED_IAM
  2. For the CodeCommit setup, follow these steps: AWS CodeCommit Repo

Solution Delete Instructions

In the management account (home region), delete the AWS CloudFormation Stack created in step 2 of the solution deployment. Note: on a Delete event, the solution will not delete the following Customizations for Control Tower (CFCT) resources:

  • CodeCommit repo (e.g., custom-control-tower-configuration)
  • S3 buckets (e.g., bucket names containing custom-control-tower or customcontroltower)
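Because those resources survive stack deletion, they keep billing and may still hold configuration data, so it is worth listing them after a delete. The following helper is an added example, not part of the SRA solution: it filters a newline-separated list of bucket (or CodeCommit repository) names down to the CFCT naming patterns named above; the sample names are constructed.

```shell
#!/bin/sh
# cfct_leftover_names: read one resource name per line on stdin and print only
# those matching the CFCT patterns that the stack deletion leaves behind.
# Feed it live data with, for example:
#   aws s3api list-buckets --query 'Buckets[].Name' --output text | tr '\t' '\n' | cfct_leftover_names
#   aws codecommit list-repositories --query 'repositories[].repositoryName' --output text | tr '\t' '\n' | cfct_leftover_names
cfct_leftover_names() {
  # -i: bucket names are lowercase, but repo names need not be; || true keeps
  # "no matches" from being treated as an error under set -e.
  grep -Ei 'custom-control-tower|customcontroltower' || true
}

# Constructed sample of what an account listing might look like after the
# sra-common-cfct-setup-main stack has been deleted (example data, not real).
sample_names='sra-staging-us-east-1-111122223333
custom-control-tower-configuration-111122223333-us-east-1
customcontroltower-pipeline-artifacts-abc123
aws-controltower-logs-111122223333-us-east-1
my-app-data'

# cfct_leftovers_from_sample: run the filter over the constructed sample so the
# behaviour can be checked without AWS credentials.
cfct_leftovers_from_sample() {
  printf '%s\n' "$sample_names" | cfct_leftover_names
}
```

Only the two CFCT buckets are reported; the Control Tower log archive bucket and unrelated buckets are left alone so the output is a safe review list, not a delete list.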
