AWS Control Tower: User Guide

Copyright © 2022 Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What Is AWS Control Tower? ... 1
    Features ... 1
    How AWS Control Tower interacts with other AWS services ... 2
    Are You a First-Time User of AWS Control Tower? ... 2
    How It Works ... 2
        Structure of an AWS Control Tower Landing Zone ... 3
        What happens when you set up a landing zone ... 3
        What Are the Shared Accounts? ... 3
        How controls work ... 9
        How AWS Control Tower Works With StackSets ... 10
Terminology ... 11
Pricing ... 13
Setting up ... 14
    Sign up for AWS ... 14
    Set up MFA ... 14
    Next step ... 14
Getting started ... 15
    Quick start guide ... 15
    Pre-launch checks ... 16
        Considerations for AWS IAM Identity Center (successor to AWS Single Sign-On) (IAM Identity Center) customers ... 17
    Step 1: Create your shared account email addresses ... 18
    Expectations for landing zone configuration ... 18
    Step 2. Configure and launch your landing zone ... 19
        Step 2a. Review pricing and select your AWS Regions ... 19
        Step 2b. Configure your organizational units (OUs) ... 20
        Step 2c. Configure your shared accounts, logging, and encryption ... 20
    Step 3. Review and set up the landing zone ... 22
    Next steps ... 23
Limitations and quotas ... 24
    Limitations in AWS Control Tower ... 24
    Quotas for Integrated Services ... 25
Best practices for administrators ... 26
    Explaining Access to Users ... 26
    Explaining Resource Access ... 26
    Explaining Preventive Controls ... 27
    Plan your landing zone ... 27
        Compare functionality ... 28
        Launch AWS Control Tower in an Existing Organization ... 28
        Launch AWS Control Tower in a New Organization ... 29
    Best practices: Set up an AWS multi-account landing zone ... 29
        Align with AWS multi-account guidance ... 30
        Guidelines to set up a well-architected environment ... 30
        Example of AWS Control Tower with a complete multi-account OU structure ... 32
        About the Root ... 33
    Administrative tips for landing zone setup ... 33
    Recommendations for setting up groups, roles, and policies ... 34
    Guidance for creating and modifying AWS Control Tower resources ... 34
    When to Sign in as a Root User ... 35
    AWS Organizations Guidance ... 36
    AWS IAM Identity Center (successor to AWS Single Sign-On) Guidance ... 37
    Account Factory Guidance ... 37
    Guidance on Subscribing to SNS Topics ... 37
    Guidance for KMS keys ... 38
    Configuration update management ... 38
        About Updates ... 39
        Update Your Landing Zone ... 40
        Resolve drift with Repair and Re-register ... 40
        Provision and update accounts using automation ... 41
Automate tasks ... 42
    AWS CloudShell and the AWS CLI ... 43
        Obtaining IAM permissions for AWS CloudShell ... 43
        Interacting with AWS Control Tower using AWS CloudShell ... 44
    AWS CloudFormation resources ... 46
        AWS Control Tower and AWS CloudFormation templates ... 46
        Learn more about AWS CloudFormation ... 46
    Resource identifiers for APIs and controls ... 47
        Controls that cannot be changed with the AWS Control Tower APIs ... 48
        Find identifiers for OUs ... 49
        Control API examples ... 49
        Enable controls with AWS CloudFormation ... 51
Customize your landing zone ... 53
    Customize from the AWS Control Tower console ... 53
    Automate customizations outside the AWS Control Tower console ... 54
    Benefits of Customizations for AWS Control Tower (CfCT) ... 54
    Additional CfCT examples ... 55
    Customizations for AWS Control Tower (CfCT) overview ... 55
        Architecture ... 56
        Cost ... 57
    Component services ... 57
        Amazon Simple Storage Service ... 57
        AWS CodeCommit ... 58
        Amazon Simple Queue Service ... 58
        AWS CodePipeline ... 58
        AWS Key Management Service ... 58
        AWS Lambda ... 58
        AWS Systems Manager Parameter Store ... 58
        Amazon Simple Notification Service ... 59
    Deployment considerations ... 59
        Prepare for deployment ... 59
        To update Customizations for AWS Control Tower ... 60
    Template and source code ... 60
        Source code ... 60
    Deploy CfCT ... 60
        Prerequisites ... 60
        Deployment steps ... 61
        Step 1. Launch the stack ... 61
        Step 2. Create a custom package ... 63
        Update the stack ... 63
        Delete a stack set ... 64
    Set up Amazon S3 as the configuration source ... 65
    Operational metrics ... 65
    CfCT customization guide ... 66
        Code pipeline overview ... 66
        Define a custom configuration ... 68
        Root OU ... 72
        Nested OU ... 73
        Build your own customizations ... 73
        Manifest version upgrades ... 78
Networking ... 80
    VPCs and AWS Regions in AWS Control Tower ... 80
    Overview of AWS Control Tower and VPCs ... 80
        CIDR and Peering for VPC and AWS Control Tower ... 81
Required Roles ... 83
    Roles and account creation ... 83
    Optional conditions for your role trust relationships ... 84
    AWS Control Tower ConfigRecorderRole ... 86
    How AWS Control Tower aggregates AWS Config rules in unmanaged OUs and accounts ... 103
    Programmatic roles and trust relationships for the AWS Control Tower audit account ... 104
    Automated Account Provisioning With IAM Roles ... 107
Configure Regions ... 109
    Configure your AWS Control Tower Regions ... 109
    Configure the Region deny control ... 111
Accounts ... 112
    Methods of provisioning ... 112
    What happens when AWS Control Tower creates an account ... 113
    Permissions required ... 113
    About accounts ... 113
        View your accounts ... 114
        About the shared accounts ... 114
        About member accounts ... 116
    Enroll an existing AWS account ... 116
        What happens during account enrollment ... 117
        Enrolling existing accounts with VPCs ... 117
        Prerequisites for enrollment ... 118
        Enroll an account ... 119
        What if the account does not meet the prerequisites? ... 121
        Example AWS Config CLI commands for resource status ... 122
        Manually add the required IAM role to an existing AWS account and enroll it ... 122
        Automated enrollment of AWS Organizations accounts ... 124
    Enroll accounts that have existing AWS Config resources ... 125
        Step 1: Contact customer support with a ticket, to add the account to the AWS Control Tower allow list ... 126
        Step 2: Create a new IAM role in the member account ... 126
        Step 3: Identify the AWS Regions with pre-existing resources ... 126
        Step 4: Identify the AWS Regions without any AWS Config resources ... 127
        Step 5: Modify the existing resources in each AWS Region ... 127
        Step 5a. AWS Config recorder resources ... 127
        Step 5b. Modify AWS Config delivery channel resources ... 127
        Step 5c. Modify AWS Config aggregation authorization resources ... 128
        Step 6: Create resources where they don't exist, in Regions governed by AWS Control Tower ... 128
        Step 7: Register the OU with AWS Control Tower ... 129
    Account Factory ... 129
        Permissions for Configuring and Provisioning Accounts ... 130
        Create and provision an account ... 130
        Account considerations ... 131
        Update and move accounts ... 131
        Change email address of an enrolled account ... 133
        Change the name of an enrolled account ... 133
        Configure Amazon VPC settings ... 133
        Unmanage an account ... 134
        Close an account ... 135
        Account Factory resources ... 136
    Account Factory Customization (AFC) ... 137
        Set up for customization ... 138
        Create a customized account from a blueprint ... 142
        Enroll and customize accounts ... 142
        Add a blueprint to an AWS Control Tower account ... 142
        Update a blueprint ... 143
        Remove a blueprint from an account ... 143
        Partner blueprints ... 143
        Considerations for Account Factory Customizations (AFC) ... 143
        In case of a blueprint error ... 144
        Customizing your policy document for AFC blueprints ... 145
    Account Factory for Terraform (AFT) ... 146
        Prerequisites ... 146
        Provision a new account with AFT ... 146
        Update an existing account ... 147
        Multiple account requests ... 148
        Deploy AFT ... 148
        AFT overview ... 150
        Versions supported ... 152
        Enable feature options ... 155
        Resources for AFT ... 156
        Required roles ... 159
        Component services ... 161
        AFT account provisioning pipeline ... 162
        Account customizations ... 164
        Alternative VCS ... 167
        Data protection ... 169
        Remove an account ... 169
        Operational metrics ... 170
        Troubleshooting guide ... 171
Drift ... 174
    Detecting drift ... 174
    Resolving drift ... 175
    Considerations about drift and SCP scans ... 175
    Types of drift to repair right away ... 176
    Repairable changes to resources ... 177
    Drift and New Account Provisioning ... 177
    Types of Governance Drift ... 177
        Moved Member Account ... 178
        Removed Member Account ... 179
        Unplanned Update to Managed SCP ... 180
        SCP Attached to Managed OU ... 180
        SCP Detached from Managed OU ... 181
        SCP Attached to Member Account ... 181
        Deleted Foundational OU ... 182
    If you manage resources outside of AWS Control Tower ... 183
        Referring to resources outside of AWS Control Tower ... 183
        Externally changing AWS Control Tower resource names ... 184
        Deleting the Security OU ... 184
        Removing an account from the Security OU ... 185
        External changes that are updated automatically ... 186
Organizations ... 188
    Video Walkthrough ... 188
    Extend governance to an existing organization ... 188
        Video: Enable a Landing Zone in existing AWS Organizations ... 189
        Considerations for IAM Identity Center and existing organizations ... 190
        Access to other AWS services ... 190
    Nested OUs ... 190
        Video Walkthrough ... 190
        Expand from flat OU structure to nested OU structure ... 190
        Nested OU registration pre-checks ... 191
        Nested OUs and roles ... 191
        What happens during registration and re-registration of nested OUs and accounts ... 191
        Considerations for nested OU registration ... 192
        Nested OU limitations ... 192
        Nested OUs and compliance ... 192
        Nested OUs and drift ... 192
        Nested OUs and controls ... 193
        Nested OUs and the root ... 194
    Register an OU to enroll multiple accounts ... 194
        Register an existing OU ... 195
        Create a new OU ... 196
        Common causes of failure during registration or re-registration ... 196
    Update organizations ... 198
        When to update OUs and accounts ... 198
        Update multiple accounts in one OU ... 198
        What happens during re-registration ... 198
        Update a single account ... 199
Controls reference guide ... 200
    Control behavior and guidance ... 200
    Considerations for controls and OUs ... 201
    Exception to controls for the management account ... 201
    Considerations for controls and accounts ... 202
    View control details ... 202
        List of control objectives ... 203
    Enable controls on an OU ... 204
        Concurrent deployment for optional controls ... 204
    Controls and compliance ... 205
        How can administrators review compliance? ... 206
        Compliance status in the console ... 207
        Drift prevention and notification ... 208
        Compliance notifications by SNS and email ... 210
    Controls library ... 210
        Mandatory controls ... 211
        Proactive controls ... 225
        Security Hub standard ... 971
        Data residency controls ... 972
        Optional controls ... 988
Integrated services ... 1005
    AWS CloudFormation ... 1005
    CloudTrail ... 1005
    CloudWatch ... 1006
    AWS Config ... 1006
    IAM ... 1007
    AWS Key Management Service ... 1007
    AWS Lambda ... 1007
    AWS Organizations ... 1007
Considerations ..... 1008
Amazon S3 ..... 1008
Security Hub ..... 1008
AWS Service Catalog ..... 1008
IAM Identity Center ..... 1008
Things to Know About IAM Identity Center Accounts and AWS Control Tower ..... 1010
IAM Identity Center Groups for AWS Control Tower ..... 1010
Amazon SNS ..... 1012
Step Functions ..... 1013
Security ..... 1014
Data Protection ..... 1014
Encryption at Rest ..... 1015
Encryption in Transit ..... 1015
Restrict Access to Content ..... 1015
Identity and Access Management ..... 1015
Authentication ..... 1016
Access Control ..... 1017
Overview of Managing Access ..... 1017
Prevent confused deputy attacks ..... 1020
Using Identity-Based Policies (IAM Policies) ..... 1020
Compliance Validation ..... 1027
Resilience ..... 1028
Infrastructure Security ..... 1028
Logging and monitoring ..... 1030
Monitoring ..... 1031
Logging AWS Control Tower Actions with AWS CloudTrail ..... 1031
AWS Control Tower Information in CloudTrail ..... 1031
Example: AWS Control Tower Log File Entries ..... 1033
Monitoring resource changes with AWS Config ..... 1034
Managing AWS Config costs in AWS Control Tower ..... 1034
View the AWS Config recorder data on enrolled accounts ..... 1035
Troubleshooting AWS Config in AWS Control Tower ..... 1036
Lifecycle Events ..... 1037
CreateManagedAccount ..... 1039
UpdateManagedAccount ..... 1039
EnableGuardrail ..... 1040
DisableGuardrail ..... 1041
SetupLandingZone ..... 1042
UpdateLandingZone ..... 1043
RegisterOrganizationalUnit ..... 1044
DeregisterOrganizationalUnit ..... 1045
PrecheckOrganizationalUnit ..... 1046
Walkthroughs ..... 1048
Walkthrough: Move from ALZ to AWS Control Tower ..... 1048
Walkthrough: Automate Account Provisioning in AWS Control Tower by AWS Service Catalog APIs ..... 1048
Sample provisioning input for Service Catalog API ..... 1050
Video Walkthrough ..... 1051
Walkthrough: Configure AWS Control Tower Without a VPC ..... 1051
Delete the AWS Control Tower VPC ..... 1051
Create an Account in AWS Control Tower Without a VPC ..... 1052
Walkthrough: Set Up Security Groups in AWS Control Tower With AWS Firewall Manager ..... 1053
Set Up Security Groups With AWS Firewall Manager ..... 1053
Walkthrough: Decommission an AWS Control Tower Landing Zone ..... 1053
Overview of the decommissioning process ..... 1054
Resources not removed during decommissioning ..... 1054
How to decommission a landing zone ..... 1061