Amazon AWS Official Blog

Manage Control Tower with Cloud Foundations: govern regions, manage organizations, create or enroll accounts, enable controls

Link to the Chinese version of this article.

The original purpose of Cloud Foundations (hereinafter also called the “System”) was to bridge service gaps between Amazon Web Services in the China and Global Regions, using automation to quickly build a secure and standardized cloud landing zone and manage it effectively with best practices. Over more than two years of development, the solution has closely followed the technological advancement of Amazon Web Services and has always supported both domestic and foreign regions simultaneously, achieving the goal of “one set of code that runs everywhere”. Global Regions nevertheless provide richer services and functions. In response to customer feedback and practical needs, we also develop and improve the solution to ensure that it remains secure, up to date, standardized and easy to use in Global Regions.

AWS Control Tower (Control Tower) is a popular managed service for creating a landing zone to manage organizational units (OUs), accounts, and controls. It is currently available in some Global Regions and has not yet been launched in China Regions. Cloud Foundations provides the same or similar functionality to Control Tower in many respects, so it can be used as an alternative in China Regions. In Global Regions, Control Tower can be used alone or in parallel with Cloud Foundations so that each complements the other’s strengths and weaknesses. Making the two collaborate effectively to manage a cloud environment is challenging, and users are sometimes confused about where the boundary between them lies. To address this, we wrote this blog post to explain and discuss the common and important issues, helping users operate and maintain the cloud environment efficiently.

Manage organizations

There are three models for managing organizations and multiple accounts with Cloud Foundations, as shown in the following figure:

The main differences among the three models are as follows:

Model                        | A   | B   | C
-----------------------------|-----|-----|----
Enable Amazon Organizations  | No  | Yes | Yes
Enable AWS Control Tower     | No  | No  | Yes
China Regions                | Yes | Yes | No
Global Regions               | Yes | Yes | Yes
Automatic account creation   | No  | Yes | Yes
Support VPC-sharing network  | No  | Yes | Yes
Support TGW-sharing network  | Yes | Yes | Yes
Support Product Factory      | Yes | Yes | Yes

Commonly used models are B and C. Model A has two main application scenarios. One is where it is inconvenient to use Amazon Organizations, such as when different accounts cannot be placed in the same organization due to regulatory restrictions; the other is managing a single account, where all workloads are placed in that one account. This article mainly introduces model C.

Since Control Tower is a managed service, it is actually configured and managed like any other managed service from the Cloud Foundations perspective. To properly enable it, when deploying Cloud Foundations, in addition to turning on the ControlTower switch, you also need to set the following service switches:

  1. Enable Amazon Organizations: Amazon Organizations is the foundation of Control Tower;
  2. Enable Amazon CloudTrail: This service is managed by the system and turned off when configuring Control Tower;
  3. Disable Amazon Config: the service can currently only be managed by Control Tower;
  4. Disable Amazon IAM Identity Center: the service is managed by the system;

While deploying Cloud Foundations, the system configures Control Tower as in the table below, where some parameters cannot be changed, in line with best practices. In terms of core accounts, Cloud Foundations has one more account than Control Tower, the Infrastructure Account; the others, such as regions and accounts, are consistent between the two. During the initial deployment, Control Tower generally takes about half an hour to build and deploy in the management/admin build of the setup pipeline. If Control Tower needs to be adjusted later (such as adding a governed region), the changes are also carried out in the same build.

Control Tower configuration item          | Value from Cloud Foundations | Other values
------------------------------------------|------------------------------|-------------
Version                                   | /                            | 3.3
Main region                               | Main region                  |
Governed regions                          | Governed regions             |
Audit Account                             | Security Account             |
Log archive Account                       | Logs Account                 |
Standard account log retention period     | Log retention days           |
Service log retention period              |                              |
IAM Identity Center account access        | Turn off                     | Turn on
CloudTrail organizational trail           | Turn off                     | Turn on
Config service                            | Turn on                      | Turn off
Dedicated Amazon KMS customer managed key | Create separately            |
Sandbox organizational unit name          | Sandbox                      |
Security organizational unit name         | Security                     |

If Control Tower is not enabled while deploying Cloud Foundations and it needs to be enabled later, do the following steps:

  1. Change parameter: /prefix/parameter/baseline/disabled, disable config, config_rule;
  2. Release the setup pipeline and wait for it to complete. The AWS Config service and the configuration rules detection product are then turned off;
  3. Change parameter: /cf/services, enable controltower;
  4. Change parameter: /prefix/parameter/baseline/disabled, enable config_rule;
  5. Release the setup pipeline and wait for it to complete. Control Tower is then turned on and manages the AWS Config service;
  6. Release the extra pipeline and wait for it to complete. The configuration rules detection product is then turned on;

Create a new account

Once deployed, Control Tower comes with an Account Factory in its console for creating new accounts. At the same time, Cloud Foundations also creates an Account Factory product in the Amazon Service Catalog portfolio. There is an account creation portal in the Amazon Organizations console as well. Generally speaking, if Control Tower is enabled, it is fine to simply create an account directly through its Account Factory according to its documentation; there is no need to create an account via the Amazon Organizations console. Similarly, once Cloud Foundations manages Control Tower, accounts only need to be created through the system Account Factory; there is no need to create an account via Control Tower or Amazon Organizations.

The diagram above shows the Cloud Foundations Account Factory architecture. Note the key resources such as the Account Factory service catalog product, the account state machine, and the provision state machines. When you launch the system Account Factory product, the system creates or enrolls/invites an account based on whether you provide the 12-digit ID of the Amazon Web Services account. Depending on whether Control Tower is enabled, the system may call the Control Tower Account Factory, or directly call the API to create or enroll an account. In addition, when creating an account, the Account Factory will also create a system manager role, enable regions that are disabled by default (opt-in regions), execute the initial pipeline, etc. The new account will not be ready until all governing pipelines have executed successfully. The entire process usually takes between 30 and 60 minutes, depending on the number of accounts and regions. When the product is terminated, the account will be closed or deregistered; again, depending on whether Control Tower is enabled, the system calls the Control Tower Account Factory or the API directly. Technically, execution is scheduled through the Amazon Step Functions account state machine in the Infrastructure Account. Refer to the figure below for the detailed process.

Once Control Tower is enabled, you can only create or enroll one account at a time instead of a maximum of five. The steps for creating an account are as follows:

  1. Launch the Cloud Foundations Account Factory service catalog product in the Infrastructure Account;
  2. Provisioned product name: Enter the name, such as a description of the account created;
  3. Account Ids: Leave blank;
  4. Account Emails: Enter 1 account email address, also used as the user email of the Identity Center;
  5. Account Names: Enter 1 account name, also used as the user name of the Identity Center. The surname is set to Admin;
  6. Organizational Unit: Enter an enrolled organizational unit name or ID; default to the Sandbox organizational unit;
  7. Launch product: Find the launched product in the list of provisioned products and wait for its status to be available;
  8. Account state machine: Monitor the account state machine in Step Functions and confirm successful execution;
  9. Provision state machine: Monitor the provision state machine in Step Functions and confirm successful execution;

After the provision state machine is completed, a new account is created and enrolled in Control Tower, effectively governed by Cloud Foundations, and can be used safely. When the above product is terminated, Cloud Foundations calls the Control Tower Account Factory to close the account. You may also refer to the fourth demo video on new account creation [2].

Enroll an account

Control Tower provides the function to enroll existing accounts, so that accounts within an organization can be governed by Control Tower. Like creating a new account, enrolling an account is done through the Cloud Foundations Account Factory rather than the Control Tower console, because in addition to governance by Control Tower, accounts must also be managed by Cloud Foundations. Enrollment requires that the existing account is within the Amazon Organizations organization and trusts the Management Account, i.e., the OrganizationAccountAccessRole exists. During enrollment, the system creates the AWSControlTowerExecution role required by Control Tower, so there is no need to create it manually. Similarly, you can only enroll one account at a time. The steps for enrolling an account are as follows:

  1. Launch the Cloud Foundations Account Factory service catalog product in the Infrastructure Account;
  2. Provisioned product name: Enter the name, such as a description of the batch account creation;
  3. Account Ids: Enter 1 account ID;
  4. Account Emails: Leave blank and dynamically read through the organization;
  5. Account Names: Leave blank and dynamically read through the organization;
  6. Organizational Unit: Enter an enrolled organizational unit name or ID; default to the Sandbox organizational unit;
  7. Launch product: Find the launched product in the list of provisioned products and wait for its status to be available;
  8. Account state machine: Monitor the account state machine in Step Functions and confirm successful execution;
  9. Provision state machine: Monitor the provision state machine in Step Functions and confirm successful execution;

After the provision state machine is completed, the account is enrolled in Control Tower, is effectively governed by Cloud Foundations as well, and can be used safely. When the above product is terminated, Cloud Foundations calls the Control Tower Account Factory to deregister the account; the account is not closed. It remains active in the organization but is no longer enrolled.
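Both procedures above (creating a new account and enrolling an existing one) launch the same Account Factory product with slightly different inputs and then wait on the same two Step Functions state machines. The following is an added example, not Cloud Foundations code, that encodes the input rules from the two step lists (blank Account Ids means create, a 12-digit ID means enroll, one account per launch while Control Tower is enabled, Sandbox as the default organizational unit) as a pre-flight check, and polls a state machine until it reaches a terminal status. The parameter keys `AccountIds`, `AccountEmails`, `AccountNames` and `OrganizationalUnit` and the state machine ARN are assumptions; in real use `sfn` would be a boto3 `stepfunctions` client, and the sample inputs are constructed.

```python
"""Added example (not Cloud Foundations code): validate Account Factory inputs
and wait for the account/provision state machines. Parameter keys and ARNs
below are assumptions, not the project's actual identifiers."""
import re
import time
from typing import Callable, Dict, List

# Assumed Service Catalog parameter keys for the four fields the procedure names.
PARAM_KEYS = ("AccountIds", "AccountEmails", "AccountNames", "OrganizationalUnit")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TERMINAL = {"SUCCEEDED", "FAILED", "TIMED_OUT", "ABORTED"}


def _csv(value: str) -> List[str]:
    return [s.strip() for s in value.split(",") if s.strip()]


def build_account_factory_request(
    account_ids: str = "",
    account_emails: str = "",
    account_names: str = "",
    organizational_unit: str = "",
    control_tower_enabled: bool = True,
) -> Dict[str, object]:
    """Return the mode (create/enroll) and provisioning parameters for one launch.

    Raises ValueError before anything is launched when the inputs violate the
    rules in the post, so a half-built account never has to be cleaned up.
    """
    ids, emails, names = _csv(account_ids), _csv(account_emails), _csv(account_names)
    limit = 1 if control_tower_enabled else 5  # one account per launch with Control Tower
    count = len(ids) if ids else len(emails)
    if count == 0:
        raise ValueError("provide Account Ids (enroll) or Account Emails (create)")
    if count > limit:
        raise ValueError(f"at most {limit} account(s) per launch")
    if ids:
        mode = "enroll"
        bad = [i for i in ids if not ACCOUNT_ID_RE.match(i)]
        if bad:
            raise ValueError(f"account IDs must be 12 digits: {bad}")
        if emails or names:
            raise ValueError("leave Account Emails/Names blank when enrolling")
    else:
        mode = "create"
        if len(names) != len(emails):
            raise ValueError("one Account Name per Account Email is required")
        bad = [e for e in emails if not EMAIL_RE.match(e)]
        if bad:
            raise ValueError(f"invalid account emails: {bad}")
    ou = organizational_unit.strip() or "Sandbox"  # default OU from the procedure
    values = (",".join(ids), ",".join(emails), ",".join(names), ou)
    params = [{"Key": k, "Value": v} for k, v in zip(PARAM_KEYS, values)]
    return {"mode": mode, "provisioning_parameters": params}


def wait_for_state_machine(sfn, state_machine_arn: str,
                           pause: Callable[[], None] = lambda: time.sleep(30)) -> str:
    """Poll the newest execution of a state machine until it ends.

    `sfn` is a boto3 stepfunctions client (or any object with the same
    list_executions shape). ListExecutions returns the most recent execution
    first. A non-SUCCEEDED outcome raises, so a failed build is never mistaken
    for a ready account.
    """
    while True:
        execs = sfn.list_executions(stateMachineArn=state_machine_arn, maxResults=1)["executions"]
        if not execs:
            raise RuntimeError("no execution found; was the product launched?")
        status = execs[0]["status"]
        if status in TERMINAL:
            if status != "SUCCEEDED":
                raise RuntimeError(f"execution {execs[0]['name']} ended with {status}")
            return status
        pause()


if __name__ == "__main__":
    # Constructed inputs mirroring the two step lists in the post.
    print(build_account_factory_request(account_emails="dev@example.com", account_names="dev-account"))
    print(build_account_factory_request(account_ids="123456789012", organizational_unit="Workloads"))
```

The request builder is pure, so it can run in a CI job or a pre-commit hook before anyone launches the product; `wait_for_state_machine` is the piece that replaces watching the Step Functions console in steps 8 and 9 and should be run first against the account state machine and then the provision state machine.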

Customize an account

Control Tower provides a wide range of tools to customize accounts, mainly the following:

  1. AFC: Store account blueprints as Service Catalog products in a dedicated account. Select the blueprint to customize the new account when creating it. The blueprint product is actually an Amazon CloudFormation template, which defines the resources to be deployed for the account customization;
  2. AFT: Use a dedicated organizational unit and a dedicated account to deploy the AFT environment including codebases, pipelines, state machines, etc. Create and configure one or more accounts by account request Terraform files based on the GitOps model;
  3. CfCT: Customize the Control Tower landing zone through CloudFormation templates and service control policies (SCPs), integrated with Control Tower lifecycle events. Therefore, it can also be used to automatically deploy resources within a new account when Account Factory creates it. Similar to AFT, this feature requires the deployment of a series of CI/CD resources to support operation. However, the CfCT architecture can only be deployed in the Management Account rather than a dedicated account, which we don’t think is a best practice.

Cloud Foundations provides similar account customization functionality through the Product Factory [1]. Templates and products similar to “account creation blueprints” are defined centrally in the Infrastructure Account, and resources are automatically deployed to specified accounts and regions through the Cloud Foundations built-in CI/CD engine. The Infrastructure Account can be viewed as a dedicated blueprint management account.

Enable controls

One of the main functions of Control Tower is the continuous governance of the cloud environment through controls (previously known as “guardrails”). A control is a high-level rule described in natural language to govern cloud resources and monitor account compliance. The controls are divided into three categories: preventive, detective, and proactive. Controls apply to organizational units and take effect for the accounts contained within the unit, except for the Management Account and the Security organizational unit. All control identifiers are listed in the Control Tower documentation.

The system supports deploying and configuring Control Tower controls through the Product Factory. For example, the following code snippet defines two controls, requiring EBS-optimized instances and encrypted volumes, for a specified organizational unit. The organizational unit is passed in dynamically through the variable OU. Control Tower control resources are specific resources that are always deployed in the main region and the Management Account. More information on automated management and deployment of cloud resources with Product Factory can be found in blog post [1].

{
  "service": "controltower",
  "controls": {
    "safeguard-${OU}": {
      "ou": "${OU}",
      "controls": ["AWS-GR_EBS_OPTIMIZED_INSTANCE", "AWS-GR_ENCRYPTED_VOLUMES"]
    }
  }
}
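A definition like the one above states the intended controls, but a practitioner also wants to confirm that Control Tower actually reports them as enabled on the target OU. The following is an added example, not Cloud Foundations or Control Tower code, that renders the definition for one OU the way the Product Factory fills in `${OU}`, and compares the desired controls with the `controlIdentifier` ARNs that the Control Tower `ListEnabledControls` API returns for that OU. The enabled-control list is constructed inline here; in real use it would be read from the `controltower` client in the Management Account and main region, and the region and OU names are placeholders.

```python
"""Added example (not project code): render the Product Factory control
definition for an OU and detect controls that are desired but not enabled."""
import json
import re
from string import Template
from typing import Dict, Iterable, List

# The control definition from the post; "${OU}" is filled in at deploy time.
DEFINITION = {
    "service": "controltower",
    "controls": {
        "safeguard-${OU}": {
            "ou": "${OU}",
            "controls": ["AWS-GR_EBS_OPTIMIZED_INSTANCE", "AWS-GR_ENCRYPTED_VOLUMES"],
        }
    },
}
# Shape of the AWS-GR_* identifiers used in the definition (not the full catalogue).
CONTROL_ID_RE = re.compile(r"^AWS-GR_[A-Z0-9_]+$")


def render_definition(definition: dict, ou: str) -> dict:
    """Substitute ${OU} everywhere in the definition, as the Product Factory does."""
    return json.loads(Template(json.dumps(definition)).substitute(OU=ou))


def desired_controls(rendered: dict) -> Dict[str, List[str]]:
    """Map each OU named in the rendered definition to its control identifiers."""
    out: Dict[str, List[str]] = {}
    if rendered.get("service") != "controltower":
        raise ValueError("not a controltower definition")
    for block in rendered["controls"].values():
        for cid in block["controls"]:
            if not CONTROL_ID_RE.match(cid):
                raise ValueError(f"unexpected control identifier: {cid}")
        out.setdefault(block["ou"], []).extend(block["controls"])
    return out


def control_arn(region: str, control_id: str) -> str:
    """Control identifier ARN as used by the Control Tower API (main region)."""
    return f"arn:aws:controltower:{region}::control/{control_id}"


def missing_controls(desired: Dict[str, List[str]],
                     enabled: Dict[str, Iterable[str]], region: str) -> Dict[str, List[str]]:
    """Return, per OU, the control ARNs that are desired but not reported enabled.

    `enabled` maps an OU name to the controlIdentifier values from
    ListEnabledControls for that OU. An empty result means no drift.
    """
    gaps: Dict[str, List[str]] = {}
    for ou, ids in desired.items():
        have = set(enabled.get(ou, []))
        gap = [control_arn(region, c) for c in ids if control_arn(region, c) not in have]
        if gap:
            gaps[ou] = gap
    return gaps


if __name__ == "__main__":
    region = "us-east-1"  # placeholder main region
    wanted = desired_controls(render_definition(DEFINITION, "Workloads"))
    # Constructed API result: only one of the two controls is enabled on the OU.
    reported = {"Workloads": [control_arn(region, "AWS-GR_ENCRYPTED_VOLUMES")]}
    print(missing_controls(wanted, reported, region))
```

Run on a schedule, the drift result is the detection signal: a non-empty map means the landing zone no longer matches the definition, whether because a release failed or because a control was disabled outside the pipeline.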

Govern a new region

When governing a new region, as with creating a new account, you do not need to log in to the Control Tower console; all operations for enabling and configuring the new region are completed through Cloud Foundations. When the provision pipelines are executed, the system passes the new region to Control Tower to complete the corresponding regional configuration. The steps for governing a new region are as follows:

  1. Log in to the Infrastructure Account in the main region as the role parameter-editor, modify the parameter /prefix/parameter/regions, and append the new region codes, separated by commas, at the end, such as us-west-1;
  2. Log in to the Infrastructure Account in the main region as the role pipeline-approver and publish the initial pipeline;
  3. Monitor the provision state machine in the Step Functions console and wait for all pipelines to complete execution.
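Two of the procedures in this post (enabling Control Tower later by editing /prefix/parameter/baseline/disabled and /cf/services, and governing a new region by appending to /prefix/parameter/regions) come down to editing a comma-separated SSM parameter by hand as the parameter-editor role. The following is an added example, not Cloud Foundations code, that makes those edits idempotent and validates region codes before they are written, so a typo or a duplicate region is caught before the pipeline runs. The `/prefix/` path and the parameter values are taken from the post; `ssm` stands for a boto3 SSM client in real use and is replaced by a constructed stub here, and the `String` parameter type is an assumption.

```python
"""Added example (not Cloud Foundations code): safe edits of the comma-separated
SSM parameters used by the post's procedures. Parameter type is an assumption."""
import re
from typing import Callable, Iterable, List, Optional, Tuple

# Region code shape, e.g. us-west-1, ap-southeast-2, cn-north-1, us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(-[a-z]+)+-\d$")


def _csv(value: str) -> List[str]:
    return [s.strip() for s in value.split(",") if s.strip()]


def edit_csv_parameter(current: str, add: Iterable[str] = (), remove: Iterable[str] = (),
                       validator: Optional[Callable[[str], bool]] = None) -> Tuple[str, List[str]]:
    """Return the new comma-separated value and a change list (+item/-item).

    Order is preserved and the edit is idempotent: re-applying it yields the
    same value and an empty change list. Items failing `validator` raise.
    """
    items = _csv(current)
    changes: List[str] = []
    for item in add:
        if validator and not validator(item):
            raise ValueError(f"rejected value: {item!r}")
        if item not in items:
            items.append(item)
            changes.append(f"+{item}")
    for item in remove:
        if item in items:
            items.remove(item)
            changes.append(f"-{item}")
    return ",".join(items), changes


def govern_regions(current: str, new_regions: Iterable[str]) -> Tuple[str, List[str]]:
    """Step 1 of 'Govern a new region': append region codes to /prefix/parameter/regions."""
    return edit_csv_parameter(current, add=new_regions,
                              validator=lambda r: bool(REGION_RE.match(r)))


def apply_edit(ssm, name: str, add: Iterable[str] = (), remove: Iterable[str] = (),
               validator: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Read, edit and (only if changed) overwrite an SSM parameter; returns the changes."""
    current = ssm.get_parameter(Name=name)["Parameter"]["Value"]
    new_value, changes = edit_csv_parameter(current, add, remove, validator)
    if changes:
        ssm.put_parameter(Name=name, Value=new_value, Type="String", Overwrite=True)
    return changes


if __name__ == "__main__":
    # Constructed values: the region list and the baseline/disabled list from the post.
    print(govern_regions("us-east-1,us-west-2", ["us-west-1"]))
    print(edit_csv_parameter("config,config_rule", remove=["config_rule"]))
```

Because `apply_edit` writes only when the change list is non-empty, re-running an automation job never produces a spurious parameter version, and the returned change list is what you record in the change ticket before publishing the initial or setup pipeline.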

Conclusion

As a managed service for landing zones, Control Tower provides rich and powerful functions for security governance and customized account management in the cloud environment, and many customers choose to enable it by default. Cloud Foundations has always emphasized sound support for important infrastructural services. Based on actual project experience and a summary of deliveries, we have optimized and strengthened the support for Control Tower from deployment to operation and maintenance, especially in creating new and enrolling existing accounts through the Account Factory, governing new regions, and managing controls through the Product Factory. In particular, creating account creation blueprint products through the Product Factory enables deeply customized account configurations, where cloud resources can be flexibly defined and uniformly deployed. In conclusion, most of the core functions of Control Tower can in practice be completed through Cloud Foundations, which further simplifies the operation and maintenance of the cloud environment. By making the control boundary between the two clear, it further assists your efficient, standardized, and secure system governance.

References

  1. Blog post: Use Cloud Foundations Product Factory to plan, design and one-click deploy infrastructural cloud resources such as multi-account access control and permission policies, March 2024
  2. Blog post: Cloud Foundations demo videos part one: from deployment to daily operations, August 2024

Authors

Clement Yuan

Clement Yuan is a Cloud Infra Architect in AWS Professional Services based in Chengdu, China. He works with various customers, from startups to international enterprises, helping them build and implement solutions with state-of-the-art cloud technologies and achieve more in their cloud explorations. He enjoys reading poetry and traveling around the world in his spare time.

Wen Zhou

AWS ProServe Team Delivery Consultant

Yuxin Liu

AWS ProServe Team Pr. Delivery Consultant