Landing Zone
Overview
The Landing Zone component is focused on creating an initial best-practice AWS multi-account setup
Extending AWS Control Tower
Gruntwork's suggested Landing Zone / Account Factory builds on AWS Control Tower to add important new functionality.
What is AWS Control Tower?
AWS Control Tower helps you set up and govern AWS accounts, and gives you a centralized way to manage compliance and configuration across your AWS accounts. But Control Tower is fundamentally a Platform-as-a-Service (PaaS) paradigm where you use "ClickOps" to create and configure AWS accounts. That stands in contrast to the vision behind IaC tools like Terraform, which are built on the philosophy that all Cloud resources are described in code. It can also be challenging to customize Control Tower and maintain it over time.
Additional functionality
Gruntwork's Account Factory directly addresses these limitations by extending Control Tower with the following functionality:
- Configure and customize new AWS accounts using Terraform/OpenTofu
- Via the Gruntwork Account Factory:
- Have all new AWS accounts meet the CIS AWS Foundations Benchmark out of the box
- (Via Gruntwork Account Factory) Request new AWS accounts using a simple YAML file, GitHub Actions, or any system that can trigger a GitHub Action (e.g. ServiceNow)
- Review and customize all new AWS account requests using GitHub Pull Request functionality
- Define a customized account baseline unique to your organization
- Enable AWS account baselines to stay up to date automatically using Patcher
Prerequisites
The first step to using Gruntwork Account Factory is to use AWS Control Tower to create a new multi-account setup, which requires that you meet the following prerequisites:
-
A new AWS Account and a user with administrator permissions. (We recommend using an IAM user with admin permissions rather than the root user)
infoThis account will become the root of your multi-account setup after enabling Control Tower.
-
Three new unique email addresses for your logs, shared, and security (audit) accounts. It's important to note that these email addresses cannot be already associated with an AWS root login. "+" emails are acceptable, such as root+logs@acme.com, root+security@acme.com etc.
-
A home region selection where your Control Tower configuration will reside.
cautionYour home Region is the AWS Region in which you'll run most of your workloads or store most of your data. It cannot be changed after you've set up your AWS Control Tower landing zone. For more information about how to choose a home Region, see Administrative tips for landing zone setup.
-
A KMS Key for encrypting Control Tower Resources with a suitable permissions policy
Step by Step Instructions to create the Control Tower KMS Key
infoFor more help setting up KMS see the AWS docs: Guidance for KMS keys
-
Logged in as an admin user, navigate to KMS in your root AWS account to create KMS Keys
-
Ensure you are in your home region and click Create Key
-
Configure a key with the default parameters (shown in screenshot below)
Screenshot
KMS Key Defaults
-
Give the key a descriptive alias like
control_tower_key
Screenshot
KMS Key Alias
-
Select your admin user as a key administrator
-
Select your admin user as a key user
-
Click Finish to create the key
-
-
On the next screen, find the key you just created and click on it to edit the following:
-
In the key policy tab, click edit
Screenshot
Edit Key Policy
-
Add the following config policy statement to the list of Statements, replacing
YOUR-HOME-REGION
,YOUR-MANAGEMENT-ACCOUNT-ID
andYOUR_KMS_KEY_ID
with values from your own account.{
"Sid": "Allow Config to use KMS for encryption",
"Effect": "Allow",
"Principal": {
"Service": "config.amazonaws.com"
},
"Action": ["kms:Decrypt", "kms:GenerateDataKey"],
"Resource": "arn:aws:kms:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:key/YOUR-KMS-KEY-ID"
} -
Add the following CloudTrail policy statement to the list of Statements, replacing
YOUR-HOME-REGION
,YOUR-MANAGEMENT-ACCOUNT-ID
andYOUR_KMS_KEY_ID
with values from your own account.{
"Sid": "Allow CloudTrail to use KMS for encryption",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
"Resource": "arn:aws:kms:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:key/YOUR-KMS-KEY-ID",
"Condition": {
"StringEquals": {
"aws:SourceArn": "arn:aws:cloudtrail:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:trail/aws-controltower-BaselineCloudTrail"
},
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:YOUR-MANAGEMENT-ACCOUNT-ID:trail/*"
}
}
}
-
-
Click Save Changes
-
Configure Control Tower
Setting up control tower for the first time can take over an hour to complete, most of that time will be spent waiting on Control Tower Operations at the conclusion of the setup flow.
Start Control Tower Setup
-
Sign in to the AWS management console with your administrator user credentials.
-
Navigate to the AWS Control Tower console.
-
Verify that you are working in your desired home Region.
Your home Region is the AWS Region in which you'll run most of your workloads or store most of your data. It cannot be changed after you've set up your AWS Control Tower landing zone. For more information about how to choose a home Region, see Administrative tips for landing zone setup.
- Click Set up landing zone.
Review pricing and select Regions
-
Under Region deny setting select Enabled
- This ensures Control Tower policies and controls are unable to be bypassed by using a non-governed region
-
Under Select additional Regions for governance select all regions where you plan to operate.
Screenshot
Region Selections
-
Click Next to continue
Configure Organizational Units (OUs)
-
Rename the "Additional OU" to "Pre-prod" (Note the casing of the name here).
Screenshot
Configure Organizational Units
-
Click Next to continue.
Configure shared accounts
-
Under Logs archive account Enter an email address and rename the
Logs Archive
account toLogs
-
Under Audit account Enter an email address and rename the
Audit
account toSecurity
cautionAccount names cannot be changed after setting up the landing zone. Ensure the accounts are named appropriately.
Screenshot
Configure Shared Accounts
-
Click Next to continue
Additional configurations
-
Ensure your settings match the screenshot below (These are the defaults)
Screenshot
Additional Configuration
-
Under KMS Encryption Check the box for
Enable and customize encryption settings
-
Select the KMS Key you created following the guide in prerequisites above.
-
Click Next to continue
Finish Control Tower Setup
Control Tower Creation will take around an hour to complete
-
Review your choices and check the box accepting permissions at the bottom of the screen
-
Choose Set up landing zone.
-
Setting up the landing zone can take up to one hour. You will see a notification like the one below with the estimated time it will take for all the resources to be created.
Landing Zone Setup Status
tipYou can safely close your browser tab once you see this notice. The setup process will proceed unaffected in the background.
-
Emails will be sent out as the accounts are being created and the Root user will be invited to sign in using the AWS IAM Identity Center and designated the Control Tower Admin. Once the invite is accepted; the Root user will be able to access 3 accounts; Root, Logs, and Security using Identity Center's Access Portal URL contained in the email invite.
Root User's Access Portal
Post Setup Configuration
Now that Control Tower is enabled in your root account, there are a few configuration changes that need to be made to prepare for Gruntwork Account Factory.
-
Turn off the default VPC created for new accounts. Gruntwork VPCs will be created for each account using terraform.
-
Create a Shared account in a Prod OU
-
Navigate to the AWS Control Tower Organization Dashboard
-
Choose Create Resources and select
Create organizational unit
. -
Create a Prod OU. Select the Root OU as the Parent OU when prompted. Each OU registration takes a couple of minutes.
-
Choose Create Resources again and select
Create account
-
Name the account
Shared
, use the shared email address from the Prerequisites, and set the Organizational Unit toProd
tipThe shared account is meant to house resources shared with all other accounts. Examples might include KMS Keys, AMIs, or ECR repositories.
-
Grant your IAM Identity Center user access to the
Shared
account-
Navigate to IAM Identity Center, then click AWS accounts under Multi-account permissions in the side menu
-
Select the
Shared
account from theProd
OU dropdown and click Assign users or groups -
Switch to the
Users
tab, select your management user from the list and click Next -
Select
AWSAdministratorAccess
from the list of Permission Sets, then click Next -
Click
Submit
to finish assigning access to your user
-
-
Next Steps
Control Tower is now configured! Next you should consider:
- Configuring IAM Identity Center for Access Control.
- Configuring any controls or SCPs your organization requires.
- Set up Gruntwork Pipelines
- Set up Gruntwork Account Factory