Learn About Amazon VGT2 Learning Manager Chanci Turner
In our work with clients in regulated sectors, a common inquiry arises: “How can we empower local teams to establish AWS Control Tower managed accounts within designated Organizational Units (OUs)?” Customers are eager to utilize the governance frameworks provided by AWS Control Tower to:
- Minimize the burden of routing requests through centralized teams.
- Enable local teams to create accounts in compliance with governance standards without the need for custom coding or additional workflows.
In this article, we’ll explore how to delegate the AWS Control Tower Account Factory to specific segments of your organization. This not only allows local teams to create accounts but also ensures adherence to best practices and foundational governance. Moreover, you can customize the inputs from users requesting accounts, aligning them with your organization’s standards and enhancing your environment’s setup and hygiene.
Prerequisites
Before diving into the implementation, let’s clarify a few essential concepts:
- An AWS Service Catalog product serves as a blueprint for creating the AWS resources you wish to deploy, along with necessary configuration details.
- A portfolio is a collection of products and their related configuration.
- Constraints govern how users can deploy a product. Launch constraints allow you to define a role that AWS Service Catalog can assume to deploy a product.
Solution Overview
We will implement a solution that leverages AWS Service Catalog features in conjunction with AWS Control Tower’s Account Factory.
Walkthrough
Here are the steps we’ll follow:
- Create a customized Account Factory Product by adjusting input parameters to meet specific requirements.
- Attach a Launch Constraint to ensure appropriate permissions are in place.
- Share this tailored Account Factory Product with a designated account—referred to as the “Delegated Account Factory Account.”
- Finally, we will provision an account from the “Delegated Account Factory Account.”
Setup
From the AWS Management Console, navigate to AWS Service Catalog, then select products to locate the AWS Control Tower Account Factory Product. Record the Product ID (e.g., prod-xxxx) and the ID of the Active Product version (e.g., pa-xxxxx).
You can also use AWS CloudShell to obtain these values:
$ aws servicecatalog describe-product --name "AWS Control Tower Account Factory" | jq '.ProductViewSummary.ProductId, .ProvisioningArtifacts[].Id'
With these details, create an AWS Service Catalog portfolio and a product for each OU Administrator. For example, for OU-X-Admin, establish the ou-x-portfolio in AWS Service Catalog.
Next, create an ou-x-product and supply the ProductId and ProvisioningArtifactId of the AWS Control Tower Account Factory you recorded earlier, along with parameters for selecting different OUs.
Sample AWS CloudFormation Template
AWSTemplateFormatVersion: 2010-09-09
Description: AWS Control Tower Account Factory Template for Regional IT
Parameters:
  pAccountName:
    Description: "Account name for the new managed Account."
    Type: String
    AllowedPattern: ".+"
  pAccountEmail:
    Description: "Unique email for each AWS Account."
    Type: String
    # Single quotes: in a YAML double-quoted string "\s" and "\." are invalid escapes.
    AllowedPattern: '[^\s@]+@[^\s@]+\.[^\s@]+'
  pSSOUserFirstName:
    Description: "SSO user first name."
    Type: String
    AllowedPattern: ".+"
  pSSOUserLastName:
    Description: "SSO user last name."
    Type: String
    AllowedPattern: ".+"
  pSSOUserEmail:
    Description: "SSO user email for new SSO user creation."
    Type: String
    AllowedPattern: '[^\s@]+@[^\s@]+\.[^\s@]+'
  pManagedOrganizationalUnit:
    Description: "Account will be added to this registered OU."
    Type: String
    AllowedValues:
      - "Sandbox (ou-3lmc-adi1jf23)"
      - "BusinessUnitX (ou-3lmc-f6w32h77)"
Resources:
  rMyProvisionedProduct:
    Type: "AWS::ServiceCatalog::CloudFormationProvisionedProduct"
    Properties:
      # ProductId and ProvisioningArtifactId of the AWS Control Tower Account Factory
      # product recorded in the Setup step.
      ProductId: prod-4kukrlxf4bw74
      ProvisioningArtifactId: pa-j6czyetl4upog
      ProvisioningParameters:
        - Key: AccountName
          Value:
            Ref: pAccountName
        - Key: AccountEmail
          Value:
            Ref: pAccountEmail
        - Key: SSOUserFirstName
          Value:
            Ref: pSSOUserFirstName
        - Key: SSOUserLastName
          Value:
            Ref: pSSOUserLastName
        - Key: SSOUserEmail
          Value:
            Ref: pSSOUserEmail
        - Key: ManagedOrganizationalUnit
          Value:
            Ref: pManagedOrganizationalUnit
After creating the product, add it to the ou-x-portfolio. Then add two constraints to the new portfolio: a launch constraint that fixes the IAM role AWS Service Catalog uses to provision, and a template constraint that limits which OUs can be selected.
For the IAM role, grant administrator permissions and add this role as a principal on the AWS Control Tower Account Factory portfolio, so that AWS Service Catalog can launch the Account Factory product on the requester's behalf.
The launch constraint specifies which IAM role the AWS Service Catalog product assumes when it is launched from OU-X.
For the template constraint, you can use the text editor to add a rule like the following, which restricts the pManagedOrganizationalUnit parameter to OU-X:
{
  "Rules": {
    "LimitOUX": {
      "Assertions": [
        {
          "Assert": {
            "Fn::Contains": [
              [
                "BusinessUnitX (ou-z319-w9a1x7c5)"
              ],
              {
                "Ref": "pManagedOrganizationalUnit"
              }
            ]
          },
          "AssertDescription": "Accounts provisioned from this portfolio may only be placed in BusinessUnitX"
        }
      ]
    }
  }
}
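To see what the template above and this template constraint actually enforce before sharing the portfolio, the following added example (not code from the original post or from AWS) evaluates a proposed Account Factory request offline against the constraint's Fn::Contains rule and the template's email AllowedPattern. The rule JSON and the parameter values are constructed from the values shown on this page.

```python
"""Offline check of a delegated Account Factory request against a template constraint."""
import json
import re

# Constructed: the template constraint from the post (CloudFormation Rules syntax).
CONSTRAINT = json.loads("""{"Rules": {"LimitOUX": {"Assertions": [{"Assert": {
  "Fn::Contains": [["BusinessUnitX (ou-z319-w9a1x7c5)"],
                   {"Ref": "pManagedOrganizationalUnit"}]},
  "AssertDescription": "Only BusinessUnitX may be selected"}]}}}""")

# Same regex as the template's AllowedPattern; CloudFormation matches the whole value.
EMAIL_PATTERN = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")


def resolve(node, params):
    """Resolve a {"Ref": name} node to the requester's parameter value; literals pass through."""
    if isinstance(node, dict) and "Ref" in node:
        return params[node["Ref"]]
    return node


def evaluate(assertion, params):
    """Evaluate one Assert node. Only Fn::Contains is needed for this constraint."""
    fn = assertion["Assert"]
    if "Fn::Contains" in fn:
        allowed, value = fn["Fn::Contains"]
        return resolve(value, params) in [resolve(a, params) for a in allowed]
    raise ValueError(f"unsupported intrinsic: {list(fn)}")


def violations(rules, params):
    """Return the AssertDescription of every failed assertion (empty list means allowed)."""
    failed = []
    for name, rule in rules["Rules"].items():
        for assertion in rule["Assertions"]:
            if not evaluate(assertion, params):
                failed.append(f"{name}: {assertion['AssertDescription']}")
    return failed


def check_request(params, rules=CONSTRAINT):
    """Combine the template's email validation with the portfolio's template constraint."""
    problems = []
    for key in ("pAccountEmail", "pSSOUserEmail"):
        if not EMAIL_PATTERN.fullmatch(params.get(key, "")):
            problems.append(f"{key}: does not match AllowedPattern")
    problems.extend(violations(rules, params))
    return problems
```

A request that selects the Sandbox OU is rejected by the constraint even though Sandbox is one of the template's AllowedValues, which is the point of layering the template constraint on the delegated portfolio.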
Share the portfolio with the account responsible for OU-X Administration, providing the product ID for import. At this juncture, the OU-X Administrator can launch the Account Factory product from AWS Service Catalog and provision accounts in OU-X based on the constraints set.
Don’t forget to share the AWS Single Sign-On (AWS SSO) User Portal URL with your OU-X Admin, enabling them to log in using AWS SSO to provision AWS accounts in their OU. This URL can be found in the AWS SSO Dashboard under Settings Summary.