Amazon Onboarding with Learning Manager Chanci Turner

In my experience, many customers want to evaluate their existing AWS accounts against AWS Control Tower’s detective guardrails before bringing those accounts under Control Tower governance. Now that AWS Control Tower can be launched in an existing AWS Organization, and existing accounts can be enrolled into Control Tower governance, it is worth understanding how the Control Tower guardrails will report on an account before you extend governance to it.

In this post, I will explain how to use an AWS Config conformance pack to evaluate your existing accounts against the AWS Control Tower detective guardrails, so you can see which resources would be reported as non-compliant before you enroll those accounts in AWS Control Tower. I will also show how to trim the conformance pack to a chosen subset of detective guardrails for your unenrolled accounts, and how to use the conformance pack to evaluate resources in accounts in Regions where AWS Control Tower is not deployed.

Background

Upon activating AWS Control Tower within an existing AWS Organization, new Organizational Units (OUs) created through Control Tower automatically inherit all mandatory Control Tower guardrails. However, accounts established prior to deploying AWS Control Tower remain unmanaged by Control Tower.

Such accounts must be explicitly enrolled in AWS Control Tower. For guidance on this process, please refer to the blog linked here. Enrolling an account into AWS Control Tower introduces baselines and additional guardrails to facilitate ongoing governance over your existing AWS accounts. However, it’s essential to conduct thorough due diligence before proceeding with enrollment. For further details, see the Things to Consider section below.

Here’s a brief overview of some key terms used in this post:

  • AWS Config Conformance Packs: Collections of AWS Config rules and remediation actions that can be deployed as a single unit within an account and a Region, or across an organization in AWS Organizations.
  • Unregistered OU: An organizational unit created directly in AWS Organizations that AWS Control Tower does not govern.
  • Unenrolled Account: An AWS account in the Organization that is not governed by AWS Control Tower, typically one created before AWS Control Tower was deployed.
  • Registered OU: An organizational unit that AWS Control Tower governs, created through Control Tower.
  • AWS Account Factory Account: An AWS account provisioned using the Account Factory feature in AWS Control Tower.

Things to Consider

Before enrolling an existing AWS account into AWS Control Tower, you must move the account from an unregistered OU (or from the root of the Organization) into a registered OU. You also need to know what resources are running in the account. Deploying the conformance pack shows you how those resources would be evaluated against the AWS Control Tower guardrails, so you can see the impact before you enroll.

Prerequisites

To begin, follow the instructions in this blog post to enable AWS Config in the Region where most of your account resources are located. AWS Config rules only evaluate resources in the Region where the pack is deployed, so repeat the deployment in every Region that holds resources you care about. When you reach the step titled “Deploying your first conformance pack,” continue with the steps below.

Deploying the AWS Control Tower Guardrails Conformance Pack

  1. Download the AWS Control Tower Guardrails conformance pack to your local machine.
  2. Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
  3. Navigate to the Conformance packs page and select Deploy conformance pack.
  4. On the Specify template page, choose either a sample template or an existing template.
    • If you select “Template is ready,” specify the template source as “Upload a template file.” If your template exceeds 50 KB, upload it to an S3 bucket and select that location (e.g., s3://bucketname/prefix).
  5. Click Next.
  6. On the Specify conformance pack details page, enter a name for your conformance pack. The name must be unique and can contain a maximum of 256 alphanumeric characters, including hyphens, but no spaces.
  7. Select the option to “Create an S3 bucket” ensuring the name begins with awsconfigconforms. Include your account number to guarantee uniqueness, for example: awsconfigconforms-012345678901.
  8. Click Next.
  9. On the Review and deploy page, review all information; you can edit the template and conformance pack details if necessary by choosing Edit.
  10. Click Deploy conformance pack. AWS Config will then list the conformance pack on the Conformance packs page with its deployment status. If the deployment fails, check your permissions (including write access to the delivery bucket), verify the prerequisite steps, and try again. If it still fails, contact AWS Support.
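The same deployment can be driven through the AWS Config API, which is the practical route when you need the pack in several accounts and Regions. The following is an added example written for this post, not code from the original article or from AWS; it uses the real PutConformancePack and DescribeConformancePackStatus operations via boto3, but the pack name, account ID and S3 URI in the usage are assumptions. It applies the same rules the console enforces above: the pack name format, the 50 KB inline-template limit, and the awsconfigconforms-prefixed delivery bucket, which must already exist.

```python
"""Deploy an AWS Config conformance pack through the API and wait for it to finish.

boto3 is imported inside deploy_pack() so the validation helpers work (and can
be tested) without AWS credentials. The delivery bucket is assumed to exist.
"""
import re
import time

INLINE_TEMPLATE_LIMIT = 51200          # PutConformancePack TemplateBody cap (50 KB)
DELIVERY_BUCKET_PREFIX = "awsconfigconforms"
# Letters, digits and hyphens, no spaces, at most 256 characters;
# the API pattern also requires the name to start with a letter.
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{0,255}$")


def validate_pack_name(name: str) -> str:
    """Reject names the service would refuse before making any API call."""
    if not _NAME_RE.match(name):
        raise ValueError(f"invalid conformance pack name: {name!r}")
    return name


def delivery_bucket_name(account_id: str) -> str:
    """Build the delivery bucket name, e.g. awsconfigconforms-012345678901."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError("account_id must be a 12-digit AWS account ID")
    return f"{DELIVERY_BUCKET_PREFIX}-{account_id}"


def template_source(template_text: str, s3_uri: str = "") -> dict:
    """Pass the template inline if it fits, otherwise require an S3 location."""
    size = len(template_text.encode("utf-8"))
    if size <= INLINE_TEMPLATE_LIMIT:
        return {"TemplateBody": template_text}
    if not s3_uri:
        raise ValueError(
            f"template is {size} bytes (> {INLINE_TEMPLATE_LIMIT}); "
            "upload it to S3 and pass s3_uri"
        )
    return {"TemplateS3Uri": s3_uri}


def deploy_pack(pack_name, template_text, account_id, region,
                s3_uri="", poll_seconds=15, timeout=900):
    """Create the pack and poll until CREATE_COMPLETE; raise on CREATE_FAILED."""
    import boto3  # imported here so the helpers above need no AWS access

    config = boto3.client("config", region_name=region)
    request = {
        "ConformancePackName": validate_pack_name(pack_name),
        "DeliveryS3Bucket": delivery_bucket_name(account_id),
        **template_source(template_text, s3_uri),
    }
    config.put_conformance_pack(**request)

    deadline = time.time() + timeout
    while time.time() < deadline:
        status = config.describe_conformance_pack_status(
            ConformancePackNames=[pack_name]
        )
        details = status.get("ConformancePackStatusDetails", [])
        if details:
            state = details[0]["ConformancePackState"]
            if state == "CREATE_COMPLETE":
                return details[0]
            if state == "CREATE_FAILED":
                reason = details[0].get("ConformancePackStatusReason", "")
                raise RuntimeError(f"deployment of {pack_name} failed: {reason}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"{pack_name} did not finish deploying within {timeout}s")


if __name__ == "__main__":
    # Assumed names: adjust the pack name, template path, account and Region.
    with open("ControlTowerGuardrails.yaml", encoding="utf-8") as fh:
        body = fh.read()
    print(deploy_pack("ControlTowerGuardrails", body, "012345678901", "us-east-1"))
```

Run it once per account and Region you want evaluated; the status loop surfaces CREATE_FAILED with the service's reason instead of leaving you to find it in the console.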

Reviewing Resource Status in the AWS Config Dashboard

  1. Sign in to the AWS Management Console and navigate to the AWS Config console at https://console.aws.amazon.com/config/.
  2. In the AWS Management Console menu, ensure the Region selector is set to a Region that supports AWS Config rules. For a list of supported Regions, refer to the AWS Config Regions and Endpoints in the Amazon Web Services General Reference.
  3. In the navigation pane, select Rules. The Rules page will display your rules and the compliance status for each.
  4. Select a rule from the list.
  5. In the navigation pane, click Resources. The Resources page will show your resources and their compliance status.

You can now assess the compliance status of your resources against each AWS Control Tower guardrail (rule). This shows you how many non-compliant resources exist in each Region of your existing accounts. At this point, you must decide how to proceed. Be aware that these non-compliant resources will appear in the AWS Control Tower dashboard as soon as you enroll the account. You can either remediate all non-compliant resources first, or enroll the account knowing that these findings will be reported.
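The console shows compliance one rule at a time. For a per-account, per-Region picture it is easier to pull the evaluations through the API and group them by guardrail. The following is an added example written for this post, not code from the original article or from AWS; it uses the real GetConformancePackComplianceDetails operation and its ConformancePackRuleEvaluationResults response shape, but the pack name, Region and the sample evaluations are constructed for illustration, and the rule names other than CheckForEbsOptimizedInstance are made up.

```python
"""Group a conformance pack's NON_COMPLIANT evaluations by guardrail.

boto3 is imported inside fetch_evaluations() so summarize() and report() can
run (and be tested) against the constructed sample below without AWS access.
"""
from collections import defaultdict


def summarize(evaluations):
    """Map each ConfigRuleName to its non-compliant (resource_type, resource_id) pairs.

    `evaluations` is a list of ConformancePackRuleEvaluationResults items as
    returned by GetConformancePackComplianceDetails. Order is first-seen.
    """
    by_rule = defaultdict(list)
    for item in evaluations:
        if item.get("ComplianceType") != "NON_COMPLIANT":
            continue
        qualifier = item["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        by_rule[qualifier["ConfigRuleName"]].append(
            (qualifier["ResourceType"], qualifier["ResourceId"])
        )
    return dict(by_rule)


def total_findings(summary):
    """Number of non-compliant resources across all rules."""
    return sum(len(resources) for resources in summary.values())


def report(summary):
    """Render the summary as text lines, rules with the most findings first."""
    lines = []
    ordered = sorted(summary.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    for rule, resources in ordered:
        lines.append(f"{rule}: {len(resources)} non-compliant")
        for resource_type, resource_id in resources:
            lines.append(f"  {resource_type} {resource_id}")
    return lines


def fetch_evaluations(pack_name, region, compliance_type="NON_COMPLIANT"):
    """Page through GetConformancePackComplianceDetails for one pack in one Region."""
    import boto3  # imported here so the pure functions above need no AWS access

    config = boto3.client("config", region_name=region)
    kwargs = {
        "ConformancePackName": pack_name,
        "Filters": {"ComplianceType": compliance_type},
    }
    results = []
    while True:
        page = config.get_conformance_pack_compliance_details(**kwargs)
        results.extend(page.get("ConformancePackRuleEvaluationResults", []))
        token = page.get("NextToken")
        if not token:
            return results
        kwargs["NextToken"] = token


def _evaluation(rule, resource_type, resource_id, compliance):
    """Build one evaluation item in the API's response shape (constructed data)."""
    return {
        "ComplianceType": compliance,
        "EvaluationResultIdentifier": {
            "EvaluationResultQualifier": {
                "ConfigRuleName": rule,
                "ResourceType": resource_type,
                "ResourceId": resource_id,
            }
        },
    }


# Constructed sample standing in for a real API response.
SAMPLE_EVALUATIONS = [
    _evaluation("CheckForEbsOptimizedInstance", "AWS::EC2::Instance", "i-0a1b2c3d4e5f60001", "NON_COMPLIANT"),
    _evaluation("CheckForEbsOptimizedInstance", "AWS::EC2::Instance", "i-0a1b2c3d4e5f60002", "COMPLIANT"),
    _evaluation("CheckForRdsPublicAccess", "AWS::RDS::DBInstance", "legacy-db-1", "NON_COMPLIANT"),
    _evaluation("CheckForEbsOptimizedInstance", "AWS::EC2::Instance", "i-0a1b2c3d4e5f60003", "NON_COMPLIANT"),
]


if __name__ == "__main__":
    # Swap SAMPLE_EVALUATIONS for fetch_evaluations("ControlTowerGuardrails", "us-east-1")
    # once the pack (assumed name) is deployed in that Region.
    print("\n".join(report(summarize(SAMPLE_EVALUATIONS))))
```

Because each Config rule, and therefore each pack, is Regional, run fetch_evaluations once per Region and keep the per-Region summaries separate; that matches how the findings will later be shown per Region in the Control Tower dashboard.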

Creating Your Own Guardrails Conformance Pack

The AWS Control Tower detective guardrails conformance pack contains every AWS Config rule-based guardrail in AWS Control Tower. If you only want to check the resources in your accounts against the specific guardrails you intend to apply to the governed OU, you can trim the pack to that subset. The snippet below, taken from the template, shows that a conformance pack template is simply a YAML document in CloudFormation syntax whose Resources block holds one AWS::Config::ConfigRule entry per guardrail. To build a reduced pack, delete the resource block for each rule you don’t require and keep the rest; the remaining rules need no changes.

Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE   # AWS managed rule ebs-optimized-instance
      Scope:
        ComplianceResourceTypes:
          - AWS::EC2::Instance
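Deleting blocks by hand from a template with dozens of rules is error-prone, and a mistyped rule name silently leaves a guardrail out. The following is an added example written for this post, not code from the original article or from AWS; it trims a pack template to a named allow-list of rules by splitting the Resources block on its two-space-indented logical IDs (the flat layout the snippet above shows), and fails if any requested rule is not in the template. The sample template embedded below is constructed for the example: CheckForEbsOptimizedInstance is from the page, the other two logical IDs are made up, though their SourceIdentifier values are real managed rules. It needs no YAML library.

```python
"""Trim a conformance pack template to a chosen subset of its Config rules.

Works on the text directly: every entry directly under "Resources:" starts at
two-space indentation, so the template is split on those lines. Rules can be
named by ConfigRuleName or by logical ID.
"""
import re

_RESOURCE_START = re.compile(r"^  ([A-Za-z0-9]+):\s*$")       # "  LogicalId:"
_RULE_NAME = re.compile(r"^\s*ConfigRuleName:\s*(\S+)\s*$", re.MULTILINE)
_TOP_LEVEL_KEY = re.compile(r"^[A-Za-z]")                       # next 0-indent section


def split_template(template_text):
    """Return (header, {logical_id: block}, trailer).

    header  = everything up to and including the "Resources:" line
    blocks  = each resource's lines keyed by logical ID, in file order
    trailer = any top-level section that follows the Resources block
    """
    header, blocks, trailer = [], {}, []
    current, current_lines, section = None, [], "header"
    for line in template_text.splitlines(keepends=True):
        if section == "header":
            header.append(line)
            if line.rstrip() == "Resources:":
                section = "resources"
            continue
        if section == "resources":
            if _TOP_LEVEL_KEY.match(line):
                section = "trailer"                 # fall through to trailer
            else:
                started = _RESOURCE_START.match(line)
                if started:
                    if current is not None:
                        blocks[current] = "".join(current_lines)
                    current, current_lines = started.group(1), [line]
                elif current is not None:
                    current_lines.append(line)
                else:
                    header.append(line)             # blanks/comments before first rule
                continue
        trailer.append(line)
    if current is not None:
        blocks[current] = "".join(current_lines)
    if not blocks:
        raise ValueError("no resources found under Resources:")
    return "".join(header), blocks, "".join(trailer)


def _name_of(logical_id, block):
    match = _RULE_NAME.search(block)
    return match.group(1) if match else logical_id


def list_rules(template_text):
    """ConfigRuleName of every rule in the template, in file order."""
    _, blocks, _ = split_template(template_text)
    return [_name_of(lid, block) for lid, block in blocks.items()]


def select_rules(template_text, keep):
    """Return a copy of the template containing only the rules in `keep`.

    Raises KeyError if a requested name matches nothing, so a typo cannot
    silently drop a guardrail you meant to evaluate.
    """
    header, blocks, trailer = split_template(template_text)
    wanted, matched, kept = set(keep), set(), []
    if not wanted:
        raise ValueError("keep must name at least one rule")
    for logical_id, block in blocks.items():
        hits = wanted & {logical_id, _name_of(logical_id, block)}
        if hits:
            matched |= hits
            kept.append(block)
    missing = wanted - matched
    if missing:
        raise KeyError(f"rules not found in template: {sorted(missing)}")
    return header + "".join(kept) + trailer


# Constructed sample template modelled on the snippet above.
SAMPLE_TEMPLATE = """\
Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Description: Disallow launch of EC2 instance types that are not EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
  CheckForRootMfa:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRootMfa
      Description: Constructed rule for this example
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
  CheckForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForS3PublicRead
      Description: Constructed rule for this example
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
"""


if __name__ == "__main__":
    trimmed = select_rules(SAMPLE_TEMPLATE, ["CheckForEbsOptimizedInstance", "CheckForS3PublicRead"])
    print(trimmed)
```

Write the returned text to a new file and deploy that as the pack; run list_rules on the result first and compare it with the guardrails you plan to enable on the OU, so the pre-enrollment check covers exactly the rules that will later be enforced.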
