Important Note: The solution discussed in this article is applicable only to AWS Landing Zone versions 2.4.5 and lower, as well as AWS Control Tower versions 2.9 and lower. To implement it in newer versions, a distinct IAM password policy template must be utilized for the IamPasswordPolicy baseline, and the deployment target should be changed to the management account for the EnableNotifications baseline in the Customizations for AWS Control Tower manifest.
Organizations transitioning from the AWS Landing Zone solution—designed for scalable multi-account infrastructures—are now moving to AWS Control Tower to leverage enhanced managed services, including improved stability, feature enhancements, and operational efficiency. Those who have relied on the governance controls of AWS Landing Zone for their member accounts might seek to carry over these baselines seamlessly during the transition to AWS Control Tower. Establishing a baseline involves setting up essential blueprints and guardrails necessary to implement governance at the account level from the outset.
As illustrated in Table 1, AWS Control Tower offers most features corresponding to the AWS Landing Zone solution’s baseline through its baseline stacks, guardrails, and account factory, though certain features remain exclusive to AWS Landing Zone.
Table 1. Comparison of AWS Landing Zone and AWS Control Tower Baselines
| AWS Landing Zone Baseline Stack | AWS Control Tower Baseline Stack |
|---|---|
| AWS-Landing-Zone-Baseline-EnableCloudTrail | AWSControlTowerBP-BASELINE-CLOUDTRAIL |
| AWS-Landing-Zone-Baseline-SecurityRoles | AWSControlTowerBP-BASELINE-ROLES |
| AWS-Landing-Zone-Baseline-EnableConfig | AWSControlTowerBP-BASELINE-CLOUDWATCH, AWSControlTowerBP-BASELINE-CONFIG, AWSControlTowerBP-BASELINE-SERVICE-ROLES |
| AWS-Landing-Zone-Baseline-ConfigRole | AWSControlTowerBP-BASELINE-SERVICE-ROLES |
| AWS-Landing-Zone-Baseline-EnableConfigRule | Guardrails – Enable guardrail on OU (AWSControlTowerGuardrailAWS-GR-xxxxx) |
| AWS-Landing-Zone-Baseline-EnableConfigRulesGlobal | Guardrails – Enable guardrail on OU (AWSControlTowerGuardrailAWS-GR-xxxxx) |
| AWS-Landing-Zone-Baseline-PrimaryVPC | Account Factory – Network Configuration |
| AWS-Landing-Zone-Baseline-IamPasswordPolicy | – |
| AWS-Landing-Zone-Baseline-EnableNotifications | – |
The distinct baselines available through AWS Landing Zone include:
- AWS-Landing-Zone-Baseline-IamPasswordPolicy: This utilizes AWS Lambda to set a custom password policy for AWS Identity and Access Management (IAM), covering aspects like minimum password length, expiration periods, complexity requirements, and password history for member accounts.
- AWS-Landing-Zone-Baseline-EnableNotifications: This feature employs Amazon CloudWatch alarms to notify security administrators of significant CloudTrail API activities, such as changes to Security Groups, Network ACLs, and Amazon EC2 instance types.
AWS provides lifecycle events and Customizations for AWS Control Tower, which allow you to add features that AWS Control Tower does not include out of the box. That solution lets you deploy customizations expressed as AWS CloudFormation templates and service control policies (SCPs) to the accounts and organizational units you choose.
This article outlines the process of modifying and deploying code to incorporate AWS Landing Zone-specific baselines, including IamPasswordPolicy and EnableNotifications, into AWS Control Tower through the Customizations for AWS Control Tower framework.
Solution Overview
In compliance with the Customizations for AWS Control Tower package folder structure, adjustments must be made to the AWS Landing Zone IamPasswordPolicy and EnableNotifications templates, parameter files, and manifest files to align them with the AWS Control Tower deployment environment. Once the modified package is uploaded to the source repository, its contents are validated and built by initiating AWS CodePipeline. The specific baseline associated with AWS Landing Zone is then deployed in member accounts through AWS CloudFormation StackSets in the AWS Control Tower management account. When a new or existing account joins AWS Control Tower, the same AWS Landing Zone-specific baseline is automatically applied via the lifecycle event (CreateManagedAccount status is SUCCEEDED).
Figure 1 illustrates how both the default baseline of AWS Control Tower and the specific baseline of AWS Landing Zone are implemented in member accounts.
Implementation Steps
To execute this solution, follow these steps:
- Download and extract the latest version of the AWS Landing Zone Configuration source package, which includes the IamPasswordPolicy and EnableNotifications baselines for AWS Landing Zone environments. If transitioning from AWS Landing Zone to AWS Control Tower, utilize the existing configuration package in your management account.
- Download and extract the Customizations for AWS Control Tower configuration source package.
- Create the required folder structure for templates and parameters in your Customizations for AWS Control Tower configuration source.
- Transfer the IamPasswordPolicy baseline template and parameter files from the AWS Landing Zone configuration source to your Customizations for AWS Control Tower configuration source.
- Open the parameter file (JSON) and adjust the parameter values to align with your organization’s password policy.
- Move the EnableNotifications baseline template and parameter files similarly.
- Update the LogGroupName parameter value in the parameter file (JSON) to reflect the CloudWatch log group name of your AWS Control Tower environment. Decide whether to enable each alarm in the parameter value.
- In the YAML template file, modify the AlarmActions properties of all CloudWatch alarms to link to the appropriate Amazon Simple Notification Service (Amazon SNS) security topic within your AWS Control Tower environment.
- Edit the manifest (YAML) file in the Customizations for AWS Control Tower configuration source to include the updated parameter and template file paths for IamPasswordPolicy and EnableNotifications, as well as the relevant organizational units.
- If you already have customizations deployed through Customizations for AWS Control Tower, do not delete the existing entries in the manifest; append the new resources after them in the resources section.
- Compress the finalized source package and upload it to the source repository of Customizations for AWS Control Tower.
- Verify the outcomes of applying this solution in AWS Control Tower.
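The following is an added example, not code from this article, from AWS, or from the AWS Landing Zone or Customizations for AWS Control Tower packages. It shows how the pieces produced by the steps above fit together: the two manifest entries (v2 manifest schema, `version: 2021-03-15`), one alarm from the EnableNotifications template rewired to the Control Tower security topic, and the matching parameter file. The file paths, OU names, regions, the `Enable*` parameter name, the metric namespace and the filter pattern are assumptions made for this example; `aws-controltower/CloudTrailLogs` is the CloudWatch log group AWS Control Tower (2.9 and lower) creates in each enrolled account, and `aws-controltower-SecurityNotifications` is the per-account SNS topic it creates for security notifications, so confirm both names in your own environment before deploying.

```yaml
# --- manifest.yaml (excerpt; Customizations for AWS Control Tower v2 manifest) ---
# Added example. Paths, OU names and regions are assumptions, not values from the article.
region: us-east-1            # CfCT home region (assumed)
version: 2021-03-15
resources:
  # Keep any resources you already deploy through CfCT above this comment and
  # append the two Landing Zone baselines after them.

  - name: AWS-Landing-Zone-Baseline-IamPasswordPolicy
    description: Landing Zone IAM password policy baseline carried over to Control Tower
    resource_file: templates/aws_baseline/aws-landing-zone-iam-password-policy.template
    parameter_file: parameters/aws_baseline/aws-landing-zone-iam-password-policy.json
    deploy_method: stack_set
    deployment_targets:
      organizational_units:   # OU names exactly as they appear in AWS Organizations (assumed)
        - Security
        - Sandbox
    regions:
      - us-east-1             # the IAM password policy is account-global: one region is enough

  - name: AWS-Landing-Zone-Baseline-EnableNotifications
    description: Landing Zone CloudWatch alarms on notable CloudTrail API activity
    resource_file: templates/aws_baseline/aws-landing-zone-enable-notifications.template
    parameter_file: parameters/aws_baseline/aws-landing-zone-enable-notifications.json
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Security
        - Sandbox
    regions:                  # every region in which Control Tower writes the CloudTrail log group
      - us-east-1
      - us-west-2

---
# --- templates/aws_baseline/aws-landing-zone-enable-notifications.template (excerpt) ---
# One metric filter / alarm pair, reconstructed for this example. The only change
# the migration needs is AlarmActions: it now targets the Control Tower security
# topic that exists in each member account instead of the Landing Zone topic.
Parameters:
  LogGroupName:
    Type: String
    Description: CloudWatch log group that receives this account's CloudTrail events
  EnableSecurityGroupChangeAlarm:     # one Enable* flag per alarm (assumed name)
    Type: String
    AllowedValues: ['true', 'false']
    Default: 'true'
Conditions:
  SecurityGroupChangeAlarmEnabled: !Equals [!Ref EnableSecurityGroupChangeAlarm, 'true']
Resources:
  SecurityGroupChangesMetricFilter:
    Type: AWS::Logs::MetricFilter
    Condition: SecurityGroupChangeAlarmEnabled
    Properties:
      LogGroupName: !Ref LogGroupName
      FilterPattern: >-
        { ($.eventName = AuthorizeSecurityGroupIngress) || ($.eventName = AuthorizeSecurityGroupEgress) ||
        ($.eventName = RevokeSecurityGroupIngress) || ($.eventName = RevokeSecurityGroupEgress) ||
        ($.eventName = CreateSecurityGroup) || ($.eventName = DeleteSecurityGroup) }
      MetricTransformations:
        - MetricNamespace: LandingZoneSecurity     # assumed namespace
          MetricName: SecurityGroupEventCount
          MetricValue: '1'
  SecurityGroupChangesAlarm:
    Type: AWS::CloudWatch::Alarm
    Condition: SecurityGroupChangeAlarmEnabled
    Properties:
      AlarmName: SecurityGroupChanges
      AlarmDescription: Security group created, deleted, or rules changed
      AlarmActions:
        # Control Tower per-account security topic; forwarded to the audit account's aggregate topic
        - !Sub arn:${AWS::Partition}:sns:${AWS::Region}:${AWS::AccountId}:aws-controltower-SecurityNotifications
      Namespace: LandingZoneSecurity
      MetricName: SecurityGroupEventCount
      Statistic: Sum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: GreaterThanOrEqualToThreshold
      TreatMissingData: notBreaching

---
# --- parameters/aws_baseline/aws-landing-zone-enable-notifications.json ---
# CfCT parameter files are JSON; JSON is valid YAML, so the file is shown verbatim.
[
  { "ParameterKey": "LogGroupName", "ParameterValue": "aws-controltower/CloudTrailLogs" },
  { "ParameterKey": "EnableSecurityGroupChangeAlarm", "ParameterValue": "true" }
]
```

The IamPasswordPolicy parameter file uses the same `ParameterKey`/`ParameterValue` list shape, with one entry per policy setting the Landing Zone template exposes (minimum length, maximum age, reuse prevention, complexity flags). Two points worth checking before the pipeline runs: the manifest's `regions` for EnableNotifications must match the regions where the `aws-controltower/CloudTrailLogs` log group actually exists, otherwise the metric filter stack fails in regions without it; and because the alarm ARN is built with `!Sub` from the deploying account and region, the same template works unchanged in every member account the StackSet reaches, including accounts enrolled later through the `CreateManagedAccount` lifecycle event.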