Amazon VGT2 Las Vegas: Enrolling Existing AWS Accounts into AWS Control Tower

Originally published on April 21, 2020, and updated in August 2020 with new prechecks for the account enrollment script. Revised on April 8, 2021, to reflect modifications in the AWS Organizations service. The latest update on September 29, 2022, introduced the capability to enroll existing accounts or register an organizational unit directly from the AWS Control Tower console. This guide is also applicable for programmatic account enrollment.

Since the introduction of AWS Control Tower, users have asked to deploy it within their existing AWS Organizations and extend its governance to the accounts already there. We are pleased to announce that AWS Control Tower can now be deployed in an established AWS Organization. Accounts that existed before AWS Control Tower was deployed, referred to as unenrolled accounts, are not governed by AWS Control Tower automatically; they must be enrolled explicitly.

When you enroll an account in AWS Control Tower, it applies baselines and additional guardrails to ensure ongoing governance over your existing AWS accounts. However, it is crucial to undertake thorough due diligence before proceeding with the enrollment. Please refer to the “Things to Consider” section below for more information.

In this post, I will guide you on how to programmatically enroll your existing AWS accounts and those within unregistered organizational units (OUs) into AWS Control Tower.

Background

Let’s review some key terms referenced in this article:

  • The enrollment script (enroll_script.py) is the Python script discussed here; it calls several AWS services to identify, validate, and enroll existing unmanaged accounts into AWS Control Tower.
  • An unregistered organizational unit (OU) is an OU created in AWS Organizations that is not managed by AWS Control Tower.
  • An unenrolled account is an AWS account created outside AWS Control Tower (for example, before it was set up) and therefore not yet under its governance.
  • A registered organizational unit (OU) is an OU created through, and managed by, AWS Control Tower.
  • An AWS Account Factory account is an AWS account provisioned with the Account Factory feature of AWS Control Tower.
  • Amazon Elastic Compute Cloud (Amazon EC2) provides secure, resizable compute capacity in the cloud; here it hosts the long-running enrollment session.
  • AWS Service Catalog centrally manages commonly deployed IT services. Account Factory is implemented as a Service Catalog product, which is how it provisions new AWS accounts.
  • AWS Organizations provides central governance as you scale your workloads on AWS.
  • AWS Single Sign-On (AWS SSO) centralizes access management across multiple AWS accounts, giving users single sign-on access to all their assigned accounts from one place.

Things to Consider

Enrolling an existing AWS account into AWS Control Tower moves an unenrolled account into a registered OU. The Python script automates that move, but it knows nothing about the workloads running in the account, so it assumes you have validated the services in the account before running it.

Here are several guidelines to consider before enrolling accounts into AWS Control Tower:

  1. An AWSControlTowerExecution role must exist in every account being enrolled. If you use the provided script, it creates the role for you.
  2. If AWS Config was previously enabled in the account, a default configuration recorder and delivery channel exist. AWS Control Tower deploys its own, so you must delete them before the account can be enrolled.
  3. Enroll development or staging accounts first, so that you learn about dependencies and side effects in a low-risk environment.
  4. Create a new OU in AWS Control Tower and leave any optional guardrails disabled until enrollment completes; then enable guardrails one at a time to assess their impact.
  5. You can also apply AWS Control Tower's detective guardrails to an existing account before moving it under AWS Control Tower governance. For instructions, see the blog post on extending AWS Control Tower governance using AWS Config Conformance Packs.

Prerequisites

Before enrolling an existing AWS account into AWS Control Tower, check the prerequisites in the AWS Control Tower documentation. The Python script discussed here can enroll every account in an unregistered OU, or a single account identified by either its email address or its account ID.

There are several points to note about this solution:

  • Trusted access for AWS CloudFormation StackSets must be enabled in AWS Organizations; the script relies on it to create the role in member accounts.
  • The email address of the AWS account becomes the AWS SSO user name; the user is created with the default first name "Admin" and last name "User".
  • When you enroll a whole OU, the script creates the AWSControlTowerExecution role in every account of that OU.
  • When you enroll a single account that sits in an unregistered OU, the script checks for the AWSControlTowerExecution role in that account; if it is missing, the role is created in all accounts of that OU.
  • Accounts that sit directly under the organization root can only be enrolled one at a time, and by default they cannot be enrolled at all: creating the role there requires an additional flag that launches the role-creation stack set across the entire organization. When you enroll a single root-level account, the script prompts for that flag.
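To make the checks in "Things to Consider" and the notes above concrete, here is an added example (not the enroll_script.py from the original post) that runs the three pre-enrollment checks for a single account: where it sits in the organization, whether the management account can assume AWSControlTowerExecution there, and whether an AWS Config recorder or delivery channel already exists in the home Region. The clients are injected so the logic runs offline against the small fakes at the bottom; `make_boto3_config_client`, the `FakeClient` class, the `root_flag` parameter and every account and OU ID are this example's own assumptions, not the script's interface.

```python
"""Pre-enrollment checks for one existing AWS account.

Added example, not the enroll_script.py from the original post. It checks the
three conditions the post says block an enrollment: where the account sits in
the organization, whether AWSControlTowerExecution can be assumed there, and
whether an AWS Config recorder or delivery channel already exists in the home
Region. Clients are injected so it runs offline with the fakes at the bottom;
pass boto3 clients for a real run. All IDs are placeholders.
"""
from dataclasses import dataclass, field

ROLE_NAME = "AWSControlTowerExecution"


@dataclass
class PrecheckResult:
    account_id: str
    parent_type: str = None          # "ROOT" or "ORGANIZATIONAL_UNIT"
    role_assumable: bool = False
    config_recorders: list = field(default_factory=list)
    delivery_channels: list = field(default_factory=list)
    blockers: list = field(default_factory=list)

    @property
    def ready(self):
        return not self.blockers


def aws_error_code(exc):
    # botocore's ClientError carries the AWS error code at
    # exc.response["Error"]["Code"]; FakeClientError below mimics that shape.
    return getattr(exc, "response", {}).get("Error", {}).get("Code") or type(exc).__name__


def run_prechecks(account_id, home_region, orgs, sts, config_client_factory, root_flag=False):
    result = PrecheckResult(account_id)

    # 1. Position in the organization. An account directly under the root can only
    #    be enrolled on its own, and creating the role there needs the explicit
    #    organization-wide stack set (root_flag stands in for the script's flag).
    parents = orgs.list_parents(ChildId=account_id)["Parents"]
    result.parent_type = parents[0]["Type"] if parents else None
    if result.parent_type == "ROOT" and not root_flag:
        result.blockers.append("account sits under the organization root; set root_flag "
                               "to deploy the role-creation stack set organization-wide")

    # 2. Can the management account assume AWSControlTowerExecution in the account?
    role_arn = f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"
    try:
        creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="ct-enroll-precheck")["Credentials"]
        result.role_assumable = True
    except Exception as exc:  # botocore ClientError in a real run
        result.blockers.append(f"cannot assume {ROLE_NAME} in {account_id}: {aws_error_code(exc)}")
        return result  # nothing in the account can be inspected without the role

    # 3. Existing AWS Config recorder / delivery channel in the home Region. Control
    #    Tower deploys its own, so these must be deleted before enrollment.
    cfg = config_client_factory(home_region, creds)
    result.config_recorders = [r["name"] for r in cfg.describe_configuration_recorders()["ConfigurationRecorders"]]
    result.delivery_channels = [d["name"] for d in cfg.describe_delivery_channels()["DeliveryChannels"]]
    if result.config_recorders or result.delivery_channels:
        result.blockers.append(f"delete AWS Config recorder(s) {result.config_recorders} and delivery "
                               f"channel(s) {result.delivery_channels} in {home_region} first")
    return result


def make_boto3_config_client(region, creds):
    """Factory for real runs: AWS Config client on the assumed-role credentials."""
    import boto3  # imported lazily so the offline demo does not need it
    return boto3.client("config", region_name=region,
                        aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


# ---- Offline fakes: constructed responses, not captured from a real account ----
class FakeClient:
    """Returns a canned response per API name, or raises it if it is an exception."""
    def __init__(self, **responses):
        self.responses = responses

    def __getattr__(self, api):
        def call(**_kwargs):
            value = self.responses[api]
            if isinstance(value, Exception):
                raise value
            return value
        return call


class FakeClientError(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.response = {"Error": {"Code": code}}


FAKE_CREDS = {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "x", "SessionToken": "y"}

if __name__ == "__main__":
    orgs = FakeClient(list_parents={"Parents": [{"Id": "ou-ab12-11111111", "Type": "ORGANIZATIONAL_UNIT"}]})
    sts = FakeClient(assume_role={"Credentials": FAKE_CREDS})
    config = FakeClient(describe_configuration_recorders={"ConfigurationRecorders": [{"name": "default"}]},
                        describe_delivery_channels={"DeliveryChannels": [{"name": "default"}]})
    res = run_prechecks("111122223333", "us-east-1", orgs, sts, lambda region, creds: config)
    print("ready" if res.ready else "blocked:", *res.blockers, sep="\n  ")
```

In a real run, pass `boto3.client("organizations")`, `boto3.client("sts")` and `make_boto3_config_client` from the management account using the AWSAdministratorAccess credentials described below; a result with `ready == False` lists exactly what to fix before launching the Account Factory product, and a missing role is reported before any in-account check is attempted.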

How it Works

The following steps, summarized in the solution overview diagram, describe how the solution works:

  1. From your AWS Control Tower environment, connect to an Amazon EC2 instance running in the management account, in the AWS Control Tower home Region.
  2. Obtain temporary credentials for the AWSAdministratorAccess permission set from the AWS SSO sign-in page and export them in that session.
  3. Download and run the enroll_script.py script.
  4. The script creates the AWSControlTowerExecution role in the target accounts with a CloudFormation stack set that uses service-managed permissions and automatic deployments.
  5. After validating the role and the OUs given as input, the script launches a new Account Factory product for the account.
  6. Enrollment creates an AWS SSO user with the same email address as the AWS account.
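Steps 4 and 5 correspond to two API calls: a CloudFormation stack set (service-managed permissions, automatic deployments) that creates AWSControlTowerExecution in the target accounts, and a Service Catalog provision_product call that launches the Account Factory product for the existing account. The following added example (not code from the original post) builds those requests as plain dicts so they can be reviewed before anything is sent, and a thin executor sends them with boto3 and waits for the stack set operation to finish. The template follows the documented shape of the role (trusts the management account, AdministratorAccess); the stack set name, the provisioned product name and all IDs are placeholders chosen for this example, and the Account Factory product and provisioning artifact IDs must be looked up in your own Service Catalog portfolio.

```python
"""Request builders for steps 4 and 5: role creation through a CloudFormation
stack set, then the Account Factory launch through AWS Service Catalog.

Added example, not code from the original post. Builders return plain dicts
(reviewable, testable offline); deploy() is the only function that needs boto3
clients and network access. Every ID used here is a placeholder.
"""
import json
import time

ROLE_NAME = "AWSControlTowerExecution"
STACK_SET_NAME = "ct-enroll-execution-role"   # name chosen for this example


def role_template(management_account_id):
    """CloudFormation template for the role AWS Control Tower uses in enrolled
    accounts: trusts the management account and carries AdministratorAccess."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Resources": {
            "ControlTowerExecutionRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "RoleName": ROLE_NAME,
                    "AssumeRolePolicyDocument": {
                        "Version": "2012-10-17",
                        "Statement": [{
                            "Effect": "Allow",
                            "Principal": {"AWS": f"arn:aws:iam::{management_account_id}:root"},
                            "Action": "sts:AssumeRole",
                        }],
                    },
                    "ManagedPolicyArns": ["arn:aws:iam::aws:policy/AdministratorAccess"],
                },
            }
        },
    }


def stack_set_requests(management_account_id, target_ou_ids, home_region, org_root_id=None):
    """kwargs for create_stack_set and create_stack_instances.
    Pass org_root_id (r-xxxx) instead of OU IDs for an account that sits directly
    under the organization root: this is the post's extra flag, and it deploys the
    role to every account in the organization, because stack set targets are OUs
    (or the root), not individual root-level accounts."""
    targets = [org_root_id] if org_root_id else list(target_ou_ids)
    create = {
        "StackSetName": STACK_SET_NAME,
        "TemplateBody": json.dumps(role_template(management_account_id)),
        "Capabilities": ["CAPABILITY_NAMED_IAM"],
        "PermissionModel": "SERVICE_MANAGED",   # required for OU targets and auto deployment
        # Automatic deployments: accounts moved into the OU later get the role too.
        "AutoDeployment": {"Enabled": True, "RetainStacksOnAccountRemoval": False},
    }
    instances = {
        "StackSetName": STACK_SET_NAME,
        "DeploymentTargets": {"OrganizationalUnitIds": targets},
        "Regions": [home_region],   # IAM is global; one Region is enough
    }
    return create, instances


def account_factory_request(product_id, artifact_id, account_email, account_name,
                            managed_ou_name, sso_first_name="Admin", sso_last_name="User"):
    """kwargs for servicecatalog.provision_product on the Account Factory product.
    For an existing account, AccountEmail must be that account's current email;
    the AWS SSO user is created with the same address (default name Admin User)."""
    params = {
        "AccountEmail": account_email,
        "AccountName": account_name,
        "ManagedOrganizationalUnit": managed_ou_name,
        "SSOUserEmail": account_email,
        "SSOUserFirstName": sso_first_name,
        "SSOUserLastName": sso_last_name,
    }
    return {
        "ProductId": product_id,
        "ProvisioningArtifactId": artifact_id,
        "ProvisionedProductName": f"enroll-{account_name}",
        "ProvisioningParameters": [{"Key": k, "Value": v} for k, v in params.items()],
    }


def deploy(cfn, sc, create_kwargs, instances_kwargs, provision_kwargs, poll_seconds=15):
    """Send the requests with boto3 clients (cfn = cloudformation, sc = servicecatalog).
    Waits for the stack set operation so the role exists before Account Factory runs.
    Returns the Service Catalog record ID; poll describe_record with it, since one
    enrollment can take up to 30 minutes and accounts are enrolled one at a time."""
    cfn.create_stack_set(**create_kwargs)
    op_id = cfn.create_stack_instances(**instances_kwargs)["OperationId"]
    while True:
        status = cfn.describe_stack_set_operation(
            StackSetName=instances_kwargs["StackSetName"], OperationId=op_id
        )["StackSetOperation"]["Status"]
        if status in ("SUCCEEDED", "FAILED", "STOPPED"):
            break
        time.sleep(poll_seconds)
    if status != "SUCCEEDED":
        raise RuntimeError(f"stack set operation {op_id} ended with {status}")
    return sc.provision_product(**provision_kwargs)["RecordDetail"]["RecordId"]


if __name__ == "__main__":
    create, instances = stack_set_requests("123456789012", ["ou-ab12-11111111"], "us-east-1")
    launch = account_factory_request("prod-EXAMPLE", "pa-EXAMPLE", "dev@example.com",
                                     "dev-account", "Sandbox")
    print(json.dumps({"create_stack_set": create, "create_stack_instances": instances,
                      "provision_product": launch}, indent=2))
```

Run the block as-is to print the three requests for review; `deploy()` is only called once you are satisfied with them and have boto3 clients from the management account session. Keeping the builders pure also lets you diff the trust policy against what the script would create before any role lands in a production account.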

Setting Up the Environment

Enrolling one AWS account into AWS Control Tower can take up to 30 minutes, and accounts are enrolled one at a time, so a migration of many accounts needs a session that stays open for hours. This section shows one way to keep such long-running jobs from being interrupted, using an Amazon EC2 instance and the screen utility. You can use your own compute environment instead, as long as Python 3 and screen are available on it.
