Lab B2 – Using Account Factory
Josh is a member of the Cloud Center of Excellence (CCoE) team at organization-A, responsible for architecting the cloud infrastructure in the most secured way and at the same time without slowing down the business users. CCoE team is also accountable to provision AWS accounts to multiple Line of Businesses (LOBs) across the organization. Sally is one of the web developers in a LOB team who is responsible for maintaining the web-apps across the organization.
Josh decided to take advantage of Account Factory feature in AWS Control Tower to Provision new accounts for LOBs. Provisioning accounts through Account Factory allow Josh to create new AWS accounts with all the AWS best practices in place along with proper governance from the start of the day.
Sally develops and uses Infrastructure as Code templates to deploy web services on the new AWS accounts. Josh and his team will use AWS Control Tower to watch out for any violations that the LOB teams may cause unintentionally and take corrective actions.
This lab will walk you through the steps involved in configuring an AWS account which conforms to your company-wide policies on creation. We will also deploy a sample web application based on the LAMP stack using Cloudformation template, and see how the AWS Control Tower guardrails will watch out and report any policy violations
We will perform the following activities in this lab:
- Create an Organizational Unit (OU) and enable a guardrail from the AWS Control Tower dashboard.
- Modify the network baseline settings of Account Factory.
- Launch a new AWS account using Account Factory as an AWS Control Tower Admin user.
- [Optional] Designate a user/group with non- admin permissions to use Account Factory.
- Launch a Web application based on the LAMP stack, which by default opens SSH ports for the entire world.
- Investigate the violation captured by the AWS Control Tower and take corrective action.
1. AWS Control Tower environment setup
In this section, we will walk through various AWS Control Tower operations that you could do before provisioning an account. Please note that AWS Organization structure could change depending on the needs of each Company.
In this lab, we are going to configure the AWS Organization structure that fits the web-apps use case we discussed earlier.
1.1 Create an Organizational Unit
1.1.1 With AWS SSO, log into the AWS Control Tower management console in the Master account.
- When you launch AWS Control Tower, you will receive an email notification with User portal URL and Username (referred to as admin user).
- The email notification will have instructions to log in to AWS SSO and then to AWS Console on the AWS Control Tower master account.
- Click on the Master account to expand. Select Management console next to AWSAdministratorAccess Role to login AWS Management console of the master account (as shown below).
- Select the service Control Tower under Management & Governance.
1.1.2 Create a new Organization Unit from the AWS Control Tower dashboard
- Login to AWS Control Tower Dashboard and click on Organizational units on the left Sidebar.
- This opens up Organizational units page. Click on Add an OU button.
- Provide a new OU Name (for this lab we will call it as DEVENV) and click on Add button. Wait for green Success notification on top of the page.
1.2 Enable a Strongly recommended Guardrail on the OU we just created
1.2.1 Enable a Strongly recommended Guardrail on new OU
- On AWS Control Tower Dashboard, click on Guardrails on the left Sidebar.
- Search for Disallow internet connection through SSH and click on it.
- Scroll down to Organizational units enabled section and click on Enable Guardrail on OU button.
- Select the name of the OU created on step 2.1.1. (DEVENV for this lab) and click on Enable guardrail on OU button.
- Wait for green Success notification on top of the page.
1.3 Modify Network baseline settings of the Account Factory
1.3.1 Modify network configurations for new accounts
- While you are still on AWS Control Tower Dashboard, Click on Account factory on the left Sidebar and click on Edit button.
- Under Edit account factory configuration, enable Internet-accessible subnet (required for the lab) and change CIDR range if needed(optional for this lab).
- After selecting the required options, click on Save.
- Wait for green Success notification on top of the page.
Please DO NOT SKIP this step. Creating a internet-accessible subnet is required for this lab.
So far we were able to create an OU, enable a Strongly recommended guardrail on that OU and modify network baseline settings. In the next section we will see how to provision a new account in this OU
2. Launch a new AWS account using Account Factory
By default AWS Control Tower admin user will have permissions to launch the account factory. In this section we will walkthrough the steps involved in provisioning a new AWS account as an AWS Control Tower admin user. We will use the Service Catalog product called AWS Control Tower Account Factory, which ships with AWS Control Tower
In the next section we will see how enable an user/group with no admin rights to use Account Factory.
Few thing to keep in mind before proceeding further with the lab.
- While admin user can access the Account Factory directly with AWSAdministratorAccess role, the new non admin user with permissions to Account factory, should login using
AWSServiceCatalogEndUserAccessrole to create new accounts.
- Ensure you are in the same region as AWS Control Tower, this is needed as AWS Service Catalog is a regional service.
- If you login using
AWSServiceCatalogEndUserAccessrole, you won’t be able to access AWS Control Tower dashboard but you can directly access AWS Service Catalog.
- The email IDs used for the accouts in the control tower should be in the same domain. As an example, having master account in @example.com and new AWS account in @noexample.com will NOT work.
- In this lab, we use firstname.lastname@example.org format. This is not supported by all email servers. Please secure an unique email on the same domain to continue with this lab.
2.1 Launch a new AWS Account using Account Factory as an AWS Control Tower Admin user
2.1.1 Go to AWS Service Catalog
- One AWS Console, select Services, Management & Governance, and Service Catalog. PS: Alternatively, you could also type Catalog in the search bar and click on Service Catalog.
2.1.2 Launch an AWS Control Tower Account Factory product
- Select Products list (NOT under Admin), then click the three-dot menu icon for AWS Control Tower Account Factory
- From the context menu that opens, choose Launch product to start creating a new account.
- Under Provisioned product, provide a Name for the new AWS account that you’re creating, and then choose Next.
- Define the Parameters for the new account and click Next. This includes AccountEmail, SSOUserEmail, the ManagedOrganizationalUnit that will contain the new account, and the name for the account. PS: In this lab, we use email@example.com format. This is not supported by all the email servers. You MUST provide unique email IDs for new AWS account you create.
- Choose Next, Review the settings for your new AWS account, and then click Launch.
- Soon, the email address that you provided for the AccountEmail will receive an invite notification to use the new AWS Single Sign-On Account, and to set a new password for the account’s user.
- The status of the launch can be monitored from the AWS Service Catalog dashboard, from the Provisioned products list by clicking on the individual Provisioned Product Name
2.2 [optional] Create a new user and allow access to Account Factory
This is an optional step, use this procedure to deligate new AWS account creation activity to a user/group with no admin rights. We will use a preconfigured AWS SSO group to perform this task.
2.2.1 With AWS SSO, log into the AWS Control Tower management console in the Master account.
- On AWS Control Tower management console, choose Users and Access from the left side navigation panel.
- Under User identity management, choose View in AWS Single Sign-On.
- An AWS SSO page will open. Then choose Directory from the left side navigation panel.
- From Groups, choose AWSAccountFactory, and then choose Add users.
- NEW STEP: Fill the form with the required user details and choose Next: Groups.
- NEW STEP: Select AWSAccountFactory group and choose Add user.
- NEW STEP: The user will receive an email with a link to Accept Invitation, User portal URL, and Username.
- NEW STEP: When the user accepts the invitation in their email, they’ll get to generate a new password./li>
- NEW STEP: The new user can log in to User portal URL with those credentials. The new user will now have the necessary AWSServiceCatalogEndUserAccess permissions to use Account Factory to create new accounts.
3. Launching a PHP portal using LAMP Stack on newly provisioned account
Josh provisioned a new AWS account using Account Factory in AWS Control Tower. The new AWS account is ready to be used by the LOB team. Sally from The LOB team owns a CloudFormation template which she will use to deploy a web-app across the organization.
In this section we will see how Sally deploys their standard web-apps cloudformation template.
3.1 Launch a PHP portal on newly provisioned account
3.1.1 Login to the new AWS account as account owner.
- When a new AWS account was launched by Josh from CCoE team, an email with SSO Portal URL and login information will be sent automatically to the Email-ID (Sally in this case) provided during account creation.
- Using the information provided in the auto-generated email, Sally can setup a password and login to the new AWS account.
- Sally will see an AWS SSO screen identical to Josh, however with only her account listed out with role AWSAdministratorAccess.
3.1.2 Deploy the Cloudformation stack to install a web application
- Login to AWS CloudFormation console screen AWS Console
- Click on Create Stack, under Choose a template select Specify an Amazon S3 template URL and copy-paste below link and click Next.
- Provide a Stack name as PHPSampleWebApp, select VPC which is labelled as aws-controltower-VPC, select WebSubnetId whose label starts with aws-controltower-PublicSubnet and leave other options to defaults for this lab.
- Click Next, review the options you select and click Next again.
- Wait for the Stack Status becomes CREATE_COMPLETE.
- Select Outputs tab and click on the value of WebsiteURL to visit the newly launched PHP website.
4. Investigate violation reported on the AWS Control Tower Dashboard
When Sally deployed the cloudformation stack that they usually run across multiple accounts, she accidentally left the SSH ports opened to the entire world unintentionally. With AWS Control Tower Dashboard, Joshs team can easily trace this and take appropriate corrective actions on it.
In this part of this lab, we will see how the monitor your AWS Control Tower environment using the dashboard.
4.1.1 Check the AWS Control Tower Dashboard
- Login to AWS Control Tower Dashboard with AWSAdministratorAccess using the steps mentioned in 1.1.1
- Scroll down to Noncompliant resources. You would see the Resource causing the violation.
- Click on the Link under Account Name to open complete Account details of the account with violations. Note down the Account ID and Resource ID that is causing the violation (like sg-xxxxxxxxxxxx)
- You could use the account owner information available on this page to notify about this violation.
4.1.2 Switch to LOB account to fix the violation
- Click on Username on top right corner next to the region and select Switch Role.
- Enter the Account ID noted earlier under Account. Type AWSControlTowerExecution under Role and click on Switch Role
- Type http://console.aws.amazon.com/vpc on the browser to access VPCs on the LOB account
- Click on SecurityGroups and select Security Group that starts with PHPHelloWorldSample-xxx
- Select Inbound Rules tab in the bottom panel and click on Edit rules. For SSH type the appropirate internal IP address range. For this lab we will select My IP and Save rules.
4.1.3 Verify that the violations are fixed
- Switch back to the AWS Control Tower Dashboard in the master account by clicking on the username on top right and Back to AWSReservedSSO_AWSAdministratorAccess_*
- Type http://console.aws.amazon.com/controltower on the browser to access Control Tower Dashboard on Master Account
- Note the violation noted earlier is cleared now and all the resources are Compliant. It could take few minutes to get the dashboard updated.
Deleting AWS resources deployed in this lab
- You need to terminate any deployed stacksets to the account.
- Follow directives for Closing an AWS Account
Copyright 2019, Amazon Web Services, All Rights Reserved.