Customising AWS Control Tower with Account Factory Customisations
At AWS re:Invent this year, Account Factory Customisations was released. This post walks you through how to configure and use the new functionality, as in my opinion the documentation isn’t particularly clear about how things work, and there were also issues with the implementation steps when I first implemented it.
Use Case
For my specific situation I want to deploy a VPC that leverages the Amazon VPC IP Address Manager (IPAM) for obtaining an IP CIDR range, since I don’t want to have to manually enter one each time and run the risk of overlapping address space. As part of my pre-requisites I’ve already written some automation using CloudFormation to not only set up VPC IPAM for delegated administration in my Organization, but also to configure separate IPAM Pools for different regions and for different environments within those regions. This post won’t go into the details of that automation or of the CloudFormation Template I’ll deploy, but rather how the solution ultimately works.
Pre-Requisites
In order to use Account Factory Customisations, we need to decide on an account that will be used specifically for the Control Tower Custom Blueprints that will be created. Personally I’d recommend leveraging a Shared Services AWS Account, or you could provision a dedicated AWS Account for the purpose. If the account doesn’t exist yet, just create one as you normally would using the Account Factory element built into Control Tower.
Once the Account is provisioned, we then need to configure it for Delegated Administration of both Service Catalog and CloudFormation. This is done by first creating an AWS CLI Profile and then using that Profile to run some CLI Commands.
Configure an AWS CLI Profile to the Management Account
- Establish an AWS CLI Profile to the Management Account with administrative credentials via the AWS CLI, using either a Command Prompt or PowerShell:
aws configure sso
- In the SSO start URL, type the URL of the SSO Login page. For example, https://d-1234567890.awsapps.com/start This can be found by logging into the IAM Identity Center Console and looking for the AWS access portal URL in the Settings.
- In the SSO Region, type the AWS Region that was used for the Home Region when deploying Control Tower. For example, eu-west-2
A web browser will then open, prompting for login credentials if you’re not already logged in.
- Login with your Username and Password.
- Click Allow.
- Select the AWS Management Account using the cursor keys.
- Press Return for the default client Region and the default output format.
- For the Profile name use something memorable, as this can be anything. For example, ct-mgmt
Delegate Administration for Service Catalog to the Shared Services Account
- Open the AWS CLI.
- Run the register-delegated-administrator command.
aws organizations register-delegated-administrator --service-principal=servicecatalog.amazonaws.com --account-id="SharedServiceAccountId" --profile ct-mgmt
Note: You’ll need to ensure that you use the 12-digit AWS Account ID instead of SharedServiceAccountId.
- Run the list-delegated-administrators command to verify that the specified member account is successfully registered as a delegated administrator.
aws organizations list-delegated-administrators --service-principal=servicecatalog.amazonaws.com --profile ct-mgmt
Delegate Administration for CloudFormation to the Shared Services Account
- Open the AWS CLI.
- Run the register-delegated-administrator command.
aws organizations register-delegated-administrator --service-principal=member.org.stacksets.cloudformation.amazonaws.com --account-id="SharedServiceAccountId" --profile ct-mgmt
Note: You’ll need to ensure that you use the 12-digit AWS Account ID instead of SharedServiceAccountId.
- Run the list-delegated-administrators command to verify that the specified member account is successfully registered as a delegated administrator.
aws organizations list-delegated-administrators --service-principal=member.org.stacksets.cloudformation.amazonaws.com --profile ct-mgmt
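As an added example (not code from the original post), the following Bash script performs both delegations from the steps above in one go: it refuses the placeholder value the notes warn about before any API call is made, skips a service principal that is already delegated (register-delegated-administrator fails if it is), and verifies each registration afterwards. It assumes AWS CLI v2 and an already-configured profile; ct-mgmt is the profile name from this post and the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: delegate Service Catalog and CloudFormation StackSets
# administration to the Shared Services account, then verify the result.
# Usage: ./delegate.sh <12-digit-shared-services-account-id> [profile]
set -eu

# AWS account IDs are exactly 12 digits; reject the placeholder text
# ("SharedServiceAccountId") before calling any API.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the account ID if it is already a delegated administrator for the
# given service principal, otherwise print nothing.
find_delegated_admin() {
  local principal="$1" account="$2" profile="$3"
  aws organizations list-delegated-administrators \
    --service-principal "$principal" \
    --query "DelegatedAdministrators[?Id=='${account}'].Id" \
    --output text --profile "$profile"
}

# Register the account for one service principal unless it already is,
# then confirm the registration took effect.
delegate() {
  local principal="$1" account="$2" profile="$3"
  if [ "$(find_delegated_admin "$principal" "$account" "$profile")" = "$account" ]; then
    echo "already delegated: $principal -> $account"
  else
    aws organizations register-delegated-administrator \
      --service-principal "$principal" --account-id "$account" --profile "$profile"
  fi
  [ "$(find_delegated_admin "$principal" "$account" "$profile")" = "$account" ] \
    || { echo "verification failed for $principal" >&2; return 1; }
  echo "verified: $principal -> $account"
}

main() {
  local account="$1" profile="${2:-ct-mgmt}"
  valid_account_id "$account" \
    || { echo "expected a 12-digit account ID, got '$account'" >&2; return 1; }
  delegate servicecatalog.amazonaws.com "$account" "$profile"
  delegate member.org.stacksets.cloudformation.amazonaws.com "$account" "$profile"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then main "$@"; fi
```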
Create the AWSControlTowerBlueprintAccess IAM Role in the Shared Services Account
Next we need to create an IAM Role within the Shared Services Account named AWSControlTowerBlueprintAccess with a Trust Policy that trusts two different principals: the AWSControlTowerAdmin IAM Role in the Management Account, and the IAM Role that you use for administering Control Tower (in my case I use the SSO Admin Role for simplicity).
The trust policy should look something like this after it’s been created:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::ManagementAccountId:role/service-role/AWSControlTowerAdmin",
          "arn:aws:iam::ManagementAccountId:role/YourControlTowerUserRole"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Note: You’ll need to ensure that you use the 12-digit AWS Account ID instead of ManagementAccountId.
The permissions policy of the AWSControlTowerBlueprintAccess IAM Role should have both the AWSServiceCatalogAdminFullAccess and the AmazonS3ReadOnlyAccess AWS Managed Policies attached.
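As an added example, not code from the original post, this Bash script generates the trust policy above from a 12-digit Management Account ID and the name of your Control Tower admin role, then creates the role and attaches the two managed policies via the AWS CLI. It assumes a CLI profile for the Shared Services Account (shared-services is a placeholder name); the function names are mine.

```shell
#!/usr/bin/env bash
# Added example: create the AWSControlTowerBlueprintAccess role in the Shared
# Services account with the trust policy and managed policies described above.
# Usage: ./blueprint-role.sh <management-account-id> <ct-admin-role-name> [profile]
set -eu
ROLE_NAME="AWSControlTowerBlueprintAccess"

# AWS account IDs are exactly 12 digits; reject "ManagementAccountId" placeholders.
valid_account_id() {
  case "$1" in
    [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Emit the trust policy: only the Control Tower service role and your own
# Control Tower admin role in the Management account may assume this role.
trust_policy() {
  local mgmt="$1" admin_role="$2"
  valid_account_id "$mgmt" \
    || { echo "expected a 12-digit account ID, got '$mgmt'" >&2; return 1; }
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${mgmt}:role/service-role/AWSControlTowerAdmin",
          "arn:aws:iam::${mgmt}:role/${admin_role}"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Create the role with the generated trust policy and attach the two AWS
# managed policies the post lists as required.
create_blueprint_role() {
  local mgmt="$1" admin_role="$2" profile="${3:-shared-services}"
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(trust_policy "$mgmt" "$admin_role")" \
    --profile "$profile"
  for policy in AWSServiceCatalogAdminFullAccess AmazonS3ReadOnlyAccess; do
    aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn "arn:aws:iam::aws:policy/${policy}" --profile "$profile"
  done
}

if [ "$#" -ge 2 ]; then create_blueprint_role "$@"; fi
```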
Create the Service Catalog Product for the Control Tower Blueprint in the Shared Services Account
- Create an AWS CloudFormation template that will become your account blueprint. In my case I had already created a Custom VPC Template to utilise IP Addresses from VPC IPAM.
- Sign in to the Shared Services account where you’ll store the Account Factory blueprints.
- Navigate to the AWS Service Catalog console. Click Product list, and then click Create product.
- In the Product details pane, enter details for your blueprint product, such as a name and description.
- Select Use a template file and then select Choose file. Select or paste the AWS CloudFormation template you’ve developed for use as your blueprint.
- Click Create product at the bottom of the console page.
What you’ll notice is that we haven’t had to create a Service Catalog Portfolio, as you normally would when using Service Catalog for deployments.
Provision the Blueprint via Control Tower Account Factory Customisation
We need to decide on an account that we’ll deploy the Customisation to. For the purpose of this post, just provision a new AWS Account using the Account Factory element built into Control Tower. Before clicking Create Account, you’ll notice that there is a new section for Account Factory Customisation.
- Enter the AWS Account ID for the Shared Services Account that contains your blueprints and Click Validate.
- Select a blueprint product that is available within the Shared Services Account. In my case I used my Custom VPC Template.
- Select the version of the blueprint product (AWS Service Catalog product), if you have more than one version.
- Choose the AWS Region or Regions in which you wish to deploy accounts based on this blueprint product.
- If the blueprint contains parameters, you can enter the values for the parameters into additional fields in the AWS Control Tower workflow.
- Click Create account.
The new AWS account will first be provisioned with all the typical Control Tower aspects such as CloudTrail, Config etc., and then a Service Catalog Portfolio will be created within the Shared Services Account. This portfolio is then shared using Resource Access Manager with the newly provisioned AWS Account and imported locally into that Account, at which point the Blueprint is deployed as a Service Catalog Product from within that AWS Account.
Hope this helps.