Adam Divall

Walkthrough Guides and Other Useful Information on AWS

AWS Landing Zone Accelerator - Part 2: Organizational Units and Account Configuration

2025-01-30 11 min read Walkthroughs Adam Divall

In Part 1 of our AWS Landing Zone Accelerator (LZA) series, we introduced the LZA and its benefits. Now, we’ll explore configuring OUs and other essential organizational settings, along with the process of creating AWS accounts within your LZA environment.

Prerequisites

Before we get started, let’s make sure you have the following:

  • Access to the AWS Management account: You’ll need the right permissions to make changes to the LZA setup.
  • Permissions to update the LZA configuration: This means being able to edit the files that control how the LZA works (e.g., in the aws-accelerator-config repository).
  • A brand new email address: This will be used for the new AWS account you’re setting up.
  • Git access: You’ll need to be able to download and upload the LZA configuration files from and to the aws-accelerator-config repository.
  • AWS CLI ready to go: Make sure you have the AWS Command Line Interface installed and set up on your computer.
  • The right permissions in Microsoft Entra ID: You’ll need to be able to create and manage groups in Microsoft Entra ID, and connect them to AWS IAM Identity Center (this is what you use to control who can access your AWS accounts).

Important Note: I’m assuming you’ve already set up the LZA in your AWS environment by following the official guide: https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/step-1.-launch-the-stack.html. This means you’ve got the basic LZA structure in place.


Launching into the Cloud with Confidence: AWS Landing Zone Accelerator - Part 1

2024-12-22 3 min read Walkthroughs Adam Divall

Migrating to the cloud can feel like a daunting leap. Where do you even begin? How do you ensure your cloud environment is secure, scalable, and compliant right from the start? Enter the AWS Landing Zone Accelerator (LZA), your trusty launchpad for a smooth and successful cloud journey.

What is the LZA?

The LZA is an open-source solution provided by AWS that helps you quickly build and deploy a well-architected multi-account AWS environment. Think of it as a blueprint for your cloud foundation, complete with pre-configured security controls, network configurations, and account structures.


How to Set Up AWS CDK for Python

2024-10-02 4 min read Walkthroughs Adam Divall

In this guide, I’ll walk through setting up AWS CDK with Python, including all the required dependencies and steps, and demonstrate how to deploy a simple app that provisions an Amazon S3 bucket.

What is the AWS CDK?

The AWS Cloud Development Kit (CDK) is an open-source software development framework designed to facilitate the creation and management of cloud infrastructure using familiar programming languages. Here are several important features and concepts associated with the AWS CDK:


Configuring Amazon VPC IP Address Manager (IPAM)

2023-03-19 5 min read Walkthroughs Adam Divall

In many enterprise environments, a common challenge is how to handle the allocation of IP CIDR blocks, be that to Data Centers, Offices or Subnets, so as to ensure that resources don’t end up with IP addresses that have already been assigned to resources on the Network. Duplicate IP Addresses on the Network can cause numerous issues, and AWS have previously written the following blog that discusses several solutions to this challenge, such as the use of NAT Gateways and AWS PrivateLink, or a couple of more manual approaches to work around the issue.


Customising AWS Control Tower with Account Factory Customisations

2022-12-30 6 min read Walkthroughs Adam Divall

At AWS re:Invent this year Account Factory Customisations was released. This post will walk you through how to configure and use the new functionality as in my opinion the documentation isn’t particularly clear as to how things work and there were also issues with the implementation steps when I first implemented it.

Use Case

For the specific situation that I’m utilising this for, I want to deploy a VPC that leverages the Amazon VPC IP Address Manager (IPAM) for obtaining an IP CIDR Range, since I don’t want to have to manually enter one each time and run the risk of overlapping address space. As part of my prerequisites, I’ve already written some automation using CloudFormation to not only set up VPC IPAM for delegated administration in my Organization, but I’ve also set up VPC IPAM so that I have separate IPAM Pools for different regions and also different environments within those regions. This post won’t go into the details of the automation or the details of the CloudFormation Template that I’ll deploy either, but rather how the Solution ultimately works.


Creating a Multi-Account CI/CD Pipeline with AWS CodePipeline

2022-10-18 16 min read Walkthroughs DevOps Adam Divall

Whenever I’ve tried to learn a particular service or functionality within AWS, I find the best way is to do the ClickOps approach (i.e. Good Old Point and Click in the Console). Once I’ve figured out how to get it working via that method, I then go through the process of trying to automate it through Infrastructure as Code, and in my case that’s using AWS CloudFormation.

One particular example of this was getting a bit more familiar with AWS CodePipeline so that I could try to automate the delivery of CloudFormation Templates across multiple AWS Accounts in a similar manner to how you would deploy solutions in a Software Delivery Lifecycle (SDLC). When I was learning how to do this through the management console, I found out that it’s not possible to do it all within the console and therefore you have to also leverage the AWS CLI for specific parts.


Customising AWS Control Tower with CfCT

2022-09-22 9 min read Walkthroughs Adam Divall

If you missed the previous posts on Deploying a Landing Zone with AWS Control Tower or you’ve not had much experience with the service, I’d recommend going back through and reading those first before continuing.

In this post, I’m going to walk through how you can start customising Control Tower using the Security Reference Architecture (SRA). The SRA utilises Customisations for Control Tower (CfCT), which deploys a DevOps pipeline that works with CloudFormation templates and Control Tower lifecycle events.