Control Tower Setup
This Standard Operating Procedure (SOP) provides a once-off guide for enabling and configuring AWS Control Tower to integrate with the Data Landing Zone (DLZ).
AWS Control Tower provides a streamlined way to set up and govern a multi-account AWS environment, adhering to AWS best practices.
The Data Landing Zone (DLZ) does not manage your Control Tower configuration but requires it to be manually configured. These resources are then passed to the Data Landing Zone CDK construct. This approach ensures DLZ can be adopted in existing Control Tower setups or newly created (greenfield) environments.
Prerequisites
You must have an existing AWS account that can act as or already serves as the head of the AWS Organization/Control Tower. Alternatively, create a new Management AWS account by signing up at https://portal.aws.amazon.com/billing/signup.
- Use an email address not already associated with an AWS account and ensure it is accessible.
- Store the username and password securely.
- You will have to link a Credit card to the account.
This account will be referred to as the Management account.
Enable Control Tower
- Log in to the Management account and navigate to Control Tower
- Decide which region will be your home/global region. This is the region where your Control Tower will be deployed. Not all regions support all resources, so a "major" region is recommended; both eu-west-1 and us-east-1 are usually good choices.
- Choose Set up landing zone.
- Ensure your home region is correct and select any other regions you want to manage and govern.
- Select "Opt out of creating OU"; we will create the OUs manually after Control Tower is created.
- Provide email addresses for the Audit and Log Archive accounts. These accounts will be created by Control Tower under the Security OU.
- Click Set up landing zone.
- The setup process may take up to an hour, although it is often completed more quickly.
Create AWS Organization OUs
- Log in to the Management account and navigate to Control Tower
- Select Organizational Units from the left-hand menu, then click Add an OU.
- Ensure the following OUs exist, creating them if not already present: Workloads and Suspended.
- Move any existing accounts into the Workloads OU for use with the Data Landing Zone.
Verify IAM Identity Center
- Log in to the Management account and navigate to Control Tower
- In the left-hand menu, navigate to Users and Access.
- Verify that IAM Identity Center is enabled.
Configure Account Factory
The Account Factory will be used to manually create AWS accounts for use with the Data Landing Zone.
Since VPCs will be defined by the DLZ CDK construct, Control Tower’s VPC creation needs to be disabled. Follow the official AWS documentation to disable VPC creation:
- Log in to the Management account and navigate to Control Tower
- In the Control Tower console, select Account Factory.
- Edit the Network configuration:
- Disable Internet-accessible subnet.
- Set Maximum number of private subnets to 0.
- Deselect all Regions for VPC creation.
- Save your changes.
Optionally create workload accounts
Follow the SOP - Add Account to create new accounts or enroll existing accounts under the Workloads OU.
Gather the required information for DLZ
Gather the following IDs required by the DLZ construct from the AWS Organisations console:
- AWS Organisation ID
- Management account ID
- Security OU ID
- Audit Account ID
- Log Archive Account ID
- Workloads OU ID
- Any additional Account IDs that you want to use with DLZ
Configure the DLZ CDK Construct
After gathering the required information, input the IDs into the DLZ CDK construct. Below is an example configuration for two accounts in the Workloads OU. Additional accounts can be added as needed.
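A mistyped or duplicated ID in this configuration is the most common way a landing-zone deployment fails part-way through, so it is worth checking the gathered values before they reach the construct. The following is an added example, not the DLZ construct's own code or property names: it holds the IDs listed in the previous section in a hypothetical `OrgConfig` shape and checks their formats (patterns from the AWS Organizations API reference) and that no account is assigned two roles.

```typescript
// Added example, not the DLZ project's code. Property names are hypothetical;
// map them onto whatever the DLZ construct actually expects.
interface OrgConfig {
  organizationId: string;
  managementAccountId: string;
  securityOuId: string;
  auditAccountId: string;
  logArchiveAccountId: string;
  workloadsOuId: string;
  workloadAccountIds: string[];
}

// ID formats as documented in the AWS Organizations API reference.
const ORG_ID = /^o-[a-z0-9]{10,32}$/;
const OU_ID = /^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$/;
const ACCOUNT_ID = /^\d{12}$/;

// Returns a list of problems; an empty list means the config is consistent.
function validateOrgConfig(cfg: OrgConfig): string[] {
  const errors: string[] = [];
  const check = (name: string, value: string, re: RegExp) => {
    if (!re.test(value)) errors.push(`${name} "${value}" is malformed`);
  };
  check("organizationId", cfg.organizationId, ORG_ID);
  check("securityOuId", cfg.securityOuId, OU_ID);
  check("workloadsOuId", cfg.workloadsOuId, OU_ID);
  check("managementAccountId", cfg.managementAccountId, ACCOUNT_ID);
  check("auditAccountId", cfg.auditAccountId, ACCOUNT_ID);
  check("logArchiveAccountId", cfg.logArchiveAccountId, ACCOUNT_ID);
  cfg.workloadAccountIds.forEach((id, i) => check(`workloadAccountIds[${i}]`, id, ACCOUNT_ID));
  if (cfg.securityOuId === cfg.workloadsOuId) errors.push("Security and Workloads OU IDs must differ");

  // Each account may hold exactly one role: management, audit, log archive or workload.
  const roles = new Map<string, string>();
  const assign = (id: string, role: string) => {
    const prev = roles.get(id);
    if (prev) errors.push(`account ${id} is listed as both ${prev} and ${role}`);
    else roles.set(id, role);
  };
  assign(cfg.managementAccountId, "management");
  assign(cfg.auditAccountId, "audit");
  assign(cfg.logArchiveAccountId, "log archive");
  cfg.workloadAccountIds.forEach((id) => assign(id, "workload"));
  return errors;
}

// Constructed sample values (not real IDs) for two Workloads accounts.
const sampleConfig: OrgConfig = {
  organizationId: "o-abc123def456", managementAccountId: "111111111111",
  securityOuId: "ou-ab12-12345678", auditAccountId: "222222222222",
  logArchiveAccountId: "333333333333", workloadsOuId: "ou-ab12-87654321",
  workloadAccountIds: ["444444444444", "555555555555"],
};
```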