How to Customize Your AWS Landing Zone with Control Tower
In my previous blog post, I showed you how to get started with AWS Control Tower, a service that helps you set up and govern a secure, compliant, and well-architected multi-account AWS environment. If you haven’t read it yet, I recommend checking it out here.
In this blog post, I will show you how to customize your AWS landing zone with Control Tower. A landing zone is a pre-configured environment that consists of an organizational unit (OU), accounts, and guardrails. Guardrails are high-level rules that enforce best practices for security, compliance, and operations across your accounts.
By customizing your landing zone, you can tailor it to your specific needs and preferences. You can add more accounts and OUs, enable or disable guardrails, configure your account factory, and explore the AWS services and resources that are available in your accounts.
Step 1: Add More Accounts and OUs
One of the benefits of using Control Tower is that it allows you to create new accounts in a standardized and automated way using the account factory. The account factory is a feature that lets you specify some parameters for the account provisioning process, such as the account name prefix, the SSO user email domain, the VPC configuration, and the SNS notification topic.
To add more accounts using the account factory, sign in to the AWS Management Console and open the AWS Control Tower console. In the left navigation pane, choose Account factory. You will see a screen like this:

To create a new account, click on the Enroll account button. You will see a form like this:

On this form, you need to enter some information about the new account, such as the account email, display name, OU assignment, and IAM Identity Center user email, among other attributes.
Once you have filled out the form, click on Create Account to start provisioning the new account.
The account creation process may take several minutes. You can monitor the progress by clicking on the View details link or by checking your SNS notification topic.
Another way to customize your landing zone is to add more OUs. An OU is a logical grouping of accounts that can have different guardrails applied to them. For example, you can create an OU for your development environment and another OU for your production environment.
To add more OUs using Control Tower, sign in to the AWS Management Console and open the AWS Control Tower console. In the left navigation pane, choose Organization. You will see a screen like this:

On this screen, you can see the list of all the OUs in your landing zone. You can also filter the list by name or state.
To create a new OU, click on the Create resources button and then Create organizational unit. You will see a form like this:

On this form, you need to enter a name for the new OU and select its parent OU.
Once you fill out the form, click on Add. The OU creation process may take a few minutes.
Step 2: Enable or Disable Guardrails
Another way to customize your landing zone is to enable or disable guardrails. Guardrails are high-level rules that enforce best practices for security, compliance, and operations across your accounts. They are divided into two categories:
- Mandatory guardrails: These are guardrails that are enabled by default and cannot be disabled. They are essential for ensuring the security and compliance of your landing zone.
- Strongly recommended guardrails: These are guardrails that are enabled by default but can be disabled. They are based on best practices for well-architected multi-account environments.
To enable or disable guardrails using Control Tower, sign in to the AWS Management Console and open the AWS Control Tower console. In the left navigation pane, choose Controls library/All controls. You will see a screen like this:

On this screen, you can see the list of all the guardrails available in Control Tower, along with their category, description, and compliance status.
To enable a guardrail, select the checkbox next to it and choose Enable control on OU. You will be asked to confirm your action and select the OUs that you want to apply the guardrail to.

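Once guardrails have been enabled through the console, it is worth checking that every workload OU actually carries the strongly recommended controls you expect. The following is an added example (not code from the original post) that compares the controls Control Tower reports as enabled on an OU, in the response shape of the ListEnabledControls API, against a baseline list. The sample response and the baseline control names are constructed for illustration; the live lookup assumes boto3 and management-account credentials.

```python
"""Guardrail coverage check for a Control Tower OU (added example)."""
from typing import Dict, List, Set

# Control identifiers are ARNs: arn:aws:controltower:<region>::control/<NAME>
CONTROL_ARN_MARKER = "::control/"

# Baseline of strongly recommended guardrails we want on every workload OU.
# These are example control names; adjust the set to your own baseline.
REQUIRED_CONTROLS: Set[str] = {
    "AWS-GR_ENCRYPTED_VOLUMES",
    "AWS-GR_RESTRICTED_SSH",
    "AWS-GR_RDS_STORAGE_ENCRYPTED",
}

# Constructed sample of what ListEnabledControls returns for one OU.
SAMPLE_RESPONSE: Dict[str, List[Dict[str, str]]] = {
    "enabledControls": [
        {"controlIdentifier": "arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES"},
        {"controlIdentifier": "arn:aws:controltower:us-east-1::control/AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED"},
    ]
}


def control_name(control_arn: str) -> str:
    """Reduce a control ARN to its control name, e.g. AWS-GR_RESTRICTED_SSH."""
    if not control_arn.startswith("arn:aws:controltower:") or CONTROL_ARN_MARKER not in control_arn:
        raise ValueError(f"not a Control Tower control ARN: {control_arn}")
    return control_arn.rsplit("/", 1)[1]


def missing_controls(enabled: List[Dict[str, str]], required: Set[str] = REQUIRED_CONTROLS) -> Set[str]:
    """Return the required controls that are not enabled on the OU."""
    present = {control_name(item["controlIdentifier"]) for item in enabled}
    return required - present


def fetch_enabled_controls(ou_arn: str, region: str = "us-east-1") -> List[Dict[str, str]]:
    """Live lookup: page through ListEnabledControls for one OU (needs boto3 + credentials)."""
    import boto3  # imported lazily so the offline check below runs without it
    client = boto3.client("controltower", region_name=region)
    enabled: List[Dict[str, str]] = []
    kwargs = {"targetIdentifier": ou_arn}
    while True:
        page = client.list_enabled_controls(**kwargs)
        enabled.extend(page["enabledControls"])
        if not page.get("nextToken"):
            return enabled
        kwargs["nextToken"] = page["nextToken"]


if __name__ == "__main__":
    gaps = missing_controls(SAMPLE_RESPONSE["enabledControls"])
    print("missing strongly recommended controls:", sorted(gaps))
```

Replace the sample response with `fetch_enabled_controls("<your OU ARN>")` to run the check against your own landing zone.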
Step 3: Explore AWS Services and Resources
The last way to customize your landing zone is to explore the AWS services and resources that are available in your accounts. You can use the AWS Management Console, the AWS Command Line Interface (CLI), or the AWS Software Development Kits (SDKs) to interact with these services and resources.
To access the AWS Management Console, sign in to AWS SSO and choose the account and role that you want to use. You will see a screen like this:


On this screen, you can see the list of all the AWS services that you can use in your account. You can also search for a service by name or category.
To access the AWS CLI, you need to install it on your local machine and configure it with your AWS credentials. You can find the installation and configuration instructions here. Once you have installed and configured the AWS CLI, you can use it to run commands that interact with AWS services and resources. For example, you can run the following command to list all the buckets in Amazon Simple Storage Service (S3):
aws s3 ls
To access the AWS SDKs, you need to choose a programming language that you want to use and install the corresponding SDK on your local machine. You can find the list of supported languages and SDKs here. Once you have installed an SDK, you can use it to write code that interacts with AWS services and resources. For example, you can write the following code in C# to create a new bucket in Amazon S3:
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;
using System;
using System.Threading.Tasks;

namespace S3CreateBucketSample
{
    class Program
    {
        // Bucket names are globally unique; replace this with your own name.
        private const string bucketName = "my-new-bucket";
        // RegionEndpoint comes from the Amazon namespace (using Amazon; above).
        private static readonly RegionEndpoint bucketRegion = RegionEndpoint.USEast1;
        private static IAmazonS3 s3Client;

        static async Task Main(string[] args)
        {
            // Credentials are resolved from the default chain (SSO profile, environment, ...).
            s3Client = new AmazonS3Client(bucketRegion);
            await CreateBucketAsync();
        }

        static async Task CreateBucketAsync()
        {
            try
            {
                var putBucketRequest = new PutBucketRequest
                {
                    BucketName = bucketName,
                    UseClientRegion = true
                };
                await s3Client.PutBucketAsync(putBucketRequest);
                Console.WriteLine($"Created bucket {bucketName}.");
            }
            catch (AmazonS3Exception e)
            {
                // Service-side failures, e.g. the name is taken or the role lacks s3:CreateBucket.
                Console.WriteLine($"Error encountered on server. Message: '{e.Message}'");
            }
            catch (Exception e)
            {
                Console.WriteLine($"Unknown error encountered. Message: '{e.Message}'");
            }
        }
    }
}
Conclusion
In this blog post, I have shown you how to customize your landing zone with Control Tower. These steps will help you tailor your landing zone to your specific needs and preferences. You can add more accounts and OUs, enable or disable guardrails, configure your account factory, and explore the AWS services and resources that are available in your accounts.
I hope you found this blog post useful and informative. Until next time, happy coding! 😊