Scroll Top

AWS Control Tower & Customization for Terraform

Home AWS Control Tower & Customization for Terraform

AWS Control Tower Blog - The Digital Build

By Suraj Solanki, Manish Soni , J. Vimal Prakash Technical Blog January 11, 2022

Co-written by: Vimal Parkash J and Manish Soni

Our experts are thinkers AND doers focused on accelerating business outcomes. To showcase our deep expertise, we created a blog series called “The Digital Build.”

Much has been said and written about the cloud and the benefits it offers. However, with all these benefits, there are challenges with respect to faster cloud adoption, compliance, and security of the overall environment. Every organization that wants to migrate or implement workloads in the cloud has different needs and priorities, which means there’s no one way for adopting cloud best practices. However, a well-designed and documented execution of the AWS Control Tower is one of the recommended approaches.

What is AWS Control Tower and Its Business Need?

AWS Control Tower is the basic building block of AWS cloud adoption environment and will act as an airport runway for your workload migration to the cloud. It renders an easy and secure way to set up and govern an AWS multi-account environment, following AWS best practices, by synthesizing the potential of various other AWS services like AWS Organizations, AWS Single Sign-on and AWS Service Catalog, and constructs a landing zone in just under an hour.

AWS control tower can be adopted as a primary way to provision accounts and infrastructure, which enables you to protect your organization and accounts from drift, facilitates account deployment/ governance, while letting you effortlessly adhere to corporate standards and fulfil regulatory requirements.

Setting up a multi-account environment can take a significant amount of time, involving the configuration of multiple accounts and services. AWS Control Tower helps automate provisioning of accounts and provides a centralized control over security, monitoring and logging.

Key benefits

Centralized Logging: It enables CloudTrail logs in all provisioned accounts to send logs to a centralized S3 bucket in Log Archive account.
Security: Control tower helps us enable a set of mandatory and recommended policies called GuardRails that can enforce rules via AWS Config in an AWS account.
Single Sign-On: It also sets up AWS SSO across all the provisioned accounts. SSO can then be integrated with external IDP for seamless hybrid-user ID management and access.
Cost Management: Consolidates billing across the AWS Organizations.
VPC Provisioning: Automates the provisioning of VPC and its related resources in the newly provisioned AWS account. Control Tower leverages Account Factory and AWS Service Catalog

Our approach towards AWS Control Tower:

As a standard, our Control Tower-based deployment includes the following:

Multi-account architecture with each AWS account specifically designated to the client’s business needs.
“Network” account that consolidates most of the networking components such as Transit Gateway, VPCs, VPN, Direct Connect or Palo Alto
“Shared Services” account that contains services or resources related to Active Directory, DNS and AWS DevOps services such as AWS CodeCommit & AWS CodePipeline. We utilize DevOps and Terraform for deploying resources within an account.
Logs such as CloudTrail and VPC Flow logs are centrally managed in Amazon S3 buckets of “Log Archive” account.
Setup mandatory and recommended Guardrails for compliance.
AWS Security Hub is deployed in “Security” account to perform Cloud Security checks in all accounts. We follow “CIS AWS Foundations Benchmark” as a standard. Security Hub also provides a consolidated view and helps in remediation.
Configure SSO with an existing external Identity Provider and few initial groups to get started.

Control Tower Customization for Terraform:

Based on our experiences with various clients, we have understood that every environment, their requirements, and business needs are different. A standard AWS Control Tower deployment may not be the go-to approach for all the clients we interact with. There were times when we had to customize the network design and other services in each of the accounts.

Customization of Control Tower can be done in a couple of ways, one such solution from AWS is: Customizations for AWS Control Tower. The solution uses Lambda, Step Functions, and CloudFormation StackSets for custom resource build. However, we have witnessed clients with specific preferences towards Terraform, it might be because their existing team has the required skillset, or they are multi-cloud. Hence, we developed a custom solution with Terraform and DevOps practices as its core.

The solution is an event-driven approach where Control Tower events are utilized to automate the necessary base infrastructure services required. The Control Tower event “CreateManagedAccount” from the Master account is sent to a custom bus in “Shared Services” account, where a Lambda is used as a trigger to create AWS CodeCommit repositories to hold the Terraform code and AWS CodePipeline for IaC pipeline.

The Terraform code in the AWS CodePipeline repository can be customized according to the respective account architecture. Every time a new account is provisioned in the Control Tower, either a new repository or a branch can be created automatically. It also creates a respective pipeline to deploy the Terraform code. This gives way for 3 benefits:

Leverage Terraform to deploy AWS infrastructure
Customize the AWS accounts based on the architecture
Having the code repository gives benefits such as lifecycle management and version control of the infrastructure

Conclusion:

Customization of Control Tower deployment becomes necessary when we aim to achieve a specific Architecture Design. With Terraform as the primary IaC in our approach, the journey towards AWS becomes seamless for our customers. There has also been a recent Terraform-based solution from AWS I.e. AWS Control Tower Factory for Terraform. It uses a different approach; however, the core idea remains the same.

Suraj Solanki

+ posts

Manish Soni

+ posts

J. Vimal Prakash

+ posts

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use nonessential cookies that help us analyze and understand how you use this website and enhance your user experience. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
Zoominfo	session	Zoominfo uses technologies to collect and store information when you interact with services it offer to their partners, such as advertising services or analytics. All of those processes are meant to improve your user experience and the overall quality of our services.

Analytics

Analytics cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_111355416_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's pageview limit.
_hjIncludedInSessionSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's daily session limit.
_hjTLDTest	session	Hotjar test cookie to check the most generic cookie path it should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid	session	This cookie is used for storing the session ID of the user who clicked on an okt.to link.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.

Other

Other uncategorized cookies are those that are being analyzed and have not yet been classified into a category according to their type and purpose.

Cookie	Duration	Description
__gwtCookieCheck	session	This cookie is used to check if the visitors' browser supports cookies.
AnalyticsSyncHistory	1 month	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
li_gc	2 years	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
UserMatchHistory	1 month	LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

AWS Control Tower & Customization for Terraform

Suraj Solanki

Manish Soni

J. Vimal Prakash

UJIMA

VETs

WONDER

PRIDE

Mental Health Matters

KEVIN FLEURIE

Dan O’Brien

BRYAN CALDER

ROBERT KIM

VINCENT TRAMA

WAHEED CHOUDHRY

CHRIS CAGNAZZI

BRID GRAHAM

MICHAEL KELLY

KEVIN WATKINS

JENNIFER JACKSON

MANNY KORAKIS

JUSTIN FILIA

GOPINATHAN PANDURANGAN

STEVEN PALMESE

ELLIOT BRECHER

BARBARA ROBIDOUX

Please select your venue city and
complete registration form below.

Please complete registration
form below.

Dave Hart

CHRIS BARNEY

JOHN HANLON

Greg Hedrick

Courtney Washington

CHRISTINE KOMOLA

VINU THOMAS

JULIETTE AUSTIN