Architecture overview

Deploying CfCT builds the following environment in the AWS Cloud.

Customizations for AWS Control Tower architecture diagram

Figure 1: Customizations for AWS Control Tower architecture

CfCT includes an AWS CloudFormation template that you deploy in your AWS Control Tower management account. The template launches all the components necessary to build the workflows, so you can customize your AWS Control Tower landing zone.

Note

CfCT must be deployed in the AWS Control Tower home Region and in the AWS Control Tower management account, because that is where your AWS Control Tower landing zone is deployed. For information about setting up an AWS Control Tower landing zone, refer to Getting started with AWS Control Tower.

As you deploy CfCT, it packages and uploads the custom resources to the code pipeline source, by means of Amazon Simple Storage Service (Amazon S3). The upload process automatically invokes the service control policies (SCPs) state machine and the AWS CloudFormation StackSets state machine to deploy the SCPs at the OU level, or to deploy stack instances at the OU or account level.

Note

By default, CfCT creates an Amazon S3 bucket to store the pipeline source, but you can change the location to an AWS CodeCommit repository. For more information, refer to Set up Amazon S3 as the configuration source.

CfCT deploys two workflows:

an AWS CodePipeline workflow
and an AWS Control Tower lifecycle event workflow.

The AWS CodePipeline workflow

The AWS CodePipeline workflow configures AWS CodePipeline, AWS CodeBuild projects, and AWS Step Functions that orchestrate the management of AWS CloudFormation StackSets and SCPs in your organization.

When you upload the configuration package, CfCT invokes the code pipeline to run three stages.

Build Stage – validates the contents of the configuration package using AWS CodeBuild.
SCP Stage – invokes the service control policy state machine, which calls the AWS Organizations API to create SCPs.
AWS CloudFormation Stage – invokes the stack set state machine to deploy the resources specified in the list of accounts or OUs, which you've provided in the manifest file.

At each stage, the code pipeline invokes the stack set and SCP step functions, which deploy custom stack sets and SCPs to the targeted individual accounts, or to an entire organizational unit.

Note

For detailed information about customizing the configuration package, refer to CfCT customization guide.

The AWS Control Tower lifecycle event workflow

When a new account is created in AWS Control Tower, a lifecycle event can invoke the AWS CodePipeline workflow. You can customize the configuration package through this workflow, which consists of an Amazon EventBridge event rule, an Amazon Simple Queue Service (Amazon SQS) first-in first-out (FIFO) queue, and an AWS Lambda function.

When the Amazon EventBridge event rule detects a matching lifecycle event, it passes the event to the Amazon SQS FIFO queue, invokes the AWS Lambda function, and invokes the code pipeline to perform downstream deployment of stack sets and SCPs.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Customizations for AWS Control Tower (CfCT) overview

Cost