Deploying the Customizations for AWS Control Tower solution - AWS Prescriptive Guidance

To deploy service control policies (SCPs), custom AWS CloudFormation templates, and baseline templates to your enrolled accounts, you can use the Customizations for AWS Control Tower solution.

The template launches the following:

The solution can also create an AWS CodeCommit repository to contain the sample configuration package, instead of using the S3 bucket.

Notice

AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal.

Adding existing or new baselines to AWS Control Tower

In AWS Landing Zone, you could deploy resources using AWS CloudFormation stack sets on account creation. Those stack sets are also called baseline resources in the manifest.yaml file. They are deployed in AWS Control Tower as stack sets or service control policies (SCPs). To integrate these baseline resources with AWS Control Tower, see the following steps. You can also modify the baselines during the process.

  1. Deploy the Customizations for AWS Control Tower solution in the management account of your AWS Control Tower setup in the AWS Regions where you deployed AWS Control Tower.

  2. Download and unzip the custom-control-tower-configuration.zip file from the S3 bucket that was created as part of the solution that you deployed in step 1.

  3. To add AWS CloudFormation stack sets as baselines, open the manifest.yaml file, and in the cloudformation_resources section, do the following:

    • Add the account name or account number of the account where you want to deploy the baselines. Or specify the organizational unit (OU) name to deploy the baselines to all the accounts under the OU.

    • Upload the AWS CloudFormation templates to the templates folder in the main folder, and confirm that the correct path is mentioned in the manifest.yaml file.

    • If you have any parameters, add a parameter file, such as parameters.json, to the parameters folder.

  4. To add service control policies as baselines, open the manifest.yaml file, and in the organization_policies section, do the following:

    • Add the organizational units that you want to apply the service control policy (SCP) to.

    • Make sure to upload the policies to the policies folder in the main folder, and confirm that the correct path is mentioned in the manifest file.

  5. Zip the custom-control-tower-configuration folder, and upload it to the S3 bucket from which you downloaded it. This will start the pipeline and apply the baselines to the accounts or OUs that you specified.
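A pre-upload check for steps 3 to 5, as an added example that is not part of the AWS guidance: it confirms that every file the manifest references exists inside the package folder and that policy and parameter files parse as JSON, so a wrong path is caught before the upload starts the pipeline. The key names template_file, parameter_file and policy_file and the sample package contents are assumptions; adjust them to the manifest version you use.

```python
import json
import re
import tempfile
from pathlib import Path

# Key names are assumed; the page does not show the manifest schema.
REF = re.compile(r"^[ \t-]*(template_file|parameter_file|policy_file):[ \t]*(\S+)", re.M)

# Constructed sample: the template is never created and the parameter file is truncated.
SAMPLE_MANIFEST = """\
organization_policies:
  - name: deny-leave-org
    policy_file: policies/deny-leave-org.json
cloudformation_resources:
  - name: baseline-logging
    template_file: templates/baseline-logging.template
    parameter_file: parameters/parameters.json
"""

def check_package(root):
    """Return a list of problems in an unzipped custom-control-tower-configuration folder."""
    root = Path(root).resolve()
    problems = []
    for key, ref in REF.findall((root / "manifest.yaml").read_text()):
        target = (root / ref.strip("'\"")).resolve()
        if root not in target.parents:
            problems.append(f"{key}: {ref} points outside the package")
        elif not target.is_file():
            problems.append(f"{key}: {ref} is missing")
        elif key != "template_file":  # policies and parameter files are JSON
            try:
                json.loads(target.read_text())
            except ValueError:
                problems.append(f"{key}: {ref} is not valid JSON")
    return problems

def build_sample(root):
    root = Path(root)
    for sub in ("policies", "parameters", "templates"):
        (root / sub).mkdir(parents=True)
    (root / "manifest.yaml").write_text(SAMPLE_MANIFEST)
    scp = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}
    (root / "policies" / "deny-leave-org.json").write_text(json.dumps(scp))
    (root / "parameters" / "parameters.json").write_text('[{"ParameterKey": ')  # truncated on purpose
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(check_package(build_sample(tmp)))
```

Run it against the unzipped folder before step 5 and zip only when the returned list is empty.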