Adding existing or new baselines to AWS Control Tower

Deploying the Customizations for AWS Control Tower solution

To deploy service control policies (SCPs), custom AWS CloudFormation templates, and baseline templates to your enrolled accounts, you can deploy the Customizations for Control Tower solution.

The template launches the following:

An AWS CodePipeline pipeline
AWS CodeBuild projects
AWS Step Functions workflows
AWS Lambda functions
An Amazon EventBridge event rule
An Amazon Simple Queue Service (Amazon SQS) queue
An Amazon Simple Storage Service (Amazon S3) bucket that contains a sample configuration package

The solution can also create an AWS CodeCommit repository to contain the sample configuration package, instead of using the S3 bucket.

Notice

AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal. Learn more

Adding existing or new baselines to AWS Control Tower

In AWS Landing Zone, you could deploy resources using AWS CloudFormation stack sets on account creation. Those stack sets are also called baseline resources in the manifest.yaml file. They are deployed in AWS Control Tower as stack sets or service control policies (SCPs). To integrate these baseline resources with AWS Control Tower, see the following steps. You can also modify the baselines during the process.

Deploy the Customizations for AWS Control Tower solution in the management account of your AWS Control Tower setup in the AWS Regions where you deployed AWS Control Tower.
Download and unzip the custom-control-tower-configuration.zip file from the S3 bucket that was created as a part of solution that you deployed in step 1.
To add AWS CloudFormation stack sets as baselines, open the manifest.yamlmanifest.yaml file, and in the cloudformation_resources section, do the following:
- Add the account name or account number of the account where you want to deploy the baselines. Or specify the organizational unit (OU) name to deploy the baselines to all the accounts under the OU.
- Upload the AWS CloudFormation templates to the templates folder in the main folder, and confirm that the correct path is mentioned in the manifest.yaml file.
- If you have any parameters, add a parameter file, such as parameters.json, to the parameters folder.
To add service control policies as baselines, open the manifest.yaml file, and in the organization_policies section, do the following
- Add the organizational units that you want to apply the service control policy (SCP) to.
- Make sure to upload the policies to the policies folder in the main folder, and confirm that the correct path is mentioned in the manifest file.
Zip the custom-control-tower-configuration folder, and upload it to the S3 bucket from which you downloaded it. This will start the pipeline and apply the baselines to the accounts or OUs that you specified.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Deploy AWS Control Tower

Decommissioning AWS Landing Zone