Deploying the Customizations for AWS Control Tower solution
To deploy service control policies (SCPs), custom AWS CloudFormation templates, and baseline templates to your enrolled accounts, you can deploy the Customizations for Control Tower solution.
The template launches the following:
- An AWS CodePipeline pipeline
- AWS CodeBuild projects
- AWS Step Functions workflows
- AWS Lambda functions
- An Amazon EventBridge event rule
- An Amazon Simple Queue Service (Amazon SQS) queue
- An Amazon Simple Storage Service (Amazon S3) bucket that contains a sample configuration package
The solution can also create an AWS CodeCommit
Notice: AWS CodeCommit is no longer available to new customers. Existing customers of AWS CodeCommit can continue to use the service as normal.
Adding existing or new baselines to AWS Control Tower
In AWS Landing Zone, you could deploy resources using AWS CloudFormation stack sets on account creation. Those stack sets are also called baseline resources in the manifest.yaml file. They are deployed in AWS Control Tower as stack sets or service control policies (SCPs). To integrate these baseline resources with AWS Control Tower, follow the steps below. You can also modify the baselines during the process.
1. Deploy the Customizations for AWS Control Tower solution in the management account of your AWS Control Tower setup, in the AWS Regions where you deployed AWS Control Tower.
2. Download and unzip the custom-control-tower-configuration.zip file from the S3 bucket that was created as part of the solution that you deployed in step 1.
3. To add AWS CloudFormation stack sets as baselines, open the manifest.yaml file, and in the cloudformation_resources section, do the following:
   a. Add the account name or account number of the account where you want to deploy the baselines. Or specify the organizational unit (OU) name to deploy the baselines to all the accounts under the OU.
   b. Upload the AWS CloudFormation templates to the templates folder in the main folder, and confirm that the correct path is mentioned in the manifest.yaml file.
   c. If you have any parameters, add a parameter file, such as parameters.json, to the parameters folder.
4. To add service control policies as baselines, open the manifest.yaml file, and in the organization_policies section, do the following:
   a. Add the organizational units that you want to apply the service control policy (SCP) to.
   b. Make sure to upload the policies to the policies folder in the main folder, and confirm that the correct path is mentioned in the manifest file.
5. Zip the custom-control-tower-configuration folder, and upload it to the S3 bucket from which you downloaded it. This will start the pipeline and apply the baselines to the accounts or OUs that you specified.
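The following manifest.yaml is an added, constructed illustration of the package that steps 3 through 5 produce; it is not the sample manifest that ships with the solution. The OU names, account number, file names and Regions are placeholders, and every field name other than the two section names the steps mention (cloudformation_resources and organization_policies) is written from memory of the solution's earlier manifest schema and should be checked against the sample manifest inside custom-control-tower-configuration.zip before use.

```yaml
---
# Constructed example manifest.yaml for a Customizations for AWS Control Tower
# configuration package (not the solution's own sample file).
#
# Assumed layout of the unzipped custom-control-tower-configuration folder:
#   manifest.yaml
#   templates/enable-config-recorder.template    <- CloudFormation baseline (assumed name)
#   parameters/enable-config-recorder.json       <- optional parameter file (assumed name)
#   policies/deny-cloudtrail-changes.json        <- SCP document (assumed name)
#
# All paths below are relative to the package root; each file must exist
# before the folder is zipped and uploaded, or the pipeline fails.

region: us-east-1        # home Region of the AWS Control Tower setup (placeholder)
version: 2020-01-01      # manifest schema version (assumed value, check the sample manifest)

# Step 4: SCPs applied to every account under the listed OUs.
organization_policies:
  - name: deny-cloudtrail-changes
    description: Deny stopping or deleting organization trails in member accounts
    policy_file: policies/deny-cloudtrail-changes.json
    apply_to_accounts_in_ou:     # OU names are placeholders
      - Security
      - Workloads

# Step 3: CloudFormation stack set baselines. A target can be an OU
# (every account beneath it) or an individual account by name or number.
cloudformation_resources:
  - name: enable-config-recorder
    template_file: templates/enable-config-recorder.template
    parameter_file: parameters/enable-config-recorder.json
    deploy_method: stack_set
    deploy_to_ou:
      - Workloads                # placeholder OU name
    deploy_to_account:
      - "111122223333"           # placeholder account number
    regions:
      - us-east-1
      - us-west-2
```

Two practical checks before step 5: confirm that every template_file, parameter_file and policy_file path resolves to a file in the zipped folder, since the pipeline reads them relative to the package root, and scope each SCP to the narrowest OU that needs it rather than to the whole organization, so a deny statement cannot lock the management account out of its own services. After upload, the CodePipeline pipeline that the solution created in the management account shows whether each stage succeeded.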