Architecture Overview - Customizations for AWS Control Tower

Architecture Overview

Deploying this solution builds the following environment in the AWS Cloud.

        Customizations for AWS Control Tower architecture diagram

Figure 1: Customizations for AWS Control Tower architecture

This solution includes an AWS CloudFormation template you deploy in your AWS account that launches all the components necessary to build the workflows that enable you to customize your AWS Control Tower landing zone.


The solution must be deployed in the same region and account where your AWS Control Tower landing zone is deployed. For information about setting up an AWS Control Tower landing zone, refer to Getting Started with AWS Control Tower in the AWS Control Tower User Guide.

Once the solution is deployed, the custom resources are packaged and uploaded to the code pipeline source using Amazon Simple Storage Service (Amazon S3), and triggers the service control policies (SCPs) state machine and the AWS CloudFormation StackSets state machine to deploy the SCPs at the OU level or stack instances at the OU and/or account level.


By default, this solution creates an Amazon S3 bucket to store the pipeline source, but you can change the location to an AWS CodeCommit repository. For more information, refer to Appendix B.

The solution deploys two workflows: an AWS CodePipeline workflow and an AWS Control Tower lifecycle event workflow. The AWS CodePipeline workflow configures AWS CodePipeline, AWS CodeBuild projects, and AWS Step Functions to orchestrate the management of AWS CloudFormation StackSets and SCPs in your organization.

Uploading the configuration package triggers the code pipeline to run the following stages.

  • Build Stage - validates the contents of the configuration package using AWS CodeBuild.

  • SCP Stage - triggers the service control policy state machine to make AWS Organizations API calls to create SCPs.

  • AWS CloudFormation Stage - triggers the stack set state machine to deploy the resources specified in the accounts and/or OUs list provided in the manifest file.


For information about customizing the configuration package, refer to the Customizations for AWS Control Tower Developer Guide.

Each stage in the code pipeline invokes the stack set and SCP step function, and deploys custom stack sets and SCPs to the target individual accounts or the entire organizational units.

When a new managed account is created in AWS Control Tower, the AWS Control Tower lifecycle event triggers the AWS CodePipeline workflow. You can customize the configuration package using this workflow which consists of an Amazon EventBridge event rule, an Amazon Simple Queue Service (Amazon SQS) first-in first-out (FIFO) queue, and an AWS Lambda function. When a matching lifecycle event is detected by the Amazon EventBridge event rule, it passes the event to the Amazon SQS FIFO queue, triggers the AWS Lambda function, and invokes the code pipeline to perform downstream stack sets and the SCPs deployments.