Solution Components - Customizations for AWS Control Tower

Solution Components

Amazon Simple Storage Service

The solution creates an Amazon Simple Storage Service (Amazon S3) bucket named custom-control-tower-configuration-<account-ID>-<region> and seeds it with a sample configuration package, _custom-control-tower-configuration.zip. The zip file contains a sample manifest and the related sample templates; together they show the folder structure of a custom configuration package, which is what customizes the AWS Control Tower landing zone environment. The sample manifest identifies the AWS CloudFormation StackSets and service control policies (SCPs) to implement in new and existing accounts. Use the sample package as the starting point for your own package; uploading a custom package to this bucket triggers the solution’s configuration pipeline. For information about customizing the configuration file, refer to the Customizations for AWS Control Tower Developer Guide.
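The following script, added here as an illustration and not part of the solution’s own code, builds a configuration package in the layout described above (a manifest.yaml at the zip root plus the template and SCP files it references) and uploads it to the solution’s bucket under the _custom-control-tower-configuration.zip key. Before zipping, it checks that every resource_file named in the manifest is actually present, because a package with a dangling reference only fails later in the pipeline. The manifest follows the v2 schema, but the OU name "Sandbox", the resource names, the file paths and the template bodies are constructed examples; the upload helper assumes boto3 and AWS credentials are available and is the only part that needs network access.

```python
"""Build and (optionally) upload a Customizations for AWS Control Tower
configuration package. Added illustration, not the solution's own code.

Assumed/constructed: the manifest contents, the OU name "Sandbox", the
template and policy file paths, and their bodies.
"""
import io
import re
import zipfile

BUCKET_PREFIX = "custom-control-tower-configuration"
PACKAGE_KEY = "_custom-control-tower-configuration.zip"

# Constructed manifest: one StackSet and one SCP, both targeting one OU.
MANIFEST = """\
---
region: us-east-1
version: 2021-03-15

resources:
  - name: example-stackset
    description: Example StackSet deployed to every account in the Sandbox OU
    resource_file: templates/example.template
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Sandbox
    regions:
      - us-east-1
  - name: deny-leaving-org
    description: Example SCP attached to the Sandbox OU
    resource_file: policies/deny-leave-org.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Sandbox
"""

# Constructed template and SCP bodies; a real package carries full templates.
FILES = {
    "templates/example.template": (
        "AWSTemplateFormatVersion: '2010-09-09'\n"
        "Resources:\n"
        "  Topic:\n"
        "    Type: AWS::SNS::Topic\n"
    ),
    "policies/deny-leave-org.json": (
        '{"Version": "2012-10-17", "Statement": [{"Effect": "Deny", '
        '"Action": "organizations:LeaveOrganization", "Resource": "*"}]}'
    ),
}


def referenced_files(manifest_text):
    """Return every resource_file path the manifest points at, in order."""
    return re.findall(r"^\s*resource_file:\s*(\S+)\s*$", manifest_text, re.M)


def build_package(manifest_text, files):
    """Zip manifest.yaml plus the files it references and return the bytes.

    Refuses to package a manifest that references a file not in `files`:
    the pipeline's validation stage would reject the package later anyway.
    """
    missing = [p for p in referenced_files(manifest_text) if p not in files]
    if missing:
        raise ValueError(f"manifest references missing files: {missing}")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.yaml", manifest_text)
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()


def package_members(package_bytes):
    """List the file names inside a package, sorted."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        return sorted(zf.namelist())


def bucket_name(account_id, region):
    """Name of the solution's configuration bucket for this account/region."""
    return f"{BUCKET_PREFIX}-{account_id}-{region}"


def upload_package(package_bytes, account_id, region):
    """Write the package to the bucket; the object write triggers the pipeline.
    boto3 is imported here so the rest of the module runs offline."""
    import boto3
    s3 = boto3.client("s3", region_name=region)
    s3.put_object(Bucket=bucket_name(account_id, region), Key=PACKAGE_KEY,
                  Body=package_bytes)
    return PACKAGE_KEY


if __name__ == "__main__":
    pkg = build_package(MANIFEST, FILES)
    print(package_members(pkg))
```

Run it with your own manifest and files, then call upload_package(pkg, "<account-ID>", "<region>") from a principal that can write to the bucket and use the solution’s KMS key.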

AWS CodeCommit

Depending on the input you provide to the solution’s CloudFormation template, the solution can also create an AWS CodeCommit repository containing the same sample configuration described in the Amazon Simple Storage Service section, to serve as the pipeline’s source instead of the S3 bucket.

Amazon Simple Queue Service

The solution uses an Amazon Simple Queue Service (Amazon SQS) FIFO queue to capture AWS Control Tower lifecycle events delivered by Amazon EventBridge. Messages on the queue trigger an AWS Lambda function, which invokes AWS CodePipeline to deploy AWS CloudFormation StackSets or AWS Organizations SCPs.

AWS CodePipeline

AWS CodePipeline validates, tests, and implements changes to the configuration package, reading it from either the default Amazon S3 bucket or the AWS CodeCommit repository. For more information about changing the configuration source to AWS CodeCommit, refer to Appendix B. The pipeline includes stages that validate and manage the configuration files and templates, the core accounts, AWS Organizations service control policies, and AWS CloudFormation StackSets. For more information about the pipeline stages in this solution, refer to the Customizations for AWS Control Tower Developer Guide.

AWS Key Management Service

The solution creates an AWS Key Management Service (AWS KMS) key named CustomControlTowerKMSKey. This key encrypts the objects in the Amazon S3 configuration bucket, the messages in the Amazon SQS queue, and the sensitive parameters in AWS Systems Manager Parameter Store. By default, only the roles provisioned by the Customizations for AWS Control Tower solution have permission to encrypt or decrypt with this key. Administrators who need to read the configuration package, the FIFO queue’s messages, or the Parameter Store SecureString values must be added to the CustomControlTowerKMSKey key policy. Automatic key rotation is enabled by default.
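The helper below, added as an illustration and not part of the solution’s own code, shows what “adding an administrator to the key policy” amounts to: a new Allow statement naming the administrator’s role ARN, scoped to the read-side actions (kms:Decrypt, kms:DescribeKey) rather than the full encrypt/decrypt set the solution’s own roles hold, so operators can open the package, queue and SecureString values without being able to write around the pipeline. It also includes a small evaluator to confirm before and after that the solution role keeps its access and the administrator gains only what was intended. BASELINE_POLICY is a constructed stand-in for the real key policy, and the key ID and role ARNs are placeholders; apply_policy is the only function that talks to AWS and assumes boto3 and credentials with kms:PutKeyPolicy.

```python
"""Grant an administrator read access on the solution's KMS key by adding a
statement to the key policy. Added illustration, not the solution's own code.

Assumed/constructed: BASELINE_POLICY stands in for the real
CustomControlTowerKMSKey policy; KEY_ID and the role ARNs are placeholders.
"""
import copy
import fnmatch
import json

KEY_ID = "1234abcd-12ab-34cd-56ef-1234567890ab"  # placeholder key ID
SOLUTION_ROLE = "arn:aws:iam::111122223333:role/CustomControlTowerPipelineRole"
ADMIN_ROLE = "arn:aws:iam::111122223333:role/LandingZoneAdmin"

# Read-side actions an operator needs to open the config zip, read the FIFO
# queue, or fetch SecureString parameters. No Encrypt/GenerateDataKey: writes
# still go through the pipeline and its roles.
ADMIN_READ_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]

BASELINE_POLICY = {  # constructed stand-in, not the solution's real policy
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowSolutionRoles", "Effect": "Allow",
         "Principal": {"AWS": [SOLUTION_ROLE]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def principal_allowed(policy, principal_arn, action):
    """Evaluate Allow/Deny statements for one principal and one action.
    Conditions are ignored, so treat the answer as a sanity check, not as an
    authorization decision; an explicit Deny still wins over any Allow."""
    allowed = False
    for st in policy["Statement"]:
        prin = st.get("Principal", {})
        principals = _as_list(prin.get("AWS", [])) if isinstance(prin, dict) else _as_list(prin)
        if "*" not in principals and principal_arn not in principals:
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def add_admin_statement(policy, admin_arn, actions=ADMIN_READ_ACTIONS):
    """Return a copy of the key policy with an admin read statement added.
    Idempotent: a second call extends the existing statement's principal list
    instead of appending a duplicate statement."""
    new_policy = copy.deepcopy(policy)
    sid = "AllowAdminRead"
    for st in new_policy["Statement"]:
        if st.get("Sid") == sid:
            st["Principal"]["AWS"] = sorted(set(_as_list(st["Principal"]["AWS"]) + [admin_arn]))
            return new_policy
    new_policy["Statement"].append({
        "Sid": sid, "Effect": "Allow",
        "Principal": {"AWS": [admin_arn]},
        "Action": list(actions), "Resource": "*"})
    return new_policy


def apply_policy(policy, key_id=KEY_ID):
    """Write the policy to the key. boto3 is imported lazily so that the
    rest of the module runs offline."""
    import boto3
    kms = boto3.client("kms")
    kms.put_key_policy(KeyId=key_id, PolicyName="default", Policy=json.dumps(policy))


if __name__ == "__main__":
    updated = add_admin_statement(BASELINE_POLICY, ADMIN_ROLE)
    print(principal_allowed(updated, ADMIN_ROLE, "kms:Decrypt"))   # True
    print(principal_allowed(updated, ADMIN_ROLE, "kms:Encrypt"))   # False
```

Because the key is created by the solution’s CloudFormation stack, writing the policy directly with put_key_policy leaves the stack drifted; where you can, carry the same statement into the stack’s template and update the stack instead, so that a later solution update does not silently revert the administrator’s access.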

AWS Lambda

The solution uses AWS Lambda functions to trigger the installation components during the initial installation, and to deploy AWS CloudFormation StackSets or AWS Organizations SCPs in response to an AWS Control Tower lifecycle event.
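To make the lifecycle-event path concrete (EventBridge to the FIFO queue, then Lambda to CodePipeline, as described under Amazon Simple Queue Service and AWS Lambda above), here is an added example of the decision a handler on that queue has to make; it is illustrative and not the solution’s own function. It only starts the pipeline for Control Tower lifecycle events whose serviceEventDetails state is SUCCEEDED, so a failed CreateManagedAccount or an unrelated event reaching the queue does not redeploy anything, and a malformed message is skipped rather than crashing the batch. The pipeline name, the assumption that the SQS message body is the EventBridge event JSON, and the sample events are all constructed; boto3 is only imported inside the real handler, so the logic runs offline.

```python
"""Lambda handler for Control Tower lifecycle events delivered through the
solution's SQS FIFO queue. Added illustration, not the solution's own code.

Assumed/constructed: PIPELINE_NAME, the SQS body being the EventBridge event
JSON, and the sample events below.
"""
import json

PIPELINE_NAME = "Custom-Control-Tower-CodePipeline"  # assumed pipeline name

# Lifecycle event names that should redeploy StackSets/SCPs.
LIFECYCLE_EVENTS = {
    "CreateManagedAccount", "UpdateManagedAccount",
    "EnableGuardrail", "DisableGuardrail",
    "SetupLandingZone", "UpdateLandingZone",
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",
}


def lifecycle_state(detail):
    """Pull the state out of serviceEventDetails, e.g.
    {"createManagedAccountStatus": {"state": "SUCCEEDED", ...}}."""
    for status in detail.get("serviceEventDetails", {}).values():
        if isinstance(status, dict) and "state" in status:
            return status["state"]
    return None


def should_trigger(event):
    """True only for a *successful* Control Tower lifecycle event."""
    if event.get("source") != "aws.controltower":
        return False
    detail = event.get("detail", {})
    if detail.get("eventName") not in LIFECYCLE_EVENTS:
        return False
    return lifecycle_state(detail) == "SUCCEEDED"


def process_records(records, start_pipeline):
    """Walk an SQS batch; return the messageIds that started the pipeline.

    `start_pipeline` is injected so the logic can be exercised offline; in
    Lambda it wraps codepipeline.start_pipeline_execution.
    """
    started = []
    for rec in records:
        try:
            event = json.loads(rec["body"])
        except (KeyError, ValueError):
            continue  # malformed message: skip it rather than fail the batch
        if should_trigger(event):
            start_pipeline(name=PIPELINE_NAME)
            started.append(rec["messageId"])
    return started


def handler(event, context):
    """Real Lambda entry point; boto3 is imported lazily for offline runs."""
    import boto3
    cp = boto3.client("codepipeline")
    return {"started": process_records(
        event.get("Records", []),
        lambda name: cp.start_pipeline_execution(name=name))}


# Constructed sample events for a stand-alone run.
SUCCEEDED = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountId": "111122223333"}}}}}
FAILED = json.loads(json.dumps(SUCCEEDED))
FAILED["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = "FAILED"
UNRELATED = {"source": "aws.s3", "detail": {"eventName": "PutObject"}}

SAMPLE_BATCH = {"Records": [
    {"messageId": "m1", "body": json.dumps(SUCCEEDED)},
    {"messageId": "m2", "body": json.dumps(FAILED)},
    {"messageId": "m3", "body": json.dumps(UNRELATED)},
    {"messageId": "m4", "body": "not json"},
]}

if __name__ == "__main__":
    print(process_records(SAMPLE_BATCH["Records"], lambda name: None))  # ['m1']
```

Because the queue is FIFO, records arrive in the order Control Tower emitted them; the handler keeps that property by processing the batch sequentially and never reordering it.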

AWS Systems Manager Parameter Store

AWS Systems Manager Parameter Store stores the solution’s configuration parameters. These parameters are used to integrate related configuration templates, for example configuring each account to log AWS CloudTrail data to a centralized Amazon S3 bucket. Administrators can also use Parameter Store to view the solution’s inputs and parameters in one central location.

Amazon Simple Notification Service

The solution uses Amazon Simple Notification Service (Amazon SNS) topics to publish notifications during the workflow, such as pipeline approval requests. The Amazon SNS topic is created only when you choose to receive pipeline approval notifications.