Automated Deployment - Customizations for AWS Control Tower

Automated Deployment

Before you launch the automated deployment, please review the considerations discussed in this guide. Follow the step-by-step instructions in this section to configure and deploy the solution into your account.

Time to deploy: Approximately 15 minutes

Prerequisites

The solution requires an existing AWS Control Tower landing zone. You must deploy the solution into the same AWS account and Region where the AWS Control Tower landing zone is deployed. If you do not have a landing zone set up, refer to Getting Started with AWS Control Tower in the AWS Control Tower User Guide.

What We'll Cover

The procedure for deploying this architecture on AWS consists of the following steps. For detailed instructions, follow the links for each step.

Step 1. Launch the Stack

  • Launch the AWS CloudFormation template into your AWS account.

  • Review the template parameters, and adjust if necessary.

Step 2. Create a Custom Package

  • Create a custom configuration package.

Step 1. Launch the Stack

This automated AWS CloudFormation template deploys the Customizations for AWS Control Tower solution in the AWS Cloud.

Note

You are responsible for the cost of the AWS services used while running this solution. Refer to the Cost section for more details. For full details, see the pricing webpage for each AWS service you will be using in this solution.

  1. Sign in to the AWS Management Console and click the button below to launch the custom-control-tower-initiation AWS CloudFormation template.

    
                                Customizations for AWS Control Tower launch button

    You can also download the template as a starting point for your own implementation.

  2. The template launches in the US East (N. Virginia) Region by default. To launch this solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    This solution must be launched in the same account and Region where you deployed your AWS Control Tower landing zone. AWS Control Tower is available in specific AWS Regions only, so you must launch this solution in a Region where that service is available. For the most current service availability by Region, refer to the AWS Control Tower FAQs.

  3. On the Create stack page, verify that the correct template URL shows in the Amazon S3 URL text box and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack.

  5. Under Parameters, review the parameters for the template, and modify them as necessary. This solution uses the following parameters.

    Pipeline Configuration

    Parameter: Pipeline Approval Stage
    Default: No
    Description: Choose whether to replace the pipeline's default automatic approval stage with a manual approval stage, so that a person must approve each run before the customizations are deployed. For more information, see the Customizations for AWS Control Tower Developer Guide.

    Parameter: Pipeline Approval Email Address
    Default: <Optional Input>
    Description: The email address that receives approval notifications. This parameter is used only when Pipeline Approval Stage is set to Yes.

    Parameter: AWS CodePipeline Source
    Default: Amazon S3
    Description: Where AWS CodePipeline reads the customization package from: an Amazon S3 bucket or an AWS CodeCommit repository. The AWS CodeCommit Setup parameters below apply only when AWS CodeCommit is selected.

    AWS CodeCommit Setup

    Parameter: Existing CodeCommit Repository?
    Default: No
    Description: Choose whether to use an existing CodeCommit Git repository instead of creating a new one. If you choose Yes, you must set AWS CodePipeline Source to AWS CodeCommit.

    Parameter: CodeCommit Repository Name
    Default: custom-control-tower-configuration
    Description: The Git repository name. This parameter applies only when AWS CodePipeline Source is AWS CodeCommit. By default the solution creates a new repository with this name, so the name must not already exist in the account and Region. To use an existing repository instead, set Existing CodeCommit Repository? to Yes and enter that repository's exact name.

    Parameter: CodeCommit Branch Name
    Default: master
    Description: The Git branch that holds the customization package. A repository can have many branches; the pipeline reads from this one only. This parameter applies only when AWS CodePipeline Source is AWS CodeCommit.

  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources.

  9. Choose Create stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of CREATE_COMPLETE in approximately 15 minutes.

Step 2. Create a Custom Package

You are now ready to set up a secure, multi-account AWS environment using AWS best practices. With the stack deployed, you add customizations to your AWS Control Tower landing zone, such as service control policies (SCPs), by editing the included configuration package. For detailed instructions on creating a custom package, refer to the Customizations for AWS Control Tower Developer Guide.

Note

The pipeline does not run until you upload the custom configuration package to the source you selected for the pipeline (the Amazon S3 bucket or the CodeCommit branch).

Update the Stack

If you have previously deployed the solution, follow this procedure to update the Customizations for AWS Control Tower CloudFormation stack to get the latest version of the solution framework.

  1. Sign in to the AWS CloudFormation console, select your existing Customizations for AWS Control Tower CloudFormation stack, and select Update.

  2. Select Replace current template.

  3. Under Specify template:

    1. Select Amazon S3 URL.

    2. Copy the link of the latest template.

    3. Paste the link in the Amazon S3 URL box.

    4. Verify that the correct template URL shows in the Amazon S3 URL text box and choose Next. Choose Next again.

  4. Under Parameters, review the parameters for the template and modify them as necessary. Refer to Step 1. Launch the Stack for details about the parameters.

  5. Choose Next.

  6. On the Configure stack options page, choose Next.

  7. On the Review page, review and confirm the settings. Be sure to check the box acknowledging that the template might create AWS Identity and Access Management (IAM) resources.

  8. Choose View change set and verify the changes.

  9. Choose Update stack to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should see a status of UPDATE_COMPLETE in approximately 15 minutes.
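The console steps in Step 1 and in Update the Stack can be scripted. The script below is an added example, not code from the AWS guide or the solution itself. It assumes the CloudFormation parameter keys PipelineApprovalStage, PipelineApprovalEmail, CodePipelineSource, ExistingRepository, CodeCommitRepositoryName and CodeCommitBranchName (the page gives only the console labels), an AWS CLI new enough to have `aws controltower list-landing-zones`, and that TEMPLATE_URL is set to the link behind the Launch Solution button, which is not reproduced here. It enforces the parameter dependencies from the tables above, checks the account and Region prerequisite before calling CloudFormation, and performs updates through a change set so the changes can be reviewed before execution.

```shell
#!/bin/sh
# Added example (not from the AWS guide): CLI equivalent of Step 1 and
# "Update the Stack" for Customizations for AWS Control Tower.
# Assumptions not stated on the page: the parameter keys used below, an AWS CLI
# with `aws controltower list-landing-zones`, and TEMPLATE_URL = the template
# link behind the Launch Solution button (paste it in; not reproduced here).

# One {"ParameterKey":...,"ParameterValue":...} element for --parameters.
kv() { printf '{"ParameterKey":"%s","ParameterValue":"%s"}' "$1" "$2"; }

# Turn the six console parameters into a --parameters JSON array, enforcing the
# dependencies the parameter tables state. Parameters that do not apply are
# omitted so the template default is used.
#   build_params <ApprovalStage> <ApprovalEmail> <Source> <ExistingRepo> <RepoName> <Branch>
build_params() {
  [ $# -eq 6 ] || { echo "build_params: expected 6 arguments, got $#" >&2; return 1; }
  approval=$1 email=$2 src=$3 existing=$4 repo=$5 branch=$6
  case "$approval" in Yes|No) ;; *) echo "Pipeline Approval Stage must be Yes or No" >&2; return 1 ;; esac
  case "$src" in "Amazon S3"|"AWS CodeCommit") ;;
    *) echo "AWS CodePipeline Source must be 'Amazon S3' or 'AWS CodeCommit'" >&2; return 1 ;; esac
  if [ "$approval" = Yes ] && [ -z "$email" ]; then
    echo "Pipeline Approval Email Address is required when Pipeline Approval Stage is Yes" >&2; return 1
  fi
  if [ "$existing" = Yes ] && [ "$src" != "AWS CodeCommit" ]; then
    echo "Existing CodeCommit Repository?=Yes requires AWS CodePipeline Source = AWS CodeCommit" >&2; return 1
  fi
  params="$(kv PipelineApprovalStage "$approval"),$(kv CodePipelineSource "$src")"
  if [ -n "$email" ]; then params="$params,$(kv PipelineApprovalEmail "$email")"; fi
  if [ "$src" = "AWS CodeCommit" ]; then
    params="$params,$(kv ExistingRepository "$existing")"
    params="$params,$(kv CodeCommitRepositoryName "$repo"),$(kv CodeCommitBranchName "$branch")"
  fi
  printf '[%s]\n' "$params"
}

# Prerequisites check: the stack must be created in the account and Region that
# hold the Control Tower landing zone. The landing zone lives in the
# organization's management account, so the caller must be that account.
preflight() {
  caller=$(aws sts get-caller-identity --query Account --output text)
  mgmt=$(aws organizations describe-organization --query Organization.MasterAccountId --output text)
  [ "$caller" = "$mgmt" ] || { echo "run in the management account $mgmt, not $caller" >&2; return 1; }
  lz=$(aws controltower list-landing-zones --query 'landingZones[].arn' --output text)
  [ -n "$lz" ] || { echo "no Control Tower landing zone found in the current Region" >&2; return 1; }
}

# Step 1: create the stack. CAPABILITY_NAMED_IAM is the CLI form of the console
# acknowledgement that the template creates IAM resources.
deploy() {
  params=$(build_params "$@") || return 1
  aws cloudformation create-stack --stack-name "${STACK_NAME:?}" --template-url "${TEMPLATE_URL:?}" \
    --parameters "$params" --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait stack-create-complete --stack-name "$STACK_NAME"
}

# Update the Stack: create a change set, print it for review (the "View change
# set" step), and execute it only after confirmation.
update() {
  params=$(build_params "$@") || return 1
  cs="cfct-update-$(date +%Y%m%d%H%M%S)"
  aws cloudformation create-change-set --stack-name "${STACK_NAME:?}" --change-set-name "$cs" \
    --template-url "${TEMPLATE_URL:?}" --parameters "$params" --capabilities CAPABILITY_NAMED_IAM
  aws cloudformation wait change-set-create-complete --stack-name "$STACK_NAME" --change-set-name "$cs"
  aws cloudformation describe-change-set --stack-name "$STACK_NAME" --change-set-name "$cs" \
    --query 'Changes[].ResourceChange.[Action,LogicalResourceId,ResourceType,Replacement]' --output table
  printf 'Execute change set %s? [y/N] ' "$cs"; read -r ok
  [ "$ok" = y ] || { echo "left change set $cs unexecuted" >&2; return 1; }
  aws cloudformation execute-change-set --stack-name "$STACK_NAME" --change-set-name "$cs"
  aws cloudformation wait stack-update-complete --stack-name "$STACK_NAME"
}

# Usage: STACK_NAME=... TEMPLATE_URL=... ./cfct.sh deploy|update <ApprovalStage> <ApprovalEmail> <Source> <ExistingRepo> <RepoName> <Branch>
# e.g.   ./cfct.sh deploy Yes sec-ops@example.com "AWS CodeCommit" No custom-control-tower-configuration main
case "${1:-}" in
  deploy|update) cmd=$1; shift; preflight && "$cmd" "$@" ;;
  "") ;;  # no command: only define the functions (for sourcing or testing)
  *) echo "usage: $0 deploy|update <ApprovalStage> <ApprovalEmail> <Source> <ExistingRepo> <RepoName> <Branch>" >&2; exit 2 ;;
esac
```

The parameter dependencies are checked before any AWS API call, so a misconfiguration such as a manual approval stage with no notification address fails locally instead of producing a stack that rolls back or a pipeline that stalls waiting for an approval nobody is told about. On update, the parameters are passed again explicitly rather than relying on previous values, which mirrors the "review the parameters" step and keeps the script's record of what was deployed complete.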