One of the biggest challenges companies face today is managing multiple teams with different workloads while ensuring that all of them follow security best practices.
AWS Control Tower provides a multi-account structure that manages multiple accounts in different organizational units under a single root account, helping organizations meet the distinct needs of each application, team, or business group.
Background
Cloud automation is an ideal option for companies that need to create accounts for multiple teams with all the security guardrails and configurations already in place. The following AWS tools can help you achieve that objective:
- AWS CLI
- AWS API
- Account Factory for Terraform
- Account vending through Amazon Lex ChatBot
We will explain how to create an account using AWS CLI and AWS API.
Prerequisites
Before you start, bear in mind the following aspects:
- The AWS Control Tower setup (landing zone) should be available.
- The AWS Control Tower Account Factory template should be available with the required CIDR and subnet configuration.
- The AWS Control Tower Service Catalog products should be created and active.
- You will need an access key and a secret key for an existing admin user.
Creating an account on AWS CLI
First, install the AWS CLI to proceed with account creation. If you are using Linux, follow these steps:
- Set up environment variables with the access key and secret key.
- Retrieve the master account value and define the value for the admin ARN.
Retrieve the product ID for the account factory product in the region specified earlier.
Retrieve the provisioning artifact for the account factory.
Create a param.json file with the required parameters, as shown in the following screenshots:
Derive the catalog name and email ID from params.json. The catalog name can be anything unique; it can even be the same as the account name. Here we add the prefix “CatalogFor” to the account name.
To create a new account programmatically, you need to write this command:
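The CLI procedure above (credentials in environment variables, product and provisioning-artifact lookup, the parameters file, and provision-product) as one bash script. This is an added example, not code from the original post; the account name, e-mail addresses and organizational unit are constructed sample values, and the parameter keys are those of the Account Factory product.

```shell
# Added example: vends an account through the AWS Control Tower Account Factory
# product with the AWS CLI. Assumes the CLI is authenticated to the management
# account via AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_DEFAULT_REGION
# (short-lived role credentials are preferable to a long-lived admin access key).
set -eu

# Provisioned-product (catalog) name: the "CatalogFor" prefix plus the account name.
catalog_name() {
  printf 'CatalogFor%s\n' "$1"
}

# Write the Account Factory provisioning parameters (the post's param.json).
# $1 file, $2 account name, $3 account email, $4 SSO user email,
# $5 SSO first name, $6 SSO last name, $7 target organizational unit
write_params() {
  cat > "$1" <<EOF
[
  {"Key": "AccountName", "Value": "$2"},
  {"Key": "AccountEmail", "Value": "$3"},
  {"Key": "SSOUserEmail", "Value": "$4"},
  {"Key": "SSOUserFirstName", "Value": "$5"},
  {"Key": "SSOUserLastName", "Value": "$6"},
  {"Key": "ManagedOrganizationalUnit", "Value": "$7"}
]
EOF
}

# Read one parameter value back from the file ($1 file, $2 key); no jq needed.
param_value() {
  sed -n "s/.*\"Key\": \"$2\", \"Value\": \"\([^\"]*\)\".*/\1/p" "$1"
}

# Look up the Account Factory product and its active provisioning artifact in the
# current region, then provision it ($1 params file, $2 account name).
provision_account() {
  product_id=$(aws servicecatalog search-products-as-admin \
    --filters '{"FullTextSearch":["AWS Control Tower Account Factory"]}' \
    --query 'ProductViewDetails[0].ProductViewSummary.ProductId' --output text)
  artifact_id=$(aws servicecatalog list-provisioning-artifacts \
    --product-id "$product_id" \
    --query 'ProvisioningArtifactDetails[?Active==`true`]|[-1].Id' --output text)
  aws servicecatalog provision-product --product-id "$product_id" \
    --provisioning-artifact-id "$artifact_id" \
    --provisioned-product-name "$(catalog_name "$2")" \
    --provisioning-parameters "file://$1"
}

# Constructed sample values; set RUN_ACCOUNT_FACTORY=1 to call AWS for real.
PARAMS=$(mktemp)
write_params "$PARAMS" DataTeamDev data-team-dev@example.com admin@example.com Data Admin Sandbox
if [ "${RUN_ACCOUNT_FACTORY:-0}" = 1 ]; then provision_account "$PARAMS" DataTeamDev; fi
```

The provision-product output contains a ProvisionedProductId that can be polled with `aws servicecatalog describe-provisioned-product` until the account reaches the AVAILABLE status.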
AWS SDK API
Another way to create an AWS Control Tower account is through the AWS SDK.
For more details, refer to the AWS documentation.
Account Status
Now you can view the status of the created account in the AWS Control Tower console.
You will then receive an email about the account creation.
Steps to access AWS Control Tower Account
Go to the AWS Management Console and sign in.
Select root user, enter the root user email address, and complete the security check.
Now click Forgot password in the window that appears, then enter the captcha and the email address. You will receive a link at the root email address to reset the password.
Change the password and log in.
By following these steps, you will create an account with all the mandatory guardrails and SCPs (Service Control Policies) applied. There is no additional charge to use AWS Control Tower. However, when you set up AWS Control Tower, you will incur costs for the AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC), based on your usage of these services. You only pay for what you use.
Using AWS Control Tower gives organizations the flexibility and speed required to manage multiple accounts from a single dashboard. As a result, companies gain more control and visibility over their digital environment.