In this step your Cloud Administrators will use the AWS Control Tower service in your AWS Organizations management AWS account to establish an initial “landing zone” or a foundation of security guardrails and other resources that will help you manage use of the AWS platform. You can learn more by reviewing AWS Control Tower Features. Show
This step should take about 90 minutes to complete.
1. Log In as Administrator IAM UserLog in as the Administrator IAM user that you created in the last section before you use AWS Control Tower to set up your initial landing zone. 2. Create Landing Zone Using AWS Control TowerBefore using AWS Control Tower to create an initial landing zone, ensure that you review these considerations:
Follow the steps in Getting Started with AWS Control Tower to set up your landing zone. The set up process can take 20-60 minutes to complete. 3. Set AWS Account Root User Password and Enable MFASince AWS Control Tower creates two new member accounts while setting up the initial landing zone, you should follow AWS security best practices by setting the password and enabling MFA for the root user of each of the following accounts:
See Log In as Root User in the AWS Control Tower documentation for instructions to set the root user’s password. See Enable MFA on the AWS Account Root User for instructions to enable MFA. 4. Log In Via Control Tower Administrator UserAs part of the landing zone set up, AWS Control Tower creates a Control Tower Administrator user in the AWS Single-Sign On (AWS SSO) service in your management account. The email address associated with the management AWS account’s root user will receive a message containing an invite to activate the Control Tower Administrator user account. Review the invitation and accept it.  When accepting the invite, you will be directed to set the password for the Control Tower Administrator user. The email message you received contains a portal URL that you should bookmark given that it will be used by human users to access your new AWS accounts. 5. Configure Multi-Factor Authentication (MFA) RequirementsBefore adding any human users to AWS SSO and enabling the users to access your AWS environment in later sections, it’s a best practice to configure AWS SSO to require multi-factor authentication (MFA). In the following steps, you will modify your AWS SSO configuration to align with typical security best practices.
Auditing use of MFA: The configuration shown above does not force the use of MFA, but it does impose an additional overhead of a one-time password sent via email for users that have not yet registered an MFA device. You will likely want to establish either manual or automatic recurring audits to help ensure that your users have registered an MFA device. 6. Enable MFA via AWS SSO for Control Tower Administrator UserFollow the instruction in How to Register a Device for Use with Multi-Factor Authentication. 7. Receive and Process AWS Email MessagesAWS Organizations Email Verification RequestYou will receive one more email with subject AWS Organizations email verification request to the management account email address. Click on Verify your email address to continue with inviting newly created accounts into AWS Organization. AWS Notification Email Messages for Each RegionThe email address you provided for the audit account will receive AWS Notification - Subscription Confirmation emails from every AWS Region supported by AWS Control Tower. To receive compliance emails in your audit account, you must choose the Confirm subscription link within each email from each AWS Region supported by AWS Control Tower. 8. Review Role of New AWS AccountsAWS Control Tower created several new AWS accounts when it set up the landing zone.
9. Disable Account Factory VPC ProvisioningSince you will be provisioning VPCs directly using AWS CloudFormation, you need to ensure that the AWS Control Tower Account Factory network configuration is set to disable creation of a VPC when creating a new AWS account. Otherwise, the Account Factory will attempt to create a VPC each time you provision a new AWS account. See Configuring AWS Control Tower Without a VPC for details on disabling automatic creation of VPCs. 10. Review AWS Control Tower Best Practices for AdministratorsNow that you’ve set up your initial landing zone, take a few minutes to review Best Practices for Account Administrators so that you understand temporary limitations and other considerations when working with AWS Control Tower. Additionally, you should review Managing Resources Outside of AWS Control Tower so that you know how to update your landing zone when you change AWS account names, root user email addresses, and OU names. How do I create a landing zone in AWS?Set Up Landing Zone Using AWS Control Tower. Log In as Administrator IAM User.. Create Landing Zone Using AWS Control Tower.. Set AWS Account Root User Password and Enable MFA.. Log In Via Control Tower Administrator User.. Configure Multi-Factor Authentication (MFA) Requirements.. Which AWS configuration is required when enabling AWS control tower?AWS Control Tower uses AWS Config to implement detective guardrails. AWS Control Tower automatically enables AWS Config in the AWS Control Tower Regions, with configuration history and snapshots delivered to an Amazon S3 bucket located in a centralized Log Archive account.
What is AWS control tower landing zone?A landing zone is a well-architected, multi-account AWS environment based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.
Which AWS control tower components uses AWS service catalog for automated account provisioning?AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory. While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level.
|
