Control Tower LZA Setup¶
The article below contains a step-by-step guide for setting up a Landing Zone via Control Tower and the necessary steps to deploy the Landing Zone Accelerator on AWS.
At the end of this guide you’ll have the following implemented based on the config settings you selected:
- Best Practices
    - Organizational Units (OUs)
        - Root (contains all OUs and accounts below)
            - Root account (Management account)
            - Infrastructure
                - Contains accounts named: SharedServices, Network
            - Security
                - Contains accounts named: Audit, LogArchive
            - Testing
                - Contains accounts named: Testing-Workload
    - SecurityHub
        - AWS Foundational Security Best Practices v1.0.0
        - PCI DSS v3.2.1
        - CIS AWS Foundations Benchmark v1.4.0
        - NIST Special Publication 800-53 Revision 5
    - AWS Identity Center (used to be AWS SSO)
    - Transit Gateway
    - Service Control Policies (SCPs)
        - Enforce S3 Encryption
        - Blocks creating Internet Gateways with EC2 instances
        - Enforce EBS Encryption
        - Prevents modification of settings/logs/policies related to LZA
        - Prevents termination of GuardDuty or its resources
        - Prevents modification of Macie or its resources
        - Creates quarantine policy denying all actions on all services as a BreakGlass role
    - AWS Macie
    - AWS GuardDuty
    - AWS Audit Manager
    - Cost Usage Reports and Budget Notifications
    - AWS Backup Vault in Root OU
    - CloudWatch alarms for any policy changes regarding encryption, logging, VPCs, etc.
    - Reference: Best practices configuration - Landing Zone Accelerator on AWS
- HIPAA
    - Organizational Units (OUs)
        - Root (contains all OUs and accounts below)
            - Root account (Management account)
            - HIS
                - HIS-Non-Prod
                    - Contains accounts named: Pacs-Non_Prod
                - HIS-Prod
                    - Contains accounts named: Pms-Prod
            - EIS
            - Infrastructure
                - Infra-Dev
                    - Contains accounts named: Network-DEV
                - Infra-Prod
                    - Contains accounts named: Network-Prod
            - Security
                - Contains accounts named: Audit, LogArchive
    - SecurityHub
        - AWS Foundational Security Best Practices v1.0.0
        - PCI DSS v3.2.1
        - CIS AWS Foundations Benchmark v1.4.0
        - NIST Special Publication 800-53 Revision 5
        - Blocks Non-HIPAA Eligible services
    - AWS Identity Center (used to be AWS SSO)
    - Transit Gateway
    - Service Control Policies (SCPs)
        - Enforce S3 Encryption
        - Blocks creating Internet Gateways with EC2 instances
        - Enforce EBS Encryption
        - Prevents modification of settings/logs/policies related to LZA
        - Prevents termination of GuardDuty or its resources
        - Prevents modification of Macie or its resources
        - Creates quarantine policy denying all actions on all services as a BreakGlass role
        - Blocks use of all AWS services that are not HIPAA compliant
    - AWS Macie
    - AWS GuardDuty
    - AWS Audit Manager
    - Cost Usage Reports and Budget Notifications
    - AWS Backup Vault in Root OU
    - CloudWatch alarms for any policy changes regarding encryption, logging, VPCs, etc.
    - Reference: https://aws.amazon.com/blogs/industries/introducing-landing-zone-accelerator-for-healthcare/
Special Notes¶
- You cannot have CloudTrail already configured in the management account.
- All configuration should be done in the management account for the Organization.
- Control Tower will create a new OU with additional accounts in it for security purposes.
- You will need to be an Organization Administrator to complete this.
- You will need the ability to create, at a minimum, six unique email distribution lists (or individual email addresses) for the additional accounts these instructions walk through setting up.
Pre-Requisites¶
- AWS CLI Version >= 2.7
- Root access to the account where you want to spin up Control Tower
- Multiple UNIQUE emails will be required in this process. You have 2 options:
    - Test if the customer's email provider allows for + annotation in their email addresses: send an email to the Root account's email address adding `+test` right before the @ (root+test@domain.com). If they get the email at root@domain.com, then no additional steps are required.
    - If + annotation does not work, you must have the customer provision all of the required accounts ahead of time; scroll through the docs and figure out how many/which ones you need. It can be as few as 2 if you're not running a best practices file, up to 6 if you're running all of HIPAA.
Landing Zone Setup¶
For additional information on how to configure Landing Zone, see the official AWS Docs on Getting started with AWS Control Tower.
- Log into the Management Account console with an administrator account.
- Create an IAM role named `Admin`:
    - Navigate to IAM in your Root account
    - Select Roles on the left hand side of the screen
    - Select Create Role
    - Select AWS Account
    - Click Next
    - Type `AdministratorAccess` in the search bar and hit enter
    - Select the (hopefully first) permission policy named AdministratorAccess
    - Click Next
    - Name the role `Admin`
    - Scroll down and click Create role
- Create an AWS KMS key for AWS Control Tower:
    - Navigate to the AWS Key Management Service (KMS) console and ensure you've selected the region in which AWS Control Tower will be deployed
    - Click Create a key
    - In the Configure key step confirm the default settings: Key type: Symmetric; Key usage: Encrypt and decrypt
    - Under Advanced options: Key Material Origin: KMS; Regionality: Single-Region Key
    - Click Next
    - In the Alias text box enter `control-tower/cmk`. Add a Description if desired.
    - Click Next
    - On the Define the key administrative permissions step select the IAM Role/User that will perform the AWS Control Tower launch. If your user does not show up, skip this step and click Next.
    - Click Next
    - On the Define key usage permissions step click Next
    - On the Review step modify the Key policy JSON and make sure the generated policy contains all 3 of the statement blocks below; if not, overwrite it with what's below and add in your account number where required. This will allow AWS Config and CloudTrail to use the key.
    - Click Finish
- In the search bar, type Control Tower then select the result.
- Select Set up landing zone
- Home Region: us-east-1
- Region deny setting: Enable. This is helpful to avoid creating resources in regions that are not supported by your organization.
- Additional AWS Regions for governance: Add additional supported regions for your organization.
- Foundational OU: Leave it named Security
- Additional OU: Name it Infrastructure (not Sandbox; this name is required for LZA later. If you miss this step, it's fixable, just annoying and more steps.)
- Log archive account: Create a new account or use an existing one. You will need a unique email that has not been used for this account.
- Audit account: Create a new account or use an existing one. You will need a unique email that has not been used for this account.
- AWS CloudTrail configuration: Enabled (unless you want to manage CloudTrail logs manually)
- Log configuration for Amazon S3: I left these as the default values. They can be overridden.
- KMS Encryption: Enable or disable. Go ahead and enable it now, as the LZA requires it to be enabled. Follow the below steps:
    - Check the Enable box
    - Choose the key made during the KMS step above (alias `control-tower/cmk`)
- Click Next
- Review the final setup page for AWS Control Tower to ensure all settings are correct
- Accept the Service permissions
- Click Set up landing zone
- Configure your GitHub creds and patiently wait while Control Tower is created. The landing zone will take over an hour to configure.
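The KMS key step above asks you to confirm that the generated key policy really carries the statements that let AWS Config and CloudTrail use the key before you click Finish. The following check is an added example, not code from this guide or from AWS: it parses a key policy as pasted from the console and reports which service grants are missing. The sample policy, account id and key ARN are constructed placeholders, and the action set each service is required to hold is this example's own assumption.

```python
"""Check that a KMS key policy grants AWS Config and CloudTrail the access
Control Tower needs. Added example, not part of the original guide; the
sample policy below is constructed with placeholder account/region values."""
import json

# Constructed sample: the kind of policy the KMS console generates for the
# control-tower/cmk key once the Config and CloudTrail statements are added.
ACCOUNT_ID = "111111111111"   # placeholder, not a real account id
REGION = "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT_ID}:key/00000000-0000-0000-0000-000000000000"

SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # default statement: the account root keeps full control of the key
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "kms:*",
            "Resource": "*",
        },
        {
            "Sid": "Allow Config to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "config.amazonaws.com"},
            "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
            "Resource": KEY_ARN,
        },
        {
            "Sid": "Allow CloudTrail to use KMS for encryption",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
            "Resource": KEY_ARN,
            "Condition": {
                "StringLike": {
                    "kms:EncryptionContext:aws:cloudtrail:arn":
                        f"arn:aws:cloudtrail:*:{ACCOUNT_ID}:trail/*"
                }
            },
        },
    ],
}

# Assumed minimum each service principal must be allowed on the key.
REQUIRED = {
    "config.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
    "cloudtrail.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
}

def _as_list(value):
    """IAM lets Action/Principal fields be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _action_matches(granted: str, needed: str) -> bool:
    """IAM action matching with a trailing '*' wildcard (e.g. kms:GenerateDataKey*)."""
    if granted in ("*", "kms:*"):
        return True
    if granted.endswith("*"):
        return needed.startswith(granted[:-1])
    return granted == needed

def missing_grants(policy: dict) -> dict:
    """Return {service_principal: set(actions still missing)}; empty means all present."""
    granted = {svc: set() for svc in REQUIRED}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal is a string, not a dict, and names no service.
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        for svc in services:
            if svc not in REQUIRED:
                continue
            for needed in REQUIRED[svc]:
                if any(_action_matches(g, needed) for g in actions):
                    granted[svc].add(needed)
    return {svc: REQUIRED[svc] - granted[svc] for svc in REQUIRED if REQUIRED[svc] - granted[svc]}

def check_key_policy_json(text: str) -> dict:
    """Parse a key policy as pasted from the console and report missing grants."""
    return missing_grants(json.loads(text))

if __name__ == "__main__":
    problems = check_key_policy_json(json.dumps(SAMPLE_KEY_POLICY))
    print("OK: Config and CloudTrail grants present" if not problems else f"Missing grants: {problems}")
```

Run it against the policy you are about to save; a non-empty result means Control Tower's Config recorder or CloudTrail will fail to encrypt with the key, which typically surfaces only after the landing zone setup has already been running for a while.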
Configure Github Credentials to access LZA repository¶
- Follow these instructions: Managing your personal access tokens - GitHub Docs
- When creating the token:
    - Deselect the checkbox for repo that selects everything under it
    - Select the public_repo option
- Copy the token created
- Store the token in Secrets Manager in your Management (Root) Account in AWS:
    - In the AWS Management Console, navigate to Secrets Manager
    - Click Store a new secret
    - On the Choose secret type step select Other type of secret
    - Select the Plaintext tab
    - Completely remove the example text and paste your token with no formatting and no leading or trailing spaces
    - Select the aws/secretsmanager encryption key
    - Click Next
    - On the Configure secret step set the Secret name to `accelerator/github-token`
    - On the Configure rotation step click Next
    - On the Review step click Store
Deploying LZA¶
Setting up the LZA CloudFormation Pipeline¶
- Go to the following URL https://docs.aws.amazon.com/solutions/latest/landing-zone-accelerator-on-aws/step-1.-launch-the-stack.html
- Click the blue button named Launch Solution
- This will automatically take you into your AWS account (if not, you may have to log in), and it will eventually get you to a CloudFormation Create Stack page
- Click Next
- Name the stack `AWSAccelerator-InstallerStack`
- Scroll down to the Mandatory Accounts Configuration section
- Add in your root account, log archive account, and audit account emails to their respective boxes
- Click Next
- On the Configure stack options page, click Next
- On the Review page, review and confirm the settings. Check the box acknowledging that the template will create AWS Identity and Access Management (IAM) resources
- Click Submit to deploy the stack
Create personal AWS SSO Account¶
- Navigate to IAM Identity Center in your Root/management account
- Select Users on the left hand side of your screen
- Click the orange Add user button
- Enter your required user info:
    - Username
    - Email address (entered twice, the address and its confirmation)
    - First name
    - Last name
    - Display name automatically populates; everything else can be left blank
- Click Next
- Check the box next to every group that has “Admin” in the name, should be 4 in total
- Click Next
- Double-check the email, scroll to the bottom and click Add user
- Go to your email, find the invitation, and set up your account/password
Configuring AWS Profile¶
Once you have SSO configured, you can set up the AWS CLI for SSO authentication. You will need to do this in order to run the Terraform configuration and provision the AFT and Logging Accounts.
For more information on how to configure SSO with the AWS CLI, see the official docs for Configure the AWS CLI to use AWS IAM Identity Center (successor to AWS Single Sign-On) - AWS Command Line Interface.
Steps:
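The CLI side of the SSO setup is left to the linked AWS docs. As an added example (not code from this guide), the Python below renders the `~/.aws/config` stanza that AWS CLI v2 uses for IAM Identity Center, validates it with `configparser`, and derives the `codecommit://` clone URL that the later clone step expects to carry the same profile name. The start URL, account id, session name and role name are placeholders.

```python
"""Render and validate an AWS CLI v2 IAM Identity Center (SSO) profile, and derive
the git-remote-codecommit clone URL that uses it. Added example, not from the
original guide; all identifiers below are placeholders."""
import configparser

def sso_profile_config(start_url: str, sso_region: str, account_id: str,
                       role_name: str, session_name: str = "lza-sso") -> str:
    """Build an [sso-session] + [profile] pair. The profile is named <role>-<account id>,
    which matches the profile name the guide's clone command uses."""
    profile = f"{role_name}-{account_id}"
    return (
        f"[sso-session {session_name}]\n"
        f"sso_start_url = {start_url}\n"
        f"sso_region = {sso_region}\n"
        f"sso_registration_scopes = sso:account:access\n"
        f"\n"
        f"[profile {profile}]\n"
        f"sso_session = {session_name}\n"
        f"sso_account_id = {account_id}\n"
        f"sso_role_name = {role_name}\n"
        f"region = {sso_region}\n"
        f"output = json\n"
    )

def codecommit_clone_url(profile: str, repo: str) -> str:
    """git-remote-codecommit URL form: codecommit://<profile>@<repository name>."""
    return f"codecommit://{profile}@{repo}"

REQUIRED_PROFILE_KEYS = {"sso_session", "sso_account_id", "sso_role_name", "region"}
REQUIRED_SESSION_KEYS = {"sso_start_url", "sso_region"}

def validate_sso_config(text: str, profile: str) -> list:
    """Return a list of problems with the config text; empty means the profile is usable."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    section = f"profile {profile}"
    if not cp.has_section(section):
        return [f"missing section [{section}]"]
    prof = cp[section]
    problems = [f"{section}: missing {key}" for key in sorted(REQUIRED_PROFILE_KEYS - set(prof))]
    session = prof.get("sso_session")
    if session:
        sess_section = f"sso-session {session}"
        if not cp.has_section(sess_section):
            problems.append(f"missing section [{sess_section}]")
        else:
            problems += [f"{sess_section}: missing {key}"
                         for key in sorted(REQUIRED_SESSION_KEYS - set(cp[sess_section]))]
    if prof.get("sso_account_id") and not prof["sso_account_id"].isdigit():
        problems.append("sso_account_id must be the 12-digit account id")
    return problems

if __name__ == "__main__":
    # Placeholder values; replace with your Identity Center start URL and management account id.
    cfg = sso_profile_config("https://d-example.awsapps.com/start", "us-east-1",
                             "111111111111", "AWSAdministratorAccess")
    print(cfg)
    print("problems:", validate_sso_config(cfg, "AWSAdministratorAccess-111111111111"))
    print("clone with:", codecommit_clone_url("AWSAdministratorAccess-111111111111", "aws-accelerator-config"))
```

After appending the rendered stanza to `~/.aws/config`, `aws sso login --profile <profile>` obtains the session and the `codecommit://<profile>@aws-accelerator-config` URL in the clone steps below resolves credentials through that same profile, so the identity used to push config changes is the SSO user rather than a long-lived access key.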
Choose which section below relates to your use case; Basic, HIPAA, Financial¶
Apply basic Best Practices & deploy with LZA¶
- Clone the repo created in CodeCommit:
    - If you do not have `python` installed, install it: Download Python
    - Make sure `python` is added to your path and can be run in your terminal of choice
    - Check if `pip` was automatically installed; if not, install it: Installation - pip documentation v23.1.2
    - Run the command `pip install git-remote-codecommit`
    - Navigate to where you want the repository to live on your local machine
    - Run the command `git clone codecommit://AWSAdministratorAccess-<your root account id>@aws-accelerator-config`
- Navigate to where you want the sourcefuse best practices repo to live and clone it: sourcefuse/arc-lza-config
- Copy all the files from sourcefuse/arc-lza-config over the files cloned from CodeCommit in aws-accelerator-config (replace everything that came from AWS)
- Navigate back to aws-accelerator-config and modify the `accounts-config.yml` file:
    - Replace the line asking for the Root account email
    - Replace the line asking for the Logging account email
    - Replace the line asking for the Audit account email
    - Replace the line asking for the Shared Services account email (this will be a new unique email, e.g. user+sharedservices@email.com)
    - Replace the line asking for the Network account email (this will be a new unique email, e.g. user+network@email.com)
    - Replace the line asking for the Testing Workload account email (this will be a new unique email, e.g. user+testingworkload@email.com)
    - Save the file
- Modify the `global-config.yaml` file:
    - Replace the line asking for the Security account email (this will be a new unique email, e.g. lzdemo1+security@test.com)
    - Replace all 5 of the lines asking for a `UNIQUE EMAIL FOR BUDGET` with the same email (this will be a new unique email, e.g. lzdemo1+budget@test.com)
- Git add all the new files/changes, git commit, git push origin main
    - This will update everything in CodeCommit with our current best practices
- Create the `Testing` OU:
    - Navigate to Control Tower in your Root/Management account
    - Click the orange Create resources button
    - Select Create organizational unit
    - Name it `Testing`
    - Set the Parent OU to Root
- Navigate to CodeCommit in your Root/Management account to validate your changes are present
- Navigate to CodePipeline in your Root/Management account and select `AWSAccelerator-Pipeline`
    - Click the orange Release Change button
    - Click Release
- Wait very patiently, as this will take upwards of 2 hours
Apply HIPAA Best Practices & deploy with LZA¶
- Clone the repo created in CodeCommit:
    - If you do not have `python` installed, install it: Download Python
    - Make sure `python` is added to your path and can be run in your terminal of choice
    - Check if `pip` was automatically installed; if not, install it: Installation - pip documentation v23.1.2
    - Run the command `pip install git-remote-codecommit`
    - Navigate to where you want the repository to live on your local machine
    - Run the command `git clone codecommit://AWSAdministratorAccess-<your root account id>@aws-accelerator-config`
- Navigate to where you want the sourcefuse best practices repo to live and clone it: sourcefuse/arc-lza-config
- Copy all the files from sourcefuse/arc-lza-config/best-practices over the files cloned from CodeCommit in aws-accelerator-config (replace everything that came from AWS)
- Copy all the files from sourcefuse/arc-lza-config/hipaa over the top of the best practices files you just copied into aws-accelerator-config
    - When your file system asks you about overwriting or skipping files, select overwrite for all of them
- Navigate back to aws-accelerator-config and modify the `accounts-config.yml` file:
    - Replace the line asking for the Root account email
    - Replace the line asking for the Logging account email
    - Replace the line asking for the Audit account email
    - Replace the line asking for the Network Dev account email (this will be a new unique email, e.g. user+network-dev@test.com)
    - Replace the line asking for the Network Prod account email (this will be a new unique email, e.g. user+network-prod@test.com)
    - Replace the line asking for the Non Prod PACS account email (this will be a new unique email, e.g. user+pacs-non-prod@test.com)
    - Replace the line asking for the PMS Prod account email (this will be a new unique email, e.g. user+pms-prod@test.com)
    - Save the file
- Modify the `global-config.yaml` file:
    - Replace the line asking for the Security account email (this will be a new unique email, e.g. user+security@test.com)
    - Replace all 5 of the lines asking for a `UNIQUE EMAIL FOR BUDGET` with the same email (this will be a new unique email, e.g. user+budget@test.com)
- Git add all the new files/changes, git commit, git push origin main
    - This will update everything in CodeCommit with our current best practices
- Create the HIPAA required OUs:
    - Navigate to Control Tower in your Root/Management account
    - Scroll down to your current OU list and click View Organizations, or click Organization on the left side bar
    - Click the orange Create resources button
    - Select Create organizational unit
    - Name it `HIS`
    - Set the Parent OU to Root
    - Repeat those steps but name the next one `EIS`
    - Once `HIS` and `EIS` are done, click on your `Infrastructure` OU
    - Repeat the steps to create an OU twice, naming the new OUs `Infra-Prod` and `Infra-Dev`. Note: these 2 OUs are nested inside the `Infrastructure` OU
    - Navigate up a level and click on your recently created `HIS` OU, then create 2 more OUs, naming them `HIS-Non-Prod` and `HIS-Prod`. Note: these 2 OUs are nested inside the `HIS` OU
- Navigate to CodeCommit in your Root/Management account to validate your changes are present
- Navigate to CodePipeline in your Root/Management account and select `AWSAccelerator-Pipeline`
    - Click the orange Release Change button
    - Click Release
- Wait very patiently, as this will take upwards of 2 hours
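Both the basic and the HIPAA procedures above edit `accounts-config` by hand, require every account email to be unique, and depend on OUs (Testing, HIS, EIS, Infra-Dev, Infra-Prod, HIS-Non-Prod, HIS-Prod) having been created in Control Tower before the pipeline is released; a mismatch costs a two-hour pipeline run. The pre-flight check below is an added example, not code from this guide or from the LZA project: it reads the account entries with a deliberately minimal line parser (not a YAML library) written for the flat `name` / `email` / `organizationalUnit` list shape, and reports placeholder or duplicate emails and OUs that do not exist yet. The sample config is constructed for the HIPAA layout, and writing nested OUs as `Parent/Child` paths is this example's assumption about how the config refers to them.

```python
"""Pre-flight check for an LZA accounts-config before releasing the pipeline: every
account email is replaced and unique, and every organizationalUnit already exists in
Control Tower. Added example, not from the guide or the LZA project; the sample config
and account names are constructed."""
import re

# Constructed sample in the shape of the guide's HIPAA accounts-config.
# Nested OUs are written as parent/child paths (assumed notation).
SAMPLE_ACCOUNTS_CONFIG = """\
mandatoryAccounts:
  - name: Management
    email: user+root@example.com
    organizationalUnit: Root
  - name: LogArchive
    email: user+logarchive@example.com
    organizationalUnit: Security
  - name: Audit
    email: user+audit@example.com
    organizationalUnit: Security
workloadAccounts:
  - name: Network-Dev
    email: user+network-dev@example.com
    organizationalUnit: Infrastructure/Infra-Dev
  - name: Network-Prod
    email: user+network-prod@example.com
    organizationalUnit: Infrastructure/Infra-Prod
  - name: Pacs-Non-Prod
    email: user+pacs-non-prod@example.com
    organizationalUnit: HIS/HIS-Non-Prod
  - name: Pms-Prod
    email: user+pms-prod@example.com
    organizationalUnit: HIS/HIS-Prod
"""

# OUs the HIPAA section has you create in Control Tower, as paths.
HIPAA_OUS = {"Root", "Security", "Infrastructure", "Infrastructure/Infra-Dev",
             "Infrastructure/Infra-Prod", "HIS", "HIS/HIS-Non-Prod", "HIS/HIS-Prod", "EIS"}
# OUs the basic best-practices section relies on.
BASIC_OUS = {"Root", "Security", "Infrastructure", "Testing"}

_ITEM = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
_FIELD = re.compile(r"^\s+(email|organizationalUnit):\s*(.+?)\s*$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def parse_accounts(text: str) -> list:
    """Collect (name, email, organizationalUnit) for each '- name:' entry in the config."""
    accounts = []
    for line in text.splitlines():
        m = _ITEM.match(line)
        if m:
            accounts.append({"name": m.group(1)})
            continue
        m = _FIELD.match(line)
        if m and accounts:
            accounts[-1][m.group(1)] = m.group(2)
    return accounts

def validate_accounts(text: str, existing_ous: set) -> list:
    """Return a list of problems; an empty list means the config is safe to push."""
    problems = []
    seen = {}   # lower-cased email -> account name that already uses it
    for acct in parse_accounts(text):
        name = acct["name"]
        email = acct.get("email", "")
        ou = acct.get("organizationalUnit", "")
        # '<<...>>' is the placeholder style the guide tells you to replace.
        if not email or "<<" in email or not _EMAIL.match(email):
            problems.append(f"{name}: email not replaced or malformed ({email!r})")
        elif email.lower() in seen:
            problems.append(f"{name}: email {email} already used by {seen[email.lower()]}")
        else:
            seen[email.lower()] = name
        if ou not in existing_ous:
            problems.append(f"{name}: OU {ou!r} does not exist in Control Tower; create it before releasing the pipeline")
    return problems

if __name__ == "__main__":
    for problem in validate_accounts(SAMPLE_ACCOUNTS_CONFIG, HIPAA_OUS) or ["OK: config is consistent"]:
        print(problem)
```

For the basic procedure, run the same check with `BASIC_OUS` and the Testing-Workload, SharedServices and Network entries; the OU set is the list of OUs you have actually created in the Control Tower console, so keep it honest rather than copying the config's own values into it.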