Set up for customization
The next sections give steps to set up Account Factory for the customization process. We recommend that you set up delegated admin for the hub account, before you begin these steps.
Summary
-
Step 1. Create the required role. Create an IAM role that grants permission for AWS Control Tower to have access to the (hub) account, where the Service Catalog products, also called blueprints, are stored.
-
Step 2. Create the AWS Service Catalog product. Create the AWS Service Catalog product (also called a “blueprint product”) that you'll need for baselining the custom account.
-
Step 3. Review your custom blueprint. Inspect the AWS Service Catalog product (blueprint) that you created.
-
Step 4. Call your blueprint to create a customized account. Enter the blueprint product information and the role information into the proper fields in Account Factory, in the AWS Control Tower console, while creating the account.
Step 1. Create the required role
Before you begin to customize accounts, you must set up a role that contains a trust relationship between AWS Control Tower and your hub account. When assumed, the role grants AWS Control Tower access to administer the hub account. The role must be named AWSControlTowerBlueprintAccess.
AWS Control Tower assumes this role to create a Portfolio resource on your behalf in AWS Service Catalog, then to add your blueprint as a Service Catalog Product to this Portfolio, and then to share this Portfolio, and your blueprint, with your member account during account provisioning.
You'll create the AWSControlTowerBlueprintAccess
role, as explained
in the following sections.
Navigate to the IAM console to set up the required role.
To set up the role in an enrolled AWS Control Tower account
-
Federate or sign in as the principal in the AWS Control Tower management account.
-
From the federated principal in the management account, assume or switch roles to the
AWSControlTowerExecution
role in the enrolled AWS Control Tower account that you select to serve as the blueprint hub account. -
From the
AWSControlTowerExecution
role in the enrolled AWS Control Tower account, create theAWSControlTowerBlueprintAccess
role with proper permissions and trust relationships.
Note
To comply with AWS best practices guidance, it's important that you sign out
of the AWSControlTowerExecution
role immediately after you create
the AWSControlTowerBlueprintAccess
role.
To prevent unintended changes to resources, the
AWSControlTowerExecution
role is intended for use by AWS Control Tower
only.
If your blueprint hub account isn't enrolled in AWS Control Tower, the
AWSControlTowerExecution
role won't exist in the account, and
there's no need to assume it before you continue with setting up the
AWSControlTowerBlueprintAccess
role.
To set up the role in an unenrolled member account
-
Federate or sign in as a principal in the account that you wish to designate as the hub account, by means of your preferred method.
-
When signed in as the principal in the account, create the
AWSControlTowerBlueprintAccess
role with proper permissions and trust relationships.
The AWSControlTowerBlueprintAccess role must be set up to grant trust to two principals:
-
The principal (user) that runs AWS Control Tower in the AWS Control Tower management account.
-
The role named
AWSControlTowerAdmin
in the AWS Control Tower management account.
Here's an example trust policy, similar to one you will need to include for your
role. This policy demonstrates the best practice of granting least-privilege access.
When you make your own policy, replace the term
YourManagementAccountId
with the
actual acccount ID of your AWS Control Tower management account, and replace the term
YourControlTowerUserRole
with the
identifier of the IAM role for your management account.
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": [ "arn:aws:iam::YourManagementAccountId:role/service-role/AWSControlTowerAdmin", "arn:aws:iam::YourManagementAccountId:role/YourControlTowerUserRole" ] }, "Action": "sts:AssumeRole" } ] }
Required permissions policy
AWS Control Tower requires that the managed policy named
AWSServiceCatalogAdminFullAccess
must be attached to the
AWSControlTowerBlueprintAccess
role. This policy provides
permissions that AWS Service Catalog looks for when it allows AWS Control Tower to administer your portfolio
and AWS Service Catalog Product resources. You can attach this policy when you're creating the role
in the IAM console.
Additional permissions may be required
If you store your blueprints in Amazon S3, AWS Control Tower also requires the
AmazonS3ReadOnlyAccess
permission policy for theAWSControlTowerBlueprintAccess
role.The AWS Service Catalog Terraform type of product requires you to add some additional permissions to the AFC custom IAM policy, if you don't utilize the default Admin policy. It requires these in addition to the permissions required to create the resources that you define in your terraform template.
Step 2. Create the AWS Service Catalog product
To create an AWS Service Catalog product, follow the steps at Creating products in the AWS Service Catalog Administrator Guide. You'll add your account blueprint as a template when you create the AWS Service Catalog product.
Important
As a result of HashiCorp's updated Terraform licensing, AWS Service Catalog changed support for Terraform Open Source products and provisioned products to a new product type, called External. To learn more about how this change effects AFC, including how to update your existing account blueprints to the External product type, review Transition to External product type.
Summary of steps to create a blueprint
-
Create or download an AWS CloudFormation template or Terraform tar.gz configuration file that will become your account blueprint. Some template examples are given later in this section.
-
Sign in to the AWS account where you store your Account Factory blueprints (sometimes called the hub account).
-
Navigate to the AWS Service Catalog console. Choose Product list, and then choose Upload new product.
-
In the Product details pane, enter details for your blueprint product, such as a name and description.
-
Select Use a template file and then select Choose file. Select or paste the template or configuration file you've developed or downloaded for use as your blueprint.
-
Choose Create product at the bottom of the console page.
You can download an AWS CloudFormation template from the AWS Service Catalog reference architecture
repository. One example from that repository helps set up a backup plan for your
resources
Here's an example template, for a fictitious company called Best Pets. It helps set up a connection to their pet database.
Resources: ConnectionStringGeneratorLambdaRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Version: "2012-10-17" Statement: - Effect: Allow Principal: Service: - lambda.amazonaws.com Action: - "sts:AssumeRole" ConnectionStringGeneratorLambda: Type: AWS::Lambda::Function Properties: FunctionName: !Join ['-', ['ConnectionStringGenerator', !Select [4, !Split ['-', !Select [2, !Split ['/', !Ref AWS::StackId]]]]]] Description: Retrieves the connection string for this account to access the Pet Database Role: !GetAtt ConnectionStringGeneratorLambdaRole.Arn Runtime: nodejs16.x Handler: index.handler Timeout: 5 Code: ZipFile: > const response = require("cfn-response"); exports.handler = function (event, context) { const awsAccountId = context.invokedFunctionArn.split(":")[4] const connectionString= "fake connection string that's specific to account " + awsAccountId; const responseData = { Value: connectionString, } response.send(event, context, response.SUCCESS, responseData); return connectionString; }; ConnectionString: Type: Custom::ConnectionStringGenerator Properties: ServiceToken: !GetAtt ConnectionStringGeneratorLambda.Arn PetDatabaseConnectionString: DependsOn: ConnectionString # For example purposes we're using SSM parameter store. # In your template, use secure alternatives to store # sensitive values such as connection strings. Type: AWS::SSM::Parameter Properties: Name: pet-database-connection-string Description: Connection information for the BestPets pet database Type: String Value: !GetAtt ConnectionString.Value
Step 3. Review your custom blueprint
You can view your blueprint in the AWS Service Catalog console. For more information, see Managing products in the Service Catalog Adminstrator Guide.
Step 4. Call your blueprint to create a customized account
When you follow the Create account workflow in the AWS Control Tower console, you'll see an optional section where you can enter information about the blueprint you'd like to use for customizing accounts.
Note
You must set up your customization hub account and add at least one blueprint (Service Catalog product) before you can enter that information into the AWS Control Tower console and begin to provision customized accounts.
Create or update a customized account in the AWS Control Tower console.
-
Enter the account ID for the account that contains your blueprints.
-
From that account, select an existing Service Catalog product (existing blueprint).
-
Select the proper version of the blueprint (Service Catalog product), if you have more than one version.
-
(Optional) You can add or change a blueprint provisioning policy at this point in the process. The blueprint provisioning policy is written in JSON and attached to an IAM role, so it can provision the resources that are specified in the blueprint template. AWS Control Tower creates this role in the member account so that Service Catalog can deploy resources using AWS CloudFormation stack sets. The role is named
AWSControlTower-BlueprintExecution-bp-
. Thexxxx
AdministratorAccess
policy is applied here by default. -
Choose the AWS Region or Regions in which you wish to deploy accounts based on this blueprint.
-
If your blueprint contains parameters, you can enter the values for the parameters into additional fields in the AWS Control Tower workflow. The additional values may include: a GitHub repository name, a GitHub branch, an Amazon ECS cluster name, and a GitHub identity for the repository owner.
-
You can customize accounts at a later time by following the Account update process, if your hub account or blueprints are not yet ready.
For more details, see Create a customized account from a blueprint.