Set up Amazon S3 as the configuration source
When you set up Customizations for AWS Control Tower, it stores an initial
configuration file, called _custom-control-tower-configuration.zip
file in an
Amazon Simple Storage Service (Amazon S3) bucket, named custom-control-tower-configuration-
.account-ID
-region
Note
If you choose to download and modify this file, remember to zip the changes, save as a new file
named custom-control-tower-configuration.zip
, and then upload it back to
the same Amazon S3 bucket.
The Amazon S3 bucket is the default source of the pipeline. When default settings are in place, uploading a configuration zip file without the underscore prefix in the file name to the S3 bucket will initiate the pipeline automatically.
The zip file is protected by Server-Side Encryption (SSE) with AWS Key Management Service (AWS KMS), and denial of use of the KMS key. For access to the zip file, you must update the KMS Key Policy to specify the role(s) that should be granted access. The role may be an administrator role, a user, or both. Follow this procedure:
Navigate to the AWS Key Management Service console
. In Customer Managed Keys, select CustomControlTowerKMSKey.
Select the Key policy tab. Then, select Edit.
In the Edit key policy page, find the Allow Use of the key section in the code, and add one of the following permissions:
To add an administration role:
arn:aws:iam::
<account-ID>
:role/<administrator-role>
To add a user::
arn:aws:iam::
<account-ID>
:user/<username>
Select Save Changes.
Navigate to the Amazon S3 console
, find the S3 bucket containing the configuration zip file, and select download. Make the necessary configuration changes to the manifest file and template files. For information about customizing the manifest and template files, see CfCT customization guide.
Upload your changes:
Zip the modified configuration files, and name the file:
custom-control-tower-configuration.zip
.Upload the file to Amazon S3 using SSE with the AWS KMS master-key:
CustomControlTowerKMSKey
.