Component services
The following AWS services are components of Customizations for AWS Control Tower (CfCT).
AWS CodeCommit
If you have an existing AWS CodeCommit repository, you can configure it as a source for your pipeline, as an alternative to Amazon S3.
Based on your input to the AWS CloudFormation template, CfCT can create an AWS CodeCommit
To clone the CfCT AWS CodeCommit repository to your local computer, you must create credentials that give you temporary access to the repository, as explained in the AWS CodeCommit User Guide. For information about version compatibility, see Setting up for AWS CodeCommit.
Note
If you do not already use CodeCommit, your only option is to set up the Amazon S3 bucket as the storage location for your configuration package. CodeCommit is not available if you are deploying CfCT for the first time.
AWS CodePipeline
AWS CodePipeline validates, tests, and implements changes based on updates to the configuration package, which you'll make in either the default Amazon S3 bucket or the AWS CodeCommit repository. For more information about configuration source control, see Using Amazon S3 as the Configuration Source. The pipeline includes stages to validate and manage the configuration files and templates, core accounts, AWS Organizations service control policies, and AWS CloudFormation StackSets. For more information about the pipeline stages, refer to the CfCT customization guide.
AWS Key Management Service
CfCT creates an AWS Key Management Service encryption key named CustomControlTowerKMSKey. This key is used to encrypt objects in the Amazon S3 configuration bucket, the Amazon SQS queue, and sensitive parameters in the AWS Systems Manager Parameter Store. By default, only roles provisioned by CfCT have permission to perform encryption or decryption operations with this key. For access to the configuration file, FIFO queue, or Parameter Store SecureString values, administrators must be added to the CustomControlTowerKMSKey policy. Automatic key rotation is enabled by default.
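Because the key policy is the only thing standing between an administrator and the SecureString values, it is worth checking who the policy actually lets decrypt. The following script is an added example, not code from the CfCT project: it evaluates a KMS key policy document and lists the principals allowed a given action. SAMPLE_KEY_POLICY is a constructed policy shaped like the default described above (only CfCT roles may encrypt and decrypt) with an administrator statement appended; the account id 111122223333 and all role names are placeholders.

```python
"""Report which principals a KMS key policy lets use the key.

Added example, not code from the CfCT project. SAMPLE_KEY_POLICY is a
constructed policy shaped like the CustomControlTowerKMSKey default described
above (CfCT roles may encrypt/decrypt) with an administrator statement appended;
the account id 111122223333 and the role names are placeholders.
"""
import fnmatch
import json
from typing import Dict, List

CFCT_ROLES = [
    "arn:aws:iam::111122223333:role/CfCT-CodePipelineRole",  # placeholder
    "arn:aws:iam::111122223333:role/CfCT-LambdaRole",        # placeholder
]
ADMIN_ROLE = "arn:aws:iam::111122223333:role/KeyAdministrator"  # placeholder

SAMPLE_KEY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowCfCTRolesToUseTheKey",
            "Effect": "Allow",
            "Principal": {"AWS": CFCT_ROLES},
            "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                       "kms:GenerateDataKey*", "kms:DescribeKey"],
            "Resource": "*",
        },
        {
            # The statement an administrator would be added under.
            "Sid": "AllowAdministratorsToReadSecureStrings",
            "Effect": "Allow",
            "Principal": {"AWS": ADMIN_ROLE},
            "Action": ["kms:Decrypt", "kms:DescribeKey"],
            "Resource": "*",
        },
    ],
})


def _as_list(value) -> list:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement: Dict) -> List[str]:
    """Principals named by a statement; a bare "*" means anyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return [str(p) for p in _as_list(principal.get("AWS", []))]


def _action_matches(patterns: List[str], action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def principals_allowed(policy_json: str, action: str) -> List[str]:
    """Principals with an Allow for `action` and no explicit Deny.

    Conditions and NotAction/NotPrincipal are not evaluated, so the result is
    an upper bound on who can use the key, which is what a review wants.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _action_matches(_as_list(stmt.get("Action", [])), action):
            continue
        bucket = denied if stmt.get("Effect") == "Deny" else allowed
        bucket.update(_principals(stmt))
    return sorted(allowed - denied)


def unexpected_principals(policy_json: str, action: str, expected: List[str]) -> List[str]:
    """Principals allowed `action` that are not on the expected list.

    Anything returned here is a finding to review: an administrator you added
    deliberately, or a "*" that should not be there.
    """
    return [p for p in principals_allowed(policy_json, action) if p not in expected]


if __name__ == "__main__":
    print("kms:Decrypt allowed for:", principals_allowed(SAMPLE_KEY_POLICY, "kms:Decrypt"))
    print("not on the CfCT role list:",
          unexpected_principals(SAMPLE_KEY_POLICY, "kms:Decrypt", CFCT_ROLES))
```

In a real account you would feed the output of a get-key-policy call into principals_allowed instead of the constructed sample, and compare the result against the list of roles the CfCT stack provisioned plus the administrators you intentionally added.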
AWS Lambda
CfCT uses AWS Lambda functions to invoke the installation components during the initial installation, and to deploy AWS CloudFormation StackSets or AWS Organizations SCPs during an AWS Control Tower lifecycle event.
Amazon Simple Notification Service
CfCT may publish notifications, such as pipeline approval requests, to Amazon Simple Notification Service (Amazon SNS).
Amazon Simple Storage Service
When you deploy CfCT, CfCT creates an Amazon Simple Storage Service (Amazon S3) bucket with a unique name:
Example: Amazon S3 bucket name
custom-control-tower-configuration-accountID-region
The bucket contains a sample configuration file called _custom-control-tower-configuration.zip. Notice the leading underscore in the file name.
This zip file provides a sample manifest and the related sample templates that describe the necessary folder structure. These examples help you develop a configuration package to customize your AWS Control Tower landing zone. The sample manifest identifies the required configurations for the stack sets and service control policies (SCPs) you'll need when you implement your customizations.
You can use this sample configuration package as a model to develop and upload your custom package, which triggers the CfCT configuration pipeline automatically.
For information about customizing the configuration file, see CfCT customization guide.
Amazon Simple Queue Service
CfCT uses an Amazon Simple Queue Service (Amazon SQS) FIFO queue to capture lifecycle events from Amazon EventBridge. It triggers an AWS Lambda function, which invokes AWS CodePipeline to deploy AWS CloudFormation StackSets or SCPs. For more information about SCPs, see AWS Organizations.
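The Lambda and Amazon SQS sections above describe one path: a lifecycle event lands on the FIFO queue, a Lambda function reads it, and the function starts the pipeline. The handler below is an added example of that step, not the CfCT project's own function code. It assumes the queue body is the EventBridge event JSON produced by a CloudTrail-delivered Control Tower lifecycle event (source aws.controltower, an eventName such as CreateManagedAccount, and a serviceEventDetails block carrying a state), that only a chosen subset of event names should trigger a deployment, and that the pipeline name is a placeholder. Failed events, events from other services, and malformed bodies are skipped rather than deployed, and the CodePipeline call is injected so the handler can be exercised offline with a constructed batch.

```python
"""SQS-triggered Lambda handler that starts the CfCT pipeline for successful
Control Tower lifecycle events.

Added example, not CfCT project code. Assumptions: the event body shape is the
CloudTrail-based EventBridge lifecycle event (source "aws.controltower",
detail.eventName, detail.serviceEventDetails.<name>Status.state); the handled
event names are a subset of the Control Tower lifecycle event list chosen for
illustration; PIPELINE_NAME is a placeholder.
"""
import json
from typing import Callable, Dict, List, Optional, Tuple

PIPELINE_NAME = "PLACEHOLDER-cfct-pipeline"  # placeholder, not the real stack output

# Assumption: the lifecycle events this deployment reacts to.
HANDLED_EVENTS = {"CreateManagedAccount", "UpdateManagedAccount", "UpdateLandingZone"}


def classify(body: Dict) -> Tuple[str, str]:
    """Return (eventName, state) for a Control Tower lifecycle event.

    Events from any other source yield ("", "") so the caller skips them.
    """
    if body.get("source") != "aws.controltower":
        return "", ""
    detail = body.get("detail", {})
    name = detail.get("eventName", "")
    # serviceEventDetails holds one status object named after the event
    # (for example createManagedAccountStatus) whose "state" is SUCCEEDED or FAILED.
    states = [
        status.get("state", "")
        for status in detail.get("serviceEventDetails", {}).values()
        if isinstance(status, dict)
    ]
    return name, (states[0] if states else "")


def handler(event: Dict, context=None,
            start_pipeline: Optional[Callable[[str], str]] = None) -> Dict:
    """Entry point for the SQS trigger.

    Starts the pipeline once per successful, handled lifecycle event in the
    batch; everything else is counted as skipped and logged with a reason.
    start_pipeline is injectable for offline testing; inside Lambda it
    defaults to the CodePipeline StartPipelineExecution API.
    """
    if start_pipeline is None:
        import boto3  # only needed when running inside Lambda
        client = boto3.client("codepipeline")

        def start_pipeline(name: str) -> str:
            return client.start_pipeline_execution(name=name)["pipelineExecutionId"]

    started: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for record in event.get("Records", []):
        msg_id = record.get("messageId", "?")
        try:
            body = json.loads(record.get("body", ""))
        except json.JSONDecodeError:
            skipped.append((msg_id, "malformed body"))
            continue
        name, state = classify(body)
        if name not in HANDLED_EVENTS:
            skipped.append((msg_id, f"unhandled event {name or 'none'}"))
        elif state != "SUCCEEDED":
            skipped.append((msg_id, f"{name} state {state or 'unknown'}"))
        else:
            started.append(start_pipeline(PIPELINE_NAME))
    for msg_id, reason in skipped:
        print(f"skipped {msg_id}: {reason}")
    return {"started": started, "skipped": len(skipped)}


def _lifecycle_event(name: str, state: str) -> str:
    """Build a constructed lifecycle event body in the assumed shape."""
    status_key = name[0].lower() + name[1:] + "Status"
    return json.dumps({
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "detail": {"eventName": name,
                   "serviceEventDetails": {status_key: {"state": state}}},
    })


# Constructed SQS batch: one success, one failure, one foreign event, one bad body.
SAMPLE_SQS_EVENT = {
    "Records": [
        {"messageId": "m1", "body": _lifecycle_event("CreateManagedAccount", "SUCCEEDED")},
        {"messageId": "m2", "body": _lifecycle_event("CreateManagedAccount", "FAILED")},
        {"messageId": "m3", "body": json.dumps({"source": "aws.s3", "detail": {}})},
        {"messageId": "m4", "body": "not json"},
    ]
}


def run_sample() -> Dict:
    """Run the handler over the constructed batch with a fake pipeline call."""
    calls: List[str] = []

    def fake_start(name: str) -> str:
        calls.append(name)
        return f"exec-{len(calls)}"

    result = handler(SAMPLE_SQS_EVENT, None, fake_start)
    result["calls"] = calls
    return result


if __name__ == "__main__":
    print(run_sample())
```

Keeping the decision logic in classify and injecting the pipeline call are what make the function testable without an AWS account; the same shape also makes it easy to add an allow-list check on the originating account before anything is deployed.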
AWS Step Functions
CfCT creates Step Functions to orchestrate customization deployments. These Step Functions translate configuration files to deploy the customizations as needed across environments.
AWS Systems Manager Parameter Store
AWS Systems Manager Parameter Store stores the CfCT configuration parameters. These parameters allow you to integrate related configuration templates. For example, you can configure each account to log AWS CloudTrail data to a centralized Amazon S3 bucket. Also, the Systems Manager Parameter Store provides a centralized location where administrators can view CfCT inputs and parameters.