Benefits of Customizations for AWS Control Tower (CfCT)Additional CfCT examples

Customize your AWS Control Tower landing zone

Certain aspects of your AWS Control Tower landing zone are configurable in the console, such as selection of Regions and optional controls. Other changes may be made outside the console, with automation.

For example, you can create more extensive customizations of your landing zone with the Customizations for AWS Control Tower capability, a GitOps-style customization framework that works with AWS CloudFormation templates and AWS Control Tower lifecycle events.

Benefits of Customizations for AWS Control Tower (CfCT)

The package of functionality that we refer to as Customizations for AWS Control Tower (CfCT) helps you create more extensive customizations for your landing zone than you can create in the AWS Control Tower console. It offers a GitOps-style, automated process. You can reshape your landing zone to meet your business requirements.

This infrastructure-as-code customization process integrates AWS CloudFormation templates with AWS service control policies (SCPs) and AWS Control Tower lifecycle events, so that your resource deployments remain synchronized with your landing zone. For example, when you create a new account with Account Factory, the resources attached to the account and the OU can be deployed automatically.

Note

Unlike Account Factory and AFT, CfCT is not specifically intended to create new accounts, but to customize accounts and OUs in your landing zone by deploying resources that you specify.

Benefits

Expand a customized and secure AWS environment – You can expand your multi-account AWS Control Tower environment more quickly, and incorporate AWS best practices into a repeatable customization workflow.
Instantiate your requirements – You can customize your AWS Control Tower landing zone for your business requirements, with the AWS CloudFormation templates and service control policies that express your policy intentions.
Automate further with AWS Control Tower lifecycle events – Lifecycle events allow you to deploy resources based on completion of a previous series of events. You can rely on a lifecycle event to help you deploy resources to accounts and OUs, automatically.
Extend your network architecture – You can deploy customized network architectures that improve and protect your connectivity, such as a transit gateway.

Additional CfCT examples

An example networking use case with Customizations for AWS Control Tower (CfCT) is given in the AWS Architecture blog post, Deploy consistent DNS with Service Catalog and AWS Control Tower customizations.
A specific example related to CfCT and Amazon GuardDuty is available on GitHub in the aws-samples repository.
Additional code examples regarding CfCT are available as part of the AWS Security Reference Architecture, in the aws-samples repository. Many of these examples contain sample manifest.yaml files in a directory named customizations_for_aws_control_tower.

For more information about the AWS Security Reference Architecture, see the AWS Prescriptive Guidance pages.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS CloudFormation resources

Customize from the AWS Control Tower console