Methods of provisioning - AWS Control Tower

Methods of provisioning

AWS Control Tower provides several methods for creating and updating member accounts. Some methods are primarily console-based, and some methods are primarily automated.

Overview

The standard way to create member accounts is through Account Factory, a console-based product that's part of the Service Catalog. If your landing zone is not in a state of drift, you can use Create account as a method to add new accounts from the console, as well as Enroll account to enroll existing AWS accounts into AWS Control Tower.

With Account Factory, you can provision basic accounts by relying on the AWS Control Tower default settings. You also can provision customized accounts that meet requirements for specialized use cases.

Account Factory Customization (AFC) is a way of provisioning customized accounts from the AWS Control Tower console, and it automates the customization and deployment of your accounts. It allows console-based, automated provisioning, after some one-time setup steps, which eliminates the need to write scripts or set up pipelines. For more information, see Customize accounts with Account Factory Customization (AFC).

Console-based methods:
  • Through the Account Factory console that is part of AWS Service Catalog, for basic or customized accounts. Review Provision and manage accounts with Account Factory for details and instructions.

  • Through the Enroll account feature within AWS Control Tower, if your landing zone is not in a state of drift. See Enroll an existing account.

  • In the AWS Control Tower console, you can use Account Factory to create, update, or enroll up to five accounts at the same time.

Automated methods:
  • Lambda code: From your AWS Control Tower landing zone's management account, using Lambda code and appropriate IAM roles. See Automated Account Provisioning with IAM Roles.

  • Terraform: From the AWS Control Tower Account Factory for Terraform (AFT), which relies on Account Factory and a GitOps model to allow automation of account provisioning and updating. See Provision accounts with AWS Control Tower Account Factory for Terraform (AFT).

  • Account Factory customization in the AWS Control Tower console: After the setup steps, future provisioning of customized accounts requires no additional configuration or pipeline maintenance. Accounts are provisioned by means of an AWS Service Catalog product called a blueprint. A blueprint can use AWS CloudFormation templates or Terraform templates.

    Note

    AWS CloudFormation blueprints can deploy resources to multiple Regions. Terraform blueprints can deploy resources to a single Region only. By default, that is the home Region.
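The Lambda-based method in the list above drives Account Factory through the Service Catalog API rather than the console. The following is an added example, not code from AWS or from this page, of what such a function in the management account does: validate the request against an OU allow-list, resolve the Account Factory product and its newest active version, and call ProvisionProduct. It assumes the product is named "AWS Control Tower Account Factory", that its parameter keys are AccountEmail, AccountName, ManagedOrganizationalUnit, SSOUserEmail, SSOUserFirstName and SSOUserLastName, and that the Lambda's IAM role is allowed servicecatalog:SearchProducts, servicecatalog:ListProvisioningArtifacts and servicecatalog:ProvisionProduct and has been granted access to the Account Factory portfolio. FakeServiceCatalog is a constructed offline stand-in for the boto3 client.

```python
"""Added example (not AWS's own code): automated Account Factory provisioning
from a Lambda function in the management account, via Service Catalog.
Assumed, not stated on the page: product name, parameter keys and the IAM
actions listed in the lead-in."""
import re
import uuid
from dataclasses import dataclass

ACCOUNT_FACTORY_PRODUCT_NAME = "AWS Control Tower Account Factory"  # assumed name
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,50}$")


@dataclass(frozen=True)
class AccountRequest:
    account_name: str
    account_email: str
    managed_ou: str          # OU name as shown in the AWS Control Tower console
    sso_user_email: str
    sso_first_name: str
    sso_last_name: str


def validate_request(req, allowed_ous):
    """Reject bad input before any API call; returns a list of problems (empty = OK).
    The OU allow-list keeps automation from dropping an account into an OU
    with weaker controls than the requester is entitled to."""
    problems = []
    if not EMAIL_RE.match(req.account_email):
        problems.append("AccountEmail is not a valid address")
    if not EMAIL_RE.match(req.sso_user_email):
        problems.append("SSOUserEmail is not a valid address")
    if not NAME_RE.match(req.account_name):
        problems.append("AccountName must be 1-50 chars of [A-Za-z0-9._-]")
    if req.managed_ou not in allowed_ous:
        problems.append(f"OU {req.managed_ou!r} is not in the allow-list")
    return problems


def build_provisioning_parameters(req):
    """Map the request onto the Account Factory product's parameter keys (assumed)."""
    return [
        {"Key": "AccountEmail", "Value": req.account_email},
        {"Key": "AccountName", "Value": req.account_name},
        {"Key": "ManagedOrganizationalUnit", "Value": req.managed_ou},
        {"Key": "SSOUserEmail", "Value": req.sso_user_email},
        {"Key": "SSOUserFirstName", "Value": req.sso_first_name},
        {"Key": "SSOUserLastName", "Value": req.sso_last_name},
    ]


def find_account_factory_product(sc):
    """Resolve the Account Factory product ID through SearchProducts."""
    resp = sc.search_products(Filters={"FullTextSearch": [ACCOUNT_FACTORY_PRODUCT_NAME]})
    for view in resp.get("ProductViewSummaries", []):
        if view.get("Name") == ACCOUNT_FACTORY_PRODUCT_NAME:
            return view["ProductId"]
    raise LookupError("Account Factory product is not visible to this role")


def latest_provisioning_artifact(sc, product_id):
    """Pick the newest active artifact (product version); retired ones are skipped."""
    resp = sc.list_provisioning_artifacts(ProductId=product_id)
    active = [a for a in resp["ProvisioningArtifactDetails"] if a.get("Active", True)]
    if not active:
        raise LookupError("no active provisioning artifact")
    return max(active, key=lambda a: a["CreatedTime"])["Id"]


def provision_account(sc, req, allowed_ous):
    """Validate, then call ProvisionProduct; returns the Service Catalog record ID."""
    problems = validate_request(req, allowed_ous)
    if problems:
        raise ValueError("; ".join(problems))
    product_id = find_account_factory_product(sc)
    artifact_id = latest_provisioning_artifact(sc, product_id)
    resp = sc.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=f"account-{req.account_name}",
        ProvisioningParameters=build_provisioning_parameters(req),
        ProvisionToken=str(uuid.uuid4()),  # idempotency token so a retry cannot double-provision
    )
    return resp["RecordDetail"]["RecordId"]


class FakeServiceCatalog:
    """Constructed offline stand-in exposing the boto3 method names used above."""
    def __init__(self):
        self.calls = []

    def search_products(self, Filters):
        return {"ProductViewSummaries": [
            {"Name": ACCOUNT_FACTORY_PRODUCT_NAME, "ProductId": "prod-fake123"}]}

    def list_provisioning_artifacts(self, ProductId):
        return {"ProvisioningArtifactDetails": [
            {"Id": "pa-old", "Active": True, "CreatedTime": 1},
            {"Id": "pa-new", "Active": True, "CreatedTime": 2},
            {"Id": "pa-retired", "Active": False, "CreatedTime": 3}]}

    def provision_product(self, **kwargs):
        self.calls.append(kwargs)
        return {"RecordDetail": {"RecordId": "rec-fake1"}}


if __name__ == "__main__":
    # Offline demonstration; in the Lambda, pass boto3.client("servicecatalog") instead.
    sc = FakeServiceCatalog()
    req = AccountRequest("sandbox-01", "aws+sandbox-01@example.com", "Sandbox",
                         "owner@example.com", "Ada", "Lovelace")
    print(provision_account(sc, req, allowed_ous={"Sandbox", "Workloads"}))
```

The record ID returned by ProvisionProduct is what the function should log and poll with DescribeRecord; the validation step runs before any API call so that a malformed or out-of-policy request never reaches Service Catalog.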