Performing administrator tasks - Landing Zone Accelerator on AWS
Adding an Organizational Unit (OU)Adding a new accountAdding an existing accountMoving an account between OUsIgnoring an account from resource provisioningClosing an accountAdding a Service Control Policy (SCP)Adding an AWS Config ruleCentral Security ServicesAdding an AWS Transit GatewayAdding an Amazon VPCAdding an IAM Identity Center permission set

Performing administrator tasks

This solution allows you to automate operational tasks associated with managing a multi-account environment. This section includes common instructions and examples for managing your organizational units, accounts, core networking, and security guardrails.

Note

The following samples aren’t an exhaustive list of what you can define in the solution configuration files. For a full configuration reference, refer to the Services, Features, and Configuration References section of the solution’s GitHub Pages website.

Adding an Organizational Unit (OU)

The Landing Zone Accelerator supports the registration of AWS Organizations organizational units with the AWS Control Tower using AWS Control Tower Baseline API.

To add news OUs, complete the following steps to add the OU to the solution configuration:

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Select the organization-config.yaml file.

  4. Choose Edit.

  5. In the organizationalUnits configuration block, append additional itemized OU name(s) and path(s). For example, to add Testing and Production OUs, your configuration would look like the following sample: 

    enable: true
organizationalUnits:
  - name: Security
  - name: Infrastructure
  - name: Testing
  - name: Production
serviceControlPolicies: []
Note

Landing Zone Accelerator on AWS uses the AWS Organizations API to create your Ous, and AWS Control Tower Baseline API to register your Ous with the AWS Control Tower.

Adding a new account

To add an account using this solution, update the accounts-config.yaml file with new account definitions. Account names and emails for each account must be unique. You can add new accounts to the solution configuration using the following steps.

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Select the accounts-config.yaml file.

  4. Choose Edit.

  5. In the workloadAccounts configuration block, append additional account definition(s). For example, to add SharedServices and Network accounts to the Infrastructure OU and the Testing-Workload account to the Testing OU, your configuration would look like the following sample: 

    workloadAccounts:
  - name: SharedServices
    description: The SharedServices account
    email: <shared-services>@example.com  <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Infrastructure
  - name: Network
    description: The Network account
    email: <network>@example.com  <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Infrastructure
  - name: Testing-Workload
    description: The Workload account
    email: <workload>@example.com  <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Testing
    Note

    Note: For account creation steps specific to the AWS GovCloud (US) Regions, refer to Deploy to AWS GovCloud (US) Regions.

Adding an existing account

If your existing account has already been registered with AWS Organizations and AWS Control Tower, you can follow the steps listed in Adding a new account to add the account to the solution configuration.

If the account has not yet been invited to your organization, follow the steps in Inviting an account to join your organization in the AWS Organizations User Guide.

For AWS Control Tower-based installations, refer to Prerequisites for enrollment in the AWS Control Tower User Guide. The Landing Zone Accelerator on AWS solution can enroll the account in AWS Control Tower for you after you have completed these prerequisites.

Moving an account between OUs

If you need to move one of your accounts between OUs, complete the following steps.

Important

If the solution previously deployed resources to this account, identify resources in your configuration files that use the deploymentTargets property. You can use this property to deploy resources to all accounts contained within an OU. The solution might add or remove resources from the account depending on the targeted OU(s) in this configuration property. For example, if you target only the Testing OU and move the account to the Workloads OU, the solution removes resources using that target from the account during the next Core pipeline run.

For AWS Organizations-only deployments

For versions 1.3.0 and later of the solution, follow the Update procedure to update the accounts-config.yaml file with the new organizationalUnit property value. When you release the pipeline, the solution will move the account to the specified OU.

For versions prior to 1.3.0, first move the account from the AWS Organizations console. See Moving accounts to an OU in the AWS Organizations User Guide for additional details. Then follow the Update procedure instructions.

For AWS Control Tower deployments

Note

There might be implications of moving an Account Factory account prior to completing the following procedure. See Update and move accounts in the AWS Control Tower User Guide for more information.

This section is intended for accounts actively managed by AWS Control Tower Account Factory. If moving an unmanaged or suspended account, refer to Moving accounts to an OU in the AWS Organizations User Guide.

  1. Sign in to the AWS Control Tower console from your management account.

  2. From the navigation menu, select Organization.

  3. Select + to expand the OU your account currently belongs to. Choose the account you want to move.

  4. Select Actions, then select Update.

  5. From the Account detail page, in Organizational unit, select the OU.

  6. Choose Update account.

  7. A confirmation box displays. Confirm the details, then select Update account.

    It takes approximately 5-10 minutes to process this update.

  8. Proceed with the Update procedure.

Update procedure

  1. Sign in to the AWS CodeCommit  console.

  2. Select the aws-accelerator-config repository.

  3. Select the accounts-config.yaml file.

  4. Choose Edit.

  5. In the workloadAccounts configuration block, change the organizationalUnit property to the name of the new OU. In this example, we have replaced the previous OU value of Testing with a new value of Workloads: 

    workloadAccounts:
  - name: Testing-Workload
    description: The Workload account
    email: <workload>@example.com  <----- UPDATE EMAIL ADDRESS
    organizationalUnit: Workloads

Ignoring an account from resource provisioning

As of v1.3.0 of the solution, you can designate an ignored OU in the organization-config.yaml file. If you would like the solution to ignore an account so that no resources are deployed to it, perform the following steps.

  1. Create or identify an existing OU that you’d like to use to contain ignored accounts. For this example, our OU is named Suspended.

  2. Move your account(s) that you’d like to ignore to this OU. Do this manually and not using the solution so that resources are not provisioned in the account. Do not follow the additional steps to update the accounts-config.yaml file or release changes to the Core pipeline if following the steps from the previous section.

  3. Sign in to the AWS CodeCommit console.

  4. Select the aws-accelerator-config repository.

  5. Select the organization-config.yaml file.

  6. Choose Edit.

  7. In the organizationalUnits configuration block, append or edit the OU you’ve selected with the ignore: true flag: 

    organizationalUnits:
  - name: Security
  - name: Infrastructure
  - name: Testing
  - name: Production
  - name: Suspended
    ignore: true

  8. Commit these changes, and then select the accounts-config.yaml file.

  9. Choose Edit.

  10. Comment out or remove the configuration(s) for the account(s) that you would like to be ignored. In this example, we are commenting out our Testing-Workload account with hash (#) marks so that it is no longer processed by the solution engine: 

    workloadAccounts:
  # - name: Testing-Workload
  #   description: The Workload account
  #   email: <workload>@example.com  <----- UPDATE EMAIL ADDRESS
  #   organizationalUnit: Workloads

  11. Commit these changes. It is now safe to make additional configuration changes and release the Core pipeline without provisioning resources to the ignored account(s).

    Note

    Landing Zone Accelerator on AWS will not deploy any AWS CloudFormation stacks into ignored OU accounts, but AWS Organizations features could result in stacks being deployed within accounts in the ignored OUs.

    When you use AWS Security Services, such as Macie, Security Hub, and GuardDuty with an AWS Organizations organization, security services are managed for every account in your organization. The solution configures auto-enable for new accounts, therefore when new accounts are added to your AWS Organizations, security services are automatically enabled.

Closing an account

To close an account that is managed by the solution, use the following procedure.

  1. If you’re using AWS Control Tower, follow the steps to unmanage and close the Account Factory account.

  2. If you’re only using AWS Organizations, follow the steps to close the account.

  3. For all deployments, follow the steps in Ignoring an account from resource provisioning.

Adding a Service Control Policy (SCP)

We recommend creating a new directory in your aws-accelerator-config repository to store SCPs. Follow these steps to add a custom SCP to your multi-account environment.

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Choose Create file.

  4. Copy and paste the following policy into the blank box: 

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "NoInternet",
      "Effect": "Deny",
      "Action": [
        "ec2:CreateInternetGateway",
        "ec2:CreateEgressOnlyInternetGateway"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:${PARTITION}:iam::*:role/${ACCELERATOR_PREFIX}-*",
            "arn:${PARTITION}:iam::*:role/AWSControlTowerExecution",
            "arn:${PARTITION}:iam::*:role/cdk-accel-*"
          ]
        }
      }
    }
  ]
}

  5. For File name, save the file as service-control-policies/block-internet.json.

  6. Enter the Author name and Email address.

  7. Choose Commit changes.

  8. Select the organization-config.yaml file.

  9. Choose Edit.

  10. In the serviceControlPolicies configuration block, append the SCP definition. For example, to add the block-internet SCP to the Testing OU, your configuration would look like the following sample: 

    serviceControlPolicies:
  - name: BlockInternetAccess
    description: >
      Blocks creating Internet gateways
    policy: service-control-policies/block-internet.json
    type: customerManaged
    deploymentTargets:
      organizationalUnits:
        - Testing

Adding an AWS Config rule

You can add managed and custom AWS Config rules to account(s) and OU(s) within your organization. Use the following steps to add a rule to your solution configuration:

  1. Sign in to the AWS CodeCommit  console.

  2. Select the aws-accelerator-config repository.

  3. Open the security-config.yaml file.

  4. Add the following lines to the awsConfig configuration block of the security-config.yaml file. This example adds the managed rule IAM_USER_GROUP_MEMBERSHIP_CHECK to all accounts managed by the solution: 

    awsConfig:
  enableConfigurationRecorder: true
  enableDeliveryChannel: true
  ruleSets:
    - deploymentTargets:
        organizationalUnits:
          - Root
      rules:
        - name: accelerator-iam-user-group-membership-check
          complianceResourceTypes:
            - AWS::IAM::User
          identifier: IAM_USER_GROUP_MEMBERSHIP_CHECK

Central Security Services

This solution supports the concept of delegated administration for security services such as AWS Security Hub, Amazon GuardDuty, Amazon Macie, Amazon Detective, and AWS Audit Manager. The solution simplifies configuring your delegated administrator account and sets up organization member accounts to forward their findings to a central location. Use the following steps to activate central security services in the solution configuration.

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Open the security-config.yaml file.

  4. Add the following lines to the centralSecurityServices configuration block. This example turns on all supported central security services (except Amazon Detective):

    Important

    Amazon Detective isn’t activated in our configuration sample due to a prerequisite that Amazon GuardDuty is activated for 48 hours before activating Amazon Detective. Refer to Amazon Detective prerequisites and recommendations in the Amazon Detective User Guide for additional information.

    Note

    When activating Audit Manager, the service creates an Amazon S3 bucket in your organization’s Audit account specifically for Audit Manager reports. This is created for scenarios where third-party auditors require access to reports. This is a deviation from other central security services, which send logs to the central logging bucket in your organization’s Log Archive account. 

    centralSecurityServices:
  delegatedAdminAccount: Audit
  ebsDefaultVolumeEncryption:
    enable: true
    excludeRegions: []
  s3PublicAccessBlock:
    enable: true
    excludeAccounts: []
  macie:
    enable: true
    excludeRegions: []
    policyFindingsPublishingFrequency: FIFTEEN_MINUTES
    publishSensitiveDataFindings: true
  guardduty:
    enable: true
    excludeRegions: []
    s3Protection:
      enable: true
      excludeRegions: []
    exportConfiguration:
      enable: true
      destinationType: S3
      exportFrequency: FIFTEEN_MINUTES
  auditManager:
    enable: true
    excludeRegions: []
    defaultReportsConfiguration:
      enable: true
      destinationType: S3
  detective:
    enable: false
    excludeRegions: []
  securityHub:
    enable: true
    regionAggregation: true
    excludeRegions: []
    standards:
      - name: AWS Foundational Security Best Practices v1.0.0
        enable: true
        controlsToDisable:[]
      - name: PCI DSS v3.2.1
        enable: true
        controlsToDisable: []
      - name: CIS AWS Foundations Benchmark v1.2.0
        enable: true
        controlsToDisable:[]

Adding an AWS Transit Gateway

Use the following steps to deploy a Transit Gateway to your multi-account environment.

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Open the network-config.yaml file.

  4. Add the following lines to the transitGateways configuration block. This example adds a Transit Gateway with an AWS Resource Access Manager (AWS RAM) share for the entire organization to the Network account in the US East (N. Virginia) Region: 

    transitGateways:
  - name: Network-Main
    account: Network
    region: us-east-1
    shareTargets:
      organizationalUnits:
        - Root
    asn: 65521
    dnsSupport: enable
    vpnEcmpSupport: enable
    defaultRouteTableAssociation: disable
    defaultRouteTablePropagation: disable
    autoAcceptSharingAttachments: enable
    routeTables:
      - name: Network-Main-Core
        routes: []
      - name: Network-Main-Segregated
        routes: []
      - name: Network-Main-Shared
        routes: []
      - name: Network-Main-Standalone
        routes: []

Adding an Amazon VPC

Use the following steps to deploy a VPC to your multi-account environment:

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Open the network-config.yaml file.

  4. Add the following lines to the vpcs configuration block. This example adds a VPC with routes for the Transit Gateway created in Adding an AWS Transit Gateway. 

    vpcs:
  - name: Network-Example
    account: Network
    region: us-east-1
    cidrs:
      - 10.1.0.0/22
    internetGateway: false
    enableDnsHostnames: true
    enableDnsSupport: true
    instanceTenancy: default
    routeTables:
      - name: Network-Endpoints-Tgw-A
        routes: []
      - name: Network-Endpoints-Tgw-B
        routes: []
      - name: Network-Endpoints-A
        routes:
          - name: TgwRoute
            destination: 0.0.0.0/0
            type: transitGateway
            target: Network-Main
      - name: Network-Endpoints-B
        routes:
          - name: TgwRoute
            destination: 0.0.0.0/0
            type: transitGateway
            target: Network-Main
    subnets:
      - name: Network-Endpoints-A
        availabilityZone: a
        routeTable: Network-Endpoints-A
        ipv4CidrBlock: 10.1.0.0/24
      - name: Network-Endpoints-B
        availabilityZone: b
        routeTable: Network-Endpoints-B
        ipv4CidrBlock: 10.1.1.0/24
      - name: Network-EndpointsTgwAttach-A
        availabilityZone: a
        routeTable: Network-Endpoints-Tgw-A
        ipv4CidrBlock: 10.1.3.208/28
      - name: Network-EndpointsTgwAttach-B
        availabilityZone: b
        routeTable: Network-Endpoints-Tgw-B
        ipv4CidrBlock: 10.1.3.224/28
    transitGatewayAttachments:
      - name: Network-Endpoints
        transitGateway:
          name: Network-Main
          account: Network
        routeTableAssociations:
          - Network-Main-Shared
        routeTablePropagations:
          - Network-Main-Core
          - Network-Main-Shared
          - Network-Main-Segregated
        subnets:
          - Network-EndpointsTgwAttach-A
          - Network-EndpointsTgwAttach-B
Important

Landing Zone Accelerator on AWS does not support creation of users and groups in Identity Center. Users and groups are required to be created in Identity Center before the solution can use those principals for permission set assignments.

Adding an IAM Identity Center permission set

Use the following steps to deploy an IAM Identity Center permission set to your multi-account environment:

  1. Sign in to the AWS CodeCommit console.

  2. Select the aws-accelerator-config repository.

  3. Open the iam-config.yaml file.

  4. Add the identityCenter configuration block. This example creates two predefined permission sets that use a single AWS managed policy and modifies the session duration. 

    identityCenter:
  name: identityCenter
  identityCenterPermissionSets:
    - name: PowerAccessUser
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/PowerUserAccess
        customerManaged: []
      sessionDuration: 60
    - name: ViewOnlyAccess
      policies:
        awsManaged:
          - arn:aws:iam::aws:policy/job-function/ViewOnlyAccess
        customerManaged: []
      sessionDuration: 60
Important

Landing Zone Accelerator on AWS does not support creation of users and groups in Identity Center. Users and groups are required to be created in Identity Center before the solution can use those principals for permission set assignments.