Step 1: Launch the Hub stack - Account Assessment for AWS Organizations


Important

Launch the Hub stack before launching the Spoke stack and Org-Management stack.

Follow the step-by-step instructions in this section to configure and deploy the solution into your Hub account.

Time to deploy: Approximately 20 minutes

  1. Sign in to the AWS Management Console and select the button to launch the account-assessment-for-aws-organizations-hub.template CloudFormation template.


  2. The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.

    Note

    This solution uses Amazon Cognito, which is not currently available in all AWS Regions. You must launch this solution in an AWS Region where Amazon Cognito is available. For the most current availability of AWS services by Region, refer to the AWS Regional Services List.

  3. On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box, and choose Next.

  4. On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and AWS STS quotas, name requirements, and character limits in the AWS Identity and Access Management User Guide.

  5. Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.

    Solution Setup

      Provide the unique namespace value
        Default: <Requires input>
        Description: Unique string used as a prefix for resource names.

        Note

        Use the same namespace in the Spoke stack and Org-Management stack.

    DynamoDB Configuration

      Provide Time to live (in days) for DynamoDB items
        Default: 90
        Description: Time period, in days, after which all DynamoDB tables delete stored items.

    Web UI Configuration

      Provide Web UI Login User Email
        Default: <Requires input>
        Description: An admin user is created at deployment time. Provide an email address for this initial Cognito user.

      Provide a prefix for the hosted Amazon Cognito domain
        Default: <Requires input>
        Description: Pick a globally unique prefix to become part of the URL of the login page (Cognito Hosted UI).

      Set MFA for Cognito to ‘ON’ or ‘OPTIONAL’
        Default: <Optional input>
        Description:
          ON – Amazon Cognito users must set up multi-factor authentication (MFA) on first login.
          OPTIONAL – Amazon Cognito users may opt to set up MFA.

    Security Configuration

      Provide CIDR ranges that allow the console to access the API
        Default: <Requires input>
        Description: Comma-separated list of CIDR ranges that are allowed to access the API. To allow the entire internet, use the following list of two CIDR blocks as the value: 0.0.0.0/1,128.0.0.0/1

    Application Manager Configuration

      Provide the AWS Organization ID
        Default: <Optional input>
        Description: Organization ID to support multi-account deployment. Leave blank for single-account deployments.

      Management Account ID
        Default: <Optional input>
        Description: Account ID for the management account of the AWS Organization. Leave blank for single-account deployments.

      Note

      This solution includes a Service Catalog AppRegistry resource to register the AWS CloudFormation template and underlying resources as an application in both Service Catalog AppRegistry and AWS Systems Manager Application Manager. For more information, see Monitor the solution with AppRegistry.

  6. Choose Next.

  7. On the Configure stack options page, choose Next.

  8. On the Review and create page, review and confirm the settings. Check the box acknowledging that the template will create IAM resources.

  9. Choose Submit to deploy the stack.

    You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately five minutes.
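As an added pre-deployment check (not part of the solution's own code), the following Python validates the value you intend to enter for the Security Configuration parameter: it parses the comma-separated CIDR list the same way the parameter describes it, rejects malformed entries, and flags a value that opens the API to the entire internet, such as the 0.0.0.0/1,128.0.0.0/1 pair named above. The sample values in the demo at the bottom are constructed for illustration.

```python
import ipaddress


def parse_cidr_allowlist(value):
    """Parse the comma-separated CIDR list as the stack parameter expects it.

    Raises ValueError on an empty entry or on anything that is not valid
    IPv4 CIDR notation. strict=True rejects host addresses such as
    10.1.2.3/8 so that a typo is not silently widened to 10.0.0.0/8.
    """
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in CIDR list: %r" % value)
        networks.append(ipaddress.IPv4Network(entry, strict=True))
    return networks


def validation_error(value):
    """Return the parse error message for a value, or None if it is well-formed."""
    try:
        parse_cidr_allowlist(value)
    except ValueError as exc:
        return str(exc)
    return None


def covers_whole_internet(networks):
    """True when the union of the ranges is the entire IPv4 address space.

    The guide's 'allow the entire internet' value is 0.0.0.0/1,128.0.0.0/1;
    collapsing adjacent blocks reduces that pair to a single 0.0.0.0/0.
    """
    merged = list(ipaddress.collapse_addresses(networks))
    return merged == [ipaddress.IPv4Network("0.0.0.0/0")]


def assess_allowlist(value):
    """Summarise an allowlist value so it can be reviewed before the stack launches."""
    nets = parse_cidr_allowlist(value)
    merged = list(ipaddress.collapse_addresses(nets))
    return {
        "entries": [str(n) for n in nets],
        "address_count": sum(n.num_addresses for n in merged),
        "open_to_internet": covers_whole_internet(nets),
    }


if __name__ == "__main__":
    # Constructed sample values: one corporate egress range plus a small block.
    print(assess_allowlist("203.0.113.0/24, 198.51.100.8/29"))
    print(assess_allowlist("0.0.0.0/1,128.0.0.0/1"))
```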

Note

In addition to its primary Lambda functions, this solution includes the solution-helper Lambda function, which runs only during initial configuration or when resources are updated or deleted.

When you run this solution, you will notice all Lambda functions in the AWS console. Only the primary functions are regularly active. However, you must not delete the solution-helper function, as it is necessary to manage associated resources.