Step 1: Launch the Hub stack
Important
Launch the Hub stack before launching the Spoke stack and Org-Management stack.
Follow the step-by-step instructions in this section to configure and deploy the solution into your Hub account.
Time to deploy: Approximately 20 minutes
- Sign in to the AWS Management Console and select the button to launch the account-assessment-for-aws-organizations-hub.template CloudFormation template.
- The template launches in the US East (N. Virginia) Region by default. To launch the solution in a different AWS Region, use the Region selector in the console navigation bar.
Note
This solution uses Amazon Cognito, which is not currently available in all AWS Regions. You must launch this solution in an AWS Region where Amazon Cognito is available. For the most current availability of AWS services by Region, refer to the AWS Regional Services List.
- On the Create stack page, verify that the correct template URL is in the Amazon S3 URL text box, and choose Next.
- On the Specify stack details page, assign a name to your solution stack. For information about naming character limitations, refer to IAM and AWS STS quotas, name requirements, and character limits in the AWS Identity and Access Management User Guide.
- Under Parameters, review the parameters for this solution template and modify them as necessary. This solution uses the following default values.
| Section | Parameter | Default | Description |
|---|---|---|---|
| Solution Setup | Provide the unique namespace value | <Requires input> | Unique string used as a prefix for resource names. Use the same namespace in the Spoke stack and Org-Management stack. |
| DynamoDB Configuration | Provide Time to live (in days) for DynamoDB items | 90 | Time period in days after which all DynamoDB tables delete their stored items. |
| Web UI Configuration | Provide Web UI Login User Email | <Requires input> | An admin user is created at deployment time. Provide an email address for this initial Cognito user. |
| Web UI Configuration | Provide a prefix for the hosted Amazon Cognito domain | <Requires input> | Pick a globally unique prefix to become part of the URL of the login page (Cognito Hosted UI). |
| Web UI Configuration | Set MFA for Cognito to 'ON' or 'OPTIONAL' | <Optional input> | ON: Amazon Cognito users must set up multi-factor authentication (MFA) on first login. OPTIONAL: Amazon Cognito users may opt to set up MFA. |
| Security Configuration | Provide CIDR ranges that allow the console to access the API | <Requires input> | Comma-separated list of CIDR ranges that allow access to the API. To allow the entire internet, use the following list of two CIDR blocks as the value: 0.0.0.0/1,128.0.0.0/1 |
| Application Manager Configuration | Provide the AWS Organization ID | <Optional input> | Organization ID to support multi-account deployment. Leave blank for single-account deployments. |
| Application Manager Configuration | Management Account ID | <Optional input> | Account ID for the management account of the AWS Organization. Leave blank for single-account deployments. |
Note
Use the same namespace in the Spoke stack and Org-Management stack.
Note
This solution includes a Service Catalog AppRegistry resource to register the AWS CloudFormation template and underlying resources as an application in both Service Catalog AppRegistry and AWS Systems Manager Application Manager. For more information, see Monitor the solution with AppRegistry.
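The two parameters above with the largest security impact are the CIDR allow-list for the API and the Cognito MFA setting. The following pre-flight check is an added example, not code from the solution or from the AWS guide: it validates a proposed set of Hub stack parameter values before you type them into the console, rejects malformed CIDR entries, and flags the two settings that weaken access control (an allow-list that collapses to the whole IPv4 internet, such as 0.0.0.0/1,128.0.0.0/1, and MFA left at OPTIONAL). The dictionary keys (namespace, ttl_days, admin_email, mfa, allowed_cidrs) are labels chosen for this example and are not the template's CloudFormation parameter keys; the sample values are constructed.

```python
"""Pre-flight check for the Hub stack parameters (added example, not part of
the solution). Keys used below are example labels, not the template's
CloudFormation parameter keys."""
import ipaddress

FULL_IPV4 = ipaddress.ip_network("0.0.0.0/0")


def parse_cidr_list(value: str) -> list:
    """Parse the comma-separated CIDR parameter; raise ValueError on bad entries."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in CIDR list")
        # strict=True rejects entries with host bits set, e.g. 10.0.0.1/8
        net = ipaddress.ip_network(item, strict=True)
        if net.version != 4:
            raise ValueError(f"{item}: only IPv4 CIDR blocks are handled here")
        nets.append(net)
    return nets


def covers_entire_internet(nets) -> bool:
    """True when the blocks merge to 0.0.0.0/0 (e.g. 0.0.0.0/1 plus 128.0.0.0/1)."""
    return list(ipaddress.collapse_addresses(nets)) == [FULL_IPV4]


def check_hub_parameters(params: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for a proposed parameter set.

    Errors would make the deployment fail or be unusable; warnings are settings
    that are accepted by the template but widen access to the console/API.
    """
    errors, warnings = [], []

    if not params.get("namespace", "").strip():
        errors.append("namespace: a unique prefix is required (reuse it in the Spoke and Org-Management stacks)")

    ttl = params.get("ttl_days", 90)
    if not isinstance(ttl, int) or ttl <= 0:
        errors.append("ttl_days: must be a positive number of days (default 90)")

    if "@" not in params.get("admin_email", ""):
        errors.append("admin_email: the initial Cognito admin user needs a valid email address")

    mfa = params.get("mfa", "ON")
    if mfa not in ("ON", "OPTIONAL"):
        errors.append("mfa: must be 'ON' or 'OPTIONAL'")
    elif mfa == "OPTIONAL":
        warnings.append("mfa: OPTIONAL lets console users skip MFA; ON enforces it on first login")

    try:
        nets = parse_cidr_list(params.get("allowed_cidrs", ""))
    except ValueError as exc:
        errors.append(f"allowed_cidrs: {exc}")
    else:
        if covers_entire_internet(nets):
            warnings.append("allowed_cidrs: the API is reachable from the entire IPv4 internet; "
                            "restrict it to the ranges your administrators use")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample: a tight configuration for a single-account deployment.
    proposed = {
        "namespace": "assess",
        "ttl_days": 90,
        "admin_email": "admin@example.com",
        "mfa": "ON",
        "allowed_cidrs": "203.0.113.0/24, 198.51.100.0/24",
    }
    result = check_hub_parameters(proposed)
    for kind in ("errors", "warnings"):
        for finding in result[kind]:
            print(f"{kind[:-1].upper()}: {finding}")
    print("ok" if not result["errors"] else "fix the errors before launching the stack")
```

Run it against the values you intend to enter; an empty errors list plus an empty warnings list means the API allow-list is scoped and MFA is enforced. The check on the CIDR list uses `ipaddress.collapse_addresses`, so any combination of blocks that together span all of IPv4 is flagged, not only the two-block form quoted in the table.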
- Choose Next.
- On the Configure stack options page, choose Next.
- On the Review and create page, review and confirm the settings. Check the box acknowledging that the template will create IAM resources.
- Choose Submit to deploy the stack.
You can view the status of the stack in the AWS CloudFormation console in the Status column. You should receive a CREATE_COMPLETE status in approximately five minutes.
Note
In addition to its primary Lambda functions, this solution includes the solution-helper Lambda function, which runs only during initial configuration or when resources are updated or deleted. When you run this solution, you will notice all Lambda functions in the AWS console. Only the primary functions are regularly active. However, you must not delete the solution-helper function, as it is necessary to manage associated resources.