DEV Community

Cover image for Build a Multi-Account Management Environment with AWS Control Tower
Yasunori Kirimoto for AWS Heroes

Posted on

Build a Multi-Account Management Environment with AWS Control Tower

img

I built a multi-account management environment with AWS Control Tower πŸŽ‰

AWS Control Tower is a service that allows you to build a secure AWS multi-account management environment. Since AWS Organizations and AWS SSO are set up automatically, it is easier than manually creating accounts. I have used this service at my company and found it convenient, so I decided to use it for my account this time. In my account, I have additionally built and managed production, staging, development, and test environments πŸ‘

The following details are explained below.

  • Landing zone settings
  • Adding Accounts
  • SSO connection confirmation

Advance Preparation

  • Prepare two email addresses for new accounts.
  • Prepare email addresses for additional accounts. In this case, prepared four additional ones separately.

Landing Zone Settings

How to set up a landing zone in AWS Control Tower.

Login with the root account β†’ AWS Management Console β†’ Control Tower.
img

Click on "Configure Landing Zone."
img

Set Home Region, Region Deny, and Additional Regions β†’ Click "Next."
img

Configure the basic OU and additional OUs as they are β†’ Click "Next."
img

Configure Log Archive Account and Audit Account β†’ Click "Next." Specify the two email addresses you have prepared in advance here.
img

Confirm settings β†’ Click "Set Landing Zone."
img

Wait a few minutes for the environment to be set up.
img

When completed, three accounts will be created: a root account, a log archive account, and an audit account.
img

This configuration will create a root account, a log archive account, and an audit account with various settings!

Adding Accounts

Here is how to add an account in AWS Control Tower.

Click on β€œAccount Factory” β†’ "Create Account."
img

Set account email address, display name, SSO email address, SSO user name, and organizational unit β†’ Click "Create Account."
img

Account β†’ Addition is complete when the status is displayed as registered.
img

You can create an account for each environment for multi-account management!

SSO Connection Confirmation

This is how to confirm SSO connection on AWS Control Tower.

Click on β€œUsers and Access” β†’ "User Portal URL." This will be the SSO URL you will use for future logins.
img

Enter user, password, MFA, etc. β†’ The login destination for the account you created will be displayed.
img

SSO will also be set up so you can easily log in to each account!

Control Tower makes it easy to implement secure multi-account management, so give it a try! Integrating existing accounts was a bit of a challenge...

References
AWS Control Tower

Top comments (0)