DEV Community

Cover image for Build a Multi-Account Management Environment with AWS Control Tower
Yasunori Kirimoto for AWS Heroes

Posted on

Build a Multi-Account Management Environment with AWS Control Tower


I built a multi-account management environment with AWS Control Tower ๐ŸŽ‰

AWS Control Tower is a service that allows you to build a secure AWS multi-account management environment. Since AWS Organizations and AWS SSO are set up automatically, it is easier than manually creating accounts. I have used this service at my company and found it convenient, so I decided to use it for my account this time. In my account, I have additionally built and managed production, staging, development, and test environments ๐Ÿ‘

The following details are explained below.

  • Landing zone settings
  • Adding Accounts
  • SSO connection confirmation

Advance Preparation

  • Prepare two email addresses for new accounts.
  • Prepare email addresses for additional accounts. In this case, prepared four additional ones separately.

Landing Zone Settings

How to set up a landing zone in AWS Control Tower.

Login with the root account โ†’ AWS Management Console โ†’ Control Tower.

Click on "Configure Landing Zone."

Set Home Region, Region Deny, and Additional Regions โ†’ Click "Next."

Configure the basic OU and additional OUs as they are โ†’ Click "Next."

Configure Log Archive Account and Audit Account โ†’ Click "Next." Specify the two email addresses you have prepared in advance here.

Confirm settings โ†’ Click "Set Landing Zone."

Wait a few minutes for the environment to be set up.

When completed, three accounts will be created: a root account, a log archive account, and an audit account.

This configuration will create a root account, a log archive account, and an audit account with various settings!

Adding Accounts

Here is how to add an account in AWS Control Tower.

Click on โ€œAccount Factoryโ€ โ†’ "Create Account."

Set account email address, display name, SSO email address, SSO user name, and organizational unit โ†’ Click "Create Account."

Account โ†’ Addition is complete when the status is displayed as registered.

You can create an account for each environment for multi-account management!

SSO Connection Confirmation

This is how to confirm SSO connection on AWS Control Tower.

Click on โ€œUsers and Accessโ€ โ†’ "User Portal URL." This will be the SSO URL you will use for future logins.

Enter user, password, MFA, etc. โ†’ The login destination for the account you created will be displayed.

SSO will also be set up so you can easily log in to each account!

Control Tower makes it easy to implement secure multi-account management, so give it a try! Integrating existing accounts was a bit of a challenge...

AWS Control Tower

Top comments (0)