
Landing Zone

Overview

The Landing Zone component is focused on creating an initial best-practice AWS multi-account setup.

Extending AWS Control Tower

Gruntwork Landing Zone builds on AWS Control Tower to add important new functionality.

What is AWS Control Tower?

AWS Control Tower helps you set up and govern AWS accounts, and gives you a centralized way to manage compliance and configuration across your AWS accounts. But Control Tower is fundamentally a Platform-as-a-Service (PaaS) paradigm where you use "ClickOps" to create and configure AWS accounts. That stands in contrast to the vision behind IaC tools like Terraform, which are built on the philosophy that all Cloud resources are described in code. It can also be challenging to customize Control Tower and maintain it over time.

Additional functionality

Gruntwork Landing Zone directly addresses these limitations by extending Control Tower with the following functionality:

  1. Configure and customize new AWS accounts using Terraform/OpenTofu
  2. Via the Gruntwork Account Factory:
    1. Have all new AWS accounts meet the CIS AWS Foundations Benchmark out of the box
    2. Request new AWS accounts using a simple YAML file, GitHub Actions, or any system that can trigger a GitHub Action (e.g. ServiceNow)
    3. Review and customize all new AWS account requests using GitHub Pull Request functionality
    4. Define a customized account baseline unique to your organization
    5. Enable AWS account baselines to stay up to date automatically using Patcher

Prerequisites

The first step to using Gruntwork Landing Zone is to use AWS Control Tower to create a new multi-account setup, which requires that you meet the following prerequisites:

  1. A new AWS Account and a user with administrator permissions. (We recommend using an IAM user with admin permissions rather than the root user.)

    info

    This account will become the root of your multi-account setup after enabling Control Tower.

  2. Three new unique email addresses for your logs, shared, and security (audit) accounts. It's important to note that these email addresses cannot already be associated with an AWS root login. Plus-addressed ("+") emails are acceptable, such as root+logs@acme.com, root+security@acme.com, etc.

  3. A home region selection where your Control Tower configuration will reside.

    caution

    Your home Region is the AWS Region in which you'll run most of your workloads or store most of your data. It cannot be changed after you've set up your AWS Control Tower landing zone. For more information about how to choose a home Region, see Administrative tips for landing zone setup.

  4. A KMS Key for encrypting Control Tower Resources with a suitable permissions policy

    Step-by-step instructions to create the Control Tower KMS Key

    info

    For more help setting up KMS, see the AWS docs: Guidance for KMS keys

    1. Logged in as an admin user, navigate to KMS in your root AWS account to create KMS Keys

    2. Ensure you are in your home region and click Create Key

      1. Configure a key with the default parameters (shown in the screenshot below)

        [Screenshot: KMS Key Defaults]

      2. Give the key a descriptive alias like control_tower_key

        [Screenshot: KMS Key Alias]

      3. Select your admin user as a key administrator

      4. Select your admin user as a key user

      5. Click Finish to create the key

    3. On the next screen, find the key you just created and click on it to edit the following:

      1. In the key policy tab, click edit

        [Screenshot: Edit Key Policy]

      2. Add the following AWS Config policy statement to the list of Statements, replacing YOUR-HOME-REGION, YOUR-MANAGEMENT-ACCOUNT-ID and YOUR-KMS-KEY-ID with values from your own account.

        {
          "Sid": "Allow Config to use KMS for encryption",
          "Effect": "Allow",
          "Principal": {
            "Service": "config.amazonaws.com"
          },
          "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
          "Resource": "arn:aws:kms:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:key/YOUR-KMS-KEY-ID"
        }

      3. Add the following CloudTrail policy statement to the list of Statements, replacing YOUR-HOME-REGION, YOUR-MANAGEMENT-ACCOUNT-ID and YOUR-KMS-KEY-ID with values from your own account. The two conditions restrict the grant to the Control Tower baseline trail in your management account, so no other trail can use the key.

        {
          "Sid": "Allow CloudTrail to use KMS for encryption",
          "Effect": "Allow",
          "Principal": {
            "Service": "cloudtrail.amazonaws.com"
          },
          "Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
          "Resource": "arn:aws:kms:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:key/YOUR-KMS-KEY-ID",
          "Condition": {
            "StringEquals": {
              "aws:SourceArn": "arn:aws:cloudtrail:YOUR-HOME-REGION:YOUR-MANAGEMENT-ACCOUNT-ID:trail/aws-controltower-BaselineCloudTrail"
            },
            "StringLike": {
              "kms:EncryptionContext:aws:cloudtrail:arn": "arn:aws:cloudtrail:*:YOUR-MANAGEMENT-ACCOUNT-ID:trail/*"
            }
          }
        }

    4. Click Save Changes
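A pre-flight check you can run on the edited key policy before clicking Save Changes, added here as an example and not part of Gruntwork's documentation or code: it parses the policy document, confirms the two statements above are present with the required actions, that their key ARN sits in the home region and management account, that the CloudTrail grant is pinned to the aws-controltower-BaselineCloudTrail trail, and that no YOUR-... placeholder was left behind. The embedded sample policy, account id, key id and region are constructed values.

```python
"""Pre-flight check: are the Config/CloudTrail KMS statements above present, scoped and placeholder-free?"""
import json
import re

# Constructed sample key policy (made-up account id, key id and region).
ACCOUNT, REGION = "111111111111", "us-east-1"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/0000aaaa-bbbb-cccc-dddd-eeeeffff0000"
TRAIL_ARN = f"arn:aws:cloudtrail:{REGION}:{ACCOUNT}:trail/aws-controltower-BaselineCloudTrail"
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
     "Principal": {"Service": "config.amazonaws.com"},
     "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": KEY_ARN},
    {"Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
     "Principal": {"Service": "cloudtrail.amazonaws.com"},
     "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": KEY_ARN,
     "Condition": {"StringEquals": {"aws:SourceArn": TRAIL_ARN},
                   "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
                                  f"arn:aws:cloudtrail:*:{ACCOUNT}:trail/*"}}}]})

PLACEHOLDER = re.compile(r"YOUR[-_][A-Z_-]+")
REQUIRED = {"config.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey"},
            "cloudtrail.amazonaws.com": {"kms:Decrypt", "kms:GenerateDataKey*"}}

def _as_list(value):  # IAM allows a single string or a list for Action/Resource
    return value if isinstance(value, list) else [value]

def check_control_tower_key_policy(policy_json, home_region, account_id):
    """Return a list of problems; an empty list means the policy is ready to save."""
    problems = []
    if PLACEHOLDER.search(policy_json):
        problems.append("placeholder values (YOUR-...) still present")
    # Index the Allow statements whose principal is a single AWS service.
    by_service = {s["Principal"]["Service"]: s for s in json.loads(policy_json).get("Statement", [])
                  if s.get("Effect") == "Allow" and isinstance(s.get("Principal"), dict)
                  and isinstance(s["Principal"].get("Service"), str)}
    key_prefix = f"arn:aws:kms:{home_region}:{account_id}:key/"
    for service, actions in REQUIRED.items():
        stmt = by_service.get(service)
        if stmt is None:
            problems.append(f"no Allow statement for {service}")
        elif not actions <= set(_as_list(stmt.get("Action", []))):
            problems.append(f"{service} is missing one of {sorted(actions)}")
        elif not all(r.startswith(key_prefix) for r in _as_list(stmt.get("Resource", []))):
            problems.append(f"{service} Resource is not a key in {home_region}/{account_id}")
    # The CloudTrail grant must be pinned to the Control Tower baseline trail.
    trail = by_service.get("cloudtrail.amazonaws.com", {})
    source_arn = trail.get("Condition", {}).get("StringEquals", {}).get("aws:SourceArn")
    if trail and source_arn != f"arn:aws:cloudtrail:{home_region}:{account_id}:trail/aws-controltower-BaselineCloudTrail":
        problems.append("CloudTrail statement is not scoped to the aws-controltower-BaselineCloudTrail trail")
    return problems
```

Feed it the key policy JSON copied from the console's key policy tab together with your home region and management account id; any non-empty result means the policy should be corrected before enabling Control Tower.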

Configure Control Tower

info

Setting up Control Tower for the first time can take over an hour to complete. Most of that time is spent waiting on Control Tower operations at the conclusion of the setup flow.

Start Control Tower Setup

  1. Sign in to the AWS management console with your administrator user credentials.

  2. Navigate to the AWS Control Tower console.

  3. Verify that you are working in your desired home Region.

    caution

    Your home Region is the AWS Region in which you'll run most of your workloads or store most of your data. It cannot be changed after you've set up your AWS Control Tower landing zone. For more information about how to choose a home Region, see Administrative tips for landing zone setup.

  4. Click Set up landing zone.

Review pricing and select Regions

  1. Under Region deny setting select Enabled

    1. This ensures that Control Tower policies and controls cannot be bypassed by operating in a non-governed Region.
  2. Under Select additional Regions for governance select all regions where you plan to operate.

    [Screenshot: Region Selections]

  3. Click Next to continue

Configure Organizational Units (OUs)

  1. Rename the "Additional OU" to "Pre-prod" (Note the casing of the name here).

    [Screenshot: Configure Organizational Units]

  2. Click Next to continue.

Configure shared accounts

  1. Under Logs archive account, enter an email address and rename the Logs Archive account to Logs

  2. Under Audit account, enter an email address and rename the Audit account to Security

    caution

    Account names cannot be changed after setting up the landing zone. Ensure the accounts are named appropriately.

    [Screenshot: Configure Shared Accounts]

  3. Click Next to continue

Additional configurations

  1. Ensure your settings match the screenshot below (these are the defaults)

    [Screenshot: Additional Configuration]

  2. Under KMS Encryption, check the box for Enable and customize encryption settings

  3. Select the KMS Key you created following the guide in prerequisites above.

  4. Click Next to continue

Finish Control Tower Setup

info

Control Tower creation will take around an hour to complete.

  1. Review your choices and check the box accepting permissions at the bottom of the screen

  2. Choose Set up landing zone.

  3. Setting up the landing zone can take up to one hour. You will see a notification like the one below with the estimated time it will take for all the resources to be created.

    [Screenshot: Landing Zone Setup Status]

    tip

    You can safely close your browser tab once you see this notice. The setup process will proceed unaffected in the background.

  4. Emails will be sent out as the accounts are created, and the Root user will be invited to sign in using AWS IAM Identity Center and designated the Control Tower Admin. Once the invite is accepted, the Root user will be able to access three accounts (Root, Logs, and Security) using the Identity Center Access Portal URL contained in the email invite.

    [Screenshot: Root User's Access Portal]

Post Setup Configuration

Now that Control Tower is enabled in your root account, there are a few configuration changes that need to be made to prepare for Gruntwork Landing Zone.

  1. Turn off the default VPC created for new accounts. Gruntwork VPCs will be created for each account using Terraform.

  2. Create a Shared account in a Prod OU

    1. Navigate to the AWS Control Tower Organization Dashboard

    2. Choose Create Resources and select Create organizational unit.

    3. Create a Prod OU. Select the Root OU as the Parent OU when prompted. Each OU registration takes a couple of minutes.

    4. Choose Create Resources again and select Create account

    5. Name the account Shared, use the shared email address from the Prerequisites, and set the Organizational Unit to Prod

    tip

    The shared account is meant to house resources shared with all other accounts. Examples might include KMS Keys, AMIs, or ECR repositories.

    6. Grant your IAM Identity Center user access to the Shared account

      1. Navigate to IAM Identity Center, then click AWS accounts under Multi-account permissions in the side menu

      2. Select the Shared account from the Prod OU dropdown and click Assign users or groups

      3. Switch to the Users tab, select your management user from the list and click Next

      4. Select AWSAdministratorAccess from the list of Permission Sets, then click Next

      5. Click Submit to finish assigning access to your user

Next Steps

Control Tower is now configured! Next you should consider: