AWS Control Tower Customizations

A solution that combines AWS Control Tower and other AWS services to set up a secure, multi-account AWS environment using best practices.

Tags: AWS, Open Source, Self Hosted + Cloud Options
Category: Compliance & Governance
Community Stars: 370
Last Commit: 1 month ago
Last page update: 19 days ago
Pricing Details: Free and open-source under Apache License 2.0
Target Audience: AWS administrators and architects managing multi-account environments.

The Customizations for AWS Control Tower (CfCT) solution addresses the challenge of maintaining a secure, compliant, and scalable multi-account AWS environment by integrating tightly with AWS Control Tower. It uses AWS CloudFormation templates and service control policies (SCPs) to customize the AWS Control Tower landing zone so that it stays aligned with AWS best practices.

Technically, CfCT is designed to synchronize resource deployments with AWS Control Tower lifecycle events. For instance, when a new account is created through the AWS Control Tower account factory, the solution automatically deploys all resources attached to the account's organizational units (OUs). It does this by deploying CloudFormation stacks sequentially: each stack waits for the previous one to reach the CREATE_COMPLETE state before the next is provisioned, which avoids race conditions and preserves dependency order.

Operationally, deploying CfCT involves several key steps: cloning the repository, running the unit tests, and building the customized solution with Python 3.6 or higher. The build output must be uploaded to an Amazon S3 bucket and then deployed with an AWS CloudFormation stack. This process requires careful configuration of the solution name, the version number, and the target S3 bucket details.

A key operational consideration is managing dependencies between CloudFormation resources, which is handled through the order specified in the cloudformation_resources section of the manifest file; resources are deployed in that sequence so that their dependencies are respected. Additionally, the solution collects anonymous operational metrics to improve its quality and features, though this collection can be disabled if necessary.

In terms of technical detail, the solution supports deployment to individual accounts and to OUs, and it can be customized to include opt-in region support. The build process involves upgrading pip to the latest version and running specific scripts to create the distributable packages, which are then uploaded to S3 buckets following a defined naming pattern.