Customizing Your AWS Control Tower Landing Zone

Last updated on August 10, 2023

AWS Control Tower is an AWS solution that simplifies the management of multi-account AWS installations. Although it provides default configurations to create a landing zone, customizing it is still essential to meet specific organizational requirements. Organizations can tailor access controls, organizational structures, and resource provisioning processes.

This article explores different ways to customize the landing zone, enabling organizations to optimize the benefits of AWS Control Tower and create a specialized environment that aligns with their unique needs. Customizing the landing zone allows businesses to improve management, security, and compliance within their AWS environment.

Customizations from AWS Control Tower Console

These are customizations from the AWS Control Tower console:

  • OU Names – During setup, you can change the OU names. You can also change them after setup from AWS Organizations.

  • Audit and Log Archive Accounts – You can customize the names of the shared accounts during setup. They cannot be changed afterward.

  • AWS Regions – You can select or deselect regions when setting up or updating the landing zone. AWS Control Tower governs only the regions you select.

  • Optional Controls – You can decide whether to enable optional controls after setup. You customize the level of enforcement for each OU by selecting which controls to enable on it.

  • AWS CloudTrail trails – You can opt in to or out of the organization-level CloudTrail trail managed by AWS Control Tower. Select Opt-in if you want AWS Control Tower to create and manage an organization trail on your behalf. Select Opt-out if you will handle logging with your own CloudTrail trails or a third-party logging solution.

  • Member Accounts – You can customize member accounts from the console using Account Factory Customization (AFC).

Account Factory Customization (AFC)

AWS Control Tower Account Factory automates the provisioning and management of accounts and creates each account with an initial security setup. Customizing those accounts is harder: the customization process has to be maintained across every AWS account, and producing repeatable account configurations and applying them consistently at scale becomes a problem as the organization grows.

This article therefore introduces Account Factory Customization, which gives Cloud Operations teams a simplified and repeatable process for applying custom configurations to newly vended and existing AWS accounts.

Account Factory Customization uses AWS Control Tower and AWS Service Catalog. A blueprint must be created first. A blueprint is a Service Catalog product created from a CloudFormation template.


After creating a blueprint, you import it into the Account Factory customization settings of AWS Control Tower. You can do this when creating a new AWS account or when updating an existing one, and the customizations are then deployed to the account automatically. From the AWS Control Tower console, you can therefore apply customizations consistently to all accounts managed by Account Factory.

Customizations for AWS Control Tower (CfCT)

Customizations for AWS Control Tower (CfCT) were introduced to provide more thorough customizations for your landing zone. CfCT is a set of tools that lets you customize your landing zone in greater detail than the AWS Control Tower console allows. The customizations are implemented with AWS CloudFormation templates and service control policies (SCPs). CfCT is connected to the AWS Control Tower lifecycle events so that your resource deployments stay in sync with your landing zone.

CfCT Architecture

AWS provides a CloudFormation template that builds Customizations for AWS Control Tower (CfCT). The template creates an AWS CodePipeline pipeline that deploys stack sets or SCPs to OUs or accounts. You must deploy this template in the management account first.

CfCT Deploy Workflows

AWS CodePipeline Workflow – A change to the configuration package triggers the pipeline in this workflow. The package can be a zipped package uploaded to S3 (the default) or a package committed to CodeCommit.

A configuration package contains:

  • Manifest file – the configuration file that the pipeline uses to determine which templates or JSON policies to deploy, which OUs or accounts to deploy them to, and whether each item is deployed as resources (a stack set) or as an SCP.

  • Set of templates

  • JSON Files

The pipeline has a build stage that validates the templates and the manifest file. A state machine then calls the AWS Organizations API to create the service control policies and AWS CloudFormation to deploy the stack sets.
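As an added example (not from the article or the CfCT project), here is a manifest.yaml in the CfCT v2 format that ties the pieces above together: one SCP deployed to OUs, one stack set deployed to a single account whose output is exported to SSM Parameter Store, and a second stack set deployed across an OU in two regions that reads that exported value. The OU names, file paths, account name and parameter values are placeholders; policies/deny-leave-organization.json is assumed to contain an ordinary SCP denying organizations:LeaveOrganization.

```yaml
---
# Example CfCT manifest (v2 schema). Not from the article or the CfCT project;
# OU names, file paths, and parameter values are placeholders.
region: us-east-1            # AWS Control Tower home region, where the CfCT pipeline runs
version: 2021-03-15          # manifest schema version for the v2 format

resources:
  # 1. Service control policy: created with the AWS Organizations API and
  #    attached to whole OUs. The JSON file is assumed to deny
  #    organizations:LeaveOrganization.
  - name: deny-leave-organization
    description: Keep member accounts from leaving the organization
    resource_file: policies/deny-leave-organization.json
    deploy_method: scp
    deployment_targets:
      organizational_units:
        - Security
        - Workloads

  # 2. Stack set deployed by CloudFormation to one account. Its output is
  #    exported to SSM Parameter Store in the management account so that
  #    resources listed later in the manifest can read it.
  - name: central-alarm-topic
    resource_file: templates/central-alarm-topic.template
    deploy_method: stack_set
    deployment_targets:
      accounts:
        - Audit                 # shared Audit account (account name or ID)
    regions:
      - us-east-1
    export_outputs:
      - name: /cfct/security/alarm-topic-arn
        value: $[output_AlarmTopicArn]   # "output_" + the template's Outputs key

  # 3. Stack set deployed to every account in an OU across two regions; the
  #    parameter value is resolved from the SSM parameter exported by resource 2.
  - name: baseline-security-alarms
    resource_file: templates/baseline-security-alarms.template
    deploy_method: stack_set
    deployment_targets:
      organizational_units:
        - Workloads
    regions:
      - us-east-1
      - us-west-2
    parameters:
      - parameter_key: AlarmTopicArn
        parameter_value: $[alfred_ssm_/cfct/security/alarm-topic-arn]
```

The build stage rejects the package if a resource_file is missing or the manifest does not match the schema, which is why keeping the templates and policies under the paths named here matters.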

AWS Control Tower Lifecycle Event Workflow – This workflow extends the AWS CodePipeline workflow so that the pipeline can also be triggered by AWS Control Tower lifecycle events. It consists of an Amazon EventBridge rule, an Amazon Simple Queue Service (Amazon SQS) first-in-first-out (FIFO) queue, and an AWS Lambda function. The EventBridge rule detects the AWS Control Tower lifecycle event and passes it to the SQS FIFO queue, which invokes a Lambda function that starts the AWS CodePipeline workflow.
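To make the first two pieces of that workflow concrete, here is an added CloudFormation example (not the CfCT template itself) that matches AWS Control Tower lifecycle events, which arrive in EventBridge as CloudTrail service events from the aws.controltower source, and routes them into a FIFO queue with the queue policy EventBridge needs. The Lambda consumer that starts the pipeline is left out; the queue name and message group ID are placeholders.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Example (not the CfCT template): route AWS Control Tower lifecycle events
  into a FIFO queue, as the CfCT lifecycle event workflow does.
Resources:
  LifecycleQueue:
    Type: AWS::SQS::Queue
    Properties:
      QueueName: controltower-lifecycle-events.fifo   # FIFO queue names must end in .fifo
      FifoQueue: true
      ContentBasedDeduplication: true                 # dedupe on message body

  LifecycleEventRule:
    Type: AWS::Events::Rule
    Properties:
      Description: Match Control Tower lifecycle events delivered through CloudTrail
      State: ENABLED
      EventPattern:
        source:
          - aws.controltower
        detail-type:
          - AWS Service Event via CloudTrail
        detail:
          eventName:               # lifecycle events that should re-run the pipeline
            - CreateManagedAccount
            - UpdateManagedAccount
            - RegisterOrganizationalUnit
            - UpdateLandingZone
      Targets:
        - Id: lifecycle-fifo-queue
          Arn: !GetAtt LifecycleQueue.Arn
          SqsParameters:
            MessageGroupId: controltower-lifecycle   # required for FIFO targets; preserves order

  # EventBridge can only deliver to the queue once its resource policy allows it,
  # scoped to this rule's ARN so other principals cannot enqueue fake events.
  LifecycleQueuePolicy:
    Type: AWS::SQS::QueuePolicy
    Properties:
      Queues:
        - !Ref LifecycleQueue
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowEventBridgeSendMessage
            Effect: Allow
            Principal:
              Service: events.amazonaws.com
            Action: sqs:SendMessage
            Resource: !GetAtt LifecycleQueue.Arn
            Condition:
              ArnEquals:
                aws:SourceArn: !GetAtt LifecycleEventRule.Arn
```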

Account Factory for Terraform (AFT)

AFT is a Terraform module maintained by AWS that automates the provisioning and customization of new accounts. The module deploys a pipeline of AWS services that lets you manage AWS Control Tower accounts through Terraform configuration.

AFT Workflow

  • AFT starts when one or more new account requests are submitted to the pipeline. Each request is first queued in an SQS FIFO queue. Besides flexibility, this is one of the benefits of AFT: you can submit multiple requests at once. This does not speed up provisioning, but you do not have to wait for a previous request to finish before submitting the next one.

  • The new SQS message triggers a Lambda function that starts the account vending process in AWS Control Tower.

  • Once the account is created, a Lambda function invokes a state machine that provisions an account-specific pipeline.

  • The newly created pipeline runs the global customizations stage first and then the account-level customizations stage.

There are two levels of customization:

  • Global level – customizations applied to all accounts.

  • Account level – customizations applied to a single AWS account or to a predetermined group of AWS accounts.

To apply customizations to existing accounts created by AFT, you must invoke a customization request from the Customization Invocation State Machine. A push to the customizations repositories does not run the account-specific pipeline on its own; you can, however, execute the state machine manually to run it.

Customizing Your AWS Control Tower Landing Zone by Integrating Security Hub

AWS Control Tower is a powerful service that provides organizations with a centralized and automated way to set up and govern multiple AWS accounts. By integrating AWS Control Tower with Security Hub and leveraging the CIS Benchmarks for AWS Foundations, you can significantly enhance the security and compliance of your AWS environment. This integration allows for streamlined security operations, centralized security monitoring, and adherence to industry best practices.

The Center for Internet Security (CIS) AWS Foundations Benchmark was developed by a global community of security experts from public and private sector organizations. The CIS Benchmarks offer a comprehensive and robust set of security controls and recommendations specifically for AWS environments. Other standards available in Security Hub, such as AWS Foundational Security Best Practices, also provide valuable security insights, but the CIS AWS Foundations Benchmark is a detailed framework that is widely recognized and respected in the industry.

When using AWS Control Tower, you have several options for managing Security Hub and other security-related services. One approach is to delegate an account as the Security Hub administrator. That account is responsible for configuring Security Hub settings, including enabling standards such as the CIS AWS Foundations Benchmark, and for monitoring the security posture of the member accounts.

By configuring permission sets in AWS IAM Identity Center (successor to AWS Single Sign-On) and assigning them to the Security Hub administrator account, you can grant the security team exactly the permissions it needs to manage Security Hub in that account.

The auto-enable feature in Security Hub turns Security Hub on automatically for all existing and future member accounts in the AWS Control Tower environment, which lets you enforce a consistent security posture across the organization.


Conclusion:

Customizing your AWS Control Tower landing zone provides significant benefits for organizations looking to optimize their cloud infrastructure. This article has covered several customization options, from the console settings and Account Factory Customization to CfCT, AFT, and the Security Hub integration, all of which let businesses align their cloud environment with their own requirements. The flexibility of AWS Control Tower also allows organizations to adapt and scale their landing zone as their cloud infrastructure evolves. Overall, customizing the AWS Control Tower landing zone lets businesses maximize the value of their cloud investment while maintaining a secure and compliant environment.



Written by: Bill Junidez Liad

Bill works as a Cloud and DevOps Engineer and is situated in the Philippines. He is actively engaged in furthering his knowledge of the cloud and has significant experience with Web Application Development and Amazon Web Services (AWS). He presently has three AWS Associate certifications. He enjoys biking outside of tech.
