This project demonstrates how to configure and deploy an AWS Control Tower landing zone using the AWS Cloud Development Kit (CDK) with TypeScript. Control Tower is a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. It serves as an orchestration layer that facilitates deployment, management and governance of your AWS accounts.
This app leverages the CDK to simplify configuration and deployment of a landing zone, using Infrastructure as Code (IaC). Use it as is, as part of establishing your initial cloud foundation on AWS, or as a reference for building your own custom solution.
Basic components of a Control Tower landing zone. For more info, see How AWS Control Tower Works.
The CDK app implements an AWS Control Tower landing zone, including prerequisite foundational accounts and resources, via a single ControlTowerLandingZone construct in the ControlTowerLandingZoneStack CloudFormation stack.
Overview of the ControlTowerLandingZone construct.
The ControlTowerLandingZone construct is a layer 3 (L3) construct that creates all the resources needed for a Control Tower landing zone deployment. It is composed of several other constructs, each handling the service-specific resource creation for the Control Tower landing zone and its prerequisites.
The Organization construct handles the necessary AWS Organizations resources, including the organization itself and the two foundational shared accounts for the Control Tower landing zone.
The ControlTowerIamRoles construct creates the four IAM service roles that Control Tower requires to access and manage the associated infrastructure.
If encryption is enabled, a KMS customer managed key is created via the ControlTowerKmsKey construct. This key is used for data encryption by the Control Tower enabled services (AWS CloudTrail, AWS Config) and the associated Amazon S3 data.
The resulting AWS Control Tower landing zone will include the following:
- 2 organizational units, one for your shared accounts and one for accounts that will be provisioned by your users.
- 3 shared accounts, which are the management account and isolated accounts for log archive and security audit.
- A CloudTrail Organization trail.
- An Account Factory service leveraging AWS Service Catalog.
- An IAM Identity Center organization instance.
- 20 preventive controls to enforce policies and 3 detective controls to detect configuration violations.
You will need programmatic access to the management account of your organization, using credentials with administrator access permissions, to deploy the CDK app. If creating a new environment from scratch, it is recommended to enable IAM Identity Center with AWS Organizations and then grant access to a user for this. Control Tower will assume control (pun intended) of the existing organization and IAM Identity Center instance. For detailed instructions, see AWS Control Tower - Setting Up.
This project relies on Projen for synthesized project configuration and management.
| Command | Description |
| --- | --- |
| `npx projen build` | Full release build: compile, synth, test, lint |
| `npx projen watch` | Watches changes in your source code and rebuilds and deploys to the current account |
| `npx projen test` | Perform the jest unit tests independently |
| `npx projen deploy` | Deploys your CDK app to the AWS cloud |
| `npx projen destroy` | Destroys your CDK app in the AWS cloud |
| `npx projen diff` | Diffs the currently deployed app against your code |
| `npx projen synth` | Synthesizes your CDK app into cdk.out |
| `npx projen upgrade` | Upgrade project dependencies |
- Clone this repository:
```sh
git clone https://github.com/ScottNoPantsOn/aws-control-tower-lz-cdk.git
cd aws-control-tower-lz-cdk
```
- Install dependencies:
```sh
npx projen install
```
- Update the ControlTowerLandingZone construct props in aws-cdk-control-tower-lz-example-stack.ts to suit your desired configuration. Example configuration:
```ts
new ControlTowerLandingZone(this, 'ControlTowerLandingZone', {
  governedRegions: ['YOUR-HOME-REGION', 'us-east-1'],
  landingZoneVersion: '3.3',
  loggingBucketRetentionPeriod: '365',
  accessLoggingBucketRetentionPeriod: '3600',
  encryption: true,
  securityAccountEmail: '[email protected]',
  loggingAccountEmail: '[email protected]',
});
```
Refer to the IControlTowerLandingZoneProps interface to view all available props.
- Compile any changes, then synthesize the CloudFormation template with the Projen build task:
```sh
npx projen build
```
- Bootstrap the account if you haven't already:
```sh
npx cdk bootstrap
```
- Deploy the stack using Projen:
```sh
npx projen deploy
```
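A pre-deploy sanity check for the props in the example configuration above, added here as an illustration and not code from the aws-control-tower-lz-cdk project. The props shape, the units (days) and the home-region argument are assumptions taken from the example, not from the real IControlTowerLandingZoneProps interface; it catches the unreplaced 'YOUR-HOME-REGION' placeholder, reused account emails and disabled encryption before `npx projen deploy` creates anything.

```typescript
// Added example, not code from the aws-control-tower-lz-cdk project. The props
// shape is assumed from the README's example configuration (units in days,
// region codes) rather than copied from IControlTowerLandingZoneProps.
interface LandingZoneProps {
  governedRegions: string[];
  landingZoneVersion: string;
  loggingBucketRetentionPeriod: string;
  accessLoggingBucketRetentionPeriod: string;
  encryption: boolean;
  securityAccountEmail: string;
  loggingAccountEmail: string;
}

const REGION_RE = /^[a-z]{2}(-gov)?-[a-z]+-\d$/; // e.g. us-east-1, us-gov-west-1
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
// homeRegion is where the CDK app is deployed; Control Tower always governs its
// home region, so it must be listed. Returns hard errors and soft warnings.
function validateLandingZoneProps(p: LandingZoneProps, homeRegion: string): { errors: string[]; warnings: string[] } {
  const errors: string[] = [];
  const warnings: string[] = [];
  if (!p.governedRegions.includes(homeRegion)) {
    errors.push(`governedRegions must include the home region ${homeRegion}`);
  }
  for (const r of p.governedRegions) {
    // Catches unreplaced placeholders such as 'YOUR-HOME-REGION' before synth.
    if (!REGION_RE.test(r)) errors.push(`governedRegions entry is not an AWS region code: ${r}`);
  }
  if (!/^\d+\.\d+$/.test(p.landingZoneVersion)) {
    errors.push(`landingZoneVersion should look like '3.3', got '${p.landingZoneVersion}'`);
  }
  const retention: Array<[string, string]> = [
    ['loggingBucketRetentionPeriod', p.loggingBucketRetentionPeriod],
    ['accessLoggingBucketRetentionPeriod', p.accessLoggingBucketRetentionPeriod],
  ];
  for (const [name, days] of retention) {
    if (!/^\d+$/.test(days) || Number(days) < 1) errors.push(`${name} must be a positive whole number of days, got '${days}'`);
  }
  const emails: Array<[string, string]> = [
    ['securityAccountEmail', p.securityAccountEmail],
    ['loggingAccountEmail', p.loggingAccountEmail],
  ];
  for (const [name, email] of emails) {
    if (!EMAIL_RE.test(email)) errors.push(`${name} is not a valid email address: ${email}`);
  }
  // Each shared account needs its own root email; a reused address is rejected at account creation.
  if (p.securityAccountEmail === p.loggingAccountEmail) errors.push('securityAccountEmail and loggingAccountEmail must differ');
  if (!p.encryption) warnings.push('encryption is false: CloudTrail and Config data will not use a customer managed KMS key');
  return { errors, warnings };
}
```

Call it from the stack constructor (or a small script) with the props object and the stack's region, and abort the build when `errors` is non-empty.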
During deployment, the root management account email will receive an IAM Identity Center invitation email for the AWS Control Tower Admin user. The security account email will then receive an SNS subscription confirmation request email for each governed region in your landing zone configuration.
Some unit tests have been defined for each of the custom constructs using the CDK Assertions module. Tests are run as part of the Projen build task, but you can run them independently if needed:
```sh
npx projen test
```
For more information on testing CDK applications, see Test AWS CDK applications.