Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. SPDX-License-Identifier: CC-BY-SA-4.0
The SRA Customizations for Control Tower (CFCT) Solution deploys the Customizations for AWS Control Tower (CFCT) solution. This provides a method to simplify the deployment of SRA solutions and customer customizations within an AWS Control Tower environment.
The Customizations for AWS Control Tower solution combines AWS Control Tower and other highly-available, trusted AWS services to help customers more quickly set up a secure, multi-account AWS environment using AWS best practices. Before deploying this solution, you must have an AWS Control Tower landing zone deployed in your account.
You can easily add customizations to your AWS Control Tower landing zone using an AWS CloudFormation template and service control policies (SCPs). You can deploy the custom template and policies to individual accounts and organizational units (OUs) within your organization. This solution integrates with AWS Control Tower lifecycle events to ensure that resource deployments stay in sync with your landing zone. For example, when a new account is created using the AWS Control Tower account factory, the solution ensures that all resources attached to the account's OUs will be automatically deployed.
- All resources are deployed via AWS CloudFormation as a Stack within the management account.
- For parameter details, review the AWS CloudFormation templates.
- Lambda IAM role: IAM role used by the Lambda function to perform the start operation for the sra-codebuild AWS CodeBuild project.
- Lambda function: the Lambda function that performs the start operation for the sra-codebuild AWS CodeBuild project.
- All the AWS Lambda Function logs are sent to the CloudWatch Log Group `/aws/lambda/<LambdaFunctionName>` to help with debugging and traceability of the actions performed.
- By default the AWS Lambda Function creates the CloudWatch Log Group with a Retention of Never expire, and the logs are encrypted with a CloudWatch Logs service managed encryption key. If your logging policy requires a bounded retention period or a customer managed KMS key, set them on the log group after deployment.
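The two defaults above (no retention period, service-managed key) are easy to miss after deployment. The following audit is an added example, not code from the SRA project: it takes the `logGroups` entries returned by the CloudWatch Logs `describe-log-groups` API (the real field names `logGroupName`, `retentionInDays`, `kmsKeyId`), flags Lambda log groups that still have the defaults, and can optionally apply a retention policy with boto3. The sample entries, the log group name `sra-common-cfct-setup-lambda` and the 90-day target are constructed assumptions for illustration.

```python
"""Audit CloudWatch log groups created by the SRA CFCT Lambda for retention and encryption.

Added example, not part of the SRA project.  The page only states that the Lambda
creates its log group with retention "Never expire" and a CloudWatch Logs
service-managed key; everything else here (sample data, names, 90-day target) is assumed.
"""
from typing import Dict, List, Optional

LAMBDA_LOG_PREFIX = "/aws/lambda/"   # where Lambda writes its log groups (from the page)
TARGET_RETENTION_DAYS = 90           # assumed organisational target, not from the page

# Constructed sample of what `logs.describe_log_groups()["logGroups"]` returns.
SAMPLE_LOG_GROUPS: List[Dict] = [
    # Default state described by the page: no retentionInDays, no customer kmsKeyId.
    {"logGroupName": "/aws/lambda/sra-common-cfct-setup-lambda", "storedBytes": 1024},
    # Already hardened: retention set and a customer-managed KMS key attached.
    {"logGroupName": "/aws/lambda/other-function", "retentionInDays": 90,
     "kmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    # Not a Lambda log group; ignored by the audit.
    {"logGroupName": "/aws/codebuild/sra-codebuild", "retentionInDays": 30},
]


def audit_log_groups(log_groups: List[Dict], prefix: str = LAMBDA_LOG_PREFIX) -> List[Dict]:
    """Return findings for Lambda log groups that keep logs forever or rely only on the
    service-managed key.  Each finding carries the group name and the issues found."""
    findings: List[Dict] = []
    for group in log_groups:
        name = group["logGroupName"]
        if not name.startswith(prefix):
            continue
        issues: List[str] = []
        # CloudWatch omits retentionInDays entirely when retention is "Never expire".
        if "retentionInDays" not in group:
            issues.append("no-retention")
        # kmsKeyId is only present when a customer-managed KMS key is associated.
        if "kmsKeyId" not in group:
            issues.append("service-managed-key-only")
        if issues:
            findings.append({"logGroupName": name, "issues": issues})
    return findings


def fetch_lambda_log_groups(region: Optional[str] = None) -> List[Dict]:
    """Page through describe-log-groups for the Lambda prefix (needs boto3 and credentials
    for the management account)."""
    import boto3  # imported here so the pure audit logic has no AWS dependency
    logs = boto3.client("logs", region_name=region)
    groups: List[Dict] = []
    for page in logs.get_paginator("describe_log_groups").paginate(
            logGroupNamePrefix=LAMBDA_LOG_PREFIX):
        groups.extend(page["logGroups"])
    return groups


def apply_retention(findings: List[Dict], days: int = TARGET_RETENTION_DAYS,
                    region: Optional[str] = None) -> List[str]:
    """Set a retention policy on every group flagged 'no-retention'; returns the names
    updated.  Encryption is left alone: associating a KMS key needs a key policy that
    grants the CloudWatch Logs service principal access, which is a separate change."""
    import boto3
    logs = boto3.client("logs", region_name=region)
    updated: List[str] = []
    for finding in findings:
        if "no-retention" in finding["issues"]:
            logs.put_retention_policy(logGroupName=finding["logGroupName"],
                                      retentionInDays=days)
            updated.append(finding["logGroupName"])
    return updated


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_lambda_log_groups() for live data.
    for finding in audit_log_groups(SAMPLE_LOG_GROUPS):
        print(f"{finding['logGroupName']}: {', '.join(finding['issues'])}")
```

Run it against `fetch_lambda_log_groups()` from the management account after the stack is deployed; the audit itself is pure so it can be unit-tested against captured API output without credentials.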
- CodeBuild project: the sra-codebuild AWS CodeBuild project downloads the latest customizations-for-aws-control-tower.template from GitHub and uploads it to the AWS SRA code library staging S3 bucket.
- CodeBuild IAM role: IAM role used by the CodeBuild project.
- The Customizations for AWS Control Tower (CFCT) solution, to support deploying customizations easily to your AWS Control Tower landing zone.
- Defaults updated per SRA recommendations:
  - Latest template downloaded from GitHub: customizations-for-aws-control-tower.template
  - `AWS CodePipeline Source` = `AWS CodeCommit`
  - `Failure Tolerance Percentage` = `0` (a StackSet operation stops at the first account that fails in a Region, so a partial rollout is not silently accepted)
Prerequisites:
- AWS Control Tower is deployed.
- The aws-security-reference-architecture-examples repository is stored on your local machine or pipeline where you will be deploying from.
- Ensure the SRA Prerequisites Solution was deployed.
Solution deployment:
1. In the management account (home region), launch an AWS CloudFormation Stack using the sra-common-cfct-setup-main.yaml template file as the source.

   ```bash
   aws cloudformation deploy --template-file $HOME/aws-sra-examples/aws_sra_examples/solutions/common/common_cfct_setup/templates/sra-common-cfct-setup-main.yaml --stack-name sra-common-cfct-setup-main --capabilities CAPABILITY_NAMED_IAM
   ```

2. For CodeCommit setup follow these steps: AWS CodeCommit Repo
Solution delete instructions:
1. In the management account (home region), delete the AWS CloudFormation Stack created in step 1 of the solution deployment. Note: on a Delete Event, the solution will not delete the following Customizations for Control Tower (CFCT) resources, which must be reviewed and removed manually if they are no longer needed:
   - CodeCommit Repo (e.g., `custom-control-tower-configuration`)
   - S3 Buckets (e.g., bucket names containing `custom-control-tower` or `customcontroltower`)
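Because the repo and buckets survive the stack deletion, it is worth having a repeatable way to find them. The script below is an added example, not code from the SRA project: it matches bucket and repository names against exactly the patterns the delete note lists, and turns the matches into the AWS CLI commands an operator would review before running. The sample inventories are constructed; the boto3 calls (`list_buckets`, `list_repositories`) are the real S3 and CodeCommit APIs and are only used when `inventory_from_aws()` is called with credentials.

```python
"""Find Customizations for Control Tower resources left behind after the SRA CFCT setup
stack is deleted and print the cleanup commands for review.

Added example, not part of the SRA project.  Only the naming patterns come from the page
(the repo `custom-control-tower-configuration`, buckets containing `custom-control-tower`
or `customcontroltower`); the sample names below are constructed.
"""
from typing import Dict, List, Optional, Tuple

BUCKET_MARKERS = ("custom-control-tower", "customcontroltower")  # from the page
CFCT_REPO_NAME = "custom-control-tower-configuration"            # from the page

# Constructed sample inventories standing in for list_buckets / list_repositories output.
SAMPLE_BUCKETS = [
    "custom-control-tower-configuration-111122223333-us-east-1",
    "customcontroltower-pipeline-artifacts-111122223333",
    "sra-staging-111122223333-us-east-1",
    "my-app-logs",
]
SAMPLE_REPOS = ["custom-control-tower-configuration", "app-backend"]


def find_cfct_leftovers(bucket_names: List[str], repo_names: List[str]) -> Dict[str, List[str]]:
    """Return the buckets and repos that match the CFCT naming the page describes.
    Bucket matching is a case-insensitive substring test; the repo must match exactly,
    since CodeCommit repository names are case-sensitive."""
    leftovers: Dict[str, List[str]] = {"s3_buckets": [], "codecommit_repos": []}
    for name in bucket_names:
        lowered = name.lower()
        if any(marker in lowered for marker in BUCKET_MARKERS):
            leftovers["s3_buckets"].append(name)
    for name in repo_names:
        if name == CFCT_REPO_NAME:
            leftovers["codecommit_repos"].append(name)
    return leftovers


def cleanup_commands(leftovers: Dict[str, List[str]]) -> List[str]:
    """Render AWS CLI commands for the matches so they can be reviewed before execution."""
    cmds: List[str] = []
    for bucket in leftovers["s3_buckets"]:
        # `rb --force` empties and removes the bucket.  If versioning is enabled the
        # remaining object versions must be deleted first, otherwise the call fails.
        cmds.append(f"aws s3 rb s3://{bucket} --force")
    for repo in leftovers["codecommit_repos"]:
        cmds.append(f"aws codecommit delete-repository --repository-name {repo}")
    return cmds


def inventory_from_aws(region: Optional[str] = None) -> Tuple[List[str], List[str]]:
    """Pull the live inventory with boto3 (needs credentials for the management account)."""
    import boto3  # imported here so the matching logic has no AWS dependency
    s3 = boto3.client("s3")
    codecommit = boto3.client("codecommit", region_name=region)
    buckets = [b["Name"] for b in s3.list_buckets()["Buckets"]]
    repos: List[str] = []
    for page in codecommit.get_paginator("list_repositories").paginate():
        repos.extend(r["repositoryName"] for r in page["repositories"])
    return buckets, repos


if __name__ == "__main__":
    # Offline run over the constructed sample; use inventory_from_aws() for a live account.
    leftovers = find_cfct_leftovers(SAMPLE_BUCKETS, SAMPLE_REPOS)
    for cmd in cleanup_commands(leftovers):
        print(cmd)
```

The script deliberately prints commands rather than deleting anything: the configuration repo and the pipeline buckets hold the landing zone customizations, so an operator should confirm they are truly orphaned (and not reused by a redeployment) before removing them.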