Automatic Account Provisioning

Thuong To
4 min read · Dec 13, 2023


The customer wants to automate as much as possible when they provision new AWS accounts and configure them for use. By using the AWS service stack, they would have a solution that creates new accounts with AWS Organizations, applies security guardrails with service control policies (SCPs), authenticates users into accounts with AWS IAM Identity Center (successor to AWS Single Sign-On), and has centralized logging through AWS CloudTrail. To configure newly created accounts, Raf suggested that the customer use AWS Control Tower, and use AWS Service Catalog to determine which portfolio of solutions is available in each account when it is configured.

AWS CloudFormation

The services that we covered in this course — such as AWS Control Tower and AWS Service Catalog — use AWS CloudFormation templates. CloudFormation is an infrastructure as code (IaC) service. It helps you model and set up your AWS resources so that you can spend less time managing those resources, and more time focusing on your applications that run in AWS.

With CloudFormation, you create a template that describes all the AWS resources that you want — such as Amazon Elastic Compute Cloud (Amazon EC2) instances or Amazon Relational Database Service (Amazon RDS) DB instances — and CloudFormation provisions and configures those resources for you. You don’t need to individually create and configure AWS resources and determine what resource is dependent on what. Instead, CloudFormation handles provisioning and configuration.

When you work with AWS, you should be very familiar with CloudFormation and its features. It’s a best practice to deploy infrastructure in an automated way, instead of doing everything manually in the console.

For more resources about CloudFormation, see the following:

AWS Control Tower

AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment that follows prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services — including AWS Organizations, AWS Service Catalog, and IAM Identity Center — to build a landing zone in typically less than an hour. Resources are set up and managed on your behalf.

AWS Control Tower orchestration extends the capabilities of Organizations. To help protect your organizations and accounts from being affected by drift (or divergence from best practices), AWS Control Tower applies preventive and detective controls (or guardrails). For example, you can use guardrails to help ensure that security logs and necessary cross-account access permissions are created, but not altered.
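The kind of preventive guardrail described above, as an added example that is not part of the original post: an SCP in the style of the "disallow changes to CloudTrail" control, which denies trail modification to every principal except the Control Tower execution role (the role name AWSControlTowerExecution and the account IDs are assumptions), plus a small local evaluator that shows how the Deny applies to sample calls. Real evaluation is done by IAM; this only models the subset of policy grammar the guardrail uses.

```python
"""Preventive guardrail (SCP) with a local evaluator. Constructed example."""
import fnmatch
import json

# SCP modelled on a Control Tower guardrail: protect CloudTrail so security
# logs keep flowing. Only the Control Tower execution role (assumed name)
# is exempted, so the landing zone itself can still manage the trail.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailChanges",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:DeleteTrail",
            "cloudtrail:PutEventSelectors",
            "cloudtrail:StopLogging",
            "cloudtrail:UpdateTrail",
        ],
        "Resource": "*",
        "Condition": {"ArnNotLike": {
            "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
    }],
}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') of value against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(scp, action, principal_arn):
    """True if a Deny statement matches the action and the principal is not exempted.

    SCPs never grant permissions: False only means the SCP does not block the
    call; the principal's own IAM policies still decide.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and _matches(exempt, principal_arn):
            continue  # condition exempts this principal from the Deny
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(GUARDRAIL_SCP, indent=2))  # document to attach to the OU
    dev = "arn:aws:iam::111122223333:role/Developer"          # constructed
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    for arn in (dev, ct):
        for act in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails"):
            print(f"{arn.split('/')[-1]:26} {act:28} denied={scp_denies(GUARDRAIL_SCP, act, arn)}")
```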

If you host more than a handful of accounts, it’s beneficial to have an orchestration layer that facilitates account deployment and account governance. You can adopt AWS Control Tower as your primary way to provision accounts and infrastructure. With AWS Control Tower, you can more easily adhere to corporate standards, meet regulatory requirements, and follow best practices.

AWS Control Tower uses CloudFormation StackSets to set up resources in your accounts. Each stack set has stack instances that correspond to accounts, and to AWS Regions per account. AWS Control Tower deploys one stack set instance per account and Region.

For more information, see What is AWS Control Tower?

AWS Service Catalog

By using AWS Service Catalog, organizations can create and manage catalogs of IT services that are approved for AWS. These IT services can include virtual machine images, servers, software, databases, and more — they can even include complete, multi-tier application architectures.

Organizations can use AWS Service Catalog to centrally manage commonly deployed IT services. AWS Service Catalog is designed to help organizations achieve consistent governance and meet compliance requirements. End users can quickly deploy only the approved IT services that they need, and these deployments will follow the constraints that your organization sets.

AWS Service Catalog provides the following benefits:

  • Standardization: Administer and manage approved assets by restricting where the product can be launched, the type of instance that can be used, and many other configuration options. The result is a standardized landscape for product provisioning for your entire organization.
  • Self-service discovery and launch: Users browse listings of products (that is, services or applications) that they can access, locate the product that they want to use, and launch it on their own as a provisioned product.
  • Fine-grained access control: Administrators assemble portfolios of products from their catalog, and add constraints and resource tags that will be used when the products are provisioned. Administrators then grant access to the portfolio through AWS Identity and Access Management (IAM) users and groups.
  • Extensibility and version control: Administrators can add a product to different portfolios and restrict it without creating another copy. When the product is updated to a new version, the update is propagated to the product in every portfolio that references it.
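The standardization point above (restricting the instance type a product may launch with) is enforced in Service Catalog through a template constraint written in the CloudFormation Rules/Assertions syntax. The following is an added example, not code from the post or from AWS: a constraint document of that shape and a local evaluator for the intrinsic functions it uses (`Ref`, `Fn::Contains`, `Fn::Equals`, `Fn::Not`), so an administrator can test launch parameters against the constraint before attaching it to a portfolio. The parameter names and instance types are constructed.

```python
"""Service Catalog template constraint, evaluated locally. Constructed example."""

# Template constraint: the product's InstanceType parameter may only take
# two small instance types. This is the documented Rules/Assertions shape.
INSTANCE_TYPE_CONSTRAINT = {
    "Rules": {
        "SmallInstancesOnly": {
            "Assertions": [{
                "Assert": {"Fn::Contains": [["t3.micro", "t3.small"],
                                            {"Ref": "InstanceType"}]},
                "AssertDescription": "InstanceType must be t3.micro or t3.small",
            }]
        }
    }
}


def _resolve(expr, params):
    """Evaluate the subset of intrinsic functions used in constraint rules."""
    if isinstance(expr, dict) and len(expr) == 1:
        (fn, arg), = expr.items()
        if fn == "Ref":
            return params[arg]  # KeyError: parameter missing from the launch request
        if fn == "Fn::Contains":
            haystack, needle = (_resolve(a, params) for a in arg)
            return needle in haystack
        if fn == "Fn::Equals":
            left, right = (_resolve(a, params) for a in arg)
            return left == right
        if fn == "Fn::Not":
            return not _resolve(arg[0], params)
    if isinstance(expr, list):
        return [_resolve(e, params) for e in expr]
    return expr  # literal string or list element


def violations(constraint, params):
    """Return the AssertDescription of every assertion the launch parameters fail.

    Rules with a RuleCondition are only checked when that condition holds,
    mirroring how CloudFormation rules are applied.
    """
    failed = []
    for rule in constraint["Rules"].values():
        if "RuleCondition" in rule and not _resolve(rule["RuleCondition"], params):
            continue
        for assertion in rule["Assertions"]:
            if not _resolve(assertion["Assert"], params):
                failed.append(assertion["AssertDescription"])
    return failed


if __name__ == "__main__":
    for request in ({"InstanceType": "t3.micro"}, {"InstanceType": "m5.24xlarge"}):
        print(request, "->", violations(INSTANCE_TYPE_CONSTRAINT, request) or "allowed")
```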

For more information, see What is AWS Service Catalog?
