# Argo Group AWS Control Tower Activation Day 4/15/2021
Thank you all for joining us today for this AWS Control Tower Activation Day. Today we will be discussing Control Tower: we will look at networking strategy, lifecycle events, security, and best practices for organizing your new multi-account environment. Generally I do not spend a lot of time on the PowerPoint decks, but I have included them here for reference.
You can get the Control Tower slides [here](https://www.dropbox.com/s/1ntyeepeb698nb2/AWS%20Control%20Tower%20First%20Call%20Deck%20April%207th.pdf?dl=0&raw=1).
You can get the Multi-Account Guidance slides [here](https://www.dropbox.com/s/818uyji8vd2bdyu/AWS_Control_Tower_Multi-Account_Strategy.pdf?dl=0?dl=0&raw=1).
## Agenda
Activation Days usually span a full day of activities. In our condensed timeline it is important that we hit on what is important to you. Here is the proposed agenda.
- 09:00AM – 09:20AM Kick-Off + Introductions
- 09:20AM – 09:50AM AWS Control Tower Overview
- 09:50AM – 10:20AM Deep Dive into AWS Control Tower
- 10:20AM – 10:30AM Break
- 10:30AM – 11:00AM Adding a new account
- 11:00AM – 1:00PM Labs
## Labs
As part of the Control Tower Activation Day we provide several lab opportunities. These labs will be executed in your Control Tower environment. At the end of each lab there will be directions on how to tear down any provisioned resources. These labs are public and are updated frequently.
The recommended labs for Activation Days can be found [here](https://controltower.aws-management.tools/immersionday/). The rest of the labs can be found [here](https://controltower.aws-management.tools/).
### Recommendations from Last Discussion
#### A Day as a Control Tower Administrator
In this [lab](https://controltower.aws-management.tools/workshops/mini_workshop/labs/ct_techsummit_lab1/) you will go through some of the common tasks of an AWS Control Tower administrator, from enabling a guardrail and working with SSO to working with Service Catalog to enable self-service.
#### Account Factory
In this [lab](https://controltower.aws-management.tools/core/accountfactory/) you will work with Account Factory, investigate a guardrail violation, and manually correct it. You will also learn how to move an account from one OU to another.
#### Tasks in Control Tower
In this [lab](https://controltower.aws-management.tools/core/cttasks/) you will walk through some common tasks in Control Tower, from accessing accounts and creating new users to enabling strongly recommended guardrails and consolidated billing.
#### Control Tower Lifecycle Events
In this [lab](https://controltower.aws-management.tools/automation/lifecycle/) you will learn how to use Control Tower lifecycle events to enable flow logs in every VPC in your organization. This example also demonstrates integration with Check Point Dome9.
#### GuardDuty with Delegated Admin
In this [lab](https://controltower.aws-management.tools/security/guardduty/) you will learn how to designate a delegated administrator account that rolls up GuardDuty findings from across your organization.
#### Deploy Additional Services Using Service Catalog
In this [lab](https://controltower.aws-management.tools/deployment/deployaddservices/) you will learn how to share a set of commonly used products across your organization so that they can be deployed in a self-service manner. As an administrator you will do the following.
- Create a new product in the Control Tower Management account using Service Catalog
- Create a new portfolio in Service Catalog and add the newly created product to it
- Share the portfolio with the rest of the organization
- Import the portfolio into a member account
- Launch a product in the member account
You will also see how this can be done at the OU level, using launch constraints so that non-admin users can launch products from Service Catalog.
#### Add Additional Products to Service Catalog
In this [lab](https://controltower.aws-management.tools/deployment/scproducts/) you will learn how to add additional Service Catalog products.
## Useful Links
[Control Tower Getting Started Guide](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html)
[Control Tower User Guide](https://docs.aws.amazon.com/controltower/latest/userguide/controltower-ug.pdf/)
[Security Best Practices as You Configure Your AWS Resources](https://aws.amazon.com/blogs/security/getting-started-follow-security-best-practices-as-you-configure-your-aws-resources/)
[Enroll Existing Accounts into Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html)
[Building a Scalable and Secure Multi-VPC AWS Network Infrastructure](https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf)
[Extend AWS Control Tower governance using AWS Config Conformance Packs](https://aws.amazon.com/blogs/mt/extend-aws-control-tower-governance-using-aws-config-conformance-packs/)
[AWS Service Catalog Connector for ServiceNow](https://aws.amazon.com/blogs/aws/new-aws-service-catalog-connector-for-servicenow/)
[SecurityHub Now Integrated with AWS Organizations](https://aws.amazon.com/about-aws/whats-new/2020/11/aws-security-hub-integrates-with-aws-organizations-for-simplified-security-posture-management/)
[Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events](https://aws.amazon.com/blogs/mt/automating-aws-security-hub-alerts-with-aws-control-tower-lifecycle-events/)
[Deep-Dive into the Multi-Account Framework](https://www.youtube.com/watch?v=zVJnenaD3U8&t=2096s)
[Automation of the Account Factory](https://www.youtube.com/watch?v=t0gxOsByOlA)
[Using lifecycle events to track AWS Control Tower actions and trigger automated workflows](https://aws.amazon.com/blogs/mt/using-lifecycle-events-to-track-aws-control-tower-actions-and-trigger-automated-workflows/)
[Customizations for AWS Control Tower](https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/)
## Lifecycle Events
More details can be found [here](https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html).
### What are Lifecycle Events?
Lifecycle events are logged to mark the completion of specific Control Tower actions. They apply only to resources that Control Tower manages (OUs, accounts, guardrails). They are recorded in CloudTrail as non-API AWS service events (`eventType` of `AwsServiceEvent`, `eventSource` of `controltower.amazonaws.com`) and are also delivered to CloudWatch Events / Amazon EventBridge in the management account, where a rule can trigger additional automation. An event is emitted when the action completes whether it succeeded or failed, so automation should check the reported state in the event before acting on it.
### Lifecycle Event Types
* *CreateManagedAccount*: The log records whether AWS Control Tower successfully completed every action to create and provision a new account using account factory.
* *UpdateManagedAccount*: The log records whether AWS Control Tower successfully completed every action to update a provisioned product that's associated with an account you had previously created by using account factory.
* *EnableGuardrail*: The log records whether AWS Control Tower successfully completed every action to enable a guardrail on an OU that was created by AWS Control Tower.
* *DisableGuardrail*: The log records whether AWS Control Tower successfully completed every action to disable a guardrail on an OU that was created by AWS Control Tower.
* *SetupLandingZone*: The log records whether AWS Control Tower successfully completed every action to set up a landing zone.
* *UpdateLandingZone*: The log records whether AWS Control Tower successfully completed every action to update your existing landing zone.
* *RegisterOrganizationalUnit*: The log records whether AWS Control Tower successfully completed every action to enable its governance features on an OU.
* *DeregisterOrganizationalUnit*: The log records whether AWS Control Tower successfully completed every action to disable its governance features on an OU.
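As an added example (not code from the workshop labs or from AWS), here is a minimal Lambda-style handler in Python that consumes a lifecycle event delivered to Amazon EventBridge in the management account, flattens the `serviceEventDetails` status object into the fields automation usually needs (event name, state, account, OU), and only schedules per-account baselining when the reported state is `SUCCEEDED`. The event shape follows the CloudTrail record format for lifecycle events wrapped in the EventBridge envelope (`source` of `aws.controltower`, `detail-type` of `AWS Service Event via CloudTrail`); the `EVENT_PATTERN` dict is the rule pattern you would attach to the EventBridge rule. The sample events, account IDs and OU IDs are constructed placeholders.

```python
"""Added example: handle an AWS Control Tower lifecycle event from EventBridge.

Assumed shapes: the EventBridge envelope (source "aws.controltower",
detail-type "AWS Service Event via CloudTrail") wraps the CloudTrail record
(eventSource "controltower.amazonaws.com", eventType "AwsServiceEvent") whose
"serviceEventDetails" holds one "<action>Status" object. Sample events below
are constructed; account and OU identifiers are placeholders.
"""

LIFECYCLE_EVENT_NAMES = (
    "CreateManagedAccount", "UpdateManagedAccount",
    "EnableGuardrail", "DisableGuardrail",
    "SetupLandingZone", "UpdateLandingZone",
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",
)

# EventBridge rule pattern (management account) matching all eight lifecycle
# events; narrow "eventName" to the ones your automation actually handles.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": list(LIFECYCLE_EVENT_NAMES)},
}


def parse_lifecycle_event(event):
    """Flatten a lifecycle event into the fields automation usually needs.

    Raises ValueError for anything that is not a Control Tower lifecycle event,
    so a misconfigured or overly broad rule cannot silently drive automation.
    """
    detail = event.get("detail") or {}
    if (event.get("source") != "aws.controltower"
            or detail.get("eventSource") != "controltower.amazonaws.com"):
        raise ValueError("not a Control Tower lifecycle event")
    name = detail.get("eventName")
    if name not in LIFECYCLE_EVENT_NAMES:
        raise ValueError(f"unknown lifecycle event name: {name!r}")
    details = detail.get("serviceEventDetails") or {}
    status_keys = [k for k in details if k.endswith("Status")]
    if len(status_keys) != 1:
        raise ValueError("expected exactly one *Status object in serviceEventDetails")
    status = details[status_keys[0]]
    account = status.get("account") or {}
    ou = status.get("organizationalUnit") or {}
    return {
        "event_name": name,
        "state": status.get("state"),
        "message": status.get("message"),
        "account_id": account.get("accountId"),
        "account_name": account.get("accountName"),
        "ou_id": ou.get("organizationalUnitId"),
        "ou_name": ou.get("organizationalUnitName"),
    }


def should_baseline_account(parsed):
    """Act only on a successful account creation or update.

    Lifecycle events are emitted on completion whether the action succeeded
    or failed, so anything that assumes the account exists must check state.
    """
    return (parsed["event_name"] in ("CreateManagedAccount", "UpdateManagedAccount")
            and parsed["state"] == "SUCCEEDED"
            and parsed["account_id"] is not None)


def handler(event, context=None):
    """Lambda entry point; returns the decision so callers can check it."""
    parsed = parse_lifecycle_event(event)
    action = "baseline-account" if should_baseline_account(parsed) else "ignored"
    # Per-account work (e.g. enabling VPC flow logs through a cross-account
    # role) would go in the "baseline-account" branch.
    return {"action": action, **parsed}


def _sample(state, message):
    """Constructed sample event (placeholder identifiers, not real resources)."""
    return {
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventType": "AwsServiceEvent",
            "eventName": "CreateManagedAccount",
            "serviceEventDetails": {
                "createManagedAccountStatus": {
                    "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                           "organizationalUnitId": "ou-xxxx-examplea"},
                    "account": {"accountName": "sandbox-01",
                                "accountId": "111122223333"},
                    "state": state,
                    "message": message,
                }
            },
        },
    }


SAMPLE_CREATE_SUCCEEDED = _sample("SUCCEEDED", "AWS Control Tower successfully created a managed account.")
SAMPLE_CREATE_FAILED = _sample("FAILED", "AWS Control Tower failed to create a managed account.")

if __name__ == "__main__":
    for sample in (SAMPLE_CREATE_SUCCEEDED, SAMPLE_CREATE_FAILED):
        result = handler(sample)
        print(result["action"], result["event_name"], result["account_id"], result["state"])
```

The handler rejects events that are not Control Tower lifecycle events rather than ignoring them, so a rule accidentally widened to other sources surfaces as an error instead of silently feeding account automation.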
## Auth0 IAM Federation
Auth0 does not currently support SCIM out of the box. However, you can continue to use IAM federation with AWS and Control Tower. I have heard that Auth0 does have a professional services offering to help implement SCIM for direct integration with AWS Single Sign-On.
https://auth0.com/docs/integrations/aws/configure-amazon-web-services-for-sso
## AWS SSO allows automatic provisioning through SCIM
Evolution of Single Sign-on - Integrate with Azure AD with automatic user provisioning:
https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/
## AWS SSO with AWS CLI 2.0
With AWS CLI 2.0 you can configure one or more of your AWS CLI [named profiles](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) to use a role from AWS SSO:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
<!--
### Serverless Transit Network Orchestrator (STNO)
The Serverless Transit Network Orchestrator (STNO) solution adds automation to AWS Transit Gateway. This solution provides the tools necessary to automate the process of setting up and managing transit networks in distributed AWS environments. A web interface is created to help control, audit, and approve (transit) network changes. STNO supports both AWS Organizations (https://aws.amazon.com/organizations/) and standalone AWS account types.
https://aws.amazon.com/solutions/implementations/serverless-transit-network-orchestrator/

-->
## AWS Control Tower can be deployed in Existing Organizations
AWS Control Tower can now be enabled in an existing AWS Organization.
https://www.youtube.com/watch?v=y6QLFn00A3U
## AWS Config Conformance Packs
You can use the AWS Control Tower detective guardrails Conformance Pack to evaluate accounts against the guardrails before enrolling them in Control Tower.
https://docs.aws.amazon.com/config/latest/developerguide/aws-control-tower-detective-guardrails.html