# AWS Control Tower Immersion Day 6/16/2021

# Agenda

| Start Time (PST) | End Time (PST) | Topic |
|------------------|----------------|-------|
| 9:00 AM | 9:20 AM | Intro |
| 9:20 AM | 10:00 AM | AWS Control Tower Overview |
| 10:00 AM | 10:20 AM | Control Tower Demo |
| 10:20 AM | 10:30 AM | Break |
| 10:30 AM | 11:00 AM | Multi Account Strategy |
| 11:00 AM | 11:30 AM | Lunch and Learn |
| 11:30 AM | 11:40 AM | Next Steps |
| 11:40 AM | 11:50 AM | Break |
| 11:50 AM | 12:30 PM | (Optional) Setting Up Control Tower in an Existing AWS Organization |

# Survey

Please share your feedback about the session and how we can do better.

--removed--

# Main Chime Room

--removed--

# 6/23 Builder Session Sign-up URL

--removed--

# Sessions PDF

--removed--

# Related Videos

## AWS Control Tower Overview

https://www.youtube.com/embed/2t-VkWt0rKk?start=26&end=1450&version=3

## Control Tower Demo

https://youtu.be/2t-VkWt0rKk?t=1454

## AWS Account Architecture Best Practices

https://www.youtube.com/watch?v=zVJnenaD3U8

## Manage your AWS Service Catalog Portfolios like a Pro

https://www.youtube.com/watch?v=lVfXkWHAtR8

# **Official Documentation**

https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

* **Here is the URL for the self-paced labs:** https://controltower.aws-management.tools/

# **Useful Links**

* [Control Tower Getting Started Guide](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html)
* [AWS Secure Account Setup](https://aws.amazon.com/answers/security/aws-secure-account-setup/)
* [Getting Started: Follow Security Best Practices as You Configure Your AWS Resources](https://aws.amazon.com/blogs/security/getting-started-follow-security-best-practices-as-you-configure-your-aws-resources/)
* [Building a Scalable and Secure Multi-VPC AWS Network Infrastructure](https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf)
* [AWS Service Catalog Connector for ServiceNow](https://aws.amazon.com/blogs/aws/new-aws-service-catalog-connector-for-servicenow/)
* [Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events](https://aws.amazon.com/blogs/mt/automating-aws-security-hub-alerts-with-aws-control-tower-lifecycle-events/)
* [Enrolling Existing AWS Accounts into Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html)

## **Control Tower Lifecycle**

https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html

## **IMPORTANT: AWS Control Tower can be deployed in Existing Organizations:**

https://aws.amazon.com/pt/blogs/architecture/field-notes-enroll-existing-aws-accounts-into-aws-control-tower/

**Youtube:** https://www.youtube.com/watch?v=-n65I4M8cas

## **IMPORTANT: Customizations for AWS Control Tower**

https://aws.amazon.com/pt/solutions/implementations/customizations-for-aws-control-tower/

![](https://i.imgur.com/9MmbxBy.png)

**Doc:** https://docs.aws.amazon.com/solutions/latest/customizations-for-aws-control-tower/welcome.html

## **Field Notes: Customizing the AWS Control Tower Account Factory with AWS Service Catalog**

https://aws.amazon.com/pt/blogs/architecture/field-notes-customizing-the-aws-control-tower-account-factory-with-aws-service-catalog/

## **Manage Control Tower life cycle actions intelligently using AWS Service Catalog, AWS Config, Amazon DynamoDB and AWS CloudFormation**

https://aws.amazon.com/pt/blogs/mt/manage-control-tower-life-cycle-actions-aws-service-catalog-aws-config-amazon-dynamodb-aws-cloudformation/

## **Customizing account configuration with AWS Control Tower lifecycle events**

https://aws.amazon.com/blogs/mt/customizing-account-configuration-aws-control-tower-lifecycle-events/

## **Enabling guardrails in new AWS Regions the AWS Control Tower supports**

https://aws.amazon.com/blogs/field-notes/enabling-guardrails-in-new-aws-regions-the-aws-control-tower-supports/

## **How to automate the creation of multiple accounts in AWS Control Tower**

https://aws.amazon.com/pt/blogs/mt/how-to-automate-the-creation-of-multiple-accounts-in-aws-control-tower/

## **Enabling Amazon GuardDuty in AWS Control Tower using Delegated Administrator**

https://aws.amazon.com/blogs/mt/automating-amazon-guardduty-deployment-in-aws-control-tower/

## **AWS Control Tower with Firewall Manager**

https://www.youtube.com/watch?v=wocz0drq8-8

## **How to Detect and Mitigate Guardrail Violations with AWS Control Tower**

https://www.youtube.com/watch?v=HuVZqx8IHd4

## **Automating Service Limit Increases and Enterprise Support with AWS Control Tower**

https://aws.amazon.com/pt/blogs/mt/automating-service-limit-increases-enterprise-support-aws-control-tower/

# AWS Control Tower Partners Solutions

https://aws.amazon.com/marketplace/solutions/control-tower/

## **Monitoring resources in an AWS Control Tower environment using Splunk from AWS Marketplace**

https://aws.amazon.com/pt/blogs/awsmarketplace/monitoring-resources-in-an-aws-control-tower-environment-using-splunk-from-aws-marketplace/

## **Automate your network setup in AWS Control Tower using Aviatrix**

https://aws.amazon.com/pt/blogs/awsmarketplace/automate-your-network-setup-in-aws-control-tower-using-aviatrix/

## **Log analysis with AWS Control Tower and Logz.io**

https://aws.amazon.com/pt/blogs/awsmarketplace/log-analysis-with-aws-control-tower-and-logz-io/

## **Enhance AWS Control Tower multi-account observability with Sumo Logic**

https://aws.amazon.com/pt/blogs/awsmarketplace/enhance-aws-control-tower-multi-account-observability-with-sumo-logic/

## **Integrating Alert Logic Managed Detection and Response with AWS Control Tower**

https://aws.amazon.com/pt/blogs/awsmarketplace/integrating-alert-logic-managed-detection-and-response-with-aws-control-tower/

## **Solutions integrated with AWS Control Tower are now available in AWS Marketplace**

https://aws.amazon.com/pt/blogs/awsmarketplace/solutions-integrated-with-aws-control-tower-are-now-available-in-aws-marketplace/

## **Full-stack observability of your AWS Control Tower landing zone with New Relic**

https://aws.amazon.com/pt/blogs/awsmarketplace/full-stack-observability-of-your-aws-control-tower-landing-zone-with-new-relic/

# **AWS SSO**

## **AWS SSO allows automatic provisioning through SCIM:**

Evolution of Single Sign-on - Integrate with Azure AD with automatic user provisioning: https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/

## **AWS SSO with AWS CLI 2.0:**

With AWS CLI 2.0 you can configure one or more of your AWS CLI named profiles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) to use a role from AWS SSO: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

## **Provisioning Users in AWS Control Tower Using AWS SSO**

https://www.youtube.com/watch?v=y_n9xN5mg1g

# Other Topics

## **Serverless Transit Network Orchestrator (STNO)**

The Serverless Transit Network Orchestrator (STNO) solution adds automation to AWS Transit Gateway. It provides the tools needed to automate setting up and managing transit networks in distributed AWS environments, and deploys a web interface for controlling, auditing, and approving (transit) network changes. STNO supports both AWS Organizations (https://aws.amazon.com/organizations/) and standalone AWS account types.

https://aws.amazon.com/solutions/implementations/serverless-transit-network-orchestrator/

![](https://i.imgur.com/pPvcouT.png)

# AWS Config

## **AWS Config Conformance Packs:**

You can use Conformance Packs to prepare accounts for enrollment in Control Tower:

https://docs.aws.amazon.com/config/latest/developerguide/aws-control-tower-detective-guardrails.html

https://www.youtube.com/watch?v=YCUNNQuGZfg

Remediate Non-Compliance Using AWS Config Rules and a Custom SSM Document: https://www.youtube.com/watch?v=CyyNlyAHs0A

## **Extend AWS Control Tower governance using AWS Config Conformance Packs**

https://aws.amazon.com/pt/blogs/mt/extend-aws-control-tower-governance-using-aws-config-conformance-packs/

## **AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack**

https://aws.amazon.com/pt/blogs/mt/aws-control-tower-detective-guardrails-as-an-aws-config-conformance-pack/

# AWS Organizations

## **Best Practices for Organizations**

https://aws.amazon.com/pt/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

## **Building a Shared Account Structure Using AWS Organizations**

https://aws.amazon.com/pt/blogs/architecture/field-notes-building-a-shared-account-structure-using-aws-organizations/