 
{"id":77010,"date":"2023-01-25T18:11:37","date_gmt":"2023-01-25T18:11:37","guid":{"rendered":"https:\/\/www.globallogic.com\/il\/insights\/%insight%\/deploying-a-landing-zone-with-aws-control-tower-part-3\/"},"modified":"2026-01-23T07:30:39","modified_gmt":"2026-01-23T07:30:39","slug":"deploying-a-landing-zone-with-aws-control-tower-part-3","status":"publish","type":"insightsection","link":"https:\/\/www.globallogic.com\/il\/insights\/blogs\/deploying-a-landing-zone-with-aws-control-tower-part-3\/","title":{"rendered":"Deploying a Landing Zone with AWS Control Tower &#8211; Part 3"},"content":{"rendered":"<div class=\"classic_editor_content\"><p>Previously in Part 2, we looked at how to create an organisational structure and enable guardrails within Control Tower.<\/p>\n<p>In this post, we\u2019re going to walk through some of the remaining post-configuration tasks, including configuring IAM Identity Center and provisioning a new AWS Account through Account Factory.<\/p>\n<h4>Configuring IAM Identity Center for Single Sign-On<\/h4>\n<p>AWS IAM Identity Center (formerly known as AWS SSO) is a service that gives you a single point of entry for managing resources within all of your AWS Accounts in an organisation.<\/p>\n<p>As part of the Control Tower deployment this gets enabled using the native Identity Center directory. This allows you to create Users, Groups and Permission Sets that, when assigned to an AWS Account, allow you to authenticate and be authorised to access different resources based on the policies defined in the Permission Set. 
Whilst the Identity Center directory is the default configuration, a post-deployment activity is typically to change this to either a 3rd Party Identity Provider such as Azure Active Directory or perhaps an on-premises Active Directory Domain (AAD).<\/p>\n<p>For those without access to an Azure Active Directory Domain, please refer to the instructions below:<\/p>\n<ul>\n<li><a rel=\"external nofollow\" target=\"_blank\" href=\"https:\/\/controltower.aws-management.tools\/aa\/sso\/azure_ad\/\">Azure Active Directory<\/a><\/li>\n<\/ul>\n<p>When IAM Identity Center is integrated with a 3rd Party Solution such as AAD, you add your AAD Groups to the Azure Enterprise Application. As part of System for Cross-domain Identity Management (SCIM) provisioning, Groups and the Users that are members of those Groups will be replicated and created within IAM Identity Center. This gives users the ability to log in through the AWS access portal URL and authenticate using their standard login details \u2013\u00a0those used for other business workloads such as email.<\/p>\n<p>Since all the identity management is now connected to the corporate AAD, things such as password policies are handled by AAD. 
However, Multi-Factor Authentication (MFA) could be handled either by AAD or, alternatively, within IAM Identity Center.<\/p>\n<h4>Enabling MFA in IAM Identity Center<\/h4>\n<ul>\n<li>Log in to the AWS Management Console and Navigate to IAM Identity Center.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77011\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-23-300x181.png\" alt=\"\" width=\"730\" height=\"440\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-23-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-23-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-23-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-23-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-23.png 1920w\" sizes=\"auto, (max-width: 730px) 100vw, 730px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Settings<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77012\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-24-300x181.png\" alt=\"\" width=\"730\" height=\"441\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-24-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-24-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-24-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-24-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-24.png 1920w\" sizes=\"auto, 
(max-width: 730px) 100vw, 730px\" \/><\/p>\n<ul>\n<li>Click the\u00a0<strong>Network &amp; security<\/strong>\u00a0tab.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77013\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-25-300x181.png\" alt=\"\" width=\"731\" height=\"441\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-25-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-25-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-25-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-25-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-25.png 1920w\" sizes=\"auto, (max-width: 731px) 100vw, 731px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Configure<\/strong>\u00a0under the Multi-factor authentication section.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77014\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-26-300x181.png\" alt=\"\" width=\"729\" height=\"440\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-26-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-26-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-26-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-26-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-26.png 1920w\" sizes=\"auto, (max-width: 729px) 100vw, 729px\" \/><\/p>\n<ul>\n<li>Select\u00a0<strong>Every time they sign in (always-on)<\/strong>\u00a0under the 
\u201cPrompt users for MFA\u201d section.<\/li>\n<li>Select\u00a0<strong>Security keys and built-in authenticators<\/strong>\u00a0and\u00a0<strong>Authenticator apps<\/strong>\u00a0under the \u201cUsers can authenticate with these MFA types\u201d section.<\/li>\n<li>Select\u00a0<strong>Require them to register an MFA device at sign in<\/strong>\u00a0under the \u201cIf a user does not yet have a registered MFA device\u201d section.<\/li>\n<li>Click\u00a0<strong>Save changes<\/strong>.<\/li>\n<\/ul>\n<h4>Creating a Permission Set<\/h4>\n<p>As a best practice, permissions should follow the principle of least privilege access. An enabler of this is the use of Permission Sets with IAM Identity Center. There are several default Permission Sets created by Control Tower, although these don\u2019t always meet all requirements.<\/p>\n<p>Behind the scenes, once you\u2019ve created a Permission Set and assigned it to the AWS Account(s) you want it applied to and the Groups you want to associate with it, an IAM Role is created in each of those Accounts. That role has a Trust policy configured to only allow it to be assumed using SAML, and only via the IAM Identity Provider within that Account, which was also created by IAM Identity Center.<\/p>\n<ul>\n<li>Log in to the AWS Management Console and Navigate to IAM Identity Center.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77015\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-27-300x181.png\" alt=\"\" width=\"737\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-27-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-27-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-27-768x464.png 768w, 
https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-27-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-27.png 1920w\" sizes=\"auto, (max-width: 737px) 100vw, 737px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Permission sets<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77016\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-28-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-28-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-28-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-28-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-28-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-28.png 1920w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Create permission set<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77017\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-29-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-29-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-29-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-29-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-29-1536x928.png 1536w, 
https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-29.png 1920w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<ul>\n<li>Select\u00a0<strong>Custom permission set<\/strong>\u00a0and then Click\u00a0<strong>Next<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77018\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-30-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-30-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-30-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-30-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-30-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-30.png 1920w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<p>Depending on what you\u2019re trying to achieve from a permissions allocation perspective, you might attach different types of policies or a combination of them all. This could include AWS Managed Policies, Customer Managed Policies, Inline Policies and\/or Permissions Boundaries. 
In this example, we\u2019re going to use just an AWS Managed Policy, as we only want to give S3 Full Access to people via SSO.<\/p>\n<ul>\n<li>Expand\u00a0<strong>AWS Managed Policies<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77019\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-31-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-31-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-31-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-31-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-31-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-31.png 1920w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<ul>\n<li>Filter by\u00a0<strong>AmazonS3<\/strong>, Select\u00a0<strong>AmazonS3FullAccess<\/strong>\u00a0and then Click\u00a0<strong>Next<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77020\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-32-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-32-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-32-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-32-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-32-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-32.png 1920w\" 
sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<ul>\n<li>Give the Permission Set a name and then Click\u00a0<strong>Next<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77021\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-33-300x181.png\" alt=\"\" width=\"739\" height=\"446\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-33-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-33-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-33-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-33-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-33.png 1920w\" sizes=\"auto, (max-width: 739px) 100vw, 739px\" \/><\/p>\n<ul>\n<li>On the Review and create page, Click\u00a0<strong>Create<\/strong>.<\/li>\n<\/ul>\n<h4>Assigning a Permission Set to a Group<\/h4>\n<ul>\n<li>Log in to the AWS Management Console and Navigate to IAM Identity Center.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77022\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-34-300x181.png\" alt=\"\" width=\"736\" height=\"444\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-34-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-34-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-34-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-34-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-34.png 1920w\" 
sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>AWS Accounts<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77023\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-35-300x181.png\" alt=\"\" width=\"736\" height=\"444\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-35-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-35-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-35-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-35-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-35.png 1920w\" sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/p>\n<ul>\n<li>Select the AWS Account you wish to allow Groups access to and click\u00a0<strong>Assign users or groups<\/strong>.<\/li>\n<li>Click the\u00a0<strong>Groups<\/strong>\u00a0tab.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77024\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-36-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-36-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-36-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-36-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-36-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-36.png 1920w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" 
\/><\/p>\n<ul>\n<li>Select the\u00a0<strong>Group(s)<\/strong>\u00a0that you wish to assign the Permission Set to and Click\u00a0<strong>Next<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77025\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-37-300x181.png\" alt=\"\" width=\"738\" height=\"445\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-37-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-37-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-37-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-37-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-37.png 1920w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<ul>\n<li>Select the\u00a0<strong>Permission Sets<\/strong>\u00a0that you wish to assign and Click\u00a0<strong>Next<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77026\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-38-300x181.png\" alt=\"\" width=\"744\" height=\"449\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-38-300x181.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-38-1024x619.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-38-768x464.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-38-1536x928.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-38.png 1920w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" 
\/><\/p>\n<ul>\n<li>Click\u00a0<strong>Submit<\/strong>.<\/li>\n<\/ul>\n<p>The next time the user authenticates through Single Sign-On they\u2019ll be able to leverage the new permissions, as they\u2019ll see another role available to them.<\/p>\n<h4>Working with the Account Factory<\/h4>\n<p>One of the capabilities that Control Tower provides is the Account Factory. Account Factory is used for provisioning new AWS Accounts that will in turn be governed via Control Tower and configured with all the baselines that Control Tower provides, such as CloudTrail, Config and CloudWatch, as well as guardrails.<\/p>\n<p>The Account Factory provides the ability to create a VPC as part of the Account provisioning. A key challenge of this functionality is that the Network configuration is controlled within the Control Tower Console. This configuration means you must choose whether you have Public Subnets and\/or Private Subnets, you can have a maximum of 2 Private Subnets per Availability Zone, and the Subnets are deployed based on a Well-Architected design. One of the configuration choices is the CIDR range that you select for the entire VPC, but you have no option as to how this is then utilised for the Subnets; it\u2019s simply split evenly across them all. Another is the region(s) that this same VPC configuration is implemented in, which is determined by the regions that are governed by Control Tower. In situations where you have multiple regions that require VPCs and the Account is provisioned via the Account Factory, this goes against best practice, since you end up with overlapping CIDR ranges which would cause network routing issues should these VPCs need to communicate with each other.<\/p>\n<p>With this in mind, we would recommend disabling this functionality in the Account Factory by unchecking any regions in the Account Factory Network Configuration. 
This can be done by:<\/p>\n<ul>\n<li>Log in to the AWS Management Console and Navigate to Control Tower.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77027\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-39-300x161.png\" alt=\"\" width=\"744\" height=\"399\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-39-300x161.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-39-1024x551.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-39-768x413.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-39-1536x826.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-39.png 1920w\" sizes=\"auto, (max-width: 744px) 100vw, 744px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Account factory<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77028\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-40-300x161.png\" alt=\"\" width=\"743\" height=\"399\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-40-300x161.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-40-1024x551.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-40-768x413.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-40-1536x826.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-40.png 1920w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Edit<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77029\" 
src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-41-300x161.png\" alt=\"\" width=\"743\" height=\"399\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-41-300x161.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-41-1024x551.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-41-768x413.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-41-1536x826.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-41.png 1920w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/p>\n<ul>\n<li>Uncheck all\u00a0<strong>Regions<\/strong>\u00a0to disable the VPC provisioning element of the Account Factory and then Click\u00a0<strong>Save<\/strong>.<\/li>\n<\/ul>\n<h4>Creating a New AWS Account<\/h4>\n<ul>\n<li>Log in to the AWS Management Console and Navigate to Control Tower.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77030\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-42-300x161.png\" alt=\"\" width=\"743\" height=\"399\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-42-300x161.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-42-1024x551.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-42-768x413.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-42-1536x826.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-42.png 1920w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Account factory<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" 
decoding=\"async\" class=\" wp-image-77031\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-43-300x161.png\" alt=\"\" width=\"743\" height=\"399\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-43-300x161.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-43-1024x551.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-43-768x413.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-43-1536x826.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-43.png 1920w\" sizes=\"auto, (max-width: 743px) 100vw, 743px\" \/><\/p>\n<ul>\n<li>Click\u00a0<strong>Create account<\/strong>.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\" wp-image-77032\" src=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-44-300x161.png\" alt=\"\" width=\"740\" height=\"397\" srcset=\"https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-44-300x161.png 300w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-44-1024x551.png 1024w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-44-768x413.png 768w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-44-1536x826.png 1536w, https:\/\/www.globallogic.com\/il\/wp-content\/uploads\/sites\/11\/2023\/03\/setup-part-44.png 1920w\" sizes=\"auto, (max-width: 740px) 100vw, 740px\" \/><\/p>\n<ul>\n<li>Under the Account email section, enter the\u00a0<strong>email address<\/strong>\u00a0that you want to associate with the root user of the new AWS Account.<\/li>\n<li>Under the Display name section, enter the\u00a0<strong>Name<\/strong>\u00a0that you want to assign to the new AWS 
Account.<\/li>\n<li>Under the Identity Center user email section, enter the first name and surname of the IAM Identity Center user. This user will then be granted the Administrator Access Permission to the new AWS Account.<\/li>\n<li>Under the Organisation unit section, select the OU that you want the new AWS Account to be provisioned in. This will then determine both the Preventative and Detective Guardrails that will be applied to it as part of the Account Baseline.<\/li>\n<\/ul>\n<p>Once the AWS Account has been fully provisioned, the Account will show as Governed within the Control Tower console.<\/p>\n<p>That\u2019s all for the basic configuration of AWS Control Tower. In an upcoming post, we\u2019ll walk through how you can customise Control Tower.<\/p>\n<h4>About the author:<\/h4>\n<p>Adam Divall, Solutions Architect at GlobalLogic with over 20 years of demonstrable experience in design, implementation, migration and support of large, complex solutions to support a customer\u2019s long-term business strategy. 
Divall holds all 12 available certifications for Amazon Web Services with specialisations including Networking, Security, Database, Data Analytics and Machine Learning.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>In this post, we\u2019re going to walkthrough some of the remaining post configuration tasks including configuring IAM Identity Center and provisioning a new AWS Account through Account Factory.<\/p>\n","protected":false},"author":10,"featured_media":101575,"parent":0,"menu_order":22,"template":"","insight":[41],"insight-subcats":[],"insight-industry":[750],"insight-services":[],"insight-partners":[921],"class_list":["post-77010","insightsection","type-insightsection","status-publish","has-post-thumbnail","hentry","insight-blogs","insight-industry-technology"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insightsection\/77010","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insightsection"}],"about":[{"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/types\/insightsection"}],"author":[{"embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/users\/10"}],"version-history":[{"count":1,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insightsection\/77010\/revisions"}],"predecessor-version":[{"id":101350,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insightsection\/77010\/revisions\/101350"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/media\/101575"}],"wp:attachment":[{"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/media?parent=77010"}],"wp:term":[{"taxonomy":"insight","embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insight?post=77010"},{"taxonomy":"insight-subcats","embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insight-subcats?post=77010"
},{"taxonomy":"insight-industry","embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insight-industry?post=77010"},{"taxonomy":"insight-services","embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insight-services?post=77010"},{"taxonomy":"insight-partners","embeddable":true,"href":"https:\/\/www.globallogic.com\/il\/wp-json\/wp\/v2\/insight-partners?post=77010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}