Many clients I engage with express a desire to implement AWS Control Tower’s detective guardrails within their existing AWS accounts prior to transitioning these accounts into Control Tower governance. With the recent capability to initiate AWS Control Tower in an established AWS Organization, there is a growing interest in assessing current accounts for compliance with these detective guardrails. Additionally, we have introduced the option to enroll accounts into Control Tower governance. A best practice is to evaluate how Control Tower guardrails might affect your account before fully adopting Control Tower governance.
In this blog, I will illustrate how to utilize an AWS Config Conformance Pack to apply Control Tower guardrails to your existing accounts. This allows you to assess the compliance of resources in those accounts before enrolling them in AWS Control Tower. I will also guide you on how to customize the conformance pack to implement a selective set of detective guardrails for your unmanaged accounts. Furthermore, I will demonstrate how to manage resources in accounts located in regions where AWS Control Tower is not deployed.
Background
Upon activating AWS Control Tower in an existing AWS Organization, any new Organizational Units (OUs) established through Control Tower automatically inherit all mandatory Control Tower guardrails. However, accounts not created from a newly established organizational OU via Control Tower remain outside its governance.
Any accounts that were created before the deployment of AWS Control Tower remain unmanaged by Control Tower. These accounts need explicit enrollment into AWS Control Tower. For more details, please see the blog post on how to carry this out.
Enrolling an account into AWS Control Tower facilitates the deployment of baselines and additional guardrails that support continuous governance across your existing AWS accounts. However, it’s crucial to conduct thorough due diligence before proceeding with enrollment. For more information, please refer to the “Things to Consider” section below.
Here’s a brief overview of some terms referenced in this post:
- AWS Config Conformance Packs: A collection of AWS Config rules and remediation actions that can be deployed easily as a single entity within an account and a Region or across an organization in AWS Organizations.
- Unregistered OU: An organizational unit created directly in AWS Organizations that AWS Control Tower does not manage.
- Unenrolled account: An existing AWS account created prior to the implementation of AWS Control Tower.
- Registered OU: An organizational unit created through the Control Tower service.
- AWS Account Factory account: An AWS account provisioned using the account factory in AWS Control Tower.
Things to Consider
When enrolling an existing AWS account into AWS Control Tower, you transition it from an unregistered OU or the root of the Organization into a registered OU. Before making a decision regarding the enrollment of the account under AWS Control Tower governance, it’s vital to comprehend the resources operating within that account. The Conformance Pack will evaluate the effects of applying AWS Control Tower guardrails to the account’s resources.
Prerequisites
Follow this blog post to enable AWS Config in the Region where most of your account resources are situated. When you reach the step labeled “Deploying your first conformance pack,” proceed with the steps outlined below.
Deploy the AWS Control Tower Guardrails Conformance Pack
- Download the AWS Control Tower Guardrails conformance pack to your local machine.
- Sign in to the AWS Management Console and access the AWS Config console at https://console.aws.amazon.com/config/.
- Navigate to the Conformance packs page and select “Deploy conformance pack.”
- On the “Specify template” page, opt for either a sample template or an existing one.
- Choose “Template is ready,” and specify the template source as “Upload a template file.” If the template exceeds 50 KB, upload it to an S3 bucket and select that location, for instance: s3://bucketname/prefix.
- Click “Next.”
- On the “Specify conformance pack details” page, enter a name for your conformance pack. The name must be unique, with a maximum of 256 alphanumeric characters. Hyphens are allowed, but spaces are not.
- Select the “Create an S3 bucket” option, ensuring the name begins with awsconfigconforms. Include the account number for uniqueness, for example: awsconfigconforms-012345678901.
- Click “Next.”
- On the “Review and deploy” page, review all the information. You can edit the template and conformance pack details by selecting “Edit.”
- Click “Deploy conformance pack.” AWS Config will display the conformance pack on the conformance pack page with the appropriate status. If the deployment fails, check your permissions and verify that you have completed the prerequisite steps. If issues persist, you may reach out to AWS Config support.
Check the Status of Resources in Your Account in the AWS Config Dashboard
- Sign in to the AWS Management Console and open the AWS Config console at https://console.aws.amazon.com/config/.
- Ensure the Region selector is set to a Region that supports AWS Config rules. For a list of supported Regions, refer to AWS Config Regions and Endpoints in the Amazon Web Services General Reference.
- In the navigation pane, select “Rules.” The Rules page will display your rules along with their compliance status.
- Select a rule from the list.
- In the navigation pane, click “Resource.” The Resources page will reveal your resources and their compliance status.
You can now assess the status of your resources against each of the AWS Control Tower guardrails (rules). This gives you insight into how many non-compliant resources exist in each Region of your existing accounts. You must now decide how to proceed. Remember that any non-compliant resources will be displayed on the AWS Control Tower dashboard once you enroll the account. You might opt to wait until you have remediated all non-compliant resources, or choose to enroll the account despite having non-compliant resources visible in the dashboard.
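When you have many unenrolled accounts or Regions to assess, the same check is easier to script than to click through. The block below is an added example, not code from the original post or from AWS: it pages through the GetConformancePackComplianceDetails API with boto3 and groups NON_COMPLIANT evaluations by guardrail rule; the pack name, Region and the sample evaluation results are assumed or constructed for illustration.

```python
"""Tally the NON_COMPLIANT resources that the guardrails pack reports, per rule."""


def fetch_evaluation_results(pack_name, region):
    """Page through GetConformancePackComplianceDetails for every rule in the pack (needs AWS access)."""
    import boto3  # imported lazily so the offline summariser below runs without the SDK installed
    config = boto3.client("config", region_name=region)
    kwargs = {"ConformancePackName": pack_name}
    results = []
    while True:
        page = config.get_conformance_pack_compliance_details(**kwargs)
        results.extend(page.get("ConformancePackRuleEvaluationResults", []))
        if not page.get("NextToken"):
            return results
        kwargs["NextToken"] = page["NextToken"]


def summarize_noncompliance(results):
    """Return {rule_name: [resource ids]} for every NON_COMPLIANT evaluation, sorted by rule.

    Rules that report only COMPLIANT or INSUFFICIENT_DATA do not appear, so an empty
    dict means the account is clean for the guardrails in the pack.
    """
    by_rule = {}
    for item in results:
        if item.get("ComplianceType") != "NON_COMPLIANT":
            continue
        qualifier = item["EvaluationResultIdentifier"]["EvaluationResultQualifier"]
        by_rule.setdefault(qualifier["ConfigRuleName"], []).append(
            f'{qualifier["ResourceType"]}/{qualifier["ResourceId"]}')
    return dict(sorted(by_rule.items()))


def evaluation_entry(rule, resource_type, resource_id, compliance):
    """Build one entry in the shape the API returns (constructed sample data, not a real account)."""
    return {
        "ComplianceType": compliance,
        "EvaluationResultIdentifier": {"EvaluationResultQualifier": {
            "ConfigRuleName": rule, "ResourceType": resource_type, "ResourceId": resource_id}},
    }


# Constructed sample resembling one page of API output; the instance ids and account id are placeholders.
SAMPLE_RESULTS = [
    evaluation_entry("CheckForEbsOptimizedInstance", "AWS::EC2::Instance", "i-0000000000000001", "NON_COMPLIANT"),
    evaluation_entry("CheckForEbsOptimizedInstance", "AWS::EC2::Instance", "i-0000000000000002", "COMPLIANT"),
    evaluation_entry("CheckForEbsOptimizedInstance", "AWS::EC2::Instance", "i-0000000000000003", "NON_COMPLIANT"),
    evaluation_entry("CheckForRootMfa", "AWS::::Account", "012345678901", "NON_COMPLIANT"),
]
```

For a live account, pass the output of fetch_evaluation_results(pack_name, region) to summarize_noncompliance in place of SAMPLE_RESULTS; run it once per Region where the pack is deployed.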
Creating Your Own Guardrails Conformance Pack
The AWS Control Tower detective guardrails conformance pack encompasses all the AWS Config Rules-based guardrails from AWS Control Tower. You may wish to focus only on the resources in your accounts relevant to the specific guardrails you plan to apply to the governed OU in AWS Control Tower. In this case, the guardrails conformance pack can easily be modified to suit your needs. The template snippet below illustrates that a conformance pack is essentially a CloudFormation template Resources block with defined config rules. To select which rules to use, simply delete the #-commented resource block of any rule you do not require.
Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Description: Disallow launch of EC2 instance types that are not EBS-optimized - Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE  # AWS managed rule that backs this guardrail
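Deleting blocks by hand works for a handful of rules; the script below is an added example (not part of the original post or the AWS-published pack) that trims the downloaded template to a chosen set of rule names using only the standard library, so the pack's comments and ordering survive. It assumes the AWS-published layout of a top-level Resources: key with each rule indented by two spaces; the two-rule sample template and the CheckForRootMfa resource are constructed for illustration.

```python
"""Trim the downloaded guardrails pack to a chosen subset of rules (standard library only)."""
import re
# A rule's logical name sits exactly two spaces under "Resources:", e.g. "  CheckForEbsOptimizedInstance:"
RESOURCE_KEY = re.compile(r"^  (\w+):\s*$")

def _is_top_level_key(line):
    """An unindented, non-blank, non-comment line starts a new top-level section of the template."""
    return bool(line) and not line[0].isspace() and not line.startswith("#")

def rule_names(template_text):
    """List the logical names of every resource under Resources:, in file order."""
    names, in_resources = [], False
    for line in template_text.splitlines():
        if _is_top_level_key(line):
            in_resources = line.startswith("Resources:")
        elif in_resources and RESOURCE_KEY.match(line):
            names.append(RESOURCE_KEY.match(line).group(1))
    return names

def select_rules(template_text, keep):
    """Return the template keeping only the Resources entries named in `keep`; text-level, so comments survive."""
    out, in_resources, keeping = [], False, True
    for line in template_text.splitlines():
        if _is_top_level_key(line):
            in_resources, keeping = line.startswith("Resources:"), True  # a new section is never dropped
        elif in_resources and RESOURCE_KEY.match(line):
            keeping = RESOURCE_KEY.match(line).group(1) in keep  # decide once per resource block
        if keeping:
            out.append(line)
    return "\n".join(out) + "\n"

# Constructed two-rule template in the AWS-published layout; CheckForRootMfa is illustrative.
SAMPLE_TEMPLATE = """\
Resources:
  CheckForEbsOptimizedInstance:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForEbsOptimizedInstance
      Source:
        Owner: AWS
        SourceIdentifier: EBS_OPTIMIZED_INSTANCE
  CheckForRootMfa:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: CheckForRootMfa
      Source:
        Owner: AWS
        SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED
"""
```

Read the downloaded pack into template_text, call select_rules with the rule names you intend to enforce, and upload the returned text as the template in the deployment steps above.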