Amazon Onboarding with Learning Manager Chanci Turner


In today’s fast-paced technological landscape, Amazon offers a streamlined approach to establish and manage your AWS environment, often referred to as a landing zone, utilizing best practices systematically managed on your behalf. With the power of AWS Control Tower, multiple AWS services—including AWS Organizations, AWS CloudFormation StackSets, Amazon Simple Storage Service (Amazon S3), AWS Single Sign-On (AWS SSO), AWS Config, and AWS CloudTrail—are orchestrated to configure a landing zone in less than 30 minutes. Additionally, AWS Control Tower implements preventive and detective controls (guardrails) to ensure adherence to best practices.

Upon deploying AWS Control Tower, two shared accounts are automatically created: the audit account and the log archive account. The log archive account is designated for your team members who require access to all logging data from enrolled accounts within registered Organizational Units (OUs). Conversely, the audit account is intended for users needing access to audit information provided by AWS Control Tower and can also serve as a gateway for third-party tools performing programmatic audits of your environment, aiding in compliance assessments.

To facilitate the creation of these accounts, customers are required to input unique email addresses for each account. Following setup, you can either create new AWS Accounts or incorporate existing ones under AWS Control Tower Management. For further details, refer to About AWS accounts in AWS Control Tower.

Many clients, having established custom landing zones, expressed a desire to reuse their pre-existing log archive and security accounts. Leveraging the existing Logging account enables them to consolidate logs and configuration aggregators within a single account.

In this article, we illustrate how to reuse existing core or security AWS accounts while deploying AWS Control Tower. This feature allows customers to save time and effort that they might otherwise expend modifying AWS native or third-party integrations in their core accounts.

Use Case Overview

Several scenarios may necessitate the use of existing AWS accounts as the log archive and audit accounts for AWS Control Tower. For instance, if you utilize AWS CloudTrail for organizational features, which logs events for the management account and all member accounts, you would likely prefer to continue using the same account for AWS CloudTrail and AWS Config with AWS Control Tower, especially if third-party integrations are established for post-log processing. Now, you can designate these accounts as Audit and Log Archive accounts during AWS Control Tower deployment.

Another scenario involves utilizing an existing account as a delegated administrator for various AWS services, such as AWS Security Hub or AWS GuardDuty, while wishing to have the same account function as AWS Control Tower’s Audit account.

Considerations

Before proceeding, please consider the following:

  • Review the Considerations for bringing existing security and logging accounts.
  • AWS Control Tower will relocate these accounts to the OU it creates during deployment.
  • AWS Control Tower establishes its own Config Aggregator in addition to any existing Config aggregators you may have.
  • If AWS Config is deployed in other accounts that you intend to enroll with AWS Control Tower and wish to maintain the same AWS Config recorder and Delivery Channel, you must follow the specified steps prior to deploying AWS Control Tower.

Prerequisites

Ensure you meet the following prerequisites before proceeding:

  • Familiarize yourself with the prerequisites to deploy AWS Control Tower.
  • Existing core or shared account(s) must already be part of your organization.
  • Remove the AWS Config recorder and AWS Config Delivery channel from the accounts intended for this feature. This step must be completed for every region you wish to govern with AWS Control Tower.
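The last prerequisite has to hold in every region Control Tower will govern, and the delete calls must be issued in a specific order, so it is easy to get half-done by hand. The script below is an added example, not code from the AWS post: it clears the recorder and delivery channel from the current account across a list of regions, then re-checks each region so a non-zero exit means the prerequisite is not yet met. It assumes the AWS CLI is installed and the shell already holds credentials for the account being brought in as the log archive or audit account; the function names and the region arguments are illustrative. Run it only against those accounts: member accounts whose AWS Config recorder you intend to keep (the case called out under Considerations) must not be touched.

```shell
#!/bin/sh
# Added example (not from the AWS post): clear the AWS Config recorder and
# delivery channel from an existing account in each region that AWS Control
# Tower will govern. Assumes the AWS CLI is installed and the shell already
# holds credentials for the account being prepared. Function and region names
# are illustrative.
set -e

# Print the name of the region's Config recorder, or nothing if none exists
# (the CLI renders a missing value as the literal string "None").
config_recorder_name() {
  name=$(aws configservice describe-configuration-recorders --region "$1" \
    --query 'ConfigurationRecorders[0].name' --output text)
  [ "$name" = "None" ] || printf '%s\n' "$name"
}

# Same lookup for the delivery channel.
config_delivery_channel_name() {
  name=$(aws configservice describe-delivery-channels --region "$1" \
    --query 'DeliveryChannels[0].name' --output text)
  [ "$name" = "None" ] || printf '%s\n' "$name"
}

# Remove both resources from one region. Order matters: AWS Config refuses to
# delete a delivery channel while its recorder is running, so stop the
# recorder, delete the channel, then delete the recorder.
remove_config_in_region() {
  region="$1"
  recorder=$(config_recorder_name "$region")
  channel=$(config_delivery_channel_name "$region")
  if [ -z "$recorder" ] && [ -z "$channel" ]; then
    echo "$region: no AWS Config recorder or delivery channel present"
    return 0
  fi
  if [ -n "$recorder" ]; then
    aws configservice stop-configuration-recorder --region "$region" \
      --configuration-recorder-name "$recorder"
  fi
  if [ -n "$channel" ]; then
    aws configservice delete-delivery-channel --region "$region" \
      --delivery-channel-name "$channel"
  fi
  if [ -n "$recorder" ]; then
    aws configservice delete-configuration-recorder --region "$region" \
      --configuration-recorder-name "$recorder"
  fi
  echo "$region: removed recorder '${recorder:-none}' and delivery channel '${channel:-none}'"
}

# Apply to every governed region, then verify nothing is left behind; a
# non-zero exit means the Control Tower prerequisite is not yet satisfied.
remove_config_in_regions() {
  for region in "$@"; do
    remove_config_in_region "$region"
  done
  for region in "$@"; do
    if [ -n "$(config_recorder_name "$region")" ] || \
       [ -n "$(config_delivery_channel_name "$region")" ]; then
      echo "$region: AWS Config resources still present" >&2
      return 1
    fi
  done
  echo "all regions clear: $*"
}

# Usage: sh remove-config.sh us-east-1 us-west-2 eu-west-1
if [ "$#" -gt 0 ]; then
  remove_config_in_regions "$@"
fi
```

Pass the same region list you will select under "Review pricing and select regions" during setup; a region left out here will fail enrollment later. The final verification pass is what makes the result trustworthy: it queries AWS Config again rather than trusting that the delete calls succeeded.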

Steps to Deploy Control Tower with Existing Accounts

To deploy AWS Control Tower with existing accounts, follow these steps:

  1. Navigate to AWS Control Tower in your AWS management console.
  2. Select “Set up landing zone.”
  3. Review pricing and select regions.
  4. Configure OUs.
  5. Opt for “Use existing account” (refer to the accompanying screenshots).

Here, enter the Log Archive account ID.

Configuration screen for entering the Log Archive account ID
