A Sneak Peak into AWS Control Tower.

 

AWS Control Tower 

AWS Control Tower is a service provided by Amazon Web Services (AWS) that helps organizations set up and govern a secure, multi-account AWS environment based on AWS best practices AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone, which helps organizations adhere to best practices for security and compliance.

 Key Features

         Landing Zone Setup:

      • Automated Environment: Set up a pre-configured, secure, multi-account AWS environment.
      • Multi-Account Management: Enables the creation and management of multiple AWS accounts using AWS Organizations.
         Governance and Compliance:

      • Guardrails: Implement pre-packaged governance rules (guardrails) to enforce policies. These include preventive (blocking actions) and detective (identifying actions) controls.
      • Service Control Policies (SCPs): Apply permissions management across accounts to enforce compliance.
         Account Provisioning:

      • Account Factory: Streamlines the provisioning of new AWS accounts with standardized configurations.
        Centralized Logging and Monitoring:

      • AWS CloudTrail Integration: Logs all API activity across your AWS environment.
      • AWS Config Integration: Tracks resource configurations and changes to ensure compliance.
         Single Sign-On (SSO):

      • AWS SSO Integration: Provides single sign-on access to AWS accounts and applications.
Benefits

        Simplified Setup and Management:

      • Reduces the complexity and time required to establish a multi-account AWS environment following best practices.
        Enhanced Security and Compliance:

      • Enforces security policies and compliance through automated guardrails and SCPs.
        Operational Efficiency:

      • Automates setup and governance, allowing IT teams to focus on higher-value tasks.
        Scalability:

      • Facilitates the easy scaling of cloud environments, allowing quick provisioning of new accounts with consistent configurations.
        Cost Management:

      • Provides visibility and governance over resources, aiding in cost optimization.
Control Tower Dashboard

The AWS Control Tower console provides a centralized interface to monitor and manage your multi-account AWS environment.

The dashboard provides you the status of Landing Zone.


You will be able to view the environment summary like number of OU and Accounts.


Dashboard provides you the details of enabled controls

The dashboard lists non-compliant resources.



The dashboard also provides information about the compliance status and the registration status of OU/Accounts.  


In addition, the AWS Control Tower console serves as the central hub for managing and overseeing your AWS Control Tower environment.








Connecting to a CodeCommit repository from AWS CLI using Identity Centre Credentials.


With the AWS Multi-Account Control Tower model and AWS Identity Center as your identity provider, you can connect to a CodeCommit repository in one of the child accounts using the AWS CLI and Identity Centre Credentials. Ensure that the appropriate permissions are granted to your Identity Center IDs to access CodeCommit in the corresponding account.

Prerequisite

  • AWS CLI above version 2
       Installation Steps

  • Python version3 with pip.
  • Git Client latest version.
  • Create the user and provide “AWSCodeCommitAccess” role access to the user.
  • Sign out and close all AWS consoles.
  • Install git-remote-codecommit plugin & ensure the PATH variable is correctly set.

Installing git-remote-codecommit plugin

On a computer running Linux, macOS, or Unix:

$sudo pip install git-remote-codecommit

On a computer running Windows:

$pip install --user git-remote-codecommit

Note:- Account numbers mentioned in this blog post is not a valid account number and is used for demo purpose only.

Step1 – Configure Identity Centre for AWS CLI

Open your command prompt, type below command and input provided values.

$ aws configure sso

SSO session name (Recommended): aws-codecommit-session
(Enter a name for the session)

SSO start URL [None]: https://XXXXXX.awsapps.com/start/
(Enter Identity Centre URL)

SSO region [None]: us-east-1

(Enter the AWS Region)

SSO registration scopes [sso:account:access]: 0123456789123

(Enter the Identity Centre Account ID)

<Command Prompt Message>

Attempting to automatically open the SSO authorization page in your default browser.

If the browser does not open or you wish to use a different device to authorize this request, open the following URL:

 https://device.sso.ap-south-1.amazonaws.com/

 Then enter the code:

 BBXB-TRRQ

Step2- Confirm the authorization code.

Once you entered above values, you will be redirected to below page. Note down the authorization code in the web page and ensure that you have same code in your command prompt as well.

After successful verification, click on “Confirm and Continue”  (Don’t proceed if the authorization code verification is not successful.)




Step3- Allow authorization request.

After successful confirmation you will be redirected to below page.

Click on “Allow”





You will be notified with the approval status.





Step4- AWS CLI Profile details.

 

Switch back to command prompt and note down the profile name.

The only AWS account available to you is: 987654321012 

Using the account ID 987654321012

The only role available to you is: AWSCodeCommitAccess

Using the role name "AWSCodeCommitAccess"

CLI default client Region [us-east-1]:<Enter>

CLI default output format [None]:<Enter>

CLI profile name [AWSCodeCommitAccess-987654321012]:<Enter>

(If you would like to change the profile name you can enter the new profile name here but you should use the same profile name while executing below command)

 Step5- Clone your repository.

 Use below command to clone your repository.

 $ git clone codecommit::us-east-1://AWSCodeCommitAccess-987654321012@<Repository Name>

 Example:

$ git clone codecommit::us-east-1://AWSCodeCommitAccess-987654321012@test-repository