In this step your Cloud Administrators will create several new team development AWS accounts via AWS Control Tower’s Account Factory.
This step should take about 30 minutes to complete.
As highlighted previously, an AWS best practice is to isolate the work of distinct builder teams by assigning a different development AWS account to each team. Benefits of this approach include:
Inherent Per Team Cost Allocation: Since AWS resource costs are, by default, attributable to each AWS account in which the resources are provisioned, at this early stage in your adoption, you don’t need to force builder teams to use cost allocation tags on their resources.
Inherent Isolation Between Teams: Resources managed by builder teams in different AWS accounts are isolated from each other by default; nothing crosses the account boundary unless it is explicitly granted (for example, through a resource policy or an AWS RAM share). You therefore don't need more advanced AWS Identity and Access Management (IAM) configurations to ensure that builder teams don't inadvertently impact each other's cloud resources.
Initially, you will likely need AWS accounts for the following teams:
Team Development Account | Purpose |
---|---|
Workload Builder Team | A team development AWS account for the team that will be doing the workload specific work for your first formal workload on AWS. |
Foundation Team | A team development AWS account for the initial few Cloud and Security Administrators to experiment, develop, and perform early testing of changes to the foundation. |
In AWS Control Tower, provision the initial set of team development AWS accounts for early experimentation, development, and testing.
You'll follow these steps twice: once to create the initial development team's AWS account and again to create the development AWS account for the foundation team.
1. Sign in to your master (management) account.
2. In the AWS SSO user portal, select the Management console link associated with the AWSAdministratorAccess role.
3. Navigate to Control Tower.
4. Select Account Factory on the left.
5. Select Enroll account.
6. Complete the form using these recommendations:

Field | Recommendation |
---|---|
Account email | Consult the set of AWS account root user email addresses that you established earlier. This address becomes the new account's root user sign-in name, so it should be a mailbox your organization controls rather than an individual's. |
Display name | team-a-dev or foundation-dev |
AWS SSO email | Use the same email address as Account email. |
AWS SSO First Name | Use part of the account name. For example, Team A or Foundation for the foundation team's development AWS account. |
AWS SSO Last Name | Use the remaining part of the account name. For example, Development. |
Organizational unit | Select the development OU you created earlier in this section. For example, development. |
7. Select Enroll Account.

It will take a few minutes to enroll the new account. You can check the status in Service Catalog. Once it's done, the email address you used will receive three messages: 1) Your AWS Account is Ready, 2) Invitation to join AWS Single Sign-On, 3) Welcome to Amazon Web Services.
When each new team development AWS account is created, follow these steps to initialize the AWS account's AWS SSO user and root user to align with security best practices.
When a new AWS account has been created via the Account Factory, a user for the new AWS account is created in AWS SSO. As a best practice, you should initialize the associated user's password and enable MFA.
1. In the Invitation to join AWS Single Sign-On email, select Accept invitation and set a password for the new AWS SSO user.
2. Follow the instructions in How to Register a Device for Use with Multi-Factor Authentication.
In addition to a new AWS SSO user being created for the AWS account, the new AWS account has a built-in root user.
See Log In as Root User in the AWS Control Tower documentation for instructions to set the root user's password.
See Enable MFA on the AWS Account Root User for instructions to enable MFA. Once the root user is secured, reserve it for the few tasks that require it; day-to-day administration of the account should go through AWS SSO.
Since Cloud Administrators won’t automatically be granted sufficient access to newly created AWS accounts, you need to enable this access each time you create new AWS accounts via AWS Control Tower’s Account Factory.
1. Sign in to your master (management) account.
2. In the AWS SSO user portal, select the Management console link associated with the AWSAdministratorAccess role.
3. Navigate to AWS SSO.
4. Select AWS accounts in AWS SSO.
5. Select the newly created accounts, for example Team A - Dev and Foundation - Dev.
6. Select Assign users.
7. Select Groups.
8. Select the Cloud Administrator group, for example example-cloud-admin or similar.
9. Select Next: Permission sets.
10. Select AWSAdministratorAccess.
11. Select Finish.

Now all users who are part of the Cloud Administrator group in AWS SSO have administrator access to the selected AWS accounts.
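Because this assignment has to be repeated for every account the Account Factory produces, it is worth scripting. The following is an added example for this page, not code from the original workshop or from AWS: run with credentials in the master (management) account, it resolves the AWS SSO instance, the Cloud Administrator group and the permission set by name, then requests one account assignment per new account. The group name `example-cloud-admin` and the account IDs are placeholders.

```python
"""Assign an AWS SSO group a permission set on newly created accounts
(added example; not from the original page)."""
try:
    import boto3  # only needed when talking to a real AWS SSO instance
except ImportError:  # the lookup helpers still run without boto3
    boto3 = None


def find_group_id(identitystore, identity_store_id, display_name):
    """Resolve an AWS SSO group's ID from its display name; fail on ambiguity."""
    resp = identitystore.list_groups(
        IdentityStoreId=identity_store_id,
        Filters=[{"AttributePath": "DisplayName", "AttributeValue": display_name}],
    )
    groups = resp["Groups"]
    if len(groups) != 1:
        raise LookupError(f"expected exactly one group named {display_name!r}, found {len(groups)}")
    return groups[0]["GroupId"]


def find_permission_set_arn(sso_admin, instance_arn, name):
    """Resolve a permission set ARN by name, walking all result pages."""
    token = None
    while True:
        kwargs = {"InstanceArn": instance_arn}
        if token:
            kwargs["NextToken"] = token
        page = sso_admin.list_permission_sets(**kwargs)
        for arn in page["PermissionSets"]:
            desc = sso_admin.describe_permission_set(InstanceArn=instance_arn, PermissionSetArn=arn)
            if desc["PermissionSet"]["Name"] == name:
                return arn
        token = page.get("NextToken")
        if not token:
            raise LookupError(f"permission set {name!r} not found")


def assign_group_to_accounts(sso_admin, identitystore, group_name, permission_set_name, account_ids):
    """Grant group_name the permission set on each account; returns {account: status}."""
    instances = sso_admin.list_instances()["Instances"]
    if len(instances) != 1:
        raise LookupError("expected exactly one AWS SSO instance in this account")
    instance_arn = instances[0]["InstanceArn"]
    group_id = find_group_id(identitystore, instances[0]["IdentityStoreId"], group_name)
    permission_set_arn = find_permission_set_arn(sso_admin, instance_arn, permission_set_name)
    statuses = {}
    for account_id in account_ids:
        resp = sso_admin.create_account_assignment(
            InstanceArn=instance_arn,
            TargetId=account_id,
            TargetType="AWS_ACCOUNT",
            PermissionSetArn=permission_set_arn,
            PrincipalType="GROUP",
            PrincipalId=group_id,
        )
        # Creation is asynchronous; the initial status is normally IN_PROGRESS.
        statuses[account_id] = resp["AccountAssignmentCreationStatus"]["Status"]
    return statuses


if __name__ == "__main__":
    # Placeholder account IDs for Team A - Dev and Foundation - Dev.
    new_accounts = ["111111111111", "222222222222"]
    print(assign_group_to_accounts(
        boto3.client("sso-admin"), boto3.client("identitystore"),
        group_name="example-cloud-admin",
        permission_set_name="AWSAdministratorAccess",
        account_ids=new_accounts,
    ))
```

The assignment is created asynchronously; poll `describe-account-assignment-creation-status` with the request ID from the response if you need to wait for SUCCEEDED before the next step.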
Since tags on shared subnets, including the Name tag, are not propagated to the participant AWS accounts, as a Cloud Administrator you should apply names to the shared subnets within each team development AWS account so that it's easier for the builder teams to understand the role of each subnet as they configure resources for AWS services.
1. In the AWS SSO user portal, select the Management console link for the team development AWS account associated with the AWSAdministratorAccess role.
2. Navigate to VPC.
3. Select Your VPCs.
4. Select the shared VPC, base-dev.
5. Select Subnets.
6. Set the Name field of each private subnet to match the name of the private subnet as it's configured in the Network AWS account. You can open another incognito or similar browser session to view the Network account's resources. Caution: The subnets may not be listed in the same order in both AWS accounts by default, so match them by subnet ID (a shared subnet has the same ID in both accounts), not by their position in the list.