Review Note: This section is an early draft and is undergoing review and editing.
If you’ve followed this guide, you’ve already created the Organizational Units (OUs) for your workload and provisioned an initial account in the workloads_dev OU. This step assumes you are ready to provision the remaining accounts for that workload: your Cloud Administrators will create new AWS accounts dedicated to your workload via AWS Control Tower’s Account Factory.
For the purposes of this guide, we assume one production and one test account for the given workload. If you’ve followed the steps closely so far, you’ve created a foundation that will scale to manage many accounts with a minimum of overhead.
This step should take about 60 minutes to complete.
Confirm email addresses
Every AWS account requires a unique email address for the “root” user. You may have created these addresses in an earlier step. If not, go back and review the guidance and provision the test and production workload addresses before you continue. You will need access to the inboxes of these email accounts to proceed through the steps below.
Choose Workload Group Identifier
When you created the development workload environment, you used <team identifier> as a differentiator. Test and production workloads are best provisioned in workload-specific accounts, so we’ll use the workload group ID to label them. For example, workloads-test-sap and workloads-prod-sap, where sap would be the workload group ID.
Use AWS Control Tower Account Factory to provision the required production workload account.
1. Select the management account, then open the Management console associated with the AWSAdministratorAccess role.
2. Navigate to Control Tower.
3. Select Account Factory on the left.
4. Select Enroll account.
5. Complete the form using the following recommendations:

Field | Recommendation |
---|---|
Account email | Use the prod email created in Step 1 above. |
Display name | workloads-prod-<workloadId> |
AWS SSO email | Use the email address of your AWS Control Tower Admin user in AWS SSO. As long as you reference an existing AWS SSO user, the Account Factory will not create another AWS SSO user for this new AWS account. |
AWS SSO First Name | AWS Control Tower |
AWS SSO Last Name | Admin |
Organizational unit | workloads_prod |

6. Select Enroll Account. It will take several minutes to enroll the new account. You can check the status in Service Catalog.
By default, AWS Control Tower only allows one account provisioning request to be active at a time. If you try to enroll a second account while the first one is still provisioning, the request will fail and you will need to terminate it in Service Catalog and start over. You can request an increase in this soft limit via a ticket to AWS Support.
Once you create a new AWS account using Account Factory, there are several user account related tasks that you should perform to enhance the security of your environment.
Since AWS Control Tower’s Account Factory automatically grants the AWS SSO user specified in the Account Factory parameters administrative access to the newly created AWS account, you should remove this individual access. Since you’ll grant your Cloud Administrators access to the new AWS account using their AWS SSO group in a subsequent step, there’s no need to leave this individual access in place.
1. Navigate to AWS SSO.
2. Select AWS accounts in AWS SSO.
3. Select Remove access from the User/group entry that matches the AWS SSO email address you supplied in the previous step.
4. Select Remove access to confirm removal.
5. Set AWS Account Root User Password: See Log In as Root User in the AWS Control Tower documentation for instructions to set the root user’s password.
6. Enable Multi-Factor Authentication (MFA): See Enable MFA on the AWS Account Root User for instructions to enable MFA.
Follow the same steps to create the test workload account. Ensure the previous step has completed before you proceed.
1. Select Account Factory on the left.
2. Select Enroll account.
3. Complete the form using the following recommendations:

Field | Recommendation |
---|---|
Account email | Use the test email created in Step 1 above. |
Display name | workloads-test-<workloadId> |
AWS SSO email | Use the email address of your AWS Control Tower Admin user in AWS SSO. As long as you reference an existing AWS SSO user, the Account Factory will not create another AWS SSO user for this new AWS account. |
AWS SSO First Name | AWS Control Tower |
AWS SSO Last Name | Admin |
Organizational unit | workloads_test |

4. Select Enroll Account. It will take several minutes to enroll the new account. You can check the status in Service Catalog.
Once you create a new AWS account using Account Factory, there are several user account related tasks that you should perform to enhance the security of your environment.
Since AWS Control Tower’s Account Factory automatically grants the AWS SSO user specified in the Account Factory parameters administrative access to the newly created AWS account, you should remove this individual access. Since you’ll grant your Cloud Administrators access to the new AWS account using their AWS SSO group in a subsequent step, there’s no need to leave this individual access in place.
1. Navigate to AWS SSO.
2. Select AWS accounts in AWS SSO.
3. Select Remove access from the User/group entry that matches the AWS SSO email address you supplied in the previous step.
4. Select Remove access to confirm removal.
5. Set AWS Account Root User Password: See Log In as Root User in the AWS Control Tower documentation for instructions to set the root user’s password.
6. Enable Multi-Factor Authentication (MFA): See Enable MFA on the AWS Account Root User for instructions to enable MFA.
Since Cloud Administrators won’t automatically be granted sufficient access to newly created AWS accounts, you need to enable this access each time you create new AWS accounts via AWS Control Tower’s Account Factory.
1. Select the management account, then open the Management console associated with the AWSAdministratorAccess role.
2. Navigate to AWS SSO.
3. Select AWS accounts in AWS SSO, select the newly created accounts, and choose Assign users.
4. Select Groups.
5. Select example-cloud-admin or similar.
6. Select Next: Permission sets.
7. Select AWSAdministratorAccess.
8. Select Finish.
Now all users in the Cloud Administrator group in AWS SSO have administrator access to the selected AWS accounts.
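The two access changes above (remove the individual AWSAdministratorAccess grant the Account Factory gave the Control Tower Admin user; grant it to the Cloud Administrator group instead) are easy to miss when many accounts are enrolled. The following is an added example, not part of this guide or of AWS Control Tower, that audits the output of the `sso-admin` ListAccountAssignments API for both conditions. The permission set ARN, principal IDs and account ID are constructed placeholders; the live `fetch_assignments` helper assumes boto3 and management-account credentials.

```python
"""Audit AWS SSO account assignments on a newly enrolled workload account."""
from typing import Dict, List, Tuple

AccountAssignment = Dict[str, str]  # item shape returned by sso-admin ListAccountAssignments


def audit_assignments(assignments: List[AccountAssignment], cloud_admin_group_id: str,
                      admin_ps_arn: str) -> Tuple[List[AccountAssignment], bool]:
    """Return (stray, group_ok).

    stray    - USER-type assignments of the admin permission set; the Account Factory
               creates one for the AWS SSO user named in the enrollment form, and the
               guide says to remove it.
    group_ok - True when the Cloud Administrator group holds the admin permission set.
    """
    stray = [a for a in assignments
             if a["PrincipalType"] == "USER" and a["PermissionSetArn"] == admin_ps_arn]
    group_ok = any(a["PrincipalType"] == "GROUP"
                   and a["PrincipalId"] == cloud_admin_group_id
                   and a["PermissionSetArn"] == admin_ps_arn
                   for a in assignments)
    return stray, group_ok


def fetch_assignments(instance_arn: str, account_id: str, admin_ps_arn: str) -> List[AccountAssignment]:
    """Live variant: lists assignments for one account and permission set via boto3."""
    import boto3  # imported here so the offline sample below runs without boto3 installed
    paginator = boto3.client("sso-admin").get_paginator("list_account_assignments")
    pages = paginator.paginate(InstanceArn=instance_arn, AccountId=account_id,
                               PermissionSetArn=admin_ps_arn)
    return [a for page in pages for a in page["AccountAssignments"]]


# Constructed sample: state right after enrollment plus the group assignment step.
ADMIN_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"  # placeholder
CT_ADMIN_USER_ID = "user-id-ct-admin-EXAMPLE"                           # placeholder
CLOUD_ADMIN_GROUP_ID = "group-id-example-cloud-admin-EXAMPLE"           # placeholder
SAMPLE_ASSIGNMENTS = [
    {"AccountId": "111111111111", "PrincipalType": "USER",
     "PrincipalId": CT_ADMIN_USER_ID, "PermissionSetArn": ADMIN_PS_ARN},
    {"AccountId": "111111111111", "PrincipalType": "GROUP",
     "PrincipalId": CLOUD_ADMIN_GROUP_ID, "PermissionSetArn": ADMIN_PS_ARN},
]

if __name__ == "__main__":
    stray, group_ok = audit_assignments(SAMPLE_ASSIGNMENTS, CLOUD_ADMIN_GROUP_ID, ADMIN_PS_ARN)
    for a in stray:
        print(f"remove individual admin assignment for principal {a['PrincipalId']}")
    print("cloud admin group holds AWSAdministratorAccess:", group_ok)
```

Run it against each new account after the Finish step; an empty `stray` list and `group_ok == True` mean the account matches the end state this section describes.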