If you’ve followed this guide, you’ve already created the Organizational Units (OUs) for your workload and provisioned an initial account in the workloads_dev OU. This step assumes you are ready to provision accounts for a workload: your Cloud Administrators will create new AWS accounts dedicated to that workload via AWS Control Tower’s Account Factory.
For the purposes of this guide, we assume you will create one production and one test account for the given workload. If you’ve followed the steps closely so far, you’ve built a foundation that will scale to many accounts with minimal overhead.
This step should take about 60 minutes to complete.
Every AWS account requires a unique email address for the “root” user. You may have created these addresses in an earlier step. If not, go back, review that guidance, and provision the test and production workload addresses before you continue. You will need to be able to access the inboxes of those email accounts to complete the steps below.
Since test and production workloads are best provisioned in workload-specific accounts, you should choose a workload identifier to associate with your first few workloads. You’ll use that identifier when you name your test and production AWS accounts. For example, if your workload is a virtual desktop infrastructure (VDI) deployment using Amazon WorkSpaces, you might use vdi as the workload identifier and name your accounts accordingly.
Use AWS Control Tower Account Factory to provision the required production workload account.
Open the AWS Control Tower console and choose Account Factory on the left.

| Field | Value |
|---|---|
| Account email | Use the email address that you’ve already identified for this account’s root user. |
| SSO user email | Provide the email address of one of your Cloud Administrators as registered in AWS SSO. As long as you reference an existing AWS SSO user, Account Factory will not create another AWS SSO user for this new AWS account. |
It will take several minutes to enroll the new account. You can check the status in
Once you create a new AWS account using Account Factory, there are several user-account-related tasks you should perform to improve the security of your environment.
Account Factory automatically grants the AWS SSO user specified in its parameters administrative access to the newly created AWS account; you should remove this individual access. Because you’ll grant your Cloud Administrators access to the new account through their AWS SSO group in a subsequent step, there’s no need to leave the individual assignment in place.
Choose AWS accounts in AWS SSO.
Choose Remove access from the User/group entry that matches the AWS SSO email address you supplied in the previous step.
Choose Remove access to confirm removal.
Set AWS account root user password: See Log In as Root User in the AWS Control Tower documentation for instructions to set the root user’s password.
Enable multi-factor authentication (MFA): See Enable MFA on the AWS Account Root User for instructions to enable MFA.
Account Factory can create only one account at a time: You’ll need to wait for provisioning of the test workloads account to finish before you start creating the production account.
Repeat the account creation steps you used for the test workloads account, but substitute prod where appropriate.
Perform the same post-account creation steps as noted above for your production workloads account.
Since Cloud Administrators won’t automatically be granted sufficient access to newly created AWS accounts, you need to grant this access each time you create an AWS account via AWS Control Tower’s Account Factory.
Choose AWS accounts in AWS SSO.
Choose Next: Permission sets.
Now you’ve granted all users who are part of the Cloud Administrator group in AWS SSO administrator access to the selected AWS accounts.
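To verify the two AWS SSO steps above across your new workload accounts (the individual access Account Factory granted has been removed, and the Cloud Administrators group has been granted administrator access), here is an added Python audit that is not part of this guide. It assumes placeholder values for the permission-set ARN, group ID and account IDs, and constructed assignment records in the shape of the AccountAssignments entries returned by `aws sso-admin list-account-assignments`.

```python
from dataclasses import dataclass

# Placeholder identifiers (assumptions): the AdministratorAccess permission
# set ARN and the Cloud Administrators group ID from your own SSO instance.
ADMIN_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE"
CLOUD_ADMIN_GROUP_ID = "group-cloud-admins-EXAMPLE"


@dataclass(frozen=True)
class Finding:
    account_id: str
    kind: str            # "leftover_user_access" or "missing_group_access"
    principal_id: str = ""


def audit_assignments(assignments, workload_account_ids,
                      admin_ps_arn=ADMIN_PS_ARN, group_id=CLOUD_ADMIN_GROUP_ID):
    """Report, per workload account, any remaining individual (USER)
    assignment and any account where the Cloud Administrators group has
    not been granted the admin permission set. `assignments` has the shape
    of AccountAssignments from `aws sso-admin list-account-assignments`."""
    findings = []
    for acct in workload_account_ids:
        group_has_admin = False
        for a in (x for x in assignments if x["AccountId"] == acct):
            if a["PrincipalType"] == "USER":
                findings.append(Finding(acct, "leftover_user_access", a["PrincipalId"]))
            elif (a["PrincipalType"] == "GROUP" and a["PrincipalId"] == group_id
                  and a["PermissionSetArn"] == admin_ps_arn):
                group_has_admin = True
        if not group_has_admin:
            findings.append(Finding(acct, "missing_group_access"))
    return findings


def _rec(acct, ptype, pid):  # build one constructed assignment record
    return {"AccountId": acct, "PermissionSetArn": ADMIN_PS_ARN,
            "PrincipalType": ptype, "PrincipalId": pid}

# Constructed sample: the test account (1111...) still carries the individual
# assignment beside the group grant; prod (2222...) has only the individual one.
SAMPLE_ASSIGNMENTS = [
    _rec("111111111111", "USER", "user-cloudadmin1-EXAMPLE"),
    _rec("111111111111", "GROUP", CLOUD_ADMIN_GROUP_ID),
    _rec("222222222222", "USER", "user-cloudadmin1-EXAMPLE"),
]
WORKLOAD_ACCOUNTS = ["111111111111", "222222222222"]

if __name__ == "__main__":
    for f in audit_assignments(SAMPLE_ASSIGNMENTS, WORKLOAD_ACCOUNTS):
        print(f"{f.account_id}: {f.kind} {f.principal_id}".rstrip())
```

Against a live instance, feed the function the AccountAssignments list you retrieve per account and per permission set with the AWS CLI or boto3; an empty result means both steps were completed.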