If you’ve followed this guide, you’ve already created the Organizational Units (OUs) for your workload and provisioned an initial account in the workloads_dev OU. This step assumes you are ready to provision workload accounts. In this step your Cloud Administrators will create new AWS accounts dedicated to your workload via AWS Control Tower’s Account Factory.

For the purposes of this guide, we presume you will create one production and one test account for the given workload. If you’ve followed the steps closely so far, you’ve created a foundation that will scale to manage many accounts with a minimum of overhead.
This step should take about 60 minutes to complete.
Every AWS account requires a unique email address for the “root” user. You may have created these addresses in an earlier step. If not, please go back and review the guidance and provision the test and production workload addresses before you continue. You will need to be capable of accessing the inboxes of the email accounts to proceed through the steps below.
Since test and production workloads are best provisioned in workload-specific accounts, you should determine a workload identifier to associate with your first few workloads. You’ll use that identifier when you name your test and production AWS accounts. For example, if your workload is a virtual desktop infrastructure (VDI) deployment using, for example, Amazon WorkSpaces, you might use `vdi` as the workload identifier and name your accounts `workloads-test-vdi` and `workloads-prod-vdi`.
Use AWS Control Tower Account Factory to provision the required workload accounts, starting with the test account.

1. Sign in to the AWS Control Tower console in your **management** account.
2. Choose **Account Factory** on the left.
3. Choose **Enroll account**.
4. Complete the form using the following recommendations:

| Field | Recommendation |
|---|---|
| Account email | Use the email address that you’ve already identified for this account. |
| Display name | `workloads-test-<workload-id>` |
| AWS SSO email | Provide the email address of one of your cloud administrators as registered in AWS SSO. As long as you reference an existing AWS SSO user, the Account Factory will not create another AWS SSO user for this new AWS account. |
| AWS SSO First Name | AWS Control Tower |
| AWS SSO Last Name | Admin |
| Organizational unit | `workloads_test` |

5. Choose **Enroll Account**. It will take several minutes to enroll the new account. You can check the status in **Service Catalog**.
Once you create a new AWS account using Account Factory, there are several user-account-related tasks that you should perform to enhance the security of your environment.

**Remove the individual access granted by Account Factory:** Since AWS Control Tower’s Account Factory automatically grants the AWS SSO user specified in the Account Factory parameters administrative access to the newly created AWS account, you should remove this individual access. Since you’ll grant your Cloud Administrators access to the new AWS account using their AWS SSO group in a subsequent step, there’s no need to leave this individual access in place.

1. Open **AWS SSO**.
2. Choose **AWS accounts** in AWS SSO.
3. Choose **Remove access** from the **User/group** entry that matches the AWS SSO email address you supplied in the previous step.
4. Choose **Remove access** to confirm removal.

**Set AWS account root user password:** See Log In as Root User in the AWS Control Tower documentation for instructions to set the root user’s password.

**Enable multi-factor authentication (MFA):** See Enable MFA on the AWS Account Root User for instructions to enable MFA.
Account Factory can create only one account at a time: you’ll need to wait for provisioning of the test workloads account to finish before you start creating the production account.

Repeat the account creation steps you used for the test workloads account, but substitute `prod` where appropriate.

Perform the same post-account-creation steps as noted above for your production workloads account.
Since Cloud Administrators won’t automatically be granted sufficient access to newly created AWS accounts, you need to enable this access each time you create new AWS accounts via AWS Control Tower’s Account Factory.

1. Open **AWS SSO**.
2. Choose **AWS accounts** in AWS SSO.
3. Select the newly created accounts and choose **Assign users**.
4. Choose **Groups**.
5. Select your Cloud Administrator group, `example-cloud-admin` or similar.
6. Choose **Next: Permission sets**.
7. Select **AWSAdministratorAccess**.
8. Choose **Finish**.

Now you’ve granted all users who are part of the Cloud Administrator group in AWS SSO administrator access to the selected AWS accounts.
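The post-creation tasks above (removing the individual AWS SSO access that Account Factory granted, and enabling root MFA) and the group assignment in this step can be verified rather than eyeballed after each account is enrolled. The script below is an added example, not part of this guide or of AWS Control Tower. It uses real boto3 calls (sso-admin ListInstances, ListPermissionSetsProvisionedToAccount and ListAccountAssignments; IAM GetAccountSummary), but every identifier in the sample data (the account ID, permission set ARN, group ID and user ID) is a constructed placeholder, and in practice you pass the ARN of your own AWSAdministratorAccess permission set and your own Cloud Administrator group ID.

```python
"""Post-provisioning audit for an Account Factory account (added example).

Checks the three things this step asks for after Account Factory finishes:
  1. no individual (USER) assignments remain in AWS SSO for the account,
  2. the Cloud Administrator group holds the AWSAdministratorAccess permission set,
  3. the account's root user has MFA enabled.
The decision logic works on plain dicts so it can be exercised offline;
the boto3 fetchers at the bottom run only when called with real credentials.
"""
from typing import Dict, Iterable, List

# Constructed sample data (placeholders, not real identifiers): an account
# straight out of Account Factory, still carrying the individual assignment for
# the AWS SSO user named in the enrollment form, plus the group assignment from
# the "Assign users" step.
ACCOUNT_ID = "111111111111"
ADMIN_PS_ARN = "arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLEadmin"
CLOUD_ADMIN_GROUP_ID = "group-cloud-admin"
SAMPLE_ASSIGNMENTS: List[Dict] = [
    {"AccountId": ACCOUNT_ID, "PermissionSetArn": ADMIN_PS_ARN,
     "PrincipalType": "USER", "PrincipalId": "user-account-factory"},
    {"AccountId": ACCOUNT_ID, "PermissionSetArn": ADMIN_PS_ARN,
     "PrincipalType": "GROUP", "PrincipalId": CLOUD_ADMIN_GROUP_ID},
]


def individual_assignments(assignments: Iterable[Dict]) -> List[Dict]:
    """Assignments whose principal is a single user rather than a group.

    Each dict has the shape of one entry in ListAccountAssignments' response:
    AccountId, PermissionSetArn, PrincipalType ('USER' | 'GROUP'), PrincipalId.
    """
    return [a for a in assignments if a.get("PrincipalType") == "USER"]


def group_has_permission_set(assignments: Iterable[Dict], group_id: str, ps_arn: str) -> bool:
    """True if the given group is assigned the given permission set."""
    return any(
        a.get("PrincipalType") == "GROUP"
        and a.get("PrincipalId") == group_id
        and a.get("PermissionSetArn") == ps_arn
        for a in assignments
    )


def root_mfa_enabled(summary_map: Dict[str, int]) -> bool:
    """summary_map is the SummaryMap from IAM GetAccountSummary; its
    AccountMFAEnabled counter is 1 when the root user has an MFA device."""
    return summary_map.get("AccountMFAEnabled", 0) == 1


def audit(assignments: Iterable[Dict], summary_map: Dict[str, int],
          group_id: str, admin_ps_arn: str) -> List[str]:
    """Return a list of findings; an empty list means the account passes."""
    assignments = list(assignments)
    findings: List[str] = []
    for a in individual_assignments(assignments):
        findings.append(f"individual access remains for user {a['PrincipalId']} "
                        f"via {a['PermissionSetArn']}")
    if not group_has_permission_set(assignments, group_id, admin_ps_arn):
        findings.append(f"group {group_id} is not assigned {admin_ps_arn}")
    if not root_mfa_enabled(summary_map):
        findings.append("root user MFA is not enabled")
    return findings


def fetch_assignments(account_id: str) -> List[Dict]:
    """Live fetch from the management account: every assignment on the account,
    across all permission sets provisioned to it (sso-admin API)."""
    import boto3  # imported here so the offline checks above need no SDK
    sso = boto3.client("sso-admin")
    instance_arn = sso.list_instances()["Instances"][0]["InstanceArn"]
    result: List[Dict] = []
    ps_pages = sso.get_paginator("list_permission_sets_provisioned_to_account").paginate(
        InstanceArn=instance_arn, AccountId=account_id)
    for ps_page in ps_pages:
        for ps_arn in ps_page.get("PermissionSets", []):
            for page in sso.get_paginator("list_account_assignments").paginate(
                    InstanceArn=instance_arn, AccountId=account_id, PermissionSetArn=ps_arn):
                result.extend(page["AccountAssignments"])
    return result


def fetch_root_mfa_summary(session) -> Dict[str, int]:
    """Live fetch: IAM GetAccountSummary, run with a boto3 Session whose
    credentials are *inside the new account* (e.g. AWSAdministratorAccess via AWS SSO)."""
    return session.client("iam").get_account_summary()["SummaryMap"]


if __name__ == "__main__":
    # Offline run on the constructed sample: one leftover individual
    # assignment and root MFA still off, so two findings are printed.
    for finding in audit(SAMPLE_ASSIGNMENTS, {"AccountMFAEnabled": 0},
                         CLOUD_ADMIN_GROUP_ID, ADMIN_PS_ARN):
        print("FINDING:", finding)
```

Run `fetch_assignments` with management-account credentials that can read AWS SSO, run `fetch_root_mfa_summary` with a session inside the new account, and pass both results to `audit`; an empty result means the individual access is gone, the Cloud Administrator group holds AWSAdministratorAccess, and root MFA is on. Repeat it for the production account once that enrollment finishes.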