Skip to content

Latest commit

 

History

History
157 lines (93 loc) · 5.68 KB

Standalone2ControlTower.md

File metadata and controls

157 lines (93 loc) · 5.68 KB
Raw

Migrate BLEA Standalone to BLEA Multi-Account

View this page in Japanese (日本語) | Back to README

You can enroll an AWS account managed by Baseline Environment on AWS(Standalone) into OU managed by Control Tower with BLEA Multi-Account. Guest Base and Guest System on the enroll account are not changed, but the systems may be affected by Organizations Service Control Policies (SCPs) after enrollment. So we recommend to test the SCPs before enrollment.

On this procedure, we named accounts listed below:

  • Management account: an account setup Baseline Environment on AWS (Multi-Account) with Control Tower
  • Target account: an account setup Baseline Environment on AWS (Standalone), will enroll into OU managed by Control Tower.

Prerequisities

On Management account, You need to have setup Baseline Environment on AWS with Multi-Account Governance. Details are below:

  1. Setup Control Tower

    Refer: https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html

  2. Enabled trusted access using the AWS CloudFormation Stacksets console

    Refer: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-orgs-enable-trusted-access.html

  3. Enabled Security Hub and automatically enabling new organization accounts

    Refer: https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html

  4. Enable GuardDuty and automatically enabling new organization accounts

    Refer: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html

  5. Enable Amazon Inspector and automatically enabling new organization accounts

    Refer: https://docs.aws.amazon.com/inspector/latest/user/adding-member-accounts.html

1. Invite Target account to Management account Organizations

1.1. [Management Account] Invite account

  1. Login to Management account as administrator
  2. In the AWS Organizations Console, click [Add Account] button
  3. Click [Invite Account]
  4. Fill email address or account ID of Target account and click [invite]
  • Notice: you need to verify your email address before you invite

1.2. [Target Account] Approve invitation

  1. Invitation will be sent to administrator's email address of Target Account. Follow instruction and approve invitation.

2. [Target Account] Prepare to enroll Control Tower

You should be setup AWS Config on Target account, and AWS Config should to be disabled before enroll into Control Tower.

2.1. Delete AWS Config delivery channel

  1. Login to the Target account’s management console and launch CloudShell with [>_] icon OpenConsole

  2. Get delivery channel name and configuration recorder name

    aws configservice describe-delivery-channels
aws configservice describe-configuration-recorders

    Command results are like these.

    $ aws configservice describe-delivery-channels
{

    "DeliveryChannels": [

        {

            "name": "BLEA-Config-ConfigDeliveryChannel-XXXXXXXXXXX”,

            "s3BucketName": "able-config-configbucketxxxxxxxxxxxxxx”

        }

    ]

}
$ aws configservice describe-configuration-recorders
{

    "ConfigurationRecorders": [

        {

            "name": "BLEA-Config-ConfigRecorder-XXXXXXXXXXXXXX”,

            "roleARN": "arn:aws:iam::xxxxxxxxxxxx:role/BLEA-Config-ConfigRoleXXXXXXXXXXXXXXXXXX”,

            "recordingGroup": {

                "allSupported": true,

                "includeGlobalResourceTypes": true,

                "resourceTypes": []

            }

        }

    ]

}

  3. Delete configuration recorder and delivery channel

    With these command, you can delete configuration recorder and delivery channel. Specify each name from the result of previous procedure.

    aws configservice delete-configuration-recorder --configuration-recorder-name BLEA-Config-ConfigRecorder-XXXXXXXXXXXXXX

aws configservice delete-delivery-channel --delivery-channel-name BLEA-Config-ConfigDeliveryChannel-XXXXXXXXXXX

2.2. Create AWSControl TowerExecution Role

You need to create IAM Role for managing by Control Tower. The procedure is described at "Prerequisites for Enrollment - step 3" in the page below.

Refer: https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html

  1. Open IAM console
  2. Select [Roles]-[Create Role]
  3. Select [Another AWS account] and fill Control Tower Admin's AWS account ID
  4. Click [Next: Permissions]
  5. Select 'AdministratorAccess' policy and click [Next: Tags]-[Next: Review]
  6. Type 'AWSControl TowerExecution' in the Role name text box and click [Create role] button

3. [Management account] Enroll Target account to the Control Tower

On Management account, Enroll Target account.

Refer: https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html

  1. Login to Management account via AWS SSO

    • You can find SSO portal URL on [Users and Access] menu in the Control Tower Console SSOURL
    • You can reset password in the AWS SSO Console [Users] tab and click user. ChangePass

  2. Open Control Tower console

  3. Click [Account Factory] on navigation menu

  4. Click [Enroll account] and fill information of Target account and click [Enroll Account] button. Account enroll process will be started. Enroll

  5. You can check enroll progress status on Service Catalog. Go to service console and select [Provisioned Products]

4. Finished enrollment

Now your Target account enrolled to Control Tower on your Management account. Security Hub and Guard Duty on Target account are managed by Organizations.