AWS Control Tower: Baby Steps
The next time you create an AWS account, whether for an existing organization or a new one, try AWS Control Tower. Control Tower is a helping hand that nudges you toward the cloud infrastructure practices most of us don't have time to learn. Unless you perform a few under-documented chores along the way, though, you will be rewarded with errors instead.
First error:
AWS Control Tower failed to set up your landing zone completely: AWSControlTower could not complete the operation, because it could not assume the "AWSControlTowerAdmin" role
The fix that cleared this was in the organization's service control policy settings (Control Tower applies its preventive controls as SCPs, so the SCP policy type has to be enabled on the organization):
- Log in to AWS as the root user of the organization's management account
- Go to Organizations, for example https://console.aws.amazon.com/organizations
- Click Policies
- Click Service control policies
- Check the box next to FullAWSAccess
- Click Create Policy
Second error:
There are several, and they tend to show up together:
- No launch paths found for resource:
- The landing zone has drifted
- Account enrollment failed
The CSV file associated with the last error contains a clue:
Add the IAM user to the AWS Service Catalog portfolio before registering your OU
Here's a solution:
- Create an IAM user (yes, a real IAM user, not an IAM Identity Center user) in the organization's management account, the account Control Tower runs from
- Assign the AdministratorAccess policy to it
- Go to Service Catalog
- Click Portfolios
- Click AWS Control Tower Account Factory Portfolio
- Click the Access tab
- Click Grant access
- Click the Users tab
- Check the box next to the user you created in step 1
- Click Grant access
- Log out
- Log in as the user you created in step 1
Don't log in to the AWS console with the management account's root user ever again!
It's probably never a good idea to use Control Tower with any user besides the one you created in step 1 above. AWS needs to straighten this out, because AWS itself recommends IAM Identity Center users over IAM users (not at all confusing 🙄).
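The console clicks for both errors above (enabling SCPs on the organization root for the first, creating the IAM user and granting it the Account Factory portfolio for the second) can be scripted. The following is an added example written for this page with boto3; it is not code from the post or from AWS. It assumes boto3 credentials for the organization's management account, and the user name control-tower-admin plus the account ids and portfolio ids in any sample data are assumptions you can change.

```python
"""Added example, not from the original post: scripting both Control Tower
fixes with boto3 instead of the console.

Assumptions: boto3 credentials belong to the organization's management
account; the IAM user name CT_ADMIN_USER is an arbitrary choice.
"""
from __future__ import annotations

# Display name the Account Factory portfolio carries in the Service Catalog console
PORTFOLIO_NAME = "AWS Control Tower Account Factory Portfolio"
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
CT_ADMIN_USER = "control-tower-admin"  # assumed user name


def scp_enabled(root: dict) -> bool:
    """True if SERVICE_CONTROL_POLICY is enabled on an organization root.

    `root` is one element of organizations.list_roots()["Roots"]; a policy
    type that is absent or PENDING_ENABLE counts as not enabled.
    """
    return any(
        pt.get("Type") == "SERVICE_CONTROL_POLICY" and pt.get("Status") == "ENABLED"
        for pt in root.get("PolicyTypes", [])
    )


def find_portfolio_id(portfolios: list[dict], name: str = PORTFOLIO_NAME) -> str | None:
    """Pick the portfolio Id by DisplayName from servicecatalog.list_portfolios() output."""
    for portfolio in portfolios:
        if portfolio.get("DisplayName") == name:
            return portfolio["Id"]
    return None


def user_arn(account_id: str, user_name: str) -> str:
    """Build the principal ARN that Service Catalog expects for an IAM user."""
    if not (len(account_id) == 12 and account_id.isdigit()):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:user/{user_name}"


def fix_scp_prerequisite(org) -> str:
    """First error: Control Tower needs the SCP policy type enabled on the root."""
    root = org.list_roots()["Roots"][0]
    if not scp_enabled(root):
        org.enable_policy_type(RootId=root["Id"], PolicyType="SERVICE_CONTROL_POLICY")
    return root["Id"]


def fix_account_factory_access(iam, sc, sts, user_name: str = CT_ADMIN_USER) -> str:
    """Second error: create the admin IAM user and grant it the Account Factory portfolio."""
    try:
        iam.create_user(UserName=user_name)
    except iam.exceptions.EntityAlreadyExistsException:
        pass  # safe to re-run
    iam.attach_user_policy(UserName=user_name, PolicyArn=ADMIN_POLICY_ARN)

    portfolios = []  # list_portfolios is paginated; collect every page
    for page in sc.get_paginator("list_portfolios").paginate():
        portfolios.extend(page["PortfolioDetails"])
    portfolio_id = find_portfolio_id(portfolios)
    if portfolio_id is None:
        raise RuntimeError(f"{PORTFOLIO_NAME!r} not found; is Control Tower enabled here?")

    account_id = sts.get_caller_identity()["Account"]
    sc.associate_principal_with_portfolio(
        PortfolioId=portfolio_id,
        PrincipalARN=user_arn(account_id, user_name),
        PrincipalType="IAM",
    )
    return portfolio_id


if __name__ == "__main__":
    import boto3  # imported here so the pure helpers above work without it

    session = boto3.Session()
    root_id = fix_scp_prerequisite(session.client("organizations"))
    portfolio_id = fix_account_factory_access(
        session.client("iam"), session.client("servicecatalog"), session.client("sts")
    )
    print(f"SCPs enabled on {root_id}; {CT_ADMIN_USER} granted portfolio {portfolio_id}")
```

The user this creates carries AdministratorAccess in the management account, so treat it as a break-glass identity: give it a console password with MFA enforced, do not issue it long-lived access keys, and watch for its sign-ins in CloudTrail. The helpers that inspect API responses are kept free of boto3 calls so they can be checked against captured responses offline.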
You’re Ready to Rock the Tower!
When enabling AWS Control Tower, you'll be asked whether to create the shared log archive and audit accounts. I recommend doing so; you will need to specify two email addresses, and each must be a distinct address that is not already tied to an AWS account.
If you don't have your own email provider and would like all of the emails to land in the same inbox, try the + trick: me+logs@gmail.com and me+audit@gmail.com. The + sign is a legal character in the local part of an address (RFC 5322), and Gmail delivers plus-addressed mail to the base mailbox, but whether a given provider or AWS form accepts it is something to verify rather than assume.