View this page in Japanese (日本語) | Back to README
You can enroll an AWS account managed by Baseline Environment on AWS(Standalone) into OU managed by ControlTower with BLEA Multi-Account. Guest Base and Guest System on the enroll account are not changed, but the systems may be affected by Organizations Service Control Policies (SCPs) after enrollment. So we recommend to test the SCPs before enrollment.
On this procedure, we named accounts listed below:
- Management account: an account setup Baseline Environment on AWS (Multi-Account) with ControlTower
- Target account: an account setup Baseline Environment on AWS (Standalone), will enroll into OU managed by ControlTower.
On Management account, You need to have setup Baseline Environment on AWS with Multi-Account Governance. Details are below:
-
Setup Control Tower
Refer: https://docs.aws.amazon.com/controltower/latest/userguide/setting-up.html
-
Enabled trusted access using the AWS CloudFormation Stacksets console
-
Enabled Security Hub and automatically enabling new organization accounts
Refer: https://docs.aws.amazon.com/securityhub/latest/userguide/accounts-orgs-auto-enable.html
-
Enable GuardDuty and automatically enabling new organization accounts
Refer: https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_organizations.html
-
Enable Amazon Inspector and automatically enabling new organization accounts
Refer: https://docs.aws.amazon.com/inspector/latest/user/adding-member-accounts.html
- Login to Management account as administrator
- In the AWS Organizations Console, click [Add Account] button
- Click [Invite Account]
- Fill email address or account ID of Target account and click [invite]
- Notice: you need to verify your email address before you invite
- Invitation will be sent to administrator's email address of Target Account. Follow instruction and approve invitation.
You should be setup AWS Config on Target account, and AWS Config should to be disabled before enroll into ControlTower.
-
Login to the Target account’s management console and launch CloudShell with [>_] icon
-
Get delivery channel name and configuration recorder name
aws configservice describe-delivery-channels aws configservice describe-configuration-recorders
Command results are like these.
$ aws configservice describe-delivery-channels { "DeliveryChannels": [ { "name": "BLEA-Config-ConfigDeliveryChannel-XXXXXXXXXXX”, "s3BucketName": "able-config-configbucketxxxxxxxxxxxxxx” } ] } $ aws configservice describe-configuration-recorders { "ConfigurationRecorders": [ { "name": "BLEA-Config-ConfigRecorder-XXXXXXXXXXXXXX”, "roleARN": "arn:aws:iam::xxxxxxxxxxxx:role/BLEA-Config-ConfigRoleXXXXXXXXXXXXXXXXXX”, "recordingGroup": { "allSupported": true, "includeGlobalResourceTypes": true, "resourceTypes": [] } } ] }
-
Delete configuration recorder and delivery channel
With these command, you can delete configuration recorder and delivery channel. Specify each name from the result of previous procedure.
aws configservice delete-configuration-recorder --configuration-recorder-name BLEA-Config-ConfigRecorder-XXXXXXXXXXXXXX aws configservice delete-delivery-channel --delivery-channel-name BLEA-Config-ConfigDeliveryChannel-XXXXXXXXXXX
You need to create IAM Role for managing by ControlTower. The procedure is described at "Prerequisites for Enrollment - step 3" in the page below.
Refer: https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html
- Open IAM console
- Select [Roles]-[Create Role]
- Select [Another AWS account] and fill Control Tower Admin's AWS account ID
- Click [Next: Permissions]
- Select 'AdministratorAccess' policy and click [Next: Tags]-[Next: Review]
- Type 'AWSControlTowerExecution' in the Role name text box and click [Create role] button
On Management account, Enroll Target account.
Refer: https://docs.aws.amazon.com/controltower/latest/userguide/enroll-account.html
-
Login to Management account via AWS SSO
-
Open Control Tower console
-
Click [Account Factory] on navigation menu
-
Click [Enroll account] and fill information of Target account and click [Enroll Account] button. Account enroll process will be started.
-
You can check enroll progress status on Service Catalog. Go to service console and select [Provisioned Products]
Now your Target account enrolled to Control Tower on your Management account. Security Hub and Guard Duty on Target account are managed by Organizations.