
NTC Control Tower Integration - Account Enrollment

info

The NTC Control Tower Integration is currently in Beta and certain functionality is subject to change.

warning

Before enrolling AWS accounts, ensure that AWS Control Tower is pre-configured according to the Quickstart Guide. Additionally, only accounts in organizational units (OUs) registered with AWS Control Tower can be enrolled.


The NTC Control Tower Integration building block automates the process of enrolling AWS accounts into AWS Control Tower. This ensures consistent governance, security, and operational standards across all enrolled accounts.

To streamline account management and maintain an efficient IaC approach, accounts should first be created and managed through the NTC Account Factory before being enrolled into AWS Control Tower. This approach ensures seamless scalability and governance in large-scale multi-account AWS environments.

Why This Approach?

  • Asynchronous Process: The Control Tower enrollment process can take significant time to complete (up to an hour). By decoupling the account creation and enrollment, you can avoid blocking your IaC workflows and ensure a smoother deployment pipeline.
  • Decoupled Management: Separating the IaC-driven account creation from the Control Tower enrollment reduces dependencies, allowing independent updates to account configurations and Control Tower settings without interfering with infrastructure deployments.
  • Consistency and Governance: The NTC Account Factory ensures that all accounts are provisioned with consistent baselines, while Control Tower enforces organizational guardrails post-enrollment, achieving a seamless combination of custom configurations and centralized governance.

This design enables organizations to efficiently manage large-scale AWS environments while adhering to best practices for scalability and security.

Account Enrollment Steps


  1. Account Creation via AWS Organizations:
    AWS accounts are created using the NTC Account Factory via AWS Organizations. This step ensures that the account structure aligns with organizational governance and policies, automating compliance and enabling scalable multi-account management.

  2. NTC Account Baseline:
    Once an account is created, the NTC baseline is applied. This includes pre-configured settings such as centralized logging, IAM policies, and VPC configurations to ensure consistency and compliance.

  3. Control Tower Account Enrollment:
    Specified accounts are enrolled into AWS Control Tower, where guardrails and service configurations are applied.

    • This step is triggered by the IaC deployment but runs asynchronously, allowing other workflows to proceed without waiting for enrollment to complete.
    • Control Tower applies additional organizational guardrails to enforce compliance across all enrolled accounts.

Account Enrollment Scope

When a new AWS account is created in AWS Organizations, it triggers an event. This event is captured and processed by the NTC Control Tower Integration Step Function to determine if the account should be enrolled in AWS Control Tower.

Example Account Creation Event

The following is a simplified example of the event triggered when an AWS account is created:

{
  "source": "aws.organizations",
  "detail": {
    "eventSource": "organizations.amazonaws.com",
    "eventName": "CreateAccountResult",
    "serviceEventDetails": {
      "createAccountStatus": {
        "state": "SUCCEEDED",
        "accountId": "111111111111"
      }
    }
  }
}

Enrollment Process

  • The NTC Control Tower Integration Step Function checks the account against the defined enrollment scope to decide if it should be enrolled in AWS Control Tower.
  • The enrollment scope is customizable and can include accounts based on OU paths, tags, or names.
  • If the account matches the enrollment scope, the Control Tower Account Enrollment process is initiated.
  • The enrollment process may take up to an hour to complete (a limitation of AWS Control Tower). The NTC Control Tower Integration Step Function will return the final result of the process.

Defining the Enrollment Scope

The account_enrollment_scope parameter allows you to define which accounts should be enrolled and which accounts should be excluded. The Account Enrollment applies only to newly created accounts. Existing accounts can be explicitly enrolled using the acccount_enrollment_existing_accounts parameter.

Example Configuration

Below is a sample configuration that enrolls new accounts in the /root/workloads OU and the existing account 111111111111. Modify the parameters to align with your organization’s structure.

# --------------------------------------------------------------------------------------------------
# ¦ NTC CONTROL TOWER INTEGRATION
# --------------------------------------------------------------------------------------------------
module "ntc_control_tower_integration" {
  source = "github.com/nuvibit-terraform-collection/terraform-aws-ntc-control-tower-integration?ref=X.X.X"

  account_enrollment_scope = {
    # Should every new account be enrolled?
    enroll_accounts_all = false
    # Enroll accounts under specific OU paths
    enroll_accounts_by_ou_paths = [
      "/root/workloads"
    ]
    # Enroll accounts by account name
    enroll_accounts_by_names = []
    # Enroll accounts by specific account tags
    enroll_accounts_by_tags = [
      # {
      #   key   = "AccountType"
      #   value = "workload"
      # }
    ]

    # Exclude accounts by specific OU paths
    exclude_accounts_by_ou_paths = []
    # Exclude accounts by specific names (e.g., admin or core accounts)
    exclude_accounts_by_names = []
    # Exclude accounts by specific account tags
    exclude_accounts_by_tags = []
  }

  # Enroll existing accounts
  acccount_enrollment_existing_accounts = [
    "111111111111",
  ]
}
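To make the scope evaluation concrete, the following is an added example (not code from the NTC module or the Step Function) that applies a scope shaped like the account_enrollment_scope above to the CreateAccountResult event shown earlier. The event layout follows the page's sample; the account directory, the rule that exclusions take precedence over inclusions, and the nested-OU (path prefix) matching semantics are assumptions made for this example. A real implementation would resolve the account's name, OU path and tags through the Organizations API, since the event itself carries only the account ID.

```python
# Added example (not the NTC module's code): decide whether a newly created
# account falls inside an enrollment scope. The event shape follows the
# CreateAccountResult sample on this page; the account directory, exclusion
# precedence and OU prefix matching are assumptions for illustration.
from dataclasses import dataclass, field


@dataclass
class Account:
    account_id: str
    name: str
    ou_path: str                              # e.g. "/root/workloads/prod"
    tags: dict = field(default_factory=dict)


# Scope mirroring the Terraform example above.
SCOPE = {
    "enroll_accounts_all": False,
    "enroll_accounts_by_ou_paths": ["/root/workloads"],
    "enroll_accounts_by_names": [],
    "enroll_accounts_by_tags": [],            # entries of the form {"key": ..., "value": ...}
    "exclude_accounts_by_ou_paths": [],
    "exclude_accounts_by_names": [],
    "exclude_accounts_by_tags": [],
}

# Constructed account directory standing in for an Organizations lookup (assumption).
ACCOUNTS = {
    "111111111111": Account("111111111111", "workload-prod", "/root/workloads/prod",
                            {"AccountType": "workload"}),
    "222222222222": Account("222222222222", "sandbox-a", "/root/sandbox"),
    "333333333333": Account("333333333333", "core-logging", "/root/workloads/shared",
                            {"AccountType": "core"}),
}

# Constructed events: the page's successful sample and a failed creation.
SUCCESS_EVENT = {
    "source": "aws.organizations",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccountResult",
        "serviceEventDetails": {
            "createAccountStatus": {"state": "SUCCEEDED", "accountId": "111111111111"}
        },
    },
}
FAILED_EVENT = {
    "source": "aws.organizations",
    "detail": {
        "eventSource": "organizations.amazonaws.com",
        "eventName": "CreateAccountResult",
        "serviceEventDetails": {"createAccountStatus": {"state": "FAILED"}},
    },
}


def created_account_id(event):
    """Return the new account ID for a successful CreateAccountResult, else None."""
    detail = event.get("detail", {})
    status = detail.get("serviceEventDetails", {}).get("createAccountStatus", {})
    if (event.get("source") != "aws.organizations"
            or detail.get("eventName") != "CreateAccountResult"
            or status.get("state") != "SUCCEEDED"):
        return None
    return status.get("accountId")


def _under_ou(ou_path, prefixes):
    # Nested-OU match: /root/workloads/prod is under /root/workloads, while a
    # sibling such as /root/workloads-old is not (assumed path semantics).
    return any(ou_path == p or ou_path.startswith(p.rstrip("/") + "/") for p in prefixes)


def _has_tag(tags, selectors):
    return any(tags.get(s["key"]) == s["value"] for s in selectors)


def in_enrollment_scope(account, scope):
    """Exclusions are checked first so an explicit exclude always wins (assumption)."""
    if (_under_ou(account.ou_path, scope["exclude_accounts_by_ou_paths"])
            or account.name in scope["exclude_accounts_by_names"]
            or _has_tag(account.tags, scope["exclude_accounts_by_tags"])):
        return False
    if scope["enroll_accounts_all"]:
        return True
    return (_under_ou(account.ou_path, scope["enroll_accounts_by_ou_paths"])
            or account.name in scope["enroll_accounts_by_names"]
            or _has_tag(account.tags, scope["enroll_accounts_by_tags"]))


def decide_enrollment(event, directory, scope):
    """Return (account_id, should_enroll); (None, False) for events to ignore."""
    account_id = created_account_id(event)
    if account_id is None or account_id not in directory:
        return (None, False)
    return (account_id, in_enrollment_scope(directory[account_id], scope))


if __name__ == "__main__":
    for event in (SUCCESS_EVENT, FAILED_EVENT):
        print(decide_enrollment(event, ACCOUNTS, SCOPE))
```

Only a SUCCEEDED result yields an account ID, so a failed creation never reaches the scope check; that mirrors the page's point that enrollment is decided per event rather than per account list. The exclusion-first ordering is an assumption of this example, but it is the conservative choice: an account tagged or named as core is kept out of enrollment even if it sits under an included OU path.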

Key Parameters


| Parameter | Description |
| --- | --- |
| enroll_accounts_all | Enroll all accounts in the organization. |
| enroll_accounts_by_ou_paths | Specify accounts by their OU paths. |
| enroll_accounts_by_names | Specify accounts by their names. |
| enroll_accounts_by_tags | Specify accounts by key-value tags. |
| exclude_accounts_* | Exclude specific accounts from enrollment. |
| acccount_enrollment_existing_accounts | Explicitly enroll existing accounts. |

By customizing these parameters, you can fine-tune the enrollment process to meet the specific requirements of your organization.