NORDICS
DGI Byen’s CPH Conference
2024
AWS ControlTower: AFT
[Account Factory for Terraform]
MASOOM TULSIANI | 7th May 2024
Masoom Tulsiani
- Cloud Architect at Rackspace Technology, EMEA
- Based in Amsterdam
- Cloud Engineering / Platform Engineering Background
- Banking, Telecom & Education Research Customers
- Kubernetes, Containers & Cloud Governance/ Landing Zones
- AWS Community Speaker
- Twitter/X: @CloudJedi_
- masoom.tulsiani@rackspace.com
Landing Zone Options
- Customizations for AWS Control Tower (CfCT): CloudFormation
- Control Tower Account Factory for Terraform (AFT): Terraform
- Landing Zone Accelerator (LZA): CDK
AFT Components

IAM roles
- AWSAFTExecution role: account customizations
- AWSAFTAdmin role: allows the AFT pipeline to assume roles
- AWSAFTService role: intended for account provisioning

AFT repos
1. aft-account-request: requests for AFT-provisioned accounts
2. aft-global-customizations: customizations applied to all accounts
3. aft-account-customizations: customizations specific to one account
4. aft-account-provisioning-customizations: integrations with environments using Lambda, Step Functions, ECS, SNS/SQS
backend.tf  # CodeBuild: aft-global-customizations-terraform

terraform {
  required_version = ">= 0.15.0"
  backend "s3" {
    region         = "eu-west-1"
    bucket         = "aft-backend-1975050084111-primary-region"
    key            = "111377056321-aft-global-customizations/terraform.tfstate"
    dynamodb_table = "aft-backend-1975050084111"   # state locking
    encrypt        = "true"
    kms_key_id     = "7100e753-de48-4a17-b8fd-597641296870"   # customer-managed key for the state object
    # IAM is a global service, so the region field of the role ARN is empty ("iam::")
    role_arn       = "arn:aws:iam::1975050084111:role/AWSAFTExecution"
  }
}
#CodeBuild - aft-global-customizations-terraform
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v5.40.0...
- Installed hashicorp/aws v5.40.0 (signed by HashiCorp)
AFT Pipeline
- ct-aft-account-provisioning-customizations
- ct-aft-customization
- State machine: aft-account-provisioning-framework

Account Import in AFT
Account Request

module "account_request_01" {
  source = "./modules/aft-account-request"

  # Parameters handed to the Control Tower account factory
  control_tower_parameters = {
    AccountEmail              = "masoom.tulsiani@rackspace.com"
    AccountName               = "CommunityDaySandbox"
    ManagedOrganizationalUnit = "Dev"
    SSOUserEmail              = "masoom.tulsiani@rackspace.com"
    SSOUserFirstName          = "Masoom"
    SSOUserLastName           = "Tulsiani"
  }

  # Tags applied to the new account
  account_tags = {
    "Project" = "CommunityDay"
  }
}
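The backend.tf stanza and the account-request module above are the two files the AFT CodeBuild jobs consume, and both are worth gating in review: the backend decides whether the state file is encrypted under a customer-managed key, locked, and written through a well-formed role ARN, and a malformed request still occupies a 30-minute slot in AFT's FIFO queue. The Python below is an added example, not code from the slides or from the AFT project; it reads both file kinds with a flat `key = "value"` scanner and reports what a reviewer would reject. The ALLOWED_OUS and REQUIRED_TAGS sets are an assumed organization policy, and the sample files, e-mails, key id and 12-digit account ids are constructed placeholders.

```python
"""Added pre-merge checks for an AFT backend.tf stanza and an aft-account-request
module call. A flat `key = "value"` / `key = true` reader is enough for both."""
import re

ASSIGN_RE = re.compile(r'^\s*"?(\w+)"?\s*=\s*(?:"([^"]*)"|(true|false|\d+))\s*$')
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# IAM is global, so the region field of a role ARN is empty: "arn:aws:iam::<acct>:role/...".
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$")
# Assumed organization policy: OUs AFT may target and tags every request must carry.
ALLOWED_OUS = {"Dev", "Test", "Prod"}
REQUIRED_TAGS = {"Project"}


def scan_assignments(hcl: str) -> dict:
    """Return {key: value} for every flat assignment line; block nesting is ignored."""
    found = {}
    for line in hcl.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return found


def check_backend(hcl: str) -> list:
    """State-file hygiene: encryption, customer-managed key, locking, role ARN."""
    cfg, problems = scan_assignments(hcl), []
    if cfg.get("encrypt", "").lower() != "true":
        problems.append("encrypt is not true: state would be stored unencrypted")
    if not cfg.get("kms_key_id"):
        problems.append("kms_key_id missing: state not under a customer-managed key")
    if not cfg.get("dynamodb_table"):
        problems.append("dynamodb_table missing: no state locking")
    if not ROLE_ARN_RE.match(cfg.get("role_arn", "")):
        problems.append(f"role_arn is not a well-formed IAM role ARN: {cfg.get('role_arn')!r}")
    return problems


def check_account_request(hcl: str) -> list:
    """Request hygiene before AFT queues it: e-mails, allow-listed OU, required tags."""
    req, problems = scan_assignments(hcl), []
    for field in ("AccountEmail", "SSOUserEmail"):
        value = req.get(field, "")
        if value != value.strip():
            problems.append(f"{field} has surrounding whitespace: {value!r}")
        elif not EMAIL_RE.match(value):
            problems.append(f"{field} is not a valid e-mail address: {value!r}")
    ou = req.get("ManagedOrganizationalUnit", "")
    if ou not in ALLOWED_OUS:
        problems.append(f"ManagedOrganizationalUnit {ou!r} is not on the allow-list")
    for tag in sorted(REQUIRED_TAGS - set(req)):
        problems.append(f"required tag {tag!r} missing from account_tags")
    return problems


# Constructed sample inputs: placeholder account ids, e-mails and key id.
GOOD_BACKEND = """backend "s3" {
  bucket         = "aft-backend-123456789012-primary-region"
  key            = "210987654321-aft-global-customizations/terraform.tfstate"
  dynamodb_table = "aft-backend-123456789012"
  encrypt        = true
  kms_key_id     = "00000000-0000-0000-0000-000000000000"
  role_arn       = "arn:aws:iam::123456789012:role/AWSAFTExecution"
}"""
BAD_BACKEND = """backend "s3" {
  bucket   = "aft-backend-123456789012-primary-region"
  key      = "210987654321-aft-global-customizations/terraform.tfstate"
  encrypt  = "false"
  role_arn = "arn:aws:iam:123456789012:role/AWSAFTExecution"
}"""
GOOD_REQUEST = """module "account_request_01" {
  source = "./modules/aft-account-request"
  control_tower_parameters = {
    AccountEmail              = "sandbox-owner@example.com"
    AccountName               = "CommunityDaySandbox"
    ManagedOrganizationalUnit = "Dev"
    SSOUserEmail              = "sandbox-owner@example.com"
  }
  account_tags = {
    "Project" = "CommunityDay"
  }
}"""
BAD_REQUEST = """module "account_request_02" {
  source = "./modules/aft-account-request"
  control_tower_parameters = {
    AccountEmail              = "sandbox-owner@example.com"
    AccountName               = "CommunityDaySandbox2"
    ManagedOrganizationalUnit = "Sandbox"
    SSOUserEmail              = " sandbox-owner@example.com "
  }
}"""

if __name__ == "__main__":
    for name, check, text in (("good backend", check_backend, GOOD_BACKEND),
                              ("bad backend", check_backend, BAD_BACKEND),
                              ("good request", check_account_request, GOOD_REQUEST),
                              ("bad request", check_account_request, BAD_REQUEST)):
        print(f"{name}: {check(text) or 'OK'}")
```

The scanner is intentionally flat because these two files only ever carry one level of string assignments; for anything richer, run the same checks over the JSON produced by `terraform show -json` or an HCL parser instead. The bad backend sample reproduces the two mistakes that matter most in practice, a role ARN with a single colon after `iam` and encryption turned off, and the bad request shows the padded e-mail and unknown OU that would otherwise only surface after the provisioning run fails.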
Account Customization

module "aft" {
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"
  # ...
  # The four AFT repositories, hosted on GitHub under the configured user
  vcs_provider                                  = "github"
  account_request_repo_name                     = "${var.github_username}/terraform-aft-account-request"
  account_provisioning_customizations_repo_name = "${var.github_username}/terraform-aft-account-provisioning-customizations"
  global_customizations_repo_name               = "${var.github_username}/terraform-aft-global-customizations"
  account_customizations_repo_name              = "${var.github_username}/terraform-aft-account-customizations"
}
ControlTower Costs associated with AFT (up to 10 accounts): $150 - $400 per month
- Config: total 4010 CI items - $9.84
- ServiceCatalog: current $0.09 (initial 1000 API calls part of Free Tier)
- Backup recovery points
- CloudTrail: $34 per month
- 2 public NAT Gateways: $60 per month
- 24 VPC endpoints: $175-$200 per month
- 3 snapshots
- AFT CodePipelines: 3 pipelines - $6
- KMS: 2 AFT KMS keys - $5
- 5 DynamoDB tables
Takeaway - ControlTower Best Practices
- Self-manage IAM Identity Centre (SSO): AWS does not create IAM roles and groupings for you.
- AFT queues and processes account requests in first-in, first-out order; each account takes 30 minutes.
- Disable the public NAT Gateway; monitor your AFT costs.
- Disable AWS Config before account enrollment.
- Avoid using AWS Organizations directly to update SCPs attached to an OU.
- Use the Control Tower Detective Guardrails Conformance Pack.
- Check whether AFT fits your customer's or organization's needs and use case.
Thank you!
Twitter: @CloudJedi_
masoom.tulsiani@rackspace.com
