Accelerating Cloud Governance with Control Tower and Account Factory for Terraform (AFT)

As part of a well-architected AWS multi-account environment, we frequently recommend using AWS Control Tower to implement best-practice security and governance controls over accounts at scale. Control Tower helps to improve organization-level management processes, but there are additional integrated tools available that can take multi-account customization to the next level by provisioning baseline resources automatically to enrolled accounts. In this article, we’ll discuss one of these tools, AWS Control Tower Account Factory for Terraform (AFT), and how it works together with Control Tower.

AWS Control Tower

First, some background on Control Tower. Many organizations benefit from multi-account environments to segregate workloads behind isolated boundaries. Control Tower orchestrates AWS Organizations, AWS Config, IAM Identity Center, and other AWS services to provide a prescriptive approach to building a secure landing zone and managing multiple accounts. In fact, AWS defines a well-architected environment as starting with a landing zone because it provides numerous advantages over a single-account environment:

  • Security controls and limiting blast radius of incidents
  • Support for many teams and projects
  • Billing for separate usage
  • Resource quotas, which are evaluated per account

Control Tower addresses these areas through a straightforward user interface, reducing the administrative burden of implementing similar capabilities yourself. While this service can provision the resources it needs to function along with a default VPC in each account, we often need to take additional steps to get an account ready for use.

Use Cases for AFT

When provisioning new accounts, several common tasks come to mind: setting up VPC networks, enforcing security requirements, enabling Enterprise Support, and creating cost controls are just a few. Control Tower itself provisions certain key resources in accounts during onboarding, but what happens when you need to customize networking or your organization has compliance control requirements beyond what’s available out of the box?

This is where Control Tower customization frameworks come into play, and Amazon offers two of these. The first is Account Factory Customization (AFC), which uses Service Catalog products. The second option, and the primary topic here, is Account Factory for Terraform. AFT uses a GitOps model to automate account creation and apply account customizations using familiar Terraform IaC that many organizations use as standard.

Taking the First Steps

To start with AFT, AWS requires creating a dedicated AFT management account and Organizational Unit (OU), which you can initiate through the Control Tower or Service Catalog consoles. From there, deploying AFT involves calling a Terraform module (also available on the Terraform Registry). Afterwards, you must also create the customization repositories, which use CodeCommit by default but also support other providers such as GitHub or GitLab. The AFT deployment connects your VCS to its pipeline workflow, built on AWS CodePipeline, Step Functions, DynamoDB, and other integrated services, to provide a robust account provisioning process. If your organization uses Terraform Cloud or Terraform Enterprise, those are supported as well with API-driven workflows and managed state. More information on deployment and post-deployment steps is available in the AWS Control Tower documentation.
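The module call described above, as an added example rather than code from this article or from AWS: it deploys AFT from the AFT management account. The module source and variable names follow the public aws-ia AFT module README; the account IDs, regions and repository names are placeholders to replace with your own, and you should pin a module version and confirm the variable names against that version before applying.

```hcl
# Run from the AFT management account (example, not part of the article).
# Pin a released version of the module instead of tracking the default branch.
module "aft" {
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory?ref=<PINNED_VERSION>"

  # Required: the four Control Tower core accounts (placeholder IDs)
  ct_management_account_id    = "111111111111"
  log_archive_account_id      = "222222222222"
  audit_account_id            = "333333333333"
  aft_management_account_id   = "444444444444"

  # Required: Control Tower home region and a second region for the
  # replicated Terraform state backend
  ct_home_region              = "us-east-1"
  tf_backend_secondary_region = "us-west-2"

  # Optional: where the four AFT repositories live ("codecommit" is the default;
  # GitHub/GitLab/Bitbucket are also supported)
  vcs_provider                                  = "github"
  account_request_repo_name                     = "example-org/aft-account-request"
  global_customizations_repo_name               = "example-org/aft-global-customizations"
  account_customizations_repo_name              = "example-org/aft-account-customizations"
  account_provisioning_customizations_repo_name = "example-org/aft-account-provisioning-customizations"

  # Optional: Terraform distribution ("oss" is the default; "tfc" for
  # Terraform Cloud/Enterprise with API-driven runs and managed state)
  terraform_distribution = "oss"

  # Optional feature flags that cover common day-one tasks mentioned above:
  # CloudTrail data events for logging, Enterprise Support enrollment, and
  # removal of the default VPCs Control Tower leaves in new accounts
  aft_feature_cloudtrail_data_events      = true
  aft_feature_enterprise_support          = true
  aft_feature_delete_default_vpcs_enabled = true
}
```

After `terraform apply` completes, the AFT pipeline watches the account request repository; commits to that repository drive account creation and customization from then on.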

Understanding AFT Customization Types

There are two main types of customizations you can design with AFT—global and account customizations. These differ in scope and are each useful to achieve a desired account configuration baseline. They both use the same Terraform concepts and templating techniques to achieve scalable solutions adapted to your organizational requirements.

Global Customizations

Global customizations are deployed to all managed accounts, so these are a good fit for things like Security Hub standards or other resources that should be deployed to every account without exception. These configurations cannot be bypassed on a per-account basis, so you should be deliberate about how you define them and only include resources that are truly universal. These can, however, help you avoid repeating yourself in the Terraform code for account customizations.

Account Customizations

Account customizations can be tailored to individual accounts or groups of accounts that need more specific configurations. For example, a set of production workload accounts may need a hardened VPC setup, or certain environments may need PCI DSS security standards enforced. You may want to provide repeatable developer sandboxes, including foundational infrastructure and connectivity, to your team with minimal onboarding time so developers can become productive quickly and safely. AFT customizations allow you to build these resources into the accounts from day one in an automated fashion, without running separate tasks to deploy baseline infrastructure and controls. Keep in mind as you design your implementation that accounts can only have a single account customization applied, while an account customization can be reused across multiple accounts.
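To make the two customization scopes and the account request concrete, here is an added example (not the article's or AWS's own code) spanning three files in the three AFT repositories. The repository layout and the `aft-account-request` module inputs follow the AFT documentation; the email addresses, names, OU, and tag values are placeholders. The global customization enables a Security Hub standard in every account, the account customization named `sandbox` adds a tightly scoped VPC, and the account request binds a new account to exactly one `account_customizations_name`, which is how the single-customization-per-account rule shows up in practice.

```hcl
# --- aft-global-customizations/terraform/main.tf -------------------------
# Applied to every AFT-managed account; cannot be skipped per account, so
# keep it to truly universal controls such as a Security Hub standard.
data "aws_region" "current" {}

resource "aws_securityhub_account" "this" {}

resource "aws_securityhub_standards_subscription" "fsbp" {
  depends_on    = [aws_securityhub_account.this]
  standards_arn = "arn:aws:securityhub:${data.aws_region.current.name}::standards/aws-foundational-security-best-practices/v/1.0.0"
}

# --- aft-account-customizations/sandbox/terraform/main.tf ----------------
# Directory name "sandbox" is the customization name referenced below.
# A developer sandbox baseline: one private VPC with no internet gateway.
resource "aws_vpc" "sandbox" {
  cidr_block           = "10.42.0.0/16"   # placeholder range
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "sandbox-vpc" }
}

resource "aws_subnet" "sandbox_private" {
  vpc_id     = aws_vpc.sandbox.id
  cidr_block = "10.42.1.0/24"
  tags       = { Name = "sandbox-private-a" }
}

# --- aft-account-request/terraform/main.tf -------------------------------
# One module block per account. The module source below is the local
# module AFT ships in the account request repository template.
module "sandbox_account_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "aws-sandbox-01@example.com"  # placeholder
    AccountName               = "sandbox-01"
    ManagedOrganizationalUnit = "Sandbox"                     # existing OU name
    SSOUserEmail              = "sandbox-owner@example.com"   # placeholder
    SSOUserFirstName          = "Sandbox"
    SSOUserLastName           = "Owner"
  }

  account_tags = {
    Environment = "sandbox"
    Owner       = "platform-team"
  }

  change_management_parameters = {
    change_requested_by = "platform-team"
    change_reason       = "Provision developer sandbox 01"
  }

  # Free-form key/value pairs that customization code can read back
  custom_fields = {
    cost_center = "placeholder"
  }

  # Exactly one account customization per account; "sandbox" may be reused
  # by any number of other account requests.
  account_customizations_name = "sandbox"
}
```

Committing the account request file triggers the AFT pipeline, which creates the account through Control Tower, runs the global customization, and then runs only the `sandbox` customization directory for that account; changing `account_customizations_name` later re-points the account at a different baseline rather than stacking a second one.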

What Comes Next

Control Tower and AFT are under continuous development. Organizations should treat updating and maintaining the solution as a regular task, so that it continues to meet organizational needs and benefits from the latest improvements. Keep in mind that you can enroll existing accounts into AFT and update customizations you have previously applied to keep deployments current. AFT includes workflows and service integrations to roll out updated customizations to enrolled accounts.

There are also a handful of tasks that are not yet fully automated with this solution. One example is IAM Identity Center access provisioning to managed accounts—administrators still need to assign and manage access to accounts to allow users and developers to sign in to their environments.

Getting There

Implementing multi-account governance at scale can seem like a daunting task. Making use of the latest tools like Control Tower and AFT can help streamline the process and make it more approachable while maintaining your security, compliance, and architectural requirements. As an AWS Premier Tier Services Partner, including the Cloud Operations Services Competency, we have the expertise to accelerate your AWS governance initiatives. Connect with a cloud advisor and discuss your organizational goals.

Author Spotlight:

Bryan Sakowski
