NORDICS: DGI Byen’s CPH Conference 2024
AWS ControlTower: AFT
[Account Factory for Terraform]
MASOOM TULSIANI | 7th May 2024
Masoom Tulsiani
- Cloud Architect at Rackspace Technology, EMEA
- Based in Amsterdam
- Cloud Engineering / Platform Engineering Background
- Banking, Telecom & Education Research Customers
- Kubernetes, Containers & Cloud Governance/ Landing Zones
- AWS Community Speaker
- Twitter/X: @CloudJedi_
- masoom.tulsiani@rackspace.com
Landing Zone Options
- Customizations for AWS Control Tower (CfCT): CloudFormation
- Control Tower Account Factory for Terraform (AFT): Terraform
- Landing Zone Accelerator (LZA): CDK
AFT Components
IAM roles
- AWSAFTExecution role: runs the account customizations
- AWSAFTAdmin role: allows the AFT pipeline to assume roles
- AWSAFTService role: intended for account provisioning
AFT Repos
1. aft-account-request: requests for AFT-provisioned accounts
2. aft-global-customizations: customizations applied to all accounts
3. aft-account-customizations: customizations for specific accounts
4. aft-account-provisioning-customizations: integrations with environments using Lambda, Step Functions, ECS, SNS/SQS
backend.tf  # CodeBuild - aft-global-customizations-terraform
terraform {
  required_version = ">= 0.15.0"
  backend "s3" {
    region         = "eu-west-1"
    bucket         = "aft-backend-1975050084111-primary-region"
    key            = "111377056321-aft-global-customizations/terraform.tfstate"
    dynamodb_table = "aft-backend-1975050084111"   # state locking table
    encrypt        = true                            # server-side encryption of the state object
    kms_key_id     = "7100e753-de48-4a17-b8fd-597641296870"
    # IAM role ARNs have no region, so service and account are separated by "::"
    role_arn       = "arn:aws:iam::1975050084111:role/AWSAFTExecution"
  }
}
#CodeBuild - aft-global-customizations-terraform
Initializing the backend...
Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding latest version of hashicorp/aws...
- Installing hashicorp/aws v5.40.0...
- Installed hashicorp/aws v5.40.0 (signed by HashiCorp)
[Screenshots: AFT Pipeline (ct-aft-account-provisioning-customizations, ct-aft-customization); State machine aft-account-provisioning-framework; Account Import in AFT]
Account Request
module "account_request_01" {
  source = "./modules/aft-account-request"

  control_tower_parameters = {
    AccountEmail              = "masoom.tulsiani@rackspace.com"
    AccountName               = "CommunityDaySandbox"
    ManagedOrganizationalUnit = "Dev"
    SSOUserEmail              = "masoom.tulsiani@rackspace.com"   # no padding: the value is used verbatim
    SSOUserFirstName          = "Masoom"
    SSOUserLastName           = "Tulsiani"
  }

  account_tags = {
    "Project" = "CommunityDay"
  }
}
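Added example, not code from the deck or from the AFT project: a pre-commit check in Python that parses an aft-account-request module block and flags the defects visible on the slide above (typographic quotes, a padded SSOUserEmail), plus an unapproved OU or a missing mandatory tag. The approved OU list, the required tag and the placeholder e-mail addresses are assumptions.

```python
import re

# Constructed sample modelled on the deck's account_request_01 block; it
# reproduces the slide's defects (typographic quotes, padded SSOUserEmail).
# E-mail addresses are placeholders.
SAMPLE_REQUEST = '''module "account_request_01" {
  source = "./modules/aft-account-request"
  control_tower_parameters = {
    AccountEmail              = \u201dsandbox-owner@example.com"
    AccountName               = \u201dCommunityDaySandbox"
    ManagedOrganizationalUnit = \u201dDev"
    SSOUserEmail              = " sandbox-owner@example.com "
    SSOUserFirstName          = \u201dMasoom"
    SSOUserLastName           = \u201dTulsiani"
  }
  account_tags = {
    "Project" = \u201dCommunityDay\u201d
  }
}
'''
# Assumptions: OUs this organisation lets AFT vend into, tags every request needs.
ALLOWED_OUS = {"Dev", "Sandbox", "Prod"}
REQUIRED_TAGS = ("Project",)
REQUIRED_PARAMS = ("AccountEmail", "AccountName", "ManagedOrganizationalUnit",
                   "SSOUserEmail", "SSOUserFirstName", "SSOUserLastName")
TYPO_QUOTES = "\u201c\u201d"
QUOTES = '"' + TYPO_QUOTES
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# `key = value`; the key may itself be quoted, as account_tags keys are.
ASSIGN_RE = re.compile(r"^\s*[" + QUOTES + r"]?([A-Za-z_][\w-]*)[" + QUOTES + r"]?\s*=\s*(.+?)\s*$")

def extract_map(hcl: str, name: str) -> str:
    """Return the body of the first `name = { ... }` map, or '' if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*=\s*\{(.*?)\n\s*\}", hcl, re.S)
    return m.group(1) if m else ""

def parse_assignments(body: str) -> dict:
    """Map each `key = value` line to its raw, still-quoted value so that
    quoting and padding defects stay visible to the checks below."""
    out = {}
    for line in body.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out

def validate_request(hcl: str, allowed_ous=ALLOWED_OUS, required_tags=REQUIRED_TAGS) -> list:
    """Return findings for one account-request module; [] means it is clean."""
    findings = []
    params = parse_assignments(extract_map(hcl, "control_tower_parameters"))
    tags = parse_assignments(extract_map(hcl, "account_tags"))
    for key in REQUIRED_PARAMS:
        if key not in params:
            findings.append(f"missing control_tower_parameters.{key}")
    for scope, mapping in (("control_tower_parameters", params), ("account_tags", tags)):
        for key, raw in mapping.items():
            value = raw.strip(QUOTES)
            if any(c in raw for c in TYPO_QUOTES):
                findings.append(f"{scope}.{key}: typographic quote in {raw}")
            if value != value.strip():
                findings.append(f"{scope}.{key}: leading/trailing whitespace in {raw}")
            if key.endswith("Email") and not EMAIL_RE.match(value.strip()):
                findings.append(f"{scope}.{key}: not an e-mail address: {value.strip()}")
    ou = params.get("ManagedOrganizationalUnit", "").strip(QUOTES).strip()
    if ou and ou not in allowed_ous:
        findings.append(f"ManagedOrganizationalUnit: {ou} is not an approved OU")
    for tag in required_tags:
        if tag not in tags:
            findings.append(f"account_tags: required tag {tag} is missing")
    return findings

def normalize_request(hcl: str) -> str:
    """Swap typographic quotes for ASCII ones and trim padding inside quoted
    values; whatever validate_request still reports needs a human decision."""
    ascii_quoted = hcl.replace("\u201c", '"').replace("\u201d", '"')
    return re.sub(r'"\s*([^"]*?)\s*"', r'"\1"', ascii_quoted)
```

Run it as a pre-commit hook on the aft-account-request repository so a malformed request is rejected before the AFT pipeline tries to provision from it.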
Account Customization
module "aft" {
  source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"
  ##...
  vcs_provider                                  = "github"
  account_request_repo_name                     = "${var.github_username}/terraform-aft-account-request"
  account_provisioning_customizations_repo_name = "${var.github_username}/terraform-aft-account-provisioning-customizations"
  global_customizations_repo_name               = "${var.github_username}/terraform-aft-global-customizations"
  account_customizations_repo_name              = "${var.github_username}/terraform-aft-account-customizations"
}
Control Tower Costs Associated with AFT (up to 10 accounts): $150 - $400 per month
- Config: total 4010 CI items - $9.84
- Service Catalog: current $0.09 (initial 1000 API calls part of the Free Tier)
- Backup recovery points: 3 snapshots
- CloudTrail: $34 per month
- 2 public NAT Gateways - $60 per month
- 24 VPC endpoints - $175-$200 per month
- AFT CodePipelines - 3 pipelines - $6
- KMS keys - 2 KMS AFT keys - $5
- 5 DynamoDB tables
Takeaway - Control Tower Best Practices
- Self-manage IAM Identity Center (SSO): AWS does not create the IAM roles and groupings for you.
- AFT queues and processes account requests in first-in, first-out order; it takes 30 mins per account.
- Disable the public NAT Gateway and monitor your AFT costs.
- Disable AWS Config before account enrollment.
- Avoid using AWS Organizations directly to update SCPs attached to an OU.
- Use the Control Tower Detective Guardrails Conformance Pack.
- Check your customer's or organization's needs to decide whether AFT fits the use case.
Thank you!
Twitter: @CloudJedi_
masoom.tulsiani@rackspace.com
