SlideShare una empresa de Scribd logo

ControlTower_AFT_CommunityDayNordics.pdf

Masoom Tulsiani
Masoom Tulsiani

AWS Community Day Nordics 2024, 7th May 2024 AWS Control Tower Account Factory for Terraform (AFT) Deploy and Customize AWS Landing Zone using AWS Control Tower Account Factory for Terraform (AFT) AWS’s ControlTower & Best Practices from Customers experiences. This session will show how to Deploy and Customize AWS accounts using Account Factory for Terraform (AFT) for Provisioning new accounts & Customizations.

Tecnología
1 de 19
NORDICS DGI Byen’s CPH Conference 2024
NORDICS AWS ControlTower: AFT [Account Factory for Terraform] MASOOM TULSIANI | 7th May 2024
NORDICS Masoom Tulsiani - Cloud Architect at Rackspace Technology, EMEA - Based in Amsterdam - Cloud Engineering / Platform Engineering Background - Banking, Telecom & Education Research Customers - Kubernetes, Containers & Cloud Governance/ Landing Zones - AWS Community Speaker - Twitter/X: @CloudJedi_ - masoom.tulsiani@rackspace.com
NORDICS Landing Zone Options Customizations for AWS Control Tower (CfCT) — CloudFormation Control Tower Account Factory for Terraform (AFT) — Terraform Landing Zone Accelerator (LZA) - CDK
NORDICS AFT Components
IAM AWSAFTExecutionRole - account customizations AWSAFTAdmin Role - Allows AFT pipeline to assume Role AWSAFTService Role - Intended for account provisioning.
AFT Repos 1. aft-account-request: Requests for AFT provisioned accounts 2. aft-global-customizations: Customizations to all accounts 3. aft-account-customizations: Specific Account related customizations 4. aft-account-provisioning-customizations: Integrations with ENVs using Lambda, Step functions, ECS, SNS/SQS
NORDICS backend.tf #CodeBuild - aft-global-customizations-terraform terraform { required_version = ">= 0.15.0" backend "s3" { region = "eu-west-1" bucket = "aft-backend-1975050084111-primary-region" key = ”111377056321-aft-global-customizations/terraform.tfstate" dynamodb_table = "aft-backend-1975050084111" encrypt = "true" kms_key_id = "7100e753-de48-4a17-b8fd-597641296870" role_arn = "arn:aws:iam:1975050084111:role/AWSAFTExecution" } }
NORDICS #CodeBuild - aft-global-customizations-terraform Initializing the backend... Successfully configured the backend "s3"! Terraform will automatically use this backend unless the backend configuration changes. Initializing provider plugins... - Finding latest version of hashicorp/aws... - Installing hashicorp/aws v5.40.0... - Installed hashicorp/aws v5.40.0 (signed by HashiCorp)
AFT Pipeline ct-aft-account-provisioning-customizations ct-aft-customization
State machine aft-account-provisioning-framework
Account Import in AFT
NORDICS Account Request module "account_request_01" { source = "./modules/aft-account-request" control_tower_parameters = { AccountEmail = ”masoom.tulsiani@rackspace.com" AccountName = ”CommunityDaySandbox" ManagedOrganizationalUnit = ”Dev" SSOUserEmail = " masoom.tulsiani@rackspace.com " SSOUserFirstName = ”Masoom" SSOUserLastName = ”Tulsiani" } account_tags = { "Project" = ”CommunityDay” }
NORDICS Account Customization module "aft" { source = "github.com/aws-ia/terraform-aws-control_tower_account_factory" ##... vcs_provider = "github" account_request_repo_name = "${var.github_username}/terraform-aft-account-request" account_provisioning_customizations_repo_name = "${var.github_username}/terraform-aft-account-provisioning- customizations" global_customizations_repo_name = "${var.github_username}/terraform-aft-global-customizations" account_customizations_repo_name = "${var.github_username}/terraform-aft-account-customizations" }
$150 - $400 per month Config: Total 4010 CI Items - $9.84 ServiceCatalog: Current: $0.09 (Initial 1000 API Calls part of Free Tier) Backup Recovery Points Cloudtrail: $34 per month 2 Public NAT Gateways - $60 per month 24 VPC Endpoints - $175-$200 per month ControlTower Costs associated with AFT Upto 10 Accounts 3 snapshots AFT CodePipelines – 3 Pipelines - $ 6 KMS Key – 2 KMS AFT Keys - $ 5 5 DynamoDBTables
Takeaway - ControlTower Best Practices - Self-manage IAM Identity Centre (SSO) – AWS does not create IAM roles & groupings. - AFT queues and processes the account requests in a first-in, first-out order. Takes 30 mins per account - Disable public NAT Gateway; Monitor your AFT costs. - Disable AWS Config before account enrollment. - Avoid AWS Organizations to update SCPs attached to an OU. - Use the Control Tower Detective Guardrails Conformance Pack. - Check your customer/organization needs if AFT fits your use-case.
NORDICS Thank you! Twitter: @CloudJedi_ masoom.tulsiani@rackspace.com

Recomendados

Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Mitoc Group
 
Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020
Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020
Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020
Mitoc Group
 
Monkey man
Monkey manMonkey man
Monkey man
ShapeBlue
 
Meetup bangalore aug31st2019
Meetup bangalore aug31st2019Meetup bangalore aug31st2019
Meetup bangalore aug31st2019
D.Rajesh Kumar
 
Deploying SharePoint @ Cloud
Deploying SharePoint @ CloudDeploying SharePoint @ Cloud
Deploying SharePoint @ Cloud
Juan Andrés Valenzuela
 
AWS Summit Stockholm - Fargate: deploy containers, not infrastructure
AWS Summit Stockholm - Fargate: deploy containers, not infrastructureAWS Summit Stockholm - Fargate: deploy containers, not infrastructure
AWS Summit Stockholm - Fargate: deploy containers, not infrastructure
Massimo Ferre'
 
A 60-minute tour of AWS Compute (November 2016)
A 60-minute tour of AWS Compute (November 2016)A 60-minute tour of AWS Compute (November 2016)
A 60-minute tour of AWS Compute (November 2016)
Julien SIMON
 
[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유
[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유
[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유
Soowan Lee
 

Recomendados

Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Hands-On Terraform Module for AWS Landing Zone at HashiTalks2020
Mitoc Group
 
Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020
Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020
Hands-on with the Terraform Module for AWS Landing Zone Indy Cloud Conf 2020
Mitoc Group
 
Monkey man
Monkey manMonkey man
Monkey man
ShapeBlue
 
Meetup bangalore aug31st2019
Meetup bangalore aug31st2019Meetup bangalore aug31st2019
Meetup bangalore aug31st2019
D.Rajesh Kumar
 
Deploying SharePoint @ Cloud
Deploying SharePoint @ CloudDeploying SharePoint @ Cloud
Deploying SharePoint @ Cloud
Juan Andrés Valenzuela
 
AWS Summit Stockholm - Fargate: deploy containers, not infrastructure
AWS Summit Stockholm - Fargate: deploy containers, not infrastructureAWS Summit Stockholm - Fargate: deploy containers, not infrastructure
AWS Summit Stockholm - Fargate: deploy containers, not infrastructure
Massimo Ferre'
 
A 60-minute tour of AWS Compute (November 2016)
A 60-minute tour of AWS Compute (November 2016)A 60-minute tour of AWS Compute (November 2016)
A 60-minute tour of AWS Compute (November 2016)
Julien SIMON
 
[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유
[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유
[AWSKRUG 아키텍처 모임] 세일즈부스트 인프라스트럭처 사례 공유
Soowan Lee
 
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Davide Benvegnù
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Amrit Sarkar
 
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Amazon Web Services
 
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
AWS Summits
 
AWS Serverless Workshop
AWS Serverless WorkshopAWS Serverless Workshop
AWS Serverless Workshop
Mikael Puittinen
 
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps EngineersUnderstanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
DevOps.com
 
CloudStack Metering - Working with Usage Data #CCCNA14
CloudStack Metering - Working with Usage Data #CCCNA14CloudStack Metering - Working with Usage Data #CCCNA14
CloudStack Metering - Working with Usage Data #CCCNA14
ShapeBlue
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
Amazon Web Services
 
Building a SaaS using WSO2 Stratos
Building a SaaS using WSO2 StratosBuilding a SaaS using WSO2 Stratos
Building a SaaS using WSO2 Stratos
WSO2
 
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Amazon Web Services
 
Private Cloud R2: Scaling From Server To Cloud Services
Private Cloud R2: Scaling From Server To Cloud ServicesPrivate Cloud R2: Scaling From Server To Cloud Services
Private Cloud R2: Scaling From Server To Cloud Services
Lai Yoong Seng
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWS
Denis Gundarev
 
AWS Sydney Summit 2013 - Your First Week with Amazon EC2
AWS Sydney Summit 2013 - Your First Week with Amazon EC2AWS Sydney Summit 2013 - Your First Week with Amazon EC2
AWS Sydney Summit 2013 - Your First Week with Amazon EC2
Amazon Web Services
 
Habitat & Amazon's ECS
Habitat & Amazon's ECSHabitat & Amazon's ECS
Habitat & Amazon's ECS
Matt Ray
 
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
Wesley Beary
 
fog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloudfog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloud
Wesley Beary
 
AWS Cost Control
AWS Cost ControlAWS Cost Control
AWS Cost Control
Bob Brown
 
Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17
Michele Orselli
 
GE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoTGE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoT
Kai Zhao
 
Ansible & CloudStack - Configuration Management
Ansible & CloudStack - Configuration ManagementAnsible & CloudStack - Configuration Management
Ansible & CloudStack - Configuration Management
ShapeBlue
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 

Más contenido relacionado

Similar a ControlTower_AFT_CommunityDayNordics.pdf

Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Davide Benvegnù
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Amrit Sarkar
 
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Amazon Web Services
 
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
AWS Summits
 
AWS Serverless Workshop
AWS Serverless WorkshopAWS Serverless Workshop
AWS Serverless Workshop
Mikael Puittinen
 
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps EngineersUnderstanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
DevOps.com
 
CloudStack Metering - Working with Usage Data #CCCNA14
CloudStack Metering - Working with Usage Data #CCCNA14CloudStack Metering - Working with Usage Data #CCCNA14
CloudStack Metering - Working with Usage Data #CCCNA14
ShapeBlue
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
Amazon Web Services
 
Building a SaaS using WSO2 Stratos
Building a SaaS using WSO2 StratosBuilding a SaaS using WSO2 Stratos
Building a SaaS using WSO2 Stratos
WSO2
 
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Amazon Web Services
 
Private Cloud R2: Scaling From Server To Cloud Services
Private Cloud R2: Scaling From Server To Cloud ServicesPrivate Cloud R2: Scaling From Server To Cloud Services
Private Cloud R2: Scaling From Server To Cloud Services
Lai Yoong Seng
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWS
Denis Gundarev
 
AWS Sydney Summit 2013 - Your First Week with Amazon EC2
AWS Sydney Summit 2013 - Your First Week with Amazon EC2AWS Sydney Summit 2013 - Your First Week with Amazon EC2
AWS Sydney Summit 2013 - Your First Week with Amazon EC2
Amazon Web Services
 
Habitat & Amazon's ECS
Habitat & Amazon's ECSHabitat & Amazon's ECS
Habitat & Amazon's ECS
Matt Ray
 
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
Wesley Beary
 
fog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloudfog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloud
Wesley Beary
 
AWS Cost Control
AWS Cost ControlAWS Cost Control
AWS Cost Control
Bob Brown
 
Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17
Michele Orselli
 
GE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoTGE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoT
Kai Zhao
 
Ansible & CloudStack - Configuration Management
Ansible & CloudStack - Configuration ManagementAnsible & CloudStack - Configuration Management
Ansible & CloudStack - Configuration Management
ShapeBlue
 

Similar a ControlTower_AFT_CommunityDayNordics.pdf (20)

Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
Consolidating Infrastructure with Azure Kubernetes Service - MS Online Tech F...
 
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkarScaling search-clusters-solr-k8s-2020-amrit-sarkar
Scaling search-clusters-solr-k8s-2020-amrit-sarkar
 
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
 
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
Deep Dive on Amazon Elastic Container Service (ECS) | AWS Summit Tel Aviv 2019
 
AWS Serverless Workshop
AWS Serverless WorkshopAWS Serverless Workshop
AWS Serverless Workshop
 
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps EngineersUnderstanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
Understanding the New Enterprise Multi-Cloud Backbone for DevOps Engineers
 
CloudStack Metering - Working with Usage Data #CCCNA14
CloudStack Metering - Working with Usage Data #CCCNA14CloudStack Metering - Working with Usage Data #CCCNA14
CloudStack Metering - Working with Usage Data #CCCNA14
 
Monitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar SeriesMonitoring Containers at Scale - September Webinar Series
Monitoring Containers at Scale - September Webinar Series
 
Building a SaaS using WSO2 Stratos
Building a SaaS using WSO2 StratosBuilding a SaaS using WSO2 Stratos
Building a SaaS using WSO2 Stratos
 
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
Running Serverless at The Edge (CTD302) - AWS re:Invent 2018
 
Private Cloud R2: Scaling From Server To Cloud Services
Private Cloud R2: Scaling From Server To Cloud ServicesPrivate Cloud R2: Scaling From Server To Cloud Services
Private Cloud R2: Scaling From Server To Cloud Services
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWS
 
AWS Sydney Summit 2013 - Your First Week with Amazon EC2
AWS Sydney Summit 2013 - Your First Week with Amazon EC2AWS Sydney Summit 2013 - Your First Week with Amazon EC2
AWS Sydney Summit 2013 - Your First Week with Amazon EC2
 
Habitat & Amazon's ECS
Habitat & Amazon's ECSHabitat & Amazon's ECS
Habitat & Amazon's ECS
 
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
fog or: How I Learned to Stop Worrying and Love the Cloud (OpenStack Edition)
 
fog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloudfog or: How I Learned to Stop Worrying and Love the Cloud
fog or: How I Learned to Stop Worrying and Love the Cloud
 
AWS Cost Control
AWS Cost ControlAWS Cost Control
AWS Cost Control
 
Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17Hopping in clouds - phpuk 17
Hopping in clouds - phpuk 17
 
GE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoTGE Predix 新手入门 赵锴 物联网_IoT
GE Predix 新手入门 赵锴 物联网_IoT
 
Ansible & CloudStack - Configuration Management
Ansible & CloudStack - Configuration ManagementAnsible & CloudStack - Configuration Management
Ansible & CloudStack - Configuration Management
 

Último

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
Antonios Katsarakis
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
saastr
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
Javier Junquera
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
Edge AI and Vision Alliance
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
Fwdays
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 

Último (20)

AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Dandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity serverDandelion Hashtable: beyond billion requests per second on a commodity server
Dandelion Hashtable: beyond billion requests per second on a commodity server
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
 
Artificial Intelligence and Electronic Warfare
Artificial Intelligence and Electronic WarfareArtificial Intelligence and Electronic Warfare
Artificial Intelligence and Electronic Warfare
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)GNSS spoofing via SDR (Criptored Talks 2024)
GNSS spoofing via SDR (Criptored Talks 2024)
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
“How Axelera AI Uses Digital Compute-in-memory to Deliver Fast and Energy-eff...
 
"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota"Choosing proper type of scaling", Olena Syrota
"Choosing proper type of scaling", Olena Syrota
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 

ControlTower_AFT_CommunityDayNordics.pdf

  • 1. NORDICS DGI Byen’s CPH Conference 2024
  • 2. NORDICS AWS ControlTower: AFT [Account Factory for Terraform] MASOOM TULSIANI | 7th May 2024
  • 3. NORDICS Masoom Tulsiani - Cloud Architect at Rackspace Technology, EMEA - Based in Amsterdam - Cloud Engineering / Platform Engineering Background - Banking, Telecom & Education Research Customers - Kubernetes, Containers & Cloud Governance/ Landing Zones - AWS Community Speaker - Twitter/X: @CloudJedi_ - masoom.tulsiani@rackspace.com
  • 4. NORDICS Landing Zone Options Customizations for AWS Control Tower (CfCT) — CloudFormation Control Tower Account Factory for Terraform (AFT) — Terraform Landing Zone Accelerator (LZA) - CDK
  • 6. IAM AWSAFTExecutionRole - account customizations AWSAFTAdmin Role - Allows AFT pipeline to assume Role AWSAFTService Role - Intended for account provisioning.
  • 7. AFT Repos 1. aft-account-request: Requests for AFT provisioned accounts 2. aft-global-customizations: Customizations to all accounts 3. aft-account-customizations: Specific Account related customizations 4. aft-account-provisioning-customizations: Integrations with ENVs using Lambda, Step functions, ECS, SNS/SQS
  • 8.
  • 9. NORDICS backend.tf #CodeBuild - aft-global-customizations-terraform terraform { required_version = ">= 0.15.0" backend "s3" { region = "eu-west-1" bucket = "aft-backend-1975050084111-primary-region" key = ”111377056321-aft-global-customizations/terraform.tfstate" dynamodb_table = "aft-backend-1975050084111" encrypt = "true" kms_key_id = "7100e753-de48-4a17-b8fd-597641296870" role_arn = "arn:aws:iam:1975050084111:role/AWSAFTExecution" } }
  • 10. NORDICS #CodeBuild - aft-global-customizations-terraform Initializing the backend... Successfully configured the backend "s3"! Terraform will automatically use this backend unless the backend configuration changes. Initializing provider plugins... - Finding latest version of hashicorp/aws... - Installing hashicorp/aws v5.40.0... - Installed hashicorp/aws v5.40.0 (signed by HashiCorp)
  • 14. NORDICS Account Request module "account_request_01" { source = "./modules/aft-account-request" control_tower_parameters = { AccountEmail = ”masoom.tulsiani@rackspace.com" AccountName = ”CommunityDaySandbox" ManagedOrganizationalUnit = ”Dev" SSOUserEmail = " masoom.tulsiani@rackspace.com " SSOUserFirstName = ”Masoom" SSOUserLastName = ”Tulsiani" } account_tags = { "Project" = ”CommunityDay” }
  • 15. NORDICS Account Customization module "aft" { source = "github.com/aws-ia/terraform-aws-control_tower_account_factory" ##... vcs_provider = "github" account_request_repo_name = "${var.github_username}/terraform-aft-account-request" account_provisioning_customizations_repo_name = "${var.github_username}/terraform-aft-account-provisioning- customizations" global_customizations_repo_name = "${var.github_username}/terraform-aft-global-customizations" account_customizations_repo_name = "${var.github_username}/terraform-aft-account-customizations" }
  • 16. $150 - $400 per month Config: Total 4010 CI Items - $9.84 ServiceCatalog: Current: $0.09 (Initial 1000 API Calls part of Free Tier) Backup Recovery Points Cloudtrail: $34 per month 2 Public NAT Gateways - $60 per month 24 VPC Endpoints - $175-$200 per month ControlTower Costs associated with AFT Upto 10 Accounts 3 snapshots AFT CodePipelines – 3 Pipelines - $ 6 KMS Key – 2 KMS AFT Keys - $ 5 5 DynamoDBTables
  • 17.
  • 18. Takeaway - ControlTower Best Practices - Self-manage IAM Identity Centre (SSO) – AWS does not create IAM roles & groupings. - AFT queues and processes the account requests in a first-in, first-out order. Takes 30 mins per account - Disable public NAT Gateway; Monitor your AFT costs. - Disable AWS Config before account enrollment. - Avoid AWS Organizations to update SCPs attached to an OU. - Use the Control Tower Detective Guardrails Conformance Pack. - Check your customer/organization needs if AFT fits your use-case.