AI Project Multi-Account Management via Control Tower

Question

Pulumi · Accepted Answer

AWS Control Tower is a service that provides a way to set up and govern a new, secure, multi-account AWS environment based on best practices. With AWS Control Tower, you can automate the setup of multiple accounts that gives you a set of pre-configured accounts based on AWS best practices. This will result in a baseline environment where you have an initial set-up that includes a multi-account structure using AWS Organizations, identity management using AWS Single Sign-On (SSO), federated access using SSO to accounts, centralized logging from AWS CloudTrail, and cross-account security audits from AWS Config rules.

In this Pulumi Python program, I'll demonstrate how to deploy a `Control Tower Landing Zone`, which involves setting up the basic structure and resources related to AWS Control Tower.

We'll be using two main resources from the Pulumi AWS provider and Pulumi AWS Native provider respectively:

1. `EnabledControl` from Pulumi AWS Native
   - This enables a control in AWS Control Tower's landing zone. Controls are high-level governance rules that can be applied across AWS accounts.
2. `LandingZone` from Pulumi AWS Native
   - A Landing Zone in the context of AWS Control Tower is essentially a solution that automates the setup of an environment for running secure and scalable workloads. It also includes predefined templates for accounts, organization units (OUs), and other resources.

Let's create a program that initiates these resources:

```python
import pulumi
import pulumi_aws_native as aws_native

# Initialize the AWS Control Tower Landing Zone.
# The manifest and version are required fields and you would need to provide the appropriate values for each.
# A manifest is a custom landing zone configuration YAML file, compatible with AWS Control Tower.
landing_zone = aws_native.controltower.LandingZone("myLandingZone",
                                                   version="2.0", # Specify the version of the landing zone
                                                   manifest=pulumi.FileAsset("landing_zone_manifest.yaml")
                                                   # The manifest file should be provided as a YAML file in the same directory as the Pulumi program.
                                                   )

# Now, let's enable a control within the landing zone.
# This control will ensure governance on AWS accounts that is defined by AWS or custom-made.
enabled_control = aws_native.controltower.EnabledControl("myEnabledControl",
                                                         control_identifier="Detect-root-user-login",  # Use the identifier of the control you want to enable
                                                         target_identifier=landing_zone.managed_organization_arn  # Use the ARN of the managed organization
                                                         )

# Export the Control Tower's landing zone ARN and the Enabled Control's ARN
pulumi.export("landing_zone_arn", landing_zone.arn)
pulumi.export("enabled_control_arn", enabled_control.arn)
```

In the code above, replace `"landing_zone_manifest.yaml"` with the path to your actual manifest file. Note that this is a simplified example and setting up a Control Tower Landing Zone typically involves additional steps and configurations, like setting up your Organizational Units (OUs) and account structures as per your organization's need.

This will set up the landing zone and enable specified controls across the AWS organization. It's important to have the `AWS Control Tower Landing Zone` resource created first because other resources like the `EnabledControl` depend on it.

To run this Pulumi program you'll need to have Pulumi installed and set up, including credentials for deploying resources to your AWS account. The command to deploy these resources using Pulumi is `pulumi up`, which will create or update resources in your AWS account according to the defined program.