Enable AWS Control Tower For Existing Organizations - AWS How To Guide

  • Published: Sep 10, 2024
  • AWS Control Tower enables you to design and orchestrate your AWS multi-account environment following AWS best practices and recommended guidelines. The service uses the AWS Landing Zone set of well-architected blueprints to help you provision AWS Organizations, recommended OUs and AWS accounts to help you get started with your AWS multi-account architecture.
    In this video, we examine how you can provision AWS Control Tower for existing AWS Organizations and extend governance to existing OUs and AWS accounts. You will often come across clients who have already started their AWS journey and have begun to set up and configure AWS accounts. Using AWS Control Tower, you can extend AWS's recommended best practices for managing and governing existing and new AWS accounts.
    Recommended article for this video: docs.aws.amazo...
    Additional Resources from IaaS Academy:
    1. AWS Certified Cloud Practitioner Exam Guide - amzn.to/3YJryw2
    2. AWS Certified Solutions Architect SAA-C03 - iaasacademy.com
    3. AWS How-To-Guides - iaasacademy.co...
    4. Book a career consultation with our senior trainers - calendly.com/r...
    5. Connect with me on LinkedIn - / rdcloudtech

Comments • 17

  • @hsiv9913 1 year ago +1

    Great Video thanks for putting this on

  • @kegmysta 9 months ago +1

    beautifully explained, even companies that are mature in aws, don't necessarily use CT, so this is great

    • @awstraining 9 months ago

      Thank you for your valuable feedback. I'm really glad to hear you found the video on AWS Control Tower useful. Thanks again!

  • @sachutharaman 8 months ago +1

    Very well detailed on this topic. One question to be addressed which will be helpful for all: when I add an existing OU which has production servers running on it, will it impact the production servers or applications? Meaning, while adding the production account to the Control Tower, will I face downtime with my application?

    • @awstraining 8 months ago

      No, your applications running in your production account will not be affected by this change or transition.

    • @sachutharaman 8 months ago

      @awstraining Thanks for your reply, I'm gonna enable the landing zone in the root/management account where my production servers are present. Your reply is really helping me in setup.

    • @awstraining 8 months ago

      @sachutharaman Sure, remember if you are adding AWS Control Tower governance to an existing organization you must follow all prerequisites and procedures. Here is a link to the AWS documentation to help - docs.aws.amazon.com/controltower/latest/userguide/about-extending-governance.html

    • @awstraining 8 months ago

      Also, please ensure you don't have any SCPs that conflict with existing policies.

    • @TigranGevorgyan-vm8rc 4 months ago

      @sachutharaman As far as I know, it's not recommended to create Control Tower in the account where production workloads exist. In general, it's not recommended to place any kind of workloads in the management account. You can create a brand new management account, spin up CT in the new management account and migrate all existing accounts under CT.

  • @you_can_do_it01 1 year ago

    If I implement Control Tower in us-east-1, it will be governed in the same region. What about the regions where the Control Tower service is not supported?

  • @you_can_do_it01 1 year ago +1

    If we add an alias while creating the new AWS account, which will be the root account?

    • @awstraining 1 year ago

      That's a good question. Ideally, you want to set this all up using an IAM user with sufficient privileges so that you don't get prompted to create an SSO account similar to the root account. The root account still exists, however.

  • @TechLeadEngineer 1 year ago +1

    Hi thanks for the clip, it's very helpful for companies that are just starting in AWS. Quick question, once the new Control Tower has been created, how did it discover the previously created accounts? Was it because you used the same root user that owns the old accounts?

    • @awstraining 1 year ago

      In the above example, we configured Control Tower in an existing organization (in the management account). This allowed Control Tower to gain visibility of the existing accounts. However, initially, Control Tower created its baseline OUs and Accounts but did not enrol the existing development and production accounts that existed prior to the setup of Control Tower. We had to enrol those pre-existing accounts and OUs using an IAM user with the Account Factory permissions (and admin permissions).

    • @TechLeadEngineer 1 year ago +2

      @awstraining Great, thanks again.