AWS Platform Guide

Launch Customizations for Control Tower

This is an advanced topic for platform engineers.

You should use the landing zone template repository to set up your landing zone: click the “Use this template” button in GitHub and create your repository from there.

  1. Accept the invitation to join AWS Identity Center that was sent to the management account email.
  2. If there are legacy accounts to enroll, see Enroll Existing (Legacy) Accounts.
  3. From your Landing Zone template, run the bin/deploy script to launch Customizations for Control Tower.
  4. Follow the prompts from the self-guided installation to configure your landing zone.

You are now ready to set up your single sign-on (SSO) identity provider.

Enroll Existing (Legacy) Accounts

This page is a work in progress.

If the AWS Organization for which you are setting up Control Tower/Landing Zone contains legacy accounts that you wish to enroll to be managed by Control Tower, follow the steps below:

  1. Before deploying Customizations for Control Tower, manually create the AWSControlTowerExecution role by following Step 2 in this guide. In an account that Control Tower initializes, AWS creates this role automatically, and Control Tower requires it in order to manage any account; legacy accounts do not have it.
  2. Add the legacy account configs to accounts.yaml in the landing-zone repo, with AccountName and AccountEmail values that match the account's current details.
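Because step 2 only works when name and email match what the organization currently reports, it is worth checking the entries before running bin/deploy. The following is an added pre-flight check, not code from the landing zone template; it assumes accounts.yaml holds a list of mappings with AccountName and AccountEmail keys (a hypothetical shape), and it uses a constructed sample of `aws organizations list-accounts` output in place of a live call.

```python
"""Pre-flight check for enrolling legacy accounts in Control Tower.

Compares the AccountName/AccountEmail pairs destined for accounts.yaml
against what AWS Organizations reports, so mismatches surface before
Customizations for Control Tower tries to enroll the account.
"""
import json

# Constructed sample of `aws organizations list-accounts --output json`.
# The real command returns this shape; the values below are made up.
ORG_ACCOUNTS_JSON = """
{"Accounts": [
  {"Id": "111111111111", "Name": "legacy-prod", "Email": "aws-prod@example.com", "Status": "ACTIVE"},
  {"Id": "222222222222", "Name": "legacy-dev",  "Email": "aws-dev@example.com",  "Status": "ACTIVE"},
  {"Id": "333333333333", "Name": "old-sandbox", "Email": "sandbox@example.com",  "Status": "SUSPENDED"}
]}
"""

# Constructed entries in the assumed accounts.yaml shape (a list of mappings
# with AccountName and AccountEmail). In practice load them with
# yaml.safe_load(open("accounts.yaml")) and pass the resulting list in.
LEGACY_ENTRIES = [
    {"AccountName": "legacy-prod", "AccountEmail": "aws-prod@example.com"},
    {"AccountName": "Legacy-Dev", "AccountEmail": "aws-dev@example.com"},   # name case differs
    {"AccountName": "old-sandbox", "AccountEmail": "sandbox@example.com"},  # account suspended
    {"AccountName": "ghost", "AccountEmail": "nobody@example.com"},         # not in the org
]


def check_legacy_entries(entries, org_json):
    """Return a list of (AccountEmail, problem) for entries that would not
    enroll cleanly. Email is used as the lookup key, and the name must then
    match the organization's record exactly (see step 2 above)."""
    by_email = {a["Email"].lower(): a for a in json.loads(org_json)["Accounts"]}
    problems = []
    for e in entries:
        acct = by_email.get(e["AccountEmail"].strip().lower())
        if acct is None:
            problems.append((e["AccountEmail"], "no account with this email in the organization"))
        elif acct["Status"] != "ACTIVE":
            problems.append((e["AccountEmail"], f"account status is {acct['Status']}, not ACTIVE"))
        elif acct["Name"] != e["AccountName"]:
            problems.append((e["AccountEmail"], f"AccountName {e['AccountName']!r} != org name {acct['Name']!r}"))
    return problems


if __name__ == "__main__":
    for email, why in check_legacy_entries(LEGACY_ENTRIES, ORG_ACCOUNTS_JSON):
        print(f"{email}: {why}")
```

Run it from the management account (or any principal allowed to call organizations:ListAccounts) and fix every reported entry before deploying; a clean run prints nothing.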
