AWS Platform Guide
Launch Customizations for Control Tower
This is an advanced topic for platform engineers.
You can use the landing zone template repository to set up your landing zone by selecting the template from the dropdown during repo creation.
[Screenshot: selecting the template repo from the repo creation page]
- Accept the invitation to join AWS Identity Center that was sent to the management account email.
- Make a clone of the landing zone template repository.
If there are legacy accounts to enroll, see Enroll Existing (Legacy) Accounts.
Run the bin/deploy script to launch Customizations for Control Tower. Follow the prompts to configure your landing zone.
You are now ready to set up your single sign-on identity provider.
Enroll Existing (Legacy) Accounts
This page is a work in progress.
If the AWS Organization for which you are setting up Control Tower/Landing Zone contains legacy accounts that you wish to enroll to be managed by Control Tower, follow the steps below:
- Before deploying Customizations for Control Tower, manually create the AWSControlTowerExecution role by following Step 2 in this guide. In a Control Tower-initialized account, this role is created by AWS automatically, and it is required for Control Tower to manage any account. Legacy accounts do not have it.
- Add the legacy account configs to accounts.yaml in the landing-zone repo, with values for AccountName and AccountEmail that match current account details.
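A mismatch between accounts.yaml and the real organization is the usual reason a legacy enrollment fails, so a pre-flight comparison is worth running before bin/deploy. The check below is an added example, not code from the guide or its repo; it assumes the legacy entries have already been parsed out of accounts.yaml into a list of AccountName/AccountEmail mappings, and the organization listing is constructed sample data shaped like the output of aws organizations list-accounts.

```python
"""Pre-flight check: do the legacy entries in accounts.yaml match what AWS
Organizations reports? Constructed example; the config entries and the
organization listing below are sample data, not taken from the guide."""
import json

# Constructed sample of what `aws organizations list-accounts` returns (trimmed).
ORG_ACCOUNTS_JSON = """{"Accounts": [
  {"Id": "111111111111", "Name": "legacy-prod", "Email": "prod@example.com", "Status": "ACTIVE"},
  {"Id": "222222222222", "Name": "legacy-dev", "Email": "dev@example.com", "Status": "ACTIVE"},
  {"Id": "333333333333", "Name": "old-sandbox", "Email": "sandbox@example.com", "Status": "SUSPENDED"}
]}"""

# Constructed sample of the legacy entries added to accounts.yaml (already parsed).
ACCOUNTS_CONFIG = [
    {"AccountName": "legacy-prod", "AccountEmail": "prod@example.com"},
    {"AccountName": "legacy-development", "AccountEmail": "dev@example.com"},  # name drifted
    {"AccountName": "old-sandbox", "AccountEmail": "sandbox@example.com"},     # suspended
    {"AccountName": "ghost", "AccountEmail": "nobody@example.com"},            # not in org
]


def check_legacy_accounts(config_entries, org_accounts):
    """Return a list of (AccountEmail, problem) tuples; an empty list means
    every entry matches an ACTIVE organization account and enrollment can proceed."""
    by_email = {a["Email"].strip().lower(): a for a in org_accounts}
    problems, seen = [], set()
    for entry in config_entries:
        email = entry.get("AccountEmail", "").strip().lower()
        name = entry.get("AccountName", "").strip()
        if not email or not name:
            problems.append((email, "missing AccountName or AccountEmail"))
            continue
        if email in seen:  # two entries for one account would be enrolled twice
            problems.append((email, "duplicate AccountEmail in accounts.yaml"))
            continue
        seen.add(email)
        org = by_email.get(email)
        if org is None:
            problems.append((email, "no account with this email in the organization"))
        elif org["Status"] != "ACTIVE":
            problems.append((email, f"account {org['Id']} is {org['Status']}, not ACTIVE"))
        elif org["Name"] != name:
            problems.append((email, f"AccountName {name!r} != organization name {org['Name']!r}"))
    return problems


def run_sample():
    org = json.loads(ORG_ACCOUNTS_JSON)["Accounts"]
    return check_legacy_accounts(ACCOUNTS_CONFIG, org)


if __name__ == "__main__":
    for email, problem in run_sample():
        print(f"{email}: {problem}")
```

Any reported problem should be resolved in accounts.yaml (or the account fixed in the organization) before the deploy is run, since Control Tower cannot enroll an account whose details do not match.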