Automatically Add New AWS Accounts

Integrate new AWS accounts in an organization using Landing Zones.

AWS Control Tower allows organizations to easily deploy AWS accounts into an organization, ensure that those accounts adhere to existing security policies, and create a baseline set of standard resources in each account.

Veza integrates with AWS Control Tower to automatically register accounts added to an AWS Control Tower Landing Zone. When an AWS account is enrolled in an organizational unit (OU) of the Landing Zone, the provided CloudFormation template creates the required IAM resources in the new account and registers it as a new Veza integration.

Integration Details

Veza’s AWS Control Tower integration is delivered as an AWS CloudFormation template that can be installed in an organization’s Control Tower root account. The integration consists of three main infrastructure components:

  1. An AWS Lambda function that runs in the Control Tower root account

    • This Lambda function executes when accounts are created or updated in the Control Tower Landing Zone (either by Service Catalog or Account Factory)

    • The function interacts with Veza APIs to ensure that the child account is registered as a Cloud Provider in the organization’s Veza instance

  2. An IAM Role and Policy in the Control Tower root account that allow the Lambda function to execute and to read account lifecycle events delivered through CloudWatch Events (now Amazon EventBridge)

  3. An IAM Role and Policy in each child account that allow Veza to assume a read-only IAM Role and discover the resources inside that account

The Veza-provided CloudFormation template is triggered only by account enrollment and account update events. Accounts that were already enrolled before the stack was created must be re-enrolled to trigger the Lambda function in the parent account and integrate those child accounts with Veza (see Re-enroll member accounts below).
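To make the event-driven part of the architecture concrete, here is an added example (not Veza's Lambda code) of how a function in the Control Tower root account picks the child account out of a Control Tower lifecycle event. The event layout follows the documented CreateManagedAccount / UpdateManagedAccount lifecycle events delivered through EventBridge; the Veza API call itself is not described on the page, so it is represented by a caller-supplied `register` callback, and the sample events are constructed, not captured from a real account.

```python
# Added example, not Veza's Lambda code: extract the enrolled child account from
# Control Tower lifecycle events and hand it to a registration callback.
import json

# Both lifecycle events carry their payload under a differently named status key.
STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}


def extract_enrolled_account(event):
    """Return account details for a SUCCEEDED Create/UpdateManagedAccount event,
    or None for anything else (other sources, other event names, FAILED state,
    malformed payloads). Returning None is what keeps the Lambda from acting on
    events it was not written for."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail") or {}
    key = STATUS_KEYS.get(detail.get("eventName"))
    if key is None:
        return None
    status = (detail.get("serviceEventDetails") or {}).get(key) or {}
    if status.get("state") != "SUCCEEDED":
        return None
    account = status.get("account") or {}
    ou = status.get("organizationalUnit") or {}
    account_id = account.get("accountId")
    # AWS account IDs are exactly 12 digits; reject anything else before using it.
    if not (isinstance(account_id, str) and account_id.isdigit() and len(account_id) == 12):
        return None
    return {
        "event": detail["eventName"],
        "account_id": account_id,
        "account_name": account.get("accountName"),
        "ou_id": ou.get("organizationalUnitId"),
    }


def handler(event, context=None, register=None):
    """Lambda-style entry point. `register(account_id, account_name)` is where the
    call to the Veza API would go (assumed, not shown on the page)."""
    info = extract_enrolled_account(event)
    if info is None:
        return {"registered": False}
    if register is not None:
        register(info["account_id"], info["account_name"])
    return {"registered": True, **info}


# Constructed sample events (not captured from a real Landing Zone).
SAMPLE_CREATE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                       "organizationalUnitId": "ou-xxxx-example1"},
                "account": {"accountName": "sandbox-01", "accountId": "123456789012"},
                "state": "SUCCEEDED",
            }
        },
    },
}
SAMPLE_FAILED_EVENT = json.loads(json.dumps(SAMPLE_CREATE_EVENT))
SAMPLE_FAILED_EVENT["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = "FAILED"

if __name__ == "__main__":
    print(handler(SAMPLE_CREATE_EVENT, register=lambda aid, name: print("register", aid, name)))
    print(handler(SAMPLE_FAILED_EVENT))
```

In a real deployment the EventBridge rule would already filter on `source: aws.controltower` and the two event names, but the handler re-checks them so that a misconfigured or overly broad rule cannot make it register the wrong thing.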

Installation

Required Veza Details

Before deploying the Veza AWS Control Tower integration, two pieces of data are required from the Veza instance.

  1. Make note of the URL used to connect to the Veza instance (for example, https://example.cookiecloud.ai)

  2. Generate an API key for use by the Control Tower root account

AWS Configuration

The following steps should be completed in the AWS Control Tower root account by an administrator IAM user:

CloudFormation

  1. Log into the AWS console, click Services, then search for and select CloudFormation.

  2. In the left navigation bar, click Stacks.

  3. In the right corner of the main pane, click Create Stack, then select With new resources (standard) from the dropdown menu.

  4. In Step 1: Specify Template form, provide https://veza-controltower.s3.amazonaws.com/veza-controltower.yaml as the Amazon S3 URL.

  5. In Step 2: Specify Stack Details, provide the following details:

    1. Stack Name: enter a display name for the CloudFormation Stack.

    2. VezaApiToken: paste in the API key generated for the Veza instance.

    3. VezaApplicationUrl: paste in the URL of the Veza instance copied above.

    4. VezaDiscoveryAccountId: leave the default value unless otherwise instructed.

    5. VezaExternalId: this is the externalId that Veza will present when it assumes the IAM Role in the child account. It can be set to any value, but choose a long random string and treat it as a secret: the external ID is the control that stops a third party from tricking Veza into assuming the child-account role on their behalf (the confused deputy problem), and a guessable value provides no such protection.

    6. VezaManagedAccountTemplateUrl: use the default value unless hosting the CloudFormation templates in a non-Veza S3 bucket.

    7. VezaRDSUser: this is the user account that will be used to discover RDS resources.

  6. For Step 3: Configure Stack Options form, accept the default values, and click Next.

  7. In Step 4: Review, review the entered parameters, scroll to the bottom of the form and accept the IAM Role disclaimer, then click Create Stack.

Once the CloudFormation Stack is provisioned, the integration is enabled.
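The steps above are console-driven. The following is an added example (not Veza's code) of the same deployment done with a script, plus the check a practitioner would want afterwards: that the child-account role's trust policy really is locked to the expected principal and to the chosen external ID. Assumptions not taken from the page: boto3 is used for the AWS calls, the stack requires the CAPABILITY_NAMED_IAM acknowledgement, the API token is read from a VEZA_API_TOKEN environment variable, the principal allowed to assume the child-account role is the VezaDiscoveryAccountId account, and the name of that role is supplied by the caller. The sample trust policies and account ID are constructed for illustration.

```python
# Added example, not Veza's code: scripted deployment of the Veza Control Tower
# stack and a trust-policy check for the child-account role.
import os
import secrets

try:
    import boto3  # only needed by deploy() and fetch_trust_policy()
except ImportError:
    boto3 = None

TEMPLATE_URL = "https://veza-controltower.s3.amazonaws.com/veza-controltower.yaml"


def generate_external_id(nbytes=16):
    """The page allows any value, but a guessable external ID defeats the
    confused-deputy protection; use a CSPRNG value and keep it secret."""
    return secrets.token_hex(nbytes)


def build_parameters(veza_url, api_token, external_id, rds_user,
                     discovery_account_id=None, managed_template_url=None):
    """CloudFormation Parameters list using the template's parameter names.
    Parameters passed as None are omitted so the template defaults apply."""
    values = {
        "VezaApplicationUrl": veza_url.rstrip("/"),
        "VezaApiToken": api_token,
        "VezaExternalId": external_id,
        "VezaRDSUser": rds_user,
        "VezaDiscoveryAccountId": discovery_account_id,
        "VezaManagedAccountTemplateUrl": managed_template_url,
    }
    return [{"ParameterKey": k, "ParameterValue": v}
            for k, v in values.items() if v is not None]


def deploy(stack_name, parameters, region=None):
    """Create the stack in the Control Tower root account and wait for completion
    (assumed capability: CAPABILITY_NAMED_IAM, the scripted form of the IAM acknowledgement)."""
    cfn = boto3.client("cloudformation", region_name=region)
    cfn.create_stack(StackName=stack_name, TemplateURL=TEMPLATE_URL,
                     Parameters=parameters, Capabilities=["CAPABILITY_NAMED_IAM"])
    cfn.get_waiter("stack_create_complete").wait(StackName=stack_name)
    return cfn.describe_stacks(StackName=stack_name)["Stacks"][0]["StackStatus"]


def fetch_trust_policy(role_name):
    """Read the child-account role's trust policy (run with child-account credentials).
    boto3 returns AssumeRolePolicyDocument already parsed into a dict."""
    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


def _in_account(principal, account_id):
    # Accept the bare account ID, its root ARN, or a role/user ARN in that account.
    return principal == account_id or principal.startswith("arn:aws:iam::%s:" % account_id)


def trust_policy_is_locked(policy, principal_account, external_id):
    """True only if at least one Allow statement grants sts:AssumeRole and every
    such statement is limited to principal_account AND requires
    sts:ExternalId == external_id. A wildcard principal or a missing
    condition fails the check."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    checked = 0
    for s in statements:
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if s.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*"} & set(actions)):
            continue
        principals = s.get("Principal", {})
        principals = principals.get("AWS", []) if isinstance(principals, dict) else ["*"]
        principals = [principals] if isinstance(principals, str) else principals
        if not principals or not all(_in_account(p, principal_account) for p in principals):
            return False
        ext = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if ext != external_id and ext != [external_id]:
            return False
        checked += 1
    return checked > 0


# Constructed sample trust policies (not from the page): the weak form with no
# external-ID condition, and the locked form the child-account role should carry.
SAMPLE_ACCOUNT_ID = "111122223333"
SAMPLE_EXTERNAL_ID = "0f3c2b1a9e8d7c6b5a4f3e2d1c0b9a87"
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::%s:root" % SAMPLE_ACCOUNT_ID}}]}
LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::%s:root" % SAMPLE_ACCOUNT_ID},
    "Condition": {"StringEquals": {"sts:ExternalId": SAMPLE_EXTERNAL_ID}}}]}

if __name__ == "__main__":
    params = build_parameters("https://example.cookiecloud.ai",
                              os.environ.get("VEZA_API_TOKEN", ""),
                              generate_external_id(), "veza_rds")
    print("parameters:", [p["ParameterKey"] for p in params])  # never echo the token
    print("weak policy locked?", trust_policy_is_locked(WEAK_POLICY, SAMPLE_ACCOUNT_ID, SAMPLE_EXTERNAL_ID))
    print("locked policy locked?", trust_policy_is_locked(LOCKED_POLICY, SAMPLE_ACCOUNT_ID, SAMPLE_EXTERNAL_ID))
```

After an account shows as Enrolled, run `trust_policy_is_locked(fetch_trust_policy(role_name), discovery_account_id, external_id)` with credentials in that child account; a False result means the role can be assumed more broadly than intended and the stack parameters should be reviewed before Veza is relied on for that account.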

Control Tower

To see the integration in action, create an AWS account inside the Control Tower Landing Zone:

  1. Log into the AWS console, click Services, then search for and select Control Tower.

  2. In the left navigation bar, click Account Factory.

  3. In the right corner of the main pane, click Enroll Account.

  4. Complete the Enroll Account form with the following details:

    • An email address for the account's root user.

    • A display name for the account.

    • SSO details for the account user.

    • Select a parent Organizational Unit where the account will be provisioned.

  5. Click Enroll Account.

The account creation and enrollment process can take up to 30 minutes. Once finished, the account will show Enrolled in the Control Tower Accounts view.

Once the account shows as Enrolled, it will also be automatically integrated with the Veza instance referenced in the CloudFormation setup.

Re-enroll member accounts

Accounts that were already enrolled before the Veza stack was deployed must be re-enrolled to trigger the Lambda function and integrate them with Veza. To remove an account from Control Tower management so that it can be re-enrolled:

  1. Open the AWS Service Catalog.

  2. Open the Provisioned products list.

  3. Choose the account to remove from AWS Control Tower management.

  4. Choose Terminate from the Actions menu and confirm the decision.

  5. When successful, the account status will change to Not Enrolled.

For more information see Unmanage an account in the AWS documentation.

S3 Information

Veza CloudFormation templates are hosted on AWS S3. You can either use the default Veza-hosted templates (the veza-controltower.yaml URL given in the CloudFormation steps above and the default VezaManagedAccountTemplateUrl) or host your own modified versions in an S3 bucket you control.

If using a customized template, update the Amazon S3 URL when creating the CloudFormation stack, and set VezaManagedAccountTemplateUrl to the location of your copy of the child-account template when specifying the stack details. Because these templates create IAM roles in every newly enrolled account, restrict write access to any bucket you host them in: whoever can modify the templates can change what every future child account trusts.
