AWS — Account Vending Machine

Shailender Choudhary
6 min read · Jan 28, 2020

Golden Rule — If you want to minimize the probability of error, just automate the process.

Creating a new AWS account and setting up the key baselines and guardrails manually can be challenging on its own, but when your organization's (company's) footprint in AWS is growing and a new account is created every 15 days, doing everything manually becomes really difficult. You can achieve the same result with an AVM (Account Vending Machine).

What is Account Vending Machine?

AVM is an automated process that uses features of Service Catalog, AWS Organizations, CloudFormation, and Lambda to create a new account in the AWS Organization with standard baselines and guardrails. You can always modify the template file and customize the deployment. Apart from this, products are created in the new account's Service Catalog, from which they can be deployed as required. In short, AVM is used for account creation, security, and governance.

Examples of the most recommended automated baselines and guardrails

  1. Create an OU in the AWS Organization and set up Service Control Policies for the new account.
  2. Set up cross-account access from the master account.
  3. Enable CloudTrail for all regions in the new account.
  4. Enable GuardDuty to continuously monitor for malicious activity and unauthorized behavior.
  5. Set up AWS Config rules for cloud governance.
  6. Provide a Service Catalog product list from which products built on best practices can be launched later, e.g. VPC, EC2, and S3.

Step by Step Process:

First of all, download the below-mentioned files and upload them in an S3 bucket.

Initialsetup.yaml
accountbuilder.yml
Baseline.yml
AccountCreationLambda.zip

Git Repository — https://github.com/schoudhary22/AccountVendingMachine

In short, Initialsetup.yaml will create a CFN stack. Then, AVM will trigger the accountbuilder.yml template which will further use AccountCreationLambda.zip and Baseline.yml to create the required resources.

This process is divided into 3 sections. Below are the details:

Section-1

→ Create a stack in CloudFormation using the CFN template Initialsetup.yaml.

→ In the parameters section, you will have to provide the ARN of the user or group with admin privileges to run the account creation from Service Catalog and the source S3 bucket where you have uploaded all the files.

→ Go with the default settings and create this stack. In the Outputs section of CloudFormation, copy the key and value column contents for the Lambda. You will use this value when executing the Account Vending Machine.

In this section, a portfolio and a product named “Account Vending Machine” are created in Service Catalog. Along with these, a Lambda function and its roles and constraints are also created. Python is used as the runtime environment and AccountCreationLambda.zip as the code for this Lambda.

At this point, Account Vending Machine is successfully created and ready to use.

Section-2

→ Log in to the AWS console with the user mentioned in Section-1 and open Service Catalog.

→ Go to the product “Account Vending Machine” and click Launch product.

→ On the parameters page, provide the required parameters.

  • LambdaARN: Provide the output from the previous section.
  • AccounrEmail: A unique email ID has to be provided; it becomes the root user of the new account.
  • OrganizationUniteName: If you want to create an OU in the AWS Organization, provide the name; otherwise, leave the default and the account will be created under Root.
  • AccountName: Enter an account name.
  • StackRegion: Provide the region.
  • SourceBucket: Provide the name of the bucket where you have kept all the templates and files.
  • BaselineTemplate: Leave the default and it will be picked up from the source bucket. If you want to customize, you can provide your own template.
  • CloudTrailCWLogsRetentionTime: Provide the number of days to retain logs in CloudWatch Logs. Default is 90 days. The logs are also stored in S3 for 10 years by default.
  • CloudTrailLogS3DataEvents: When Yes, resource operations performed on or within S3 are captured. Default is Yes.
  • CloudTrailEncryptS3Logs: When Yes, a new KMS key is created and used to encrypt the logs in S3. Default is Yes.
  • ConfigSnapshotFrequency: Provide the snapshot frequency of AWS Config from the drop-down. Default is Six_Hours.
  • GuardDutyEmailAddress: Provide the email address that will receive alerts from GuardDuty.

→ Launching the product will create a new CloudFormation stack.

→ In the Outputs, you will find the following details.

  • CloudFormation Stack ARN
  • Account ID of new account
  • Login URL of new account
  • Username

In the background, the Account Vending Machine used the AccountBuilder template to trigger a Python Lambda function, which in turn used the Baseline template to create the account with the other baselines and guardrails.

In the Builder template, the input parameters are passed into the Lambda function. The Lambda first creates an AWS account based on those parameters and assigns the account to the OU. It also deletes the default VPC, along with its default subnets and internet gateway, from the newly created account. It then creates a cross-account role so that users in the master account can switch roles into the newly created linked account. Lastly, it triggers the Baseline template to deploy the other resources.
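The account-creation steps just described, as an added example that is not the blog's AccountCreationLambda code: it is written against boto3-style Organizations and EC2 clients passed in as arguments (in a real Lambda these would be `boto3.client("organizations")` and an EC2 client obtained by assuming the cross-account role in the new account), so the logic can also be run offline with stub clients.

```python
# Added example, not the blog's Lambda: create the member account, place it in the
# OU so that OU's Service Control Policies apply, and strip the default VPC.
# org / ec2 are boto3-style clients (or stubs) supplied by the caller.
import time


def create_account(org, name, email, poll_seconds=5):
    """Request the member account and poll until Organizations reports SUCCEEDED."""
    req = org.create_account(Email=email, AccountName=name,
                             RoleName="OrganizationAccountAccessRole",  # cross-account role
                             IamUserAccessToBilling="ALLOW")["CreateAccountStatus"]["Id"]
    while True:
        st = org.describe_create_account_status(CreateAccountRequestId=req)["CreateAccountStatus"]
        if st["State"] == "SUCCEEDED":
            return st["AccountId"]
        if st["State"] == "FAILED":
            raise RuntimeError("account creation failed: %s" % st.get("FailureReason"))
        time.sleep(poll_seconds)


def place_account(org, account_id, ou_name=None):
    """Move the account from Root into ou_name (created if absent); None keeps it under Root."""
    root_id = org.list_roots()["Roots"][0]["Id"]
    if not ou_name:
        return root_id
    ous = org.list_organizational_units_for_parent(ParentId=root_id)["OrganizationalUnits"]
    ou_id = next((ou["Id"] for ou in ous if ou["Name"] == ou_name), None)
    if ou_id is None:
        ou_id = org.create_organizational_unit(ParentId=root_id, Name=ou_name)["OrganizationalUnit"]["Id"]
    org.move_account(AccountId=account_id, SourceParentId=root_id, DestinationParentId=ou_id)
    return ou_id


def delete_default_vpc(ec2):
    """Delete the default VPC with its subnets and internet gateway; returns the deleted VPC ids."""
    deleted = []
    for vpc in ec2.describe_vpcs(Filters=[{"Name": "isDefault", "Values": ["true"]}])["Vpcs"]:
        vpc_id = vpc["VpcId"]
        igws = ec2.describe_internet_gateways(
            Filters=[{"Name": "attachment.vpc-id", "Values": [vpc_id]}])["InternetGateways"]
        for igw in igws:  # the IGW must be detached before it, and then the VPC, can go
            ec2.detach_internet_gateway(InternetGatewayId=igw["InternetGatewayId"], VpcId=vpc_id)
            ec2.delete_internet_gateway(InternetGatewayId=igw["InternetGatewayId"])
        for sn in ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])["Subnets"]:
            ec2.delete_subnet(SubnetId=sn["SubnetId"])
        ec2.delete_vpc(VpcId=vpc_id)
        deleted.append(vpc_id)
    return deleted
```

Nothing is internet-reachable in the new account until the VPC product is launched deliberately, which is the point of deleting the default VPC before handing the account over.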

In the Baseline template, an S3 bucket and its bucket policy are created first for the CloudTrail logs. Based on the input parameters provided when launching the Account Vending Machine, the KMS key and its key policy are created. Once these required resources exist, the CloudTrail trail and its log groups are created.

Next, the Baseline template creates a role, a delivery channel, and a bucket for the AWS Config setup.

Further, a detector, an SNS topic, CloudWatch Events rules, and a subscription are created for GuardDuty.

For self-service deployment of resources through Service Catalog in the new account, an SC user, group, policy, and roles are created. Then a portfolio is created in Service Catalog and 4 products are listed under it: a VPC creation product, Linux EC2 and Windows EC2 products with their constraints, and lastly an S3 bucket product with the required association and constraint.

This finishes the initial account creation along with the guardrails. In the Outputs section, the AccountID, username, and login URL for the new account are provided.
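A post-vending check of the CloudTrail, AWS Config, and GuardDuty baselines described above, as an added example that is not part of the blog's templates. It takes boto3-style clients for the new account (in practice obtained by assuming the cross-account role) and returns the names of the checks that failed, so it can be run after every launch or from a stub offline.

```python
# Added example, not part of the blog's templates: confirm the Baseline template's
# guardrails are actually present in the freshly vended account.
# cloudtrail / config / guardduty are boto3-style clients (or stubs) for that account.

def verify_baseline(cloudtrail, config, guardduty):
    """Return a list of failed check names; an empty list means the baseline is in place."""
    failed = []
    # CloudTrail: the blog's defaults produce a multi-region trail, KMS-encrypted, that is logging.
    trails = cloudtrail.describe_trails(includeShadowTrails=False)["trailList"]
    multi = [t for t in trails if t.get("IsMultiRegionTrail")]
    if not multi:
        failed.append("cloudtrail-multi-region")
    if not any(t.get("KmsKeyId") for t in trails):
        failed.append("cloudtrail-kms")
    if multi and not any(cloudtrail.get_trail_status(Name=t["TrailARN"])["IsLogging"] for t in multi):
        failed.append("cloudtrail-not-logging")
    # AWS Config: a recorder that is recording plus a delivery channel to S3.
    recorders = config.describe_configuration_recorders()["ConfigurationRecorders"]
    status = config.describe_configuration_recorder_status()["ConfigurationRecordersStatus"]
    if not recorders or not any(s.get("recording") for s in status):
        failed.append("config-recorder")
    if not config.describe_delivery_channels()["DeliveryChannels"]:
        failed.append("config-delivery-channel")
    # GuardDuty: a detector must exist and be enabled.
    detectors = guardduty.list_detectors()["DetectorIds"]
    if not detectors or guardduty.get_detector(DetectorId=detectors[0])["Status"] != "ENABLED":
        failed.append("guardduty")
    return failed
```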

Section-3

→ Log in to the new account using the login URL provided in the Outputs of Section-2.

→ Use the credentials below to log in; you will be prompted to change the password after the first login.

Username: service-catalog-user
Password: Password@123

→ Make sure you are in the same region where the stack was created and go to Service Catalog.

→ You will find 4 products under the portfolio that the user can launch with their current permissions.

→ Before starting to launch products in Service Catalog, create a new key-pair in the EC2 dashboard which will be used by EC2 instances.

→ Go to the VPC product and launch it by providing the name and the required parameters. The output section will provide the details of the created resources.

→ In the same way, the EC2 and S3 products can be launched by providing the required parameters.

Now the guardrails and Service Catalog products are set up based on the Well-Architected Framework. Every time a new account is created using the Account Vending Machine, all the baselines and guardrails are set up without any manual effort.

More services and products can be added to these templates to automate the whole account setup process.

For more information on the Service Catalog governance and constraints, follow my other blog.

https://medium.com/@shailender.choudhary/aws-cloud-governance-service-catalog-cb4fcb3516a5

Happy Learning!


Shailender Choudhary

Lead Cloud and DevSecOps Consultant at SoftwareONE Australia