Upgrade Control Tower Landing Zone From 2.x to 3.x

2 minute read
Content level: Intermediate
0

Outline key considerations and steps to perform this major version upgrade.

CONSIDERATIONS BEFORE UPGRADING TO LANDING ZONE 3.x

  • Region Deny Updates - APIs for AWS Chatbot, S3 Storage Lens, and S3 Multi Region Access Points are new exemptions to the Region Deny Guardrail [1]
  • Config Global Resource Recording - Control Tower reduces redundant Config items by only recording Global Resources in your home region (Region CT was configured in) [2]
  • NEW CONFIG OPTION KMS Encryption - Customer can now opt to encrypt CT resources using a customer-provided KMS key to enhance encryption over default SSE-S3 option [3]
  • NEW CONFIG OPTION Org-Level CloudTrail - Customer can now opt to automatically log actions of all member accounts to a management account trail. This can result in duplicate costs, important to understand this! [4]
  • Automations that rely on CloudTrail logs in member accounts will have a new log path [5]
  • CloudWatch Metric Alarms will need to be updated if the customer opts into Org-Level CloudTrail
  • There is no way to revert back once an upgrade is initiated

UPDATE YOUR LANDING ZONE

  1. In the Control Tower Console select Landing Zone Settings
  2. Select the latest version and click the Update Button
  3. Move through the wizard steps and configure according to preference Update Your Landing Zone

RE-REGISTER OUs

  1. In the Control Tower Console select Organization
  2. Select an OU
  3. Under the Create Resources button choose Re-register Organizational Unit Re-Register OUs

RECOMMENDED READING/WATCHING

[1] https://aws.amazon.com/about-aws/whats-new/2022/07/aws-control-tower-region-deny-guardrail-expands-aws-chatbot-s3-storage-lens-s3-multi-region-access-points-apis/

[2] https://aws.amazon.com/about-aws/whats-new/2022/07/aws-control-tower-reduces-aws-config-items-recording-global-resources-home-regions/

[3] https://aws.amazon.com/about-aws/whats-new/2021/07/aws-control-tower-provides-support-kms-encryption/

[4] https://aws.amazon.com/about-aws/whats-new/2022/07/aws-control-tower-adopts-aws-cloudtrail-organization-logging/

[5] https://docs.aws.amazon.com/controltower/latest/userguide/2022-all.html#version-3.0

profile pictureAWS
EXPERT
Tyler_P
published 2 months ago1679 views