2 Answers
0
If you have customized the AVM CloudFormation template for creating accounts (for example, chaining within the same Service Catalog product, or customizations directly within the account vending resource), then you might want to keep the existing AWS Service Catalog product as well as the provisioned product. You must update the section that triggers account provisioning with a new one for Control Tower Account Factory, for example:
See
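As an added illustration (not part of the original answer, and not AWS-published code), this is the shape the replacement account-vending section could take: the existing AVM trigger is swapped for a `AWS::ServiceCatalog::CloudFormationProvisionedProduct` resource that launches the "AWS Control Tower Account Factory" product. The provisioning parameter keys are the Account Factory defaults; the OU name, the provisioning artifact name and the e-mail parameters are placeholders you must replace with the values shown for the product in your Service Catalog console, and the stack is assumed to run in the Control Tower management account under a role that has launch access to that product.

```yaml
# Added example: a Control Tower Account Factory launch resource that can replace
# the account-provisioning section of a customized AVM template.
# Assumptions (not from the original answer): the product name is the default
# "AWS Control Tower Account Factory", the launching role has been granted access
# to it, and the OU / e-mail values below are constructed placeholders.
Parameters:
  AccountName:
    Type: String
  AccountEmail:
    Type: String
  ManagedOrganizationalUnit:
    Type: String
    Default: Sandbox   # placeholder: an OU already registered with Control Tower
  SSOUserEmail:
    Type: String
  SSOUserFirstName:
    Type: String
  SSOUserLastName:
    Type: String

Resources:
  AccountFactoryProvisionedAccount:
    Type: AWS::ServiceCatalog::CloudFormationProvisionedProduct
    Properties:
      ProductName: AWS Control Tower Account Factory
      # placeholder: copy the artifact (version) name shown in Service Catalog
      ProvisioningArtifactName: AWS Control Tower Account Factory
      ProvisionedProductName: !Sub "${AccountName}-account"
      ProvisioningParameters:
        - Key: AccountName
          Value: !Ref AccountName
        - Key: AccountEmail
          Value: !Ref AccountEmail
        - Key: ManagedOrganizationalUnit
          Value: !Ref ManagedOrganizationalUnit
        - Key: SSOUserEmail
          Value: !Ref SSOUserEmail
        - Key: SSOUserFirstName
          Value: !Ref SSOUserFirstName
        - Key: SSOUserLastName
          Value: !Ref SSOUserLastName

Outputs:
  ProvisionedProductId:
    Value: !GetAtt AccountFactoryProvisionedAccount.ProvisionedProductId
```

If the customized template vends more than one account in a single run, chain the Account Factory resources with `DependsOn` so that requests reach Account Factory one at a time, and keep the resource name distinct from the old AVM provisioned product so that CloudFormation does not attempt to replace the existing account.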
0
Migration of AWS Landing Zone to AWS Control Tower requires careful planning.
Challenges
- Restrictive Policies: Control Tower will apply mandatory service control policies that are inherited by all organizational units. These may conflict with your current policies.
- Account Structure: Control Tower creates a centralized audit and logging account structure. This may not be consistent with your current logging and audit strategy.
- Policies and Permission Sets: Control Tower creates several users, groups, policies, and permission sets. These may not be consistent with your current definitions.
- Cost Management: The tags that are set for Control Tower centralized infrastructure need the correct cost centers assigned.
Resolutions
- Incremental Scaling: Start by migrating low commercial impact (e.g., dev) accounts first. Register with Control Tower only the organizational units and accounts that you want to migrate (not all of your current customized organizational units will be registered by default when you deploy Control Tower). Typically, customers start with the Sandbox OU.
- Account Review and Validations: Use tools like AWS IAM Access Analyzer to review that resources have the expected access levels. Review that the correct permission sets have been applied.
- Test Landing Zone: We recommend setting up a test landing zone with AWS Control Tower so that you can test accounts being migrated before moving to the production Control Tower landing zone.
These are some of the most common challenges and resolutions.
