Hi Arjun, in the question, infrastructure and Control Tower are mentioned, but the exact use case is not clear. Generally speaking, customization of account setup and of infrastructure across the accounts in an AWS Organization is achieved using CfCT:
https://aws.amazon.com/solutions/implementations/customizations-for-aws-control-tower/
At the basic level, CloudFormation StackSets could be used with some DevOps pipeline that packages the AWS Lambda function.
If governance, auditing and versioning needs arise, the solution can include Service Catalog with its advanced features.
There is also a Terraform version:
https://docs.aws.amazon.com/controltower/latest/userguide/aft-account-customization-options.html
For the use case you described in the comment, you don't need a separate copy of the Lambda function deployed in each target account. You can have your Lambda centrally in one AWS account and region, and in the target accounts you would only deploy an IAM role that the central Lambda function is permitted to assume.
You could then either schedule as many invocations of the Lambda function as you'd like in the central account, each invocation assuming the role you deployed in the specified target account, do its work, and use the original Lambda execution role (instead of the role in the target account your function explicitly assumed) to save the output in the central S3 bucket. This way, the multiple target accounts also don't have to be granted access to the central output bucket nor have access to a local copy of the Lambda function's code.
Instead of scheduling multiple invocations, a more sophisticated solution would be to use Step Functions to orchestrate invoking the central Lambda function for each account. Step Functions makes it easy and neat to handle errors and retries, as well as having built-in features allowing you to parallelise the Lambda invocations without having to write code to implement the parallelisation.
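The pattern in this answer (central Lambda, per-account assumed role for reading, the Lambda's own execution role for writing), as an added example that is not Leo K's code or an AWS-provided solution. The bucket name, the target role name and the `session_factory` injection are assumptions chosen so the core logic can be exercised with fake clients; `lambda_handler` is the only piece that touches boto3.

```python
"""Central collector: one Lambda in the central account assumes a role in each
target account, builds the IAM report there, and uploads it with the Lambda's
own execution-role credentials, so target accounts never need bucket access.
Names marked 'assumption' are not from the re:Post thread."""
import json
import re
from datetime import datetime, timezone

CENTRAL_BUCKET = "example-central-iam-reports"   # assumption
TARGET_ROLE_NAME = "IamReportReaderRole"          # assumption: role deployed per target account
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def target_role_arn(account_id, role_name=TARGET_ROLE_NAME):
    """ARN of the read-only role in a target account; rejects malformed ids early."""
    if not _ACCOUNT_ID.match(account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"


def report_object_key(account_id, when):
    """Per-account, per-day key so reports from many accounts never overwrite each other."""
    return f"iam-reports/{account_id}/{when:%Y-%m-%d}/iam-report.json"


def _paginate(list_call, result_key, **kwargs):
    """Walk IAM's Marker/IsTruncated pagination so large accounts are fully listed."""
    items, marker = [], None
    while True:
        page = list_call(**kwargs, Marker=marker) if marker else list_call(**kwargs)
        items.extend(page.get(result_key, []))
        if not page.get("IsTruncated"):
            return items
        marker = page["Marker"]


def build_iam_report(iam):
    """Roles, users, groups, attached managed policies and group membership for one account."""
    roles = {}
    for role in _paginate(iam.list_roles, "Roles"):
        attached = _paginate(iam.list_attached_role_policies, "AttachedPolicies",
                             RoleName=role["RoleName"])
        roles[role["RoleName"]] = sorted(p["PolicyArn"] for p in attached)
    users = {}
    for user in _paginate(iam.list_users, "Users"):
        name = user["UserName"]
        attached = _paginate(iam.list_attached_user_policies, "AttachedPolicies", UserName=name)
        groups = _paginate(iam.list_groups_for_user, "Groups", UserName=name)
        users[name] = {"attached_policies": sorted(p["PolicyArn"] for p in attached),
                       "groups": sorted(g["GroupName"] for g in groups)}
    group_names = sorted(g["GroupName"] for g in _paginate(iam.list_groups, "Groups"))
    return {"roles": roles, "users": users, "groups": group_names}


def collect_account(sts, s3, account_id, session_factory, now=None):
    """Assume the target role via `sts`, build the report with the IAM client that
    `session_factory(credentials)` returns, then upload with `s3`, which must have
    been created from the Lambda's execution role, not from the assumed role."""
    now = now or datetime.now(timezone.utc)
    creds = sts.assume_role(RoleArn=target_role_arn(account_id),
                            RoleSessionName="iam-report",
                            DurationSeconds=900)["Credentials"]  # shortest allowed session
    report = build_iam_report(session_factory(creds))
    report["account_id"] = account_id
    report["generated_at"] = now.isoformat()
    key = report_object_key(account_id, now)
    s3.put_object(Bucket=CENTRAL_BUCKET, Key=key, ContentType="application/json",
                  Body=json.dumps(report, indent=2).encode())
    return key, report


def lambda_handler(event, context):
    """Entry point; event is {"account_id": "123456789012"} from Step Functions or EventBridge."""
    import boto3  # imported here so the module stays importable without boto3

    def iam_for(creds):
        return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])

    key, _ = collect_account(boto3.client("sts"), boto3.client("s3"),
                             event["account_id"], iam_for)
    return {"written": f"s3://{CENTRAL_BUCKET}/{key}"}
```

With Step Functions, a Map state over the list of account ids invokes this function once per account and gives you the retries and concurrency limit for free; the trust policy of `IamReportReaderRole` in each target account needs to name only the central Lambda's execution role as principal.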
Hi Leo K, can you provide me a working solution for the same?
Hello,
AWS CloudFormation StackSets might be the solution. You can now define an AWS resource configuration in a CloudFormation template and then roll it out across multiple AWS accounts and/or Regions with AWS Organizations. There are no costs associated with using AWS CloudFormation StackSets. Providing here a few links which might be useful:
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html
- https://aws.amazon.com/blogs/aws/use-cloudformation-stacksets-to-provision-resources-across-multiple-aws-accounts-and-regions/
- https://aws.amazon.com/blogs/aws/new-use-aws-cloudformation-stacksets-for-multiple-accounts-in-an-aws-organization/
Hi AWS-User-7407181, I am running a Lambda function which is generating an IAM report, i.e. a list of roles, users, user groups and policies attached to the roles and users, and which users are part of user groups. The output of the Lambda function is stored in an S3 bucket. Now I need to run this Lambda function across 20 accounts, and I want to aggregate the output of the Lambda function that runs in all the accounts into one common S3 bucket, and I want to trigger this Lambda function in an automated fashion using a service like Amazon EventBridge to avoid manual effort. I need to know how I can provision infrastructure for this using CloudFormation StackSets.

The previous answer still holds good. All you need is to create a CloudFormation template for the AWS Lambda function with an EventBridge rule and deploy that as a StackSet targeting the 20 accounts. The Lambda role should have permission to upload the file to the common S3 bucket, and the bucket also needs the necessary S3 bucket policy.
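The two policies this reply calls for in the StackSet variant (the execution role in each target account, and the bucket policy on the central bucket), as an added example that is not AWS-User-7407181's code or an AWS template. The bucket, organization id, prefix and role name are assumptions. The bucket policy uses the `aws:PrincipalOrgID` and `aws:PrincipalArn` condition keys so that "Principal": "*" is pinned to the StackSet-deployed role inside your organization, and `policy_findings` is a small pre-deployment check that flags the two ways this is commonly opened too wide.

```python
"""Policies for the StackSet variant: a Lambda in each target account writes its
report to one central bucket. Names marked 'assumption' are not from the thread."""
import json

CENTRAL_BUCKET = "example-central-iam-reports"   # assumption
ORG_ID = "o-exampleorgid"                        # assumption; real ids look like o-xxxxxxxxxx
REPORT_PREFIX = "iam-reports/"                   # assumption
WRITER_ROLE_NAME = "IamReportWriterRole"         # assumption: execution role the StackSet creates


def central_bucket_policy(bucket=CENTRAL_BUCKET, org_id=ORG_ID,
                          prefix=REPORT_PREFIX, role_name=WRITER_ROLE_NAME):
    """Bucket policy for the central account. Principal "*" is acceptable only because
    aws:PrincipalOrgID limits it to the organization and aws:PrincipalArn narrows it
    further to the one role name; writes are allowed only under the report prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "OrgWriterRolePutsReports",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            "Condition": {
                "StringEquals": {"aws:PrincipalOrgID": org_id},
                "ArnLike": {"aws:PrincipalArn": f"arn:aws:iam::*:role/{role_name}"},
            },
        }],
    }


def writer_role_policy(bucket=CENTRAL_BUCKET, prefix=REPORT_PREFIX):
    """Identity policy for the Lambda execution role deployed into every target account:
    list-only IAM read access, and PutObject only under the report prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["iam:ListRoles", "iam:ListUsers", "iam:ListGroups",
                        "iam:ListAttachedRolePolicies", "iam:ListAttachedUserPolicies",
                        "iam:ListGroupsForUser"],
             "Resource": "*"},
            {"Effect": "Allow",
             "Action": "s3:PutObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def policy_findings(policy, prefix=REPORT_PREFIX):
    """Pre-deployment check: an anonymous principal must carry an org/account/ARN
    condition, and object-level grants must stay inside the report prefix."""
    scoping_keys = ("aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn")
    findings = []
    for st in policy["Statement"]:
        sid = st.get("Sid", "<no Sid>")
        cond = st.get("Condition", {})
        scoped = any(k in keys for keys in cond.values() for k in scoping_keys)
        if st.get("Principal") == "*" and not scoped:
            findings.append(f"{sid}: anonymous principal without an org/account/ARN condition")
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for r in resources:
            if r.endswith("/*") and not r.endswith(f"/{prefix}*"):
                findings.append(f"{sid}: grants the whole bucket instead of the report prefix")
    return findings


if __name__ == "__main__":
    for name, pol in (("bucket", central_bucket_policy()), ("writer", writer_role_policy())):
        print(name, json.dumps(pol, indent=2), "findings:", policy_findings(pol))
```

Put `writer_role_policy()` on the execution role in the StackSet template and `central_bucket_policy()` on the bucket in the central account; because the bucket policy is keyed on the organization id rather than on 20 account ids, adding an account to the StackSet does not require touching the bucket policy.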