Building a new AWS Lab (part 2) – Billing

I mentioned in Part 1 that I wasn’t sure of the costs of doing a lab environment with Control Tower (plus all the resources it turns on by default). To keep on top of things, I’ve enabled billing notifications with a monthly $20 limit – this needs to be done in the original route account (so logging into AWS with your root credentials and NOT the SSO credentials).

I’ll come back to this in a week and see how the bill is working out..

Building a new AWS Lab (part 1.5)

Preventing Sprawl!

Since this is only and lab and I want to keep the costs under control, I’ve opted to set some lower retention/lifecycle policies in the buckets related to logs (the default is 365 days).

Since ControlTower deploys everything using StackSets, you need to modify the StackSet rather than editing the S3 Lifecycle policy directly.

Login as your AWS Administrator from your SSO console and go to Shared Accounts -> Log Archive and click on View CloudFormation StackSet:

Now you can modify the Retention policy in the Stack parameters by clicking through:

  • Manage StackSet
  • Edit StackSet
  • Current template: Update AWSControlTowerLoggingResources
  • and then changing the retention policy to 5-days.

After this, just Next-Next-Next until you can update the StackSet… this will rollout to the account automatically.

Building a new AWS Lab (part 1)

So, I’m deep in the midst of my AWS SA Pro studies this week but need to put some things into practice to help cement the ideas.. to do this I’ve decided to build a new AWS environment using all the best/recommended/guided methods I could!

First steps today – getting a basic account structure up and running using AWS Control Tower.  Control tower builds a basic account structure called a Landing Zone – consisting of the root account, a logging account and an auditing account, and then wrapping this in a set of permissions, with SSO and an Organisations setup.

Warning Side note: this is probably going to cost a fortune to keep running, but it’s only for a short period.. I don’t think the Free Tier will cover much.  I’ll try and do a costs-related post later on once they start racking up.

Steps to do first thing:

  1. Create basic AWS account – I’ve done this, given it a crazy lab-related name and setup a dedicate email alias in Gmail for the first tranche of emails.
  2. Created a WorkMail configuration with two email addresses; one for notifications (logs) and one for auditor (audit logs)
  3. Kicked off the Control Tower build process


WorkMail is quite useful here as I can completely contain all the email etc associated with the Organisation/LandingZone within the original account.  I wouldn’t recommend this as best-practice, but it makes it easy to dismantle the lab environment afterwards.

Costs…  (verbatim) $4.00 per user per month and includes 50 GB of mailbox storage for each user. You can get started with a 30-day free trial for up to 25 users.

Control Tower

Control Tower delivers a basic level of security and governance around AWS accounts.. getting the customer off to the right start on the Shared Responsibility Model.

As Control Tower sets up SSO, you’ll get an email to setup your SSO account – once done you should be able to login and get a view similar to this:

First SSO Account View

It takes about an hour for Control Tower to do its thing and the dashboard will keep you updated with its progress:

And once it’s done, something like this: