Building a new AWS Lab (part 1)

So, I’m deep in the midst of my AWS SA Pro studies this week but need to put some things into practice to help cement the ideas. To do this I’ve decided to build a new AWS environment using all the best/recommended/guided methods I could!

First steps today – getting a basic account structure up and running using AWS Control Tower. Control Tower builds a basic account structure called a Landing Zone – consisting of the root account, a logging account and an auditing account – and then wraps this in a set of permissions, with SSO and an Organisations setup.

Side note: this is probably going to cost a fortune to keep running, but it’s only for a short period. I don’t think the Free Tier will cover much. I’ll try and do a costs-related post later on once they start racking up.

Steps to do first thing:

  1. Create a basic AWS account – I’ve done this, given it a crazy lab-related name and set up a dedicated email alias in Gmail for the first tranche of emails.
  2. Create a WorkMail configuration with two email addresses; one for notifications (logs) and one for the auditor (audit logs).
  3. Kick off the Control Tower build process.


WorkMail is quite useful here as I can completely contain all the email etc. associated with the Organisation/Landing Zone within the original account. I wouldn’t recommend this as best practice, but it makes it easy to dismantle the lab environment afterwards.
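Once the Landing Zone build finishes, it is worth confirming that the account structure described above actually came out as expected: the two shared accounts exist and are active, each account has its own root email on the lab's WorkMail domain, and nothing has landed outside the Organisations structure. The script below is an added example and is not code from the post or from AWS; it runs offline over a constructed sample shaped like the output of `aws organizations list-accounts`, and assumes Control Tower's default names for the shared accounts ("Log Archive", "Audit") and for the OU that holds them ("Security"). The account IDs, names and `lab.example.com` addresses are made up.

```python
"""Sanity check for a Control Tower landing zone account structure.

Added example. Feed `check_landing_zone` the JSON printed by
`aws organizations list-accounts` and a dict of OU name -> member account
ids (assembled from `list-organizational-units-for-parent` and
`list-accounts-for-parent`); it returns a list of findings, empty when the
structure looks right.
"""
import json

# Constructed sample: shaped like `aws organizations list-accounts` output.
# Ids and emails are made up for the example.
SAMPLE_ACCOUNTS_JSON = """
{"Accounts": [
  {"Id": "111111111111", "Name": "lab-management", "Email": "root@lab.example.com",    "Status": "ACTIVE"},
  {"Id": "222222222222", "Name": "Log Archive",    "Email": "logs@lab.example.com",    "Status": "ACTIVE"},
  {"Id": "333333333333", "Name": "Audit",          "Email": "auditor@lab.example.com", "Status": "ACTIVE"}
]}
"""

# Constructed sample: OU name -> member account ids.
SAMPLE_OU_MEMBERS = {"Security": ["222222222222", "333333333333"]}

# Control Tower's default names for the shared accounts and their OU
# (assumption: the defaults were not renamed during setup).
CORE_ACCOUNTS = {"Log Archive", "Audit"}
CORE_OU = "Security"


def check_landing_zone(accounts_json, ou_members, management_id, mail_domain):
    """Return a list of human-readable findings; [] means all checks passed."""
    accounts = json.loads(accounts_json)["Accounts"]
    findings = []
    by_name = {a["Name"]: a for a in accounts}

    # 1. The shared logging and audit accounts exist and are ACTIVE.
    for name in sorted(CORE_ACCOUNTS):
        acct = by_name.get(name)
        if acct is None:
            findings.append(f"missing core account: {name}")
        elif acct["Status"] != "ACTIVE":
            findings.append(f"core account {name} is {acct['Status']}")

    # 2. Root emails are unique (AWS requires this) and on the lab's mail domain,
    #    so every account's root mailbox is one we control and can retire.
    seen = {}
    for a in accounts:
        email = a["Email"].lower()
        if email in seen:
            findings.append(f"duplicate root email {email} on {seen[email]} and {a['Id']}")
        seen[email] = a["Id"]
        if not email.endswith("@" + mail_domain.lower()):
            findings.append(f"account {a['Id']} ({a['Name']}) root email is off-domain: {email}")

    # 3. The shared accounts sit in the Security OU, where the landing zone's
    #    guardrails (SCPs) apply to them.
    core_ou_ids = set(ou_members.get(CORE_OU, []))
    for name in sorted(CORE_ACCOUNTS):
        acct = by_name.get(name)
        if acct is not None and acct["Id"] not in core_ou_ids:
            findings.append(f"{name} ({acct['Id']}) is not in the {CORE_OU} OU")

    # 4. Every account other than the management account is placed in some OU;
    #    an account sitting at the root of the Organisation is outside the
    #    structure Control Tower governs and deserves a look.
    placed = {aid for ids in ou_members.values() for aid in ids}
    for a in accounts:
        if a["Id"] != management_id and a["Id"] not in placed:
            findings.append(f"account {a['Id']} ({a['Name']}) is not in any OU")

    return findings


if __name__ == "__main__":
    for line in check_landing_zone(SAMPLE_ACCOUNTS_JSON, SAMPLE_OU_MEMBERS,
                                   "111111111111", "lab.example.com") or ["OK"]:
        print(line)
```

Against real output, replace the two constructed samples with the CLI's JSON and your own OU listing; the management account ID is the one you created in step 1. Keeping the domain check tied to the WorkMail domain is what makes the later teardown easy, since every root mailbox then lives in the one place you will be deleting.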

Costs… (verbatim from the WorkMail pricing page): “$4.00 per user per month and includes 50 GB of mailbox storage for each user. You can get started with a 30-day free trial for up to 25 users.”

Control Tower

Control Tower delivers a basic level of security and governance around AWS accounts, getting the customer off to the right start on the Shared Responsibility Model.

As Control Tower sets up SSO, you’ll get an email to set up your SSO account – once done you should be able to log in and get a view similar to this:

[Image: First SSO Account View]

It takes about an hour for Control Tower to do its thing and the dashboard will keep you updated with its progress:

And once it’s done, something like this: