oh I I made a mistake in that question the T policy sorry use a t policy in the place of the backup policy okay yes yes so so we have there are about five policies that you have that AWS organization gives you right I I mentioned just the key ones that that you needed to know because you find yourself using it often so we have service control policies we have tag policies we have backup policies we have service opting AI policies okay these three were the ones that I mentioned the key ones that you need to know now service control policy is seen as a preventive G rail preventive Gil because you can use scps to prevent what people can do in an environment for example yesterday you saw how you used an SCP to prevent people from creating a resource if that resource is not tacked properly so it's a really good way to implement a tagging strategy in a brand new environment if you go to an environment that is already had that has been existing for a while you want to be very cautious before you apply an SCP because if you have some automations in place that SCP can break those automations say for example you have a pipeline and that pipeline is meant to create some resources when you implement an SCP that pipeline would not be able to create those resources because you you haven't modified the pipeline to start tagging the resources properly or to comply with the so it's one of those preventive G rules that are you you you always want to be cautious before you implement it tag policies tag policies is meant to help you with your tagging strategy it's meant to help standardize tax standardized tax give standards to tax so say for example example we have a cost center check I want I want that every E2 instances that you create in an environment should have a cost center tag so I would say I want the cost center to be one word and the C should be a Capital C I can create a tag policy that would give that standard to the tag so that if you go and you create a c Center like 
this in your tag it's going to tell you that it's incorrect same thing with the value I can say that when you want to put in the value it should C Center should just be numbers C Center should not include letters name should just be letters Nam should not include numbers so you can create those standards around how you want tax to be because some people can just say Okay because I'm mandated to put C Center I'll just put C Center I'll put something gibberish as a value but you can use attack policies to standardize how you want the key and values to be so that everybody follows the same standards okay and then backup policies obviously is used to centralize backup inside your environment does that make sense AUD it makes sense uh for instance now with the for cental T that you want to standardize for instance I want to understand will the T policy Now operate like a service control policy in a way that if you go and put let's say cost center in lower case instead of the way you want it to be in upper case right will it prevent that maybe the ec2 from launching like how service control did today how's it going to what's going to be the effect yes it would it will prevent it it will act you it you can you can set it up to prevent it or you can set it just your T policy so you can Implement T policy along with scps to prevent it if the if it doesn't comply with the specific tags that you have in your tag policies or on its own as a tack policy it will just indicate to you that okay you have this resources that are attack improperly okay but yes chck policy you use it in combination with scps thank you you're welcome all right so let's get into what we have planned for today yesterday we we started looking at uh we were looking at governance right governance with an understanding of how easy it is for anybody to get started on AWS you can start small by setting up your AWS account launching your computer and your storage Services inside but as your workload increases 
and you start to scale you start seeing the need to have a multi- account inside your environment and that's because it will be very challenging for you to have everything encapsulated in the same account if you have about 30 developers working for your company and all of those 30 developers are working in the same account it's really really challenging to write really refined policies that would restrict the developers from having some accesses in their environment so having a multi account strategy it's really going to help you to put things together or strategize things or structure things in a way that is much more cleaner in your environment and then we went and looked at AWS organization which is a service that helps organizations to manage their multi account implementation because when you're using AWS organization it you can easily you have benefits of centralized um Consolidated billing you have benefits of managing your accounts C centrally managing your accounts from one place it becomes way easy for you to implement policies when you're using um AWS organization it helps with cost allocation right for example I can say I'm creating this account and this account belongs to the finance team and so every resource that's created in that account I just know that okay as long as it's coming from this account I would allocate this cost to the finance budget because it's the finance teams account and have this account this account belongs to the manage the the marketing team and all cost associated with this account would be tied to the manage marketing team so it's really easy for you to allocate cost efficiently when you have that multi account implementation with AWS organization now but even with AWS organization even with the setup of using AWS organization as organizations skill more and more you'll see that they will still face some challenges such as ensuring that developers are building and innovating in a way that will take advantage of the agility 
and speed in the cloud so even with a S organization even with AWS organization you will still find [Music] organizations or should I say companies facing challenges around giving developers the ability to take full advantage of agility and speed that the cloud offers while remaining compliant even with AWS organization you still find organizations that have challenges around their developers because AWS or the cloud environment any Cloud environment is a much more agile environment agile in the sense that when a developer wants to create a service when a developer wants to deploy an application they don't need to go through the process of putting in a procurement request to get a server purchase the server have the server delivered to them before they contest whatever they're working on they can just normally you have access to the cloud you can easily just spin up an ac2 instance and you'll be able to test what you want to test so it becomes really agile and speed too because you can do that much quicker as opposed to when you are in an unem environment but again the real test or the real question becomes how you will have these developers take advantage of their agility and speed in the cloud and remain compliant how do you keep these developers moving getting creative because you want your developers to remain creative you want them to keep doing what they're doing you want them to become in know remain Innovative but again how do you make sure that their creativity is not impacted with lots and lots of policies and constraints that you have in your environment okay so imagine that your developer wants to create something one second I'll be right back guys one second oh we have have people in the lobby yeah mag we were so we were talking about um the challenges that even when organizations have when you're using AWS organization you can still face some of these challenges right and a typical a typical scenario where you face challenges will be around the fact 
that you have developers that want to take advant AG of the Speed and Agility that AWS offers AWS offers everything as a service which means that when you need a database you should be able to get it quickly when you need an intitute instance you should be able to get it quickly when you need an S3 bucket you should be able to get it quickly but now on the other hand you have the cloud Center of Excellence team also known as a cloud it so cloud of Excellence also known as a ccoe ccoe cloud Center of Excellence team and this team is typically the governance team in an in an environment they are meant to make sure that when developers are developing and they want to achieve Speed and Agility and all of that they should be compliant they should not go and create an S3 bucket and make it publicly available they should not go and create an E2 instance and open opportunity to the general public they should not use store sensitive data in an S3 bucket they should use certificates to encrypt data they should use keys to encrypt data and all of those things the cloud Center of Excellence is there to make sure that compliance is in place especially if you're dealing with an organization that is holding customers sensitive information the customer the the the the the organization has some compliance rules they have to adhare to and if they are not compliant then they can easily be sued for that I think it was Wells fago it was Capital One who had an issue where people's information were compromised and they had a whole legal fee to pay because of that so at the same time so so so the point is as important as it is that the job of developers are there to drive revenue for the company the job of the ccoe team is also very important even though the CCO team is not Revenue drivers so a lot of companies have always had conflicts between developers and ccoe teams because developers will say I can can do this thing in less than one week but because of all of these guard rails and 
all of these rules we have in place it's taking me longer to deliver at the same time the CCO team is going to say we need to put all of these rules in place to make sure that you're doing things the way you should do the way it needs to be done so this was a challenge for so many companies so many organizations they wanted to strike a perfect balance between agility and speed and compliance they wanted to they they want to have a perfect balance between freedom and control the developers want freedom the cloud Center of Excellence team wants control they want to control what developers can do so developers are the dery drivers ccoe team is not driving the revenue but they play an important part and so because of aw has created another service that is called control tower control tower control tower is a service that provides that balance between freedom and control it provides that balance between what developers want agility and speed and control so it basically gives the company or the organizations now the ability to set that Baseline that developers will be able to adhere to from day one when you set up your AWS organization okay so control tower is a service that gives organizations the ability to set up a secured multi account environment that is based on all of these AWS best practices okay gives organizations the ability to set up a secured multi account environment based on AWS best practices okay based on AWS best practices so what what AWS has done is what what AWS did is they have gathered all of their findings from their customers over the years all of their customers that have been using AWS they've looked at what is common in terms of security requirements across the board in terms of uh um all of the different G Dr control the best practices in all of these different domain that would security and Agility in the environment they put all of that together and they offered it as a service that's called control tower okay control tower has some key 
features four key features actually so if you look at my screen you see that it says control tower enables agility and governance agility because the work of the developers will not be hindered because of rules so control tower is meant to give you that balance between agility and governance so the first thing that it offers is it helps to set up what we call a landing Zone control tower helps to set up your AWS Landing Zone think of a landing Zone as think of a foundation when you want to build a house right when you want to build a house you don't start by building the doors the windows the roof and and painting places you start with a foundation so think of a landing Zone as that Foundation that you need to set up your multiac account structure on top when you have a solid foundation even if the winds come the rains come the hurricanes come your house would will remain solid okay and so that is what control tower does it sets up your Landing Zone by installing what we call security baselines so it does this by sets up your AWS Landing Zone by setting up baselines in your account by setting up baselines in your account okay so am I've made you co-host just in case someone comes in okay so that's the first thing that control tower does and this Landing Zone comes with so many things in it it comes with guard rails already set up it comes with some service control policies already set up for you it comes with with some config rules Amazon config rules we know what Amazon config is it comes with some config rules already pre- enabled for you it deploys some resources in your environment that would help to set up that Baseline that you need and if you don't have AWS organization enabled this Landing Zone will enable a AWS Organization for you so you can see that control tower is built on top of AWS organization okay if you don't have it it enables it if you already have it enabled then it just uses what you already have enabled because it needs that to govern and 
centralize things okay this is the first thing that control tower does sets up your Landing Zone and if you see here it says your Landing zone is that single point of managing your entire organization the second thing that it does it is control tower centralizes identity access and logging control tower centralizes identity access and logging identity access and logging now when you have a multi account structure when you have mult let's say you have five accounts all of those accounts have Im so let's say if I need to give Victor access to those five accounts I'll go to account one I'll create an IM am user Victor I'll go to account two I'll create an IM am user Victor I'll go to account three I'll create an IM user Victor right up to account five when you do it like that it becomes so comp because if Victor have if Victor have separate passwords to get into those accounts first of all it's a lot of work for Victor to to handle secondly if I have to implement policies on how to control Victor's access to all of these different accounts I'll be doing them individually because the user is created within the construct of the account so it is a lot of administrative work that is unnecessary so control tower is here to take off that administrative work and centralize identity access for you and it does that by creating or by enable enabling an already existing service that's called identity Center okay identity Center okay it's actually called I am identity Center so identity Center is a big brother it's I am's big brother so it enables that service now within identity Center you can centralize how you manage your multiac account structure so I'll go to Identity Center I can create a user so if you look at I am within I am you have users and groups and roles but now with identity Center you have users you have groups you have what we call permission set permission sets is just like roles for IM am it functions the same way like roles you have policers and then added to 
that you have accounts these are the features within identity Center now if I go into identity Center and I create a user and I call that user Victor I can decide to put Victor in group admin admin group and then I can decide to attach a permission set to that group inside that permission set I have policies okay so inside that permission that's why I say permission set is like a row because you have a permission set let's say you have admin permission set and then inside the admin permission set I can have admin policy I can have billing policy Etc so I can take now the admin permission set I attach it to that group and then I add attach an account to that group I can say I just want to give Victor account to the dev ask to the dve account you can manage all of that within identity Center that's why we're saying that control tower centralizes identity access you don't need to go to IM you go to IM to create custom policies because your custom policies will still be defined within IM but now when you create those custom policies identity identity Center can get it from there so now you don't manage users anymore at the level of I am you're managing more at a more elevated level which is at identity Center level so that's one piece here centralizing identity access the next thing that it says is it centralized logging it centralizes logging now one of the things that we've learned over our sessions is that whenever you make an API call in AWS that API call is reg recorded in cloud trail and this means that cloud trail records locks so think about an environment that has 500 accounts and we have people gating into those accounts on a daily basis and making different API calls and then you're part of the security team and you hear that there's a security breach in account number 49 9 you need to have access to that account to go in there to be able to understand what what happened and then that same time you hear that there's another issue in another account you need 
to go into that account to be able to analyze what happen so it is a lot of work for the security team to jump or to help from one account to another to basically understand or get locks from there and analyze those locks it's a lot of work so control tower centralizes logging and the way that it does is it creates when you are setting up your control tower when you're setting up your control tower control tower creates an account for you that is called the log archive account it creates an account that's called The Log archive account the log archive account and this loog archive account is meant to centralize all of your logs across all of your environment if you have 500 accounts all of those accounts will be pushing their locks into the lock archive account so that if you're part of the security team and you hear that there's a security Bridge somewhere all you need to do is to just go into the log aive account and then you check the logs in there and you'll see what happened in the account you can also take those logs and build a dashboard build a dashboard so that if you have a security Bridge you just look at the dashboard the dashboard you see the the area in the dashboard that's red it's going to tell you that this is the account that has has the issue okay so the log iive account is what helps to centralized logging and within this account what control tower does is it creates an S3 bucket when you're setting up your Landing Zone it comes with an S3 bucket it creates an S3 bucket for you it creates an SNS topic for you so that when there's a security incident all you need to do is to just subscribe to that topic you sub the security team just needs to subscribe to that topic once you subscribe to that topic you get notified when there's a security Bridge or when there's a security incident so this comes as part of your Landing Zone setup control tower also enables AWS config because your config logs also have to go to the lock archive account and all 
other locks all other infrastructure locks application locks you can send centralize all of those and push them into the Lo C you can have one source of truth in your environment which is that L archive account okay that's one of the things that the second thing that control tower offers centralizes identity access and logging the third thing looking at our stuff here the Third thing that control tower does is it automates compliant account provisioning it automates compliance account [Music] provisioning it automates compliant account provisioning now one of the things that Soul Tower does is it uses a service that is called service catalog it uses a service that's called service catalog it goes into service catalog and it creates a product called account Factory it creates a product that's called account Factory and it uses code to create this product which means that you can go into account Factory you can go to service catalog and you see the code but the beautiful thing with this whole setup is the account that product that it's create that that that product that creates the account account Factory is meant to create provision your new account when you want to create a new account you go into account Factory and you click on launch product all you need to do is to just pass your email address and the name of the account just like what we did yesterday the difference between account Factory and creating your account from AWS organization is that with AWS organization it's just a bank account with account Factory that account is powered by control tower which means that when the when when when the account is being vended when the account is being created all of those baselines that control tower has control tower will set all of those baselines automatically on that account and automatically enroll that account into control tower that's why it says compliant account provisioning okay compliance account provisioning because the account that's being provisioned 
will already come with all of control tower based lines on it okay account provisioned from account Factory will be automatically and rolled into control tower and will have all of control tower baselines on it okay this is different from the account you're provisioning with AWS organization account created with AWS organization is just a bare account but now account Factory gives you more because it comes with all of those baselines I'll take questions momentarily let's touch on the last thing that control to offers establishing guard rails establishing guard rails control tower establishes guard rails a actually back and I'll take a screenshot just yes please thank you you're welcome um and the one before this as well this one I'm not that no all right yes thank you yeah the the one before this yes thank you you're [Music] welcome moving on sure okay establishing guard reals AWS actually calls it now controls they don't they no longer call it God rails but they mean the same thing God rails are basically these rules that you have in place that you can basically Implement in your environment so what control tower does is it sets up these guard rails or these controls in your environment and the controls come in three categories you have mandatory mandatory controls and the mandatory controls are the controls that you don't have a choice when you're using control tower you're mandated to it's already enabled it's already enabled and I think I had a screenshot of those controls give me one second let me see I think I have it on this iPad let me pull that up m [Music] it's good so that we go through some of those controls for you guys to see but if you don't if I don't have it here then we can oh okay founded [Music] [Music] all right let me reshare so these are examples of those guard reils that control tower offers they're now called controls but these are these are examples of a so you see I said it comes in three categories right we have those that are mandatory 
mandatory means that you don't have a choice it already comes enabled for example disallow po policy changes to the lock archive account the Lo archive account is meant to centralized logging in that account you cannot delete logs control tower already sets all of those things so that somebody will not do the wrong thing and then go into the lock account and try to delete delay the log so one of those mandatory guard reals is that you cannot change any policy that control tower has applied to that Lo a account because that Lo aive account is meant to be the source of truth if Auditors if you have external Auditors from the federal government that comes to audit your environment all you need to do is to give them 10 AR access to the Lo lock archive account and that lock archive account will be the source of Truth and it's a pre preventive type of control because it prevents you from doing certain things the next category is the strongly recommended so I said we have three categories we have the mandatory we have the strongly recommended and then we we have the elective the mandatory are the ones that you don't have any choice the strongly recommended is the one that AWS is telling you that we are not going to enable this for you but we strongly recommend that you enable it we strongly encourage you to enable these controls because it's going to help your com your environment remain compliant and secure for example this the first control is even though it's detective it says enable MFA for the user AWS is not going to automatically enable n for your rud user in all of your accounts but AWS is telling you that we encourage you to do so that's why they they they it has they have it under the strongly recommended category this allow public read to S3 buckets that's BPA disallow public read to S3 bucket so this is a det effective control and AWS is strongly recommending that you block public re to your public re access to your buckets but again AWS doesn't understand the 
specific use cases so it's not mandator mandating you to basically enable that it's under the strongly recommended category and then we have the elective category the elective category is basically where a is saying that these are other options that you can choose if you want to these are other options and AWS has a ton of them this is just this is just a this is just an example of it a a has a ton of already existing elective guard rails that normally when you set out your control tower your security team has to go under those guard rails and slowly go one by one one by one and see the one that applies to the your specific en environment and enable it one by one and enable what applies to you that's how you set up That Base Line based on your specific use case it says the last one says disallow delete actions on Amazon S3 bucket without MFA so this is where you can automatically enable MFA delete I think we talked about MFA delete in our S3 class it's been a minute so maybe some of you might have forgot to but this is how you can automatically enable MFA delete so that you don't delete an S3 bucket without authenticating the second time to say that yes I want to delete this bucket but again it's an elective guard rail or it's an elective control which means that AWS is not mandating you to do it it's not that strongly recommended it's elective which means that you should consider enabling a control like that okay okay so those are the four main things that control tower gives you it sets up your Landing Zone the process of setting up your Landing Zone takes about 45 minutes to 1 hour we all are going to set up our Landing Zone tonight and when we set it up you you it will take probably do it before we go on break so that during that process it takes about 45 minutes to an hour and then your Landing Zone will be fully completely set up once it sets up your Landing Zone the second thing is um it centralizes your identity access and your logging because it creates 
that log archive account it enables IM am identity Center for you and then it establishes guard RS in your environment it automates the process of creating accounts by using those Services called service catalog account Factory okay and then if you look at this design we have that continuous mon management and monitoring right here continuous management and monitoring which means that one of the things that control tower dots is it turns us it turns on recording on your AWS config remember that recording feature so it automatically turns that on because it needs to continuously be recording everything that's happening in your environment so that it can manage it so everything happens continuously okay all right I'm going to pause and take questions I know that it's been a lot to takeing so go ahead definitely go ahead and ask me any questions and then after that we proceed okay yeah go ahead yeah so um Furious this this appears to be a very very powerful very powerful tool um the control to um so I'm just trying to imagine so if I had to to create an AWS environment from scratch this is where I have to go basically to set up the account and once you set up the account you can set up the various areas like the da test you know in integration and all that and production this is where you do it this is where it's done this is where it's done so the default um guard rails that come with aw us those ones are standardized can the actual Corporation have their own tweaks of these um these things that that will apply to the our own use case in their own establishment can they do something like like customize yes these things yep yep that's a great question and I have and and and that was what I was going to talk about next customizations for control tower okay so we'll dive into that momentarily and then your your question in that area will be answered okay thanks MAA um quick question I think it's it's around the same topic I just wanted to know if the the mandatory 
controls can be overridden by any by let's say the rout account so control tower is set up in that Root Management account not root account your management account and the mandatory controls you don't have the ability to do anything that's why it says mandatory right it's like AWS is telling you that if you want to use this service then know that these things will be automatically applied and you cannot change it you cannot control it you cannot do anything you cannot you cannot disable it it comes automatically enabled that's why it's called mandatory it's a strongly recommended and the elective that you have some flexibility in in that area um does it mean it's not suitable for government organizations it is suit it is suitable for government organizations depending on their use case depending on what they want to achieve okay and that's why most of the times you the it's the job of the CCO team to understand the service understand what it brings in before you start implementing it some some organizations will say okay we just leave we just stick to AWS organizations for now until we get a subject matter expert that understands the ins and out of control tower before we we get into control tower and then speaking about customizations for control tower it brings another level of comp complexity that you need to make sure that you have somebody that understands those customizations okay so can it be integrated with like a hybrid um environment no it's AWS specific what I've seen companies do is they have replicated something similar their own version of control tower in other environments so that they make it kind of similar to AWS and you can do because control tower is powered by code it's just a bunch of code that AWS is deploying across your environment to set up that Landing zone right so some some companies will pick up higher developers that will come and try to create something similar to control tower for their own premise or for their other Cloud 
platforms to set that up okay thank you very much you're welcome a uh automating uh uh complant account provisioning the with the account factoring I want to know is it the same as service catalog or is that it operates like service catalog is account Factory is service catalog okay so account Factory is let's talk about service catalog there's no service on AWS that's called account Factory there's a service on AWS that's called service catalog okay service catalog is an AWS service that helps you to pre provision services for consumption okay that's what service catalog does it helps you to pre-provision services for cons consumption what do I mean by that let's say you're working in an environment where you're the only one that knows AWS you're the only one that knows how to create S3 buckets ec2 instances VPC subnets security groups all of those things now you have a bunch of developers all those developers know is they know how to write their code and build their applications but they need infrastructure to deploy those applications too now you don't want to wait for them to build that applications before they start putting in requests and you start writing the code to deploy the services for that applications you want to pre-provision it so what you can do is you can go to service catalog you can write a terraform code or any cloud formation template to create a VPC and then you go into service catalog and you create a prod that's called VPC and you put in that t that that that code there that creates a VPC you write another code that creates an E2 instance you write another code that creates an S3 bucket and you go into service catalog and you create a bunch of products there you can create a VPC product an S3 product a a security group product an ec2 product and so on and so forth when that developer wants to create when that developer needs a server to test their applications the developer will no longer come to you and say oh J I Need a server that 
developer will just go to Service Catalog and select the EC2 product. It's just a click: click on the EC2 product, click on Launch product, and it creates that developer an EC2 instance and gives them the IP, or whatever information you want them to have. Now they can use the IP, SSH into the instance, deploy the applications and do whatever they need to do. So that's why I say it pre-provisions; maybe I should say it pre-provisions compliant products, because if you want all EC2 instances to use a particular AMI, this is where you put that in the code. You specify the AMI that they must use when they launch the EC2 product; they don't have a choice to go and pick different AMIs or pick different instance types. They'll pick only the ones that you have within that product. And then you can completely block access to the EC2 console using an SCP, so that they don't have access to that EC2 console anymore. So it helps you to basically set up that compliant environment; that's why it's part of Control Tower. Account Factory is just another product in Service Catalog, okay? And it's just the product that helps you to vend accounts, to create new accounts. Okay? All right, any other question?

Yeah, I have one that I was going to ask before we got into this particular space. So the CCoE sounds like it's a governing group, I wouldn't say... What qualifies you to be in that group, say in an establishment? What kind of qualifications would you have to have to be part of the Cloud Center of Excellence team?

You can apply for a job as a solutions architect, and then they bring you in and they ask you if you understand the governance services, and they'll bring you into that governance team, okay? So the qualification is just you understanding the AWS architecture, because you can do different things as part of the CCoE team. You can be part of that CCoE team and you'll be required to
create some Service Catalog products to help the development team. You can be part of that team and be required to write some SCPs to control what people are doing in the environment. You can be part of that CCoE team, and then maybe all of the controls that AWS is offering don't align with what you want to achieve, and they'll ask you to create a custom control, okay? So understanding the AWS architecture is the key skill that will make you part of this team.

Thank you.

You're welcome, Myner.

I believe what I meant by hybrid is in the sense that, if I was to have some instances in an on-prem environment, can I still connect it to, say, if I have Control Tower VPCs, in the Control Tower within the same region? Can I still connect it to it and sort of implement some controls to take logs from those instances sitting on prem?

Absolutely, yes, you can. Because if you're using centralized logging in your log archive account, right, and the log archive account is centralizing things like CloudTrail logs, CloudWatch logs, Elastic Load Balancer (ELB) logs, VPC flow logs, all of the logs, these are all centralized in the log archive account. And if you have your virtual machines on premises and you want the logs from those virtual machines to be sent to AWS, what do you do? You go and you install... I'm waiting for you guys to talk.

Oh, the agent.

Of course. You install the CloudWatch agent on the virtual machine. When you install that CloudWatch agent on the virtual machine, it's just software; you run a few commands on that VM and it installs it. Now that VM will start sending logs to CloudWatch, and when the logs hit CloudWatch, CloudWatch will push them to the log account, so it centralizes it. Does that make sense?

That makes sense, thank you.

You're welcome. All right, so let's look at the architecture of Control
Tower. So this is what Control Tower gives you when you set it up, okay? If you look at this carefully, let's go over everything in detail. It starts with the master account, okay? Now this is an old architecture, so AWS changed the word master, because master sounds like something from the slave trade, so AWS has changed that from master to management. So you never hear AWS saying master anymore; it's always going to be management. So you have the management account, which is the account that you currently have AWS Organizations in; that will be your management account. Inside that management account you have Control Tower. When you set up your Control Tower, it will start by enabling your AWS Organizations for you if it's not already done. All of you guys already have your AWS organization set up, but if you didn't have it set up, Control Tower will do that for you. When it sets up your AWS organization, the next thing that it does is it sets up Identity Center; the name changed from Single Sign-On to Identity Center. So it's going to set up your Identity Center, and that Identity Center comes with an Identity Center directory, an IdC directory, and that directory is just a preconfigured directory that has certain users already pre-created in it. You have your Control Tower admin user already created, you have other users already pre-created by Control Tower, okay? That's what the directory is made up of, but you have the ability to add more users into that directory. You also have the ability to integrate Identity Center with any other external identity or SSO tool that you have. Let's say you're using Microsoft Active Directory; if you're using Microsoft Active Directory, you don't want to manage two identity centers, so you can take AWS IdC and integrate it with your Microsoft Active Directory. If you're
using Okta, you can take AWS IdC and integrate it with Okta. Actually, we're going to do one of the integrations so that you guys see how it works, because sometimes you get on a job and the first thing they want you to do is to help with that integration effort, okay? So that's what Control Tower does: it sets up your IdC and creates the directory for you. Then it creates, let's start from here, Service Catalog. Within this Service Catalog you have that Account Factory product that already comes with it. Then StackSets. A StackSet is just CloudFormation; it enables StackSets. StackSets is a feature in CloudFormation that gives you the ability to sit in the management account and create a resource in one of the member accounts from the management account. You do that using StackSets, so it sets up StackSets for you. Then these are organizational units. It creates two organizational units for you, and you have the ability to create more than two if you want to. So it starts by creating a Security OU; it's no longer a Core OU, it's a Security OU. I think I have a cleaner architecture; I don't know why I picked this one. This one is better, okay? Yeah, this one is better. Okay, so it creates a Security OU. If you look right here, this is a Security OU; it creates a Security OU for you.

Can you please make it a little larger, if possible?

Okay, one second. I don't know if I can, but let me see. Apparently I can't. Okay, should I go back to the other one? Is this better?

No, no, that's fine, the cleaner one is fine.

Okay, all right. So it sets up your security organizational unit. A Security OU, like we said yesterday, is just a bucket, right? It creates that bucket for you. Now within that bucket, that's where you have two accounts. So when you're setting up your Control Tower tonight, you need two other email addresses. You need one email address for the log archive account, so if you can see right here, you have the log archive
account. So you need an email address to tie to the log archive account, and you also need an email address to tie to the audit account, okay, because those are the two accounts that come automatically with Control Tower. So you need two other email addresses. The log account, like I said, centralizes AWS CloudTrail and AWS Config logs and your other logs; you can configure it to push all of those logs into the log archive account. It automatically creates an S3 bucket for you, and it sets the account baseline; the account baseline is all of those things that it pushes to set up your landing zone. Then in the audit account it creates an Amazon Config aggregator. The Config aggregator basically helps to push config rules, the same config rules, and aggregate all of your config rules in all of those accounts, and then it sets up security notifications using Amazon SNS. That's what the audit account is meant for. And then you have cross-account roles. A cross-account role is just this role that gives the security team the ability to jump into one or two accounts. For example, I told you guys a story yesterday of how one time I went out of the country, I left my laptop here, and then I got a trigger on my phone, on my pager, because I needed to clean up my account; that was a security alert. The security team used the cross-account role to get into my account and be able to delete whatever I had going on in my account at that time, okay? And that's one of the things that Control Tower already sets up for you; you don't have to do it. And then now the second OU, which is a Sandbox OU. So if you look at this architecture carefully, the Security OU has the audit account and the log account in it; the Sandbox OU has provisioned accounts. So it is in this Sandbox OU that you can choose to say, okay, I'll just set this up as my sandbox environment or my dev environment, and then you can start creating multiple other OUs within Control Tower. So you have the ability to
create as many OUs as you want within Control Tower. But this is just a picture of what Control Tower gives you that helps to set up that landing zone and make sure that you're operating in a way that you can achieve speed, agility, compliance, governance, control, all of those things at the same time. You will not see a developer now wanting to create an EC2 instance and then running into lots of challenges because of security; the security team can use Service Catalog to pre-provision all of those products for your developers to use, and it makes things way easier for them, okay? All right, so let's talk about Customizations for Control Tower. We need to set up our landing zone because it takes about 40 minutes to be fully established. Let's talk about Customizations for Control Tower. So one thing about Control Tower is that it sets what we call a standardized baseline; it has a particular standard, it gives everybody the same thing. But like Victor asked, some companies may have different things that they want to achieve. Some companies may choose to say, okay, when I'm vending a new account using Account Factory, I don't want to have the default VPC created in that account, which will make sense, because the default VPC comes with a 172-dot-something CIDR. Maybe that company is operating within the 192 CIDR range, or maybe they are operating within the 200 CIDR range, so the 172 CIDR range that comes with the default VPC is completely off from what they're doing and they don't want it. Because the default VPC comes with all public subnets, maybe they don't want all of that exposure in their environment. You can use Customizations for Control Tower to customize your environment so that it aligns with what you want to achieve. You can automatically set it up to delete all default VPCs across all regions, you can set it up to create VPCs, you can say, okay, when every account is vended I want that
account to come with one VPC already created in the account, and that VPC should be in the 192 CIDR range. So you can automatically customize it to create that VPC for you when an account is being vended. Or you can say, I want some policies to be already pre-existing in the account when the account is being created, I want some S3 buckets, I want certain things to happen in the account. So Customizations for Control Tower is meant to give you that ability to customize your Control Tower to achieve your specific use case. Okay, Customizations for Control Tower gives companies the ability to customize Control Tower to meet their specific use case, okay? And I've given an example: it could be that you don't want the default VPC, it could be that you want to pre-provision certain services like a VPC, it could be that you want to apply some policies in the environment. So you can use Customizations for Control Tower to customize your environment to align with your specific use cases. So there are three, I'd say two main tools that you can use to customize your Control Tower. So AWS has CF..., well, I'll talk about CfCT, and AWS has a tool that's called LZA. LZA means Landing Zone Accelerator. We don't have to implement this, but you can just know it because it will help you in your interviews. Landing Zone Accelerator. So Landing Zone Accelerator is one of those tools that really helps a lot of companies to implement lots of different things that they want to customize in their environment at scale. If the company is using CloudFormation as their infrastructure-as-code tool, then LZA will be a good customization that they can use, because LZA is written in YAML, just like JSON; LZA is written in YAML, so it makes it really easy for them to use. But again, this is just a tool. This
is a tool that will set up that customization. What LZA does is LZA creates a pipeline using AWS developer tools, and you can just use that pipeline to push the different customizations into the environment, but you write those customizations using YAML, okay? And then we have another customization that's called Account Factory for Terraform, also known as AFT. Account Factory for Terraform is meant for organizations that are a Terraform shop. If the organization is using Terraform as their infrastructure-as-code tool, then AWS has created Account Factory for Terraform as the customization that they can use, okay? And then CfCT. CfCT means Customizations for Control Tower. So CfCT is actually going away, or AWS is encouraging its customers to use LZA instead of CfCT because they are duplicating it. AWS is encouraging customers to move away from CfCT to LZA because that is slowly going away, okay? But it's written in JSON, which is typically what, if you're using Control Tower, CloudFormation is written in; CloudFormation is written in JSON, so CfCT helps to build that customization. So what I've seen is a lot of companies will start with AWS Organizations, just like what we had yesterday, and then they'll use AWS Organizations for a while, and then they'll choose to move into Control Tower when they feel that they're capable or they have the skill set to manage Control Tower. After Control Tower, then they'll start moving into how they can customize the environment to suit their specific use case, and then they'll choose if they want to use AFT or CfCT or LZA, okay? But that's pretty much how organizations will use this tool to centralize governance in the environment and bring that balance between agility and control. So tonight we're going to set up our Control Tower landing zone, and then once we
do that, we'll have a walkthrough of the dashboard, and after we have a walkthrough of the dashboard we go into how we can use Identity Center, we go into how you can use Account Factory, we look at all of those key things so that you guys have an understanding or some familiarity with those things. And then in our next class we'll use Control Tower to integrate it with another identity or single sign-on tool out there, most likely Okta, so that you can understand exactly how that integration works, because it will help you even if you go into an environment that already has the integration; you basically understand where they're coming from, okay? All right.

What did you say CfCT stands for again?

Customizations for Control Tower.

Yep, Customizations for Control Tower. But it's one of those tools that AWS still has out there just because there are some customers that are still using it. They don't just deprecate CfCT; they don't just deprecate a service just like that. But now when any new customer is coming in and they have to customize their Control Tower, AWS speaks more about LZA and tries to tell them that, okay, LZA has more benefits than CfCT. All right, so let's go ahead and set up our landing zone, just because that takes some time. Let's set it up, and then when we come back from break we will move into exploring our landing zone better. I'm going to stop sharing, then we have someone share. Log into your AWS account, and again we need two email addresses, right, for the log account and the audit account.

So the ones we created yesterday we don't have to use, right? Or are we just starting afresh completely from that hierarchy we did in the runbook? Is that right?

No, we don't have to use them, and after this you can clean up all of those, okay? And I think the runbook for tonight has the steps to clean everything up so that you can just have your single account, or you
can choose to manage it as a multi-account environment, okay? You can clean up and just close the account. You guys know how to close an account, right?

I don't think I have before. It shouldn't be too hard, though.

No, it's not too hard. You just go to settings and then you close the account. But if your account belongs to an organization, you have to first of all leave that organization, because you have to make it become a standalone account, and then you close it. AWS just wants to be sure that the account can operate on its own before you close it, or that you have permission to close it from the organization, okay?

Have you shared the runbook yet?

Not yet. So we're just setting up the landing zone, and then after that we'll look at the runbook after break. All right, so if you logged into your AWS account and you go to AWS Control Tower, click on Set up landing zone, okay? Scroll down. All of this is just informational stuff. So you see where it says home region; it's just confirming that you want your home region to be North Virginia, which is where you're currently located. If you prefer that your Control Tower home region should be another region, then this is where you can choose that. And then when you scroll down it goes to region name; you can choose other regions that you want Control Tower to manage. And then deny settings is basically saying that I want to deny access to this region, so you can deny access to whatever region. But that's all, so here you don't really need to do anything, so go ahead and click on Next. And then, see, we talked about the Security OU. The Security OU is the foundational OU that AWS has created, so they have the name Security OU, and then if you scroll down you see additional OU, and I think the name is Sandbox, but you can change it to any other name that you want. So if you don't want it to be Sandbox you can use another name, and then scroll down and click on Next. And then now you need to create your two accounts, so you put in your
email for your log archive account.

It's grayed out.

It's not grayed out; the one that's grayed out is your management account email.

Yes, of course. Can we use the plus on our regular account?

You need a unique email, an email that's not tied to an already existing account.

So the question was the plus thing we used, you know, the...

Yes, yes, the dynamic email. So yeah, you can just use your email. Say if your email is victor@gmail.com, you can just use victor+logarchive, and then victor+audit, okay? So you do that, and then you go in and put in your audit account email. No, you didn't put the plus for the audit account.

The one typing, one second. Something plus audit. Do we go next?

Yes, click on Next.

Prof M, if we were to close the accounts, are we able to still use the same unique emails that we've been using to create accounts?

Yes, you can.

Oh, okay. Thank you.

Okay, so here you leave everything as it is. Scroll down. This is just saying if you want to encrypt your CloudTrail logs from Control Tower, if you want to enable organizational logs; just leave everything as it is and don't encrypt it. Click Next, because if you encrypt it, it's going to ask you to put in a key. And then scroll down; that's it.

Are we going to come back and add accounts to the Sandbox OU?

Yes, you can do that after your landing zone setup.

Okay, after the landing zone setup. Okay.

Yeah. So typically it takes 60 minutes, but it's going to take shorter, maybe; because all 30 of you are doing it at the same time it might take a little longer, but in 30 to 40 minutes it should be done. So if we take our break and then come back from our break, hopefully most of you should be done, okay?

Super. All right, so let's take 15, and then when we come back we'll dive into looking at the Control Tower dashboard, look at Account Factory, look at all of those things, which will be fun, okay? Okay, so please, please, please, the landing zone comes with a little bit of
cost, I think on average; you know, AWS is always pay as you go, so depending on the things you use, that's how much cost is going to accrue. But I strongly, strongly encourage you guys to get comfortable with this governance aspect of AWS, managing multi-account setups with Control Tower. I'm sure Prof Susan already mentioned this: Control Tower is based on a couple of AWS services. It's using AWS Config in the background, it's using AWS Organizations in the background, it's using Identity Center, it's using Service Catalog, a bunch of services in the background.

So I was tempted to ask you, you know, the scenario you kind of highlighted yesterday, when there was this young man that kind of misconfigured a particular service in the OU and you had to go investigate; was it through Control Tower getting to CloudTrail, or did you go straight to CloudTrail, or was it through Control Tower that he got to CloudTrail to read the logs?

So depending on how you have your Control Tower set up, some people opt out of having the general CloudTrail thing shipping to the logging account, but for us we do have it. So when you're doing Control Tower and you enable CloudTrail logging, you have a logging account, and all the other accounts are shipping stuff to the logging account, so that's where we got the information from.

Gotcha, okay.

Looks like the landing zone is now complete. Good. So have we all completed, everybody?

Yeah, mine is complete.

Yes, mine is complete.

Beautiful.

Mine too.

Beautiful, beautiful, beautiful. Good stuff. So you can just go to the three dashes at the top left; I've forgotten the word for this thing. So you can see the dashboard, you can see a couple of other things there. So this is the general dashboard for your Control Tower. Because your landing zone has not been active for a very long time, you might not have a lot of information here. Give me a second, please. So you can go to the dashboard. Can you
close the confirmation window? So that just tells you the different things that are there. You go to Organization; here you would see information about the different organizations that are in your account. Click on Organization, please. Good. So now I think you're still logged in as your normal IAM user. Did you people create a user in Identity Center?

No, we just tried to enable the landing zone.

Yeah, but during the enabling process there was a dialog box that told you either to create a user in Identity Center or not; that's why I'm asking. So, basically, as you can see, you created a Sandbox OU and a Security OU. You already have an OU in your account called JJ Tech Dev OU, which is what we created yesterday. You can see that this OU is not part of your Control Tower at the moment; that's why it says not enabled. You can see that the OUs have... this is your management account; this is also enrolled into your Control Tower setup.

Interesting.

We good? So the reason why the Leonard Moa account is enrolled is because that was what he used in setting up the Control Tower; that's the account he used in setting up the Control Tower, so it enrolls it immediately, okay? So if you open the Sandbox OU, you should see the log archive and the audit accounts, and both accounts in there should also show that they're enrolled. Sorry, the Security OU, because the Security OU hosts the shared accounts. Security OU. Where is my pen? Good. So you can see the log archive and audit accounts; you see that both accounts are also enrolled. And if you go into the JJ Tech Dev OU, which is the OU you created yesterday, you should see the accounts which are there, and they are all not enrolled. So we're going to enroll, we're going to register our JJ Tech Dev OU into Control Tower. So this is how you get into an environment, and if they are not using Control Tower yet you can help them achieve better governance by using Control Tower. So there are some overlaps
between things that Control Tower does and AWS Organizations. Like I said, Control Tower is using AWS Organizations in the background, okay, so it's a foundation service for Control Tower. We good? So Control Tower also has its own vending machine, so you can use Control Tower to just vend AWS accounts. You have an Account Factory, and in that Account Factory you can configure pre-approved settings for accounts that you want, then enable the different users in your organization to just vend AWS accounts as they want. So we're going to use the Account Factory to vend an AWS account; vend is just create an AWS account. And Control Tower also comes with its own IAM management; it uses AWS IAM Identity Center in the background. In the past it used to be called AWS SSO, Single Sign-On. I think a year ago or something AWS changed that and added some features. So if you go to Users and access, with the Users and access, scroll down to user identity management. So here you can create, how is it called, users in your AWS account. So when you use Control Tower we can create a user; if you are bringing somebody into your environment you just come to Identity Center and you create the user. You don't go through IAM itself; you just create a user, create groups, create permission sets, grant permission sets to the users, and attach the users or user groups to specific accounts, and when the user logs into your environment they just see the different accounts which you've enabled for them, okay? We're going to try that in a couple of minutes. And you can also set your landing zone settings, so you can update your landing zone, the different things you can configure for the landing zone. So be very careful with landing zone settings, because, I'm sure Prof Susan mentioned, as you enabled Control Tower, Control Tower created a bunch of resources in the background. Those are the things that enable Control Tower to do what it does. So once you're in
your accounts, your individual member accounts that you vended or enrolled into Control Tower, if you go into those accounts you will see some S3 buckets, you will see some IAM roles that are all Control Tower controlled. Do not delete or modify these resources, because once you do that there is going to be a drift in your Control Tower and it doesn't function as it should. We can fix that after the fact, but it's a best practice not to alter settings for Control Tower controlled resources.

You're talking on mute, Prof.

Very much? How long have I been on mute? You can also see the controls. If you go to Controls, this is where you have all the guardrails that Control Tower uses: the preventive, detective, reactive guardrails, and whether they're mandatory, elective or strongly recommended, and stuff like that. So this is where you see all of them. By default your Control Tower has 513 controls or guardrails. All the mandatory guardrails are enrolled, or implemented, by default; for the strongly recommended or the elective ones, you can enable those guardrails in your Control Tower settings.

Sorry, how many did you say, by default?

I think, right, scroll up, you'll see it. 513.

Oh, I see it. Okay, thanks. How did you get to this control?

Go to All controls.

Which ones mean proactive? What do they mean?

Some detective guardrails, from the name, detect; so something needs to happen, then this guardrail will detect that it has happened, then it gives you a report that this has happened. Then proactive means what? Proactive is very similar to preventive, but there's a difference. For example, preventive guardrails prevent an action from happening. Preventive guardrails in the background use SCPs; detective guardrails in the background use AWS Config; proactive guardrails in the background use what we call CloudFormation hooks. So proactive can also prevent something from happening. So if you want to perform an
action in your member account and you have proactive guardrails, the CloudFormation hooks would evaluate whatever resource or whatever action you want to perform, and if that action does not conform or is out of compliance with the proactive guardrails which you've enabled, then it's denied. For example, a proactive guardrail can evaluate if you're creating an EC2 instance that does not conform with tagging or whatever setting which you have, and it can deny that instance from being created. Why do I say that they are very similar to preventive? Because in that case it has prevented the resource from being created. However, you can also have proactive guardrails that are watching a resource that has already been created. For example, you've already created an S3 bucket and this S3 bucket now has some guardrails, and you're saying that, oh, for this S3 bucket we do not want member accounts to change some settings. Or you also have, how do you call it, some policies in member accounts that you do not want users to change settings on or add permissions to. So in that case you have proactive guardrails, and those proactive guardrails would watch what the user is trying to do, and if those actions are not allowed for modification then it's denied. But a preventive guardrail, on the other hand, would prevent a resource from being created because it needs to conform to the compliance of the guardrail which you have implemented in your Control Tower settings. Does it make sense?

Yes, Prof, thank you.

Great. In the back of my mind I'm trying to see what I did not figure out. So here you're still logged in as your IAM user, so let's create a Control Tower user, then log in as a Control Tower user so you can see the view, okay? So in order to create a Control Tower user we go to Users and access. Let's start from there. Did you already log in and see all the three accounts, the audit, log archive, and the different OUs?

I'm not sure, because
you don't have the Control Tower user, right? I think you showed it as we were clicking on initially, unless I don't know what dashboard...

Yeah, yeah, the Control Tower dashboard; that's what I'm trying to...

Not the dashboard. Here you're able to see the dashboard because you are using an IAM user which is also an admin user in the management account, so it has permissions for Control Tower, okay? So let's go to Users and access and let's create a Control Tower user. So you see, go under user identity management, view in IAM Identity Center, click Users. So we already have a user here called mulu [email protected].

I don't have any user here.

You sure?

Oh, oh, okay.

Go to Users. Yeah, yes. So can you click, use this Control Tower portal... go back to the Users, click on the user. So by default this was created. Click on that; I want to see the user. So there is a user portal which... click on accounts, let me see. Good, this is it. Scroll back, go back to the dashboard where you were with the user portal. The getting started, organizational units; scroll down, go to Users and access. Where is that portal? Yeah, this is what I want, the user portal URL, top right. Wait, wait, can we all see this?

Yeah.

So click on that. Now you have the default user inside. Can you log in as your default user? So you guys created a user without knowing; that's what I was asking for. Can you log in?

I think mine defaulted to my root user email, so do we use that or change it?

Yes, by default the main user would default to the email.

So should I change that to the regular...?

No, you don't need to change it. It's okay, because this is the Control Tower admin user. We're going to create another user that uses subsequent information. Click on Forgot password so you can always change this information. So I want you to log in as this user so you can see the display of Control Tower using... okay, or hold on. Go back to your email address, go back to your email, the
mulu [email protected]. There should be an invitation there from Identity Center. Just open your email, let's see. Sorry, we will not read things that don't concern us. We just confirm in the background if you have an invitation from Identity Center to join Control Tower. I expect you to have an invitation.

Then yes, a subscription or something?

Yes, something like that. Yes. So accept that invitation and set up the password in the background. Once you accept it, it should open a portal for you to set this password which you wanted to do here, then you can log in as that user. Do we all have that email? I expect everybody to have that email.

Yes sir. Do you have to use the authentication app?

Yes, you have to use an authentication app. So that's one of the security features of Control Tower: you must have MFA here. But I think, anyway, just go ahead, follow the on-screen instructions and ensure that you have the stuff. Are you doing it in a different screen or are you having latency?

Is the email supposed to say we should subscribe? Is that what you said?

You should accept an invitation. We good? Do we all see it? Is there somebody without that email? Who doesn't have it? So go to the email address which you used in creating the account. That email address should have an invitation from Identity Center to join Control Tower Identity Center, or something like that. Oh, here. Emma, do you see it?

No, the email I got was talking about subscription, so I'm wondering what that...

Before the subscription, the subject line is "Invitation to join AWS IAM Identity Center".

Good. Oh, OK, yeah, I forgot. Now one here: what is this? Is this doing anything to our root account? Because we've already done this with the root account. Is this doing anything to... are we redoing this? I thought we already did all of this for the root account, right? So we have the authentication.

Yeah, so this is... the reason why you're doing this is because it used the same email for
that account which you enabled Control Tower in, that management account, to send you an invitation to join Identity Center. So the permissions which you're having here are going to be very similar to your normal IAM admin permissions, but this now would be a user in Identity Center. Hold on, before, if you want to go back to that Users and Access in Control Tower, you click on the user which we saw. "Control Tower admin" is written there, I think that's the username or the display name. If you look at it, it should say "no MFA". You understand what I mean? Mulu, go back here. Come here, maybe we will see what I'm trying to talk about. Come here. So you see, this is what I'm talking about. This is a user in Control Tower and this user has no MFA right now. The user is still using the same address, but this is a user in Identity Center, and the user is the Control Tower administrator. Does it make sense to you?

Yes, it does, even though this user's email address is the email address.

Yeah, that's OK.

I think that's what confused me a little bit. OK, so we're changing our password, that's what it is.

This does not change the password for the IAM user itself. This is a user in Identity Center. They're different.

Oh, so we can use a different password here.

And you can use a different password here, it would be OK. That's why you were... Mulu, I'm very sure you were using your password for your IAM user here, right? That's why I was telling you that it was not going to work.

I had a problem. I used the same password and it worked.

Now, because you've configured it as the same password.

Oh, yes, yes, after. Yes.

Yes, now because you've configured the same password for both users. But when you started, you were putting in the password for that IAM user in Control Tower; I was telling you that it does not know that credential. Why is it taking too long? Can you refresh? Good, so this is what I expect you to see. Can we all see this? So this is how users, when they access AWS using Control Tower Identity
Center, this is how they're going to see your different accounts. So if you join an environment that has 500 accounts, 200 accounts, this is where you're going to see the different accounts. So your management account, this is it. You can confirm that this management account's account ID is still the same as what you had with your normal IAM user. And for you to log into this management account, you click on the drop-down menu; it should present you the different permission sets which you have to log into this account. So click on it. You see you have AdministratorAccess, and you can click on AdministratorAccess, and this is how you log in. Now you're logging in as a Control Tower user into the management account. You see that? So now watch what we have here. This is very different from administrator access. Mulu, Leonard, Mulu, are we together?

Yes sir.

So if you create a new user, you remember you created... you had the console sign-in link for IAM users, you created passwords, you created security credentials. In this case, all you're going to do with them is send them the Control Tower portal and their credentials, and they log in, and when they access Control Tower they should be able to see this portal with the different accounts that are enabled. Go back to the portal. So if I have in my environment 300, 220 accounts and I invite you, Mulu, I can decide to give you access to just two accounts. When you log in you will see just two accounts in your dashboard. It doesn't mean that Control Tower has just two accounts; it means you've been enabled for those two accounts, and in that case those are the two accounts you can access. But with administrator access you'll be able to see all the accounts. Can you see right here that now you do not see the accounts for the other OU which is not enabled in Control Tower? You see that?

Yes.

Good. Any question? No question, we go ahead. So let's advance. So while you're logged in as
your Control Tower admin user, let's log into our management account, which you already did in the next step. So now we're here as our management account, as our Control Tower admin user, and we can go back to Control Tower. So go to the service Control Tower. You should be able to see everything the same as you saw before. Can we scroll down? So now if you go to Users and Access, you should be able to see that we have the user now with MFA set up. Scroll down, "View in Identity Center". Yeah, I already... OK, I already saw that. At the time I was trying to show you that, choose "one MFA user", so you can see that, yes, an MFA device has been set up for this user. Do you remember that before there was no MFA?

Yeah, and then I refreshed it. Where I was there, I refreshed it. So I was speaking, mine was on mute.

Victor, we good? Emma, Fran, Shant, you've been very quiet.

Yeah, Landing Zone. Even though I've created the administration... it's asking me to set up...

Are you... yes, you're in AdministratorAccess? Are you sure you're in the administrator account?

I am, yeah, it's showing that I'm in the administrator account.

Stream, show, share this thing. I enabled multiple sharing, just share. Let me see what you have there. Remember that Control Tower is in the admin account. So if you've logged into a different account, then it can still show you to set up the Landing Zone there.

Yeah, I'm sure. So there's my access portal, and when I access Control Tower I'm not seeing... so I have to stop.

So it is asking you to set up a Landing Zone. Did you use North Virginia for your Landing Zone?

I used North Virginia, I haven't left this region in a while.

No, bro, I'm not sure. It should be... just try to refresh, because I do not expect you to see... if you don't... I don't expect you to see this.

The problem is that he's in the audit account. You've got to go to your main, you know, your management account, the first one.

What is... oh, the first one? Yeah.

Yes, your
management account, because Control Tower is not part of the audit and other accounts. That's why I asked which account you are in. Now if you go to Control Tower you should be able to see it.

All right, thank you.

So it made no sense, right? Because I could see that you have Control Tower set up. OK, we're good. If we are good here, then let's enroll our OU from yesterday into Control Tower. So go back to the Control Tower dashboard as your Control Tower admin user. You can also enroll this using the other user, but it's always good to use your Control Tower Identity Center user to manage Control Tower; that's recommended. So you can create your AWS account, create an IAM admin user, use that IAM admin user to launch Control Tower, then you keep the admin user now in a vault, and you control everything in your environment using Control Tower Identity Center users. Does it make sense?

Yes sir, it makes sense, but it was moving fast.

Who was moving fast?

The voice. It makes sense, but the voice was moving fast.

Do I talk too fast?

No, you don't. No, no, just this ending point, you moved too fast.

All right. Evette, you have a question?

I have a problem, sir. I've been trying to log in but I couldn't do it because I have this error message. Even though they say it's not me, they say "we couldn't complete your request right now". Like, I tried to use my authenticator app on my phone, but I couldn't access my IAM Identity Center.

You sure? Let's take two minutes and look at your problem. Sure. OK, Alan, Mao and Dener, you good?

Yes sir.

OK, registering your authentication app. Go back, refresh the page. So it's saying that it's not you, it's us. Yeah, username. So I guess it's going to be your... it's going to be the... please don't do it here. Go back to your email address and configure this using the link that was sent to your email address.

Should I stop sharing, or if I share, you can just pause the screen and move to your email?

Then you do it. Once you're done, then you can
share it. OK, were you able to set your password using the access link in your email?

Yeah, I did that.

OK, if you have it here, this will also work if you've already set up your password. Got it. Yeah, put in the password which you set up here. Now click on "Authenticator app". Scroll down, next. Yeah, use your camera to scan that.

Can I use the scanner or my camera?

Go to your... give me a minute, one second. If you go to the authenticator app, there's a plus sign there. Are you using Google or are you using Microsoft?

Google Authenticator.

So as you open the authenticator app, there's a plus sign. Then once you click plus, it would open the camera or something for you to scan this. OK, then once that's done, it starts displaying codes in, I think, 30-second windows. You put in the code here. Ensure you have this code running; you do this while that code is still displayed in your window. Do not allow it to expire.

It's expired. Let me just try the new one now. So I have two, should I do the one that says AWS SSO? I have two, like, the first one that says Amazon Web Services and it has my... give me a minute.

Yes, it is the SSO. Because you're using the same authenticator app and you're using the same email address, you have two. It displays two MFA codes for you. The first one is related to the initial IAM user which you...

Yeah, I'm using the second one, I'm using the SSO, but it's not working. I don't know.

Refresh again and do it. Refresh your browser.

Do you think she should rescan it again, Prof? I actually used something else to log in when I had this problem. I had the same error. I just went in and put in the... it said "try another way", and I used, you know, a PIN instead.

Yeah, there are different ways. I think it gives you three different options there, right? But I'm very curious as to why your MFA is not working.

Mine didn't work either, but I didn't want to dwell on it. I can
easily try.

So you can troubleshoot in the background, and Victor can tell you how he sorted it out so you get the access.

So there's "security key"; use the third option, "built-in authenticator". Yeah, that one. And then just remember that there's a PIN you kind of used for your Gmail account when you're logging into your system, like the PIN of your laptop, right? Yeah, the PIN of your laptop or something like that, if you remember that.

I don't think I do.

Then you can't use this one.

I can't do it, I just forgot my PIN.

So let's see what it is going to show you. There's a possibility to reset your PIN; that means you have to do it. Two minutes, wait. The PIN window is asking you for... it's supposed to be your password to sign into your computer, the password you sign into your laptop with. That's the PIN it's asking you for. OK, you should go back. Yeah, laptop. Yeah, that's what you use on Windows, when Windows brings out this stuff that you use to log on. It shows you the different permission sets which you have for logging into those different accounts. OK, let's go ahead.

Yeah, because Leonard is logged in as one of those users, audit.

Yes, he's using AWSAdministratorAccess to log into the main account, his main account, which is the management account.

When I... I did it the other way, like using my regular account that became the admin account. I just get my username and some numbers, but then when I click on one of those users, the audit or the log archive, the AWSAdministratorAccess, that's when it pops up on top. That's why I'm asking, are we to use that user, or are we supposed to use the other IAM account that is now a tower admin? I guess it switches that in the background.

Do you still have your normal IAM user displayed here, or do you have something displayed like this?

I have something displayed like this if I log in with...

You can share your screen.

OK, let me share my screen. So
in the background I guess AWS switches the user, because you already have that user. Because I think when you go with the IAM user you have a link to that account, right? There's a link to that account somewhere; if you click on it then AWS is probably doing the switch. But you do not have the display, you do not have that portal, right, from the beginning, the Control Tower portal. Let's go ahead. Can we see what you're doing? And let's go ahead, just one hour.

It's a dark screen. It's about coming up.

You're probably on the wrong monitor. Has it stopped screen sharing? Just screen share.

We're seeing a black screen, we can't see you. Can you stop? OK, can you see now? OK, it kind of locked. Stop, stop, and again. Is there somebody going to work in the next one hour? Work, it's Friday night.

OK, yeah, I'm going. OK, this is what I'm saying. If I click on this one I get this, just like a...

Yeah, go back to the access portal. So here you're seeing the display for the three different accounts that are in your Control Tower right now. So I am guessing Emmanuela is your main account?

Yes.

Good. And the other ones are the log archive and the security OU accounts?

Yes.

So now this is how you access the different accounts. It's giving you administrator access to the audit and the log archive account and also to your main account. So those are the permission sets, AWSAdministratorAccess; those are the permission sets that by default it gave you to those different accounts, because this is the Control Tower admin user. Good.

So which one are we using now, where Leonard is, the administrator account?

If you go into audit and log archive you will not see anything Control Tower related.

Oh, so I should click on this one?

Yes, your Control Tower is in your main account, your Control Tower management account.

OK, OK, so let's go.

So in here we want to register the OU which we created yesterday, and we can all see that it's not
part of our Control Tower. OK, so we just go back to Control Tower, let's go back to the Control Tower dashboard. Sorry, you've got to search for it. So we go to Organizations, scroll down. You see there's an organization here that's not enabled. Click on it, we select it, go to Actions and "Register OU", and that's it. So you scroll down, you see that you have two accounts in this and they are not registered. So you can just scroll down, leave everything as default, and you register the OU. So it's going to take some time to register this OU and all the accounts. You must acknowledge that. So you can scroll down, you'll see that it's trying to enroll those accounts into Control Tower. But this is how, when you get into an organization and they are not using Control Tower but they already have an organization in use and a bunch of other things in use, you can start enrolling accounts into Control Tower. All right. I actually have a project where my company has been contracted just to set up their Control Tower environment. That's all they need from us; once we do that, then we leave.

Do you have to train them to use it?

Yes, we have a "teach and tell", as we call it. After we set it up, we do a teach and tell for two or three guys on their side to be able to do that, and prepare documentation, documentation in Confluence on how everything is set up, how everything works, so that subsequently they do stuff on their own.

Is it part of the work of the DevOps when it comes to setting up Control Tower?

This is not really DevOps work. This is... you are the expert.

Yeah, is it an architectural something?

Yes. In AWS there are different categories of stuff. Control Tower, AWS Organizations, what it falls under is the category cloud governance. So this is about setting up cloud governance for them so that best practices are followed and stuff like that. OK, this is not... yes. So give me a minute, give me a
minute. Let me just say this: to one extent I would also say this is DevOps, because we are setting up everything for them not on the console, we are using Terraform. You understand? So you see, you need to understand AWS, then you can do the DevOps things for it. You see how these things are related; you just can't study DevOps in isolation.

Yes. OK, yes sir.

So now you need to understand Terraform. We need to fix the pipelines for all those things to work; that's DevOps. But what is it doing in the background? It's AWS. You need to understand AWS to do that. The person with the question?

I have one more. Sorry, somebody was asking.

I wanted to ask one quick question. So what you did for that group was consultancy in its essence, right?

Yes, it's consultancy.

Yeah, so did you also have to set up something like a cloud center of excellence team for them, or did they have that, or was that part of the brief?

That's what we talk about, the teach and tell. We're not setting up a full-fledged cloud center of excellence. So how it is done is not written in stone. Every company will tell you, this is just what we need, and because we are a consultancy we can tell you that this is our premium: if you pay all this money, this is what we give you. You say, no, I want the cheapest option, or so. OK, we'll do this, then we'll have a one-day, two-day teach and tell. So the plan is we will set up Control Tower for them, put everything, organizations, which they want, then write documentation, then have a teach and tell for two days. The first day is a teach and tell; the second day is them, one of the employees, doing what we ask them to do or what we showed them in the teach and tell, to show that at least they are on the run. So after that we pack our things and leave. If they have another problem then they will call my company again and pay more money.

Got you, got you. OK, thank you sir. One final question. I just wanted to know, regarding DevOps, are you going to constantly be
using documentation to set up things in the environment?

What do you mean by constantly using documentation?

Like, maybe we're trying to implement a security policy, or, you know, maybe an IAM policy. Do we always make reference to documentation, or is it just things that we're supposed to know?

What do you mean by "make reference to documentation"?

I think in our lectures we kept making reference to best practice, so I presume there will be some sort of documentation with a standard on how things are supposed to be achieved.

There's AWS documentation for everything. So if you're setting up best practices for an environment, then you have the Bible to consult, sorry, you have the documentation to consult.

But do companies have their own sort of controls that you must adhere to?

Yes. Some companies have what we call their baseline compliance: this is what we have. So each company has its standard. But we also have companies that have no clue about what they're doing; then, as the expert that's coming in, you have to set up those baselines for them. So another short story: we actually did this for a company, because they contracted us. We did this for a company, then when we left, the company thought that... they were not so sure that we were conforming to AWS best practices, so they subcontracted AWS itself in the background: please come and check what this company has done. So AWS came, did everything, evaluated everything and gave them basically a report card for what we did. So that's how it can also be the case. So if you go into an environment and they have no clue, and there are so many of them, you have to set up everything for them. So because I think we're a little bit cheaper than AWS, they decided, OK, AWS will just cross-check you, then give us a report card. And subsequently they came back to us; they gave us a pass.

They gave you guys a pass mark, so it shows you guys know what you're
doing.

Does that answer your question?

Yes, thank you. So if it's... sorry, so if it's a new environment...

Let's go ahead. Let's have this conversation after the fact, OK?

OK, OK. Prof, quick question. So yesterday when we set up the AWS organization, we set up the SCPs inside of the AWS organization. So in this case we are setting up inside of Control Tower. Do we still go back to AWS Organizations to configure the SCPs?

No. Like I said, Control Tower is using AWS Organizations. So those different guardrails, detective, preventive, what's the third? Proactive, yeah. If you see, Control Tower has what we call mandatory guardrails. So all the mandatory preventive guardrails are using SCPs in the background. All the mandatory proactive guardrails are using CloudFormation hooks in the background. All the mandatory, what is it, elective guardrails or mandatory detective guardrails are using AWS Config in the background. So Control Tower, think of it as a higher layer; it is just extending the capabilities of AWS Organizations. All right? So Control Tower is up here; it's using Organizations, it's using all the different AWS services to do what it does. All right?

Right. I think I'm thinking about it because yesterday when we looked at some of the policies, like the tags, they were very specific. Let's say if it's EC2 tagging, we're very specific on what that policy could do if it's attached to one OU, right? So in this case we are not very specific, so I'm guessing you just go through the controls and see which one is applicable. Is that correct?

You can also customize your controls.

All right, OK, perfect.

OK, so you can also customize your controls. So it's not... this is AWS recommended. So by default, because you're using Control Tower, they have what we have as mandatory. So AWS, over the years, with billions, millions of companies that are using AWS, they said that they have evaluated their security posture and say, OK, we need these things, these things are mandatory. So for you to have a
good security posture, those are the mandatory guardrails. These ones are not; they are very good but not very critical, you can see them after the fact, so those are detective guardrails. Then you can have elective, so you elect into it: if you want a guardrail which AWS does not give you a managed policy for, you create it yourself. OK?

Got it.

OK, let's go ahead please, I don't want us to go over time. Good. Now, while our OU is registering in the background, let's create a new user. So let's create a new... give me a sec. We have to create an Account Factory, but I would like us to... we can also do that using the sandbox OU which you created; you can create that in the background. Let's just create a new user and permission set, so you see what we are talking about.

So yes, I couldn't create a Landing Zone in my account because I've been using the account for over two years, right? So I couldn't create... so I just set up a new account and everything is ready now. What is the next thing I should do to get up to speed here?

Just give us a sec, we'll get to you at the end of the class, because I think we would look into your case a little later. All right?

All right sir.

So we have just... let's complete the runbook, then I will help you set up whatever you need to set up there. OK?

OK, yes sir.

So we don't stall the rest of the people because of this case. So let's go back to the users and groups, so Users and Access, and we want to create a new user: the button "View user in Identity Center". Or you can go to Identity Center itself, but this is a shortcut to it. So we want to create... did you already create a couple of users when we were setting up Control Tower, the admin user?

Admin user, yeah, it popped up. If you see the email, the sandbox we did create, there was a user we logged in with, and I think it is using that as a user here too, because I have the same thing.

OK, let's just add a user and go ahead. Click on users.
Yesterday, yesterday, there is one user from yesterday. All the two... one from yesterday? No, no, one today. Yeah, this is from yesterday. So let's go ahead please. OK, you want to add a user. So we want to call the user "auditor", for example. So for example, you can have auditors that are coming to audit your environment, so let's just create a simple auditor, one, we just... auditor. So the auditor user would need an email address, right? So you would basically send the auditing user the email address details so that they can set up their own, what is it called, passwords and stuff in Identity Center, because Identity Center is going to send them an invitation. So you need to set up all the things here. OK, please give me a sec. We have in the runbook, we are creating two users: we have an example for creating the auditing user, but we also have an example for creating a user which is part of the DevOps team. So for both users we're going to need email addresses for that. I'm just trying to avoid... we do not do the repetition, you can test that in the background. So let's just create a group, or we can call this user here "devops one". Does it make sense what I'm saying?

Not yet.

I'm confusing you. Let's create a user called devops one. OK, good. And we need to generate a one-time password to share with the user. You need an email address, so put in an email, put in your second email or something like that in here. That's the thing with Control Tower, you need a lot of information concerning emails. So you can put in an email there.

So what do you mean, second email? Put in the class another email address?

Oh, OK. Just do plus devops, because you already have SBX. It has to be unique. Yeah, use devops like you just created, I guess. OK, yes. So what next? Scroll down, let me see. Display name, last name and stuff, and scroll down. Go to next. We do not have a group so we can create a
group. So let's call the group "devops admin". You can put in a description for the group, "devops admin"; it's a group, just call it devops admin. Scroll down, click on "Create group". So we go back to the users and let's create our user. I needed to put the user in the group; that's why we had to go the route of creating the group. Or we start by creating the permission sets. Just hold. Any of them would work. So let's create a user. You call it "devops admin one", you call it devops. You're creating a group here. This is a group, this is not a user.

Is it a user? We are under the user.

Yes, yes. So you need to add the user to the group. Scroll down, add user. So that's the information concerning the new user which you created. You can copy that into your clipboard and keep it somewhere. We want to create a permission set.

I'm not sure how we got here.

When you create the user, it gives you this. So everything is in the runbook. I'm trying to pick the... because in the runbook we have some repetition for creating the auditor user by using a different permission set, and we want to create our DevOps user with a custom permission set. Let's go ahead. I'm trying to avoid, you guys, we have overtime.

Should we add another user, or what should we do?

No, so we want to create a permission set.

Yeah, I think you guys have lost me here.

Why are you lost?

Not sure how you got from the user to groups. I've created a group but I can't find the... I can't put a user in the group.

Yeah, what happened is it goes to another tab, so look at the other tab. Are you trying to add the user to a group or are you trying to create a group?

I already created a group, but then after that, how did you get to that next phase where you are?

So create the user, because in creating the user it will give you the option of adding that user to a group; then you need to select the group.

Oh, OK, I got you. So do you see that?

One second. I think when you click create
group, it opens another tab. So that's what I was trying to tell...

Oh, is that what happened? That was the next, the next...

It's the same thing. If you go back to creating a user it should still give you the same thing and give you the option of adding the user to the group.

That's what I missed. I see it now. There's a tab that... we just have to stick that in there. OK.

Do you have our user in the group? Now we want to create a permission set. So permission sets are how we give permissions to users and groups and stuff like that. OK, can we create our permission set? So click on "Create permission set". So if you're following the runbook, I am under lab four, creating users, groups and permission sets. So we want to create a permission set. Click on create permission set, you select the custom permission set option, and you click on next. Because you have predefined permission sets that AWS already gives you, but you can also customize your own permission sets. So you're customizing your permission sets just like in IAM: you can have your own set of permissions which you want, which are not AWS managed. So you can use your customer managed policies, or you have inline policies, or you have AWS managed policies. So you can use any of those options. So for simplicity let's use a managed policy from AWS. So open the drop-down menu and we filter for "CodePipeline". So this could be any policy we want; so we want to ensure that these DevOps users have access to AWS CodePipeline. You can filter that with what I have in the name of the permission or the policy in the chart, so just filter that. That's it right there, CodePipeline, I think. Can you move the pointer so we can read? Move this to the... you can either filter or you move this to the right so we can... yeah, good. Zan, can you... good, great, thank you very much. So once you select the AWS CodePipeline policy, you scroll down and you click on next. You can give your permission set a name, so you
can call it "dev team", whatever, so that we know that this is what we... or "devops team". Once that's done, we can review and create the permission set. Scroll down, we create a permission set. Now that we've created our permission set, we have a permission set, so we go back to the accounts, so we go back to the console. OK, something was blocking me. Go to AWS accounts, "Assign users or groups". So let's use one of the accounts in the new JCH OU. So open the drop-down menu. You would hardly give new members access to your management account, right? So for example, this is your DevOps team and you have a couple of accounts you want them to access, so you can click on the two accounts, JCH Dev and JCH Dev 2. So please go back, sorry, I was looking at a different screen. So yes, you select the two accounts in your OU, your JCH Dev. Assign users or groups: we want to assign this to the group we just created, so look for the group we just created. Scroll down, devops, yes. Let's click on next. Now we want to give the permission set which we just created, so scroll down, you should look for a permission set; I think you called it dev team or devops team. Are you... submit. So now we've created a permission set, and we've given the permission set... we've created a user, added that user to an IAM Identity Center group, assigned a couple of accounts to the Identity Center group, and given that account the permission set. Now we want to log in as that user which you created. Remember you copied the credentials for that user. So go back to the credentials for that user. You can sign out, then you log in using the username and password in that clipboard. You understand what I mean, Francesca?

Yeah, sign out and back in with the username we copied?

Yes, good. So now we should be able to see only the accounts that we've assigned to that permission set and the permission set assigned to that user. Makes sense? What's happening?

Is there another way to find the
username and password? Because I don't remember seeing that at all. Yeah, when you created the user they generated all the credentials for you, so if you do not see it we'll just create it again, just give me a sec. Where's Mula? I'm here, I'm here. What's happening? Nothing, is it latency? No, not actually latency. He said I should log in, right, so I want to sign in. So in that user there's a portal for it. Actually this is your IAM user, we don't want to use this, we want to use the AWS access portal. Okay, I was supposed to sign out here, right? Yes. Oh yes, sign out here, and in that clipboard which you copied is the portal for the user and everything. So use the username, you remember the username which you gave? Yeah, let me just check. It should be what you copied in your clipboard. Yeah, this is it, so you called it devops one, and that's the password. Always try to copy and paste, please. DevOps one, copy, next, you put in the password. So you're still going to assign MFA to this user, so we need to assign an authenticator, so just click on next, authenticate this user. Yes, we need to change the password, because of the one-time password which you generated, so just put in something, you can put in something on the screen, and after that you delete the user, then nobody can use it. So as you're putting it in, AWS is telling you the things that it needs: it needs an uppercase and a lowercase character, so you put a lowercase. Yeah, copy that and put it in the next field, confirm the password, and keep it in your clipboard if you do not know what you just did. Send new password. I should put a password? That's it, yeah. So you copy it somewhere so you know you have it if you have to log in again as that user somewhere. Do you see? So when you create and give somebody access to your Control Tower, this is going to be the view. Do you understand what we're doing? Yeah. Pi, we good? Well, I have to just watch you guys do it because I... So do you see now the
permission set that this user has is called DevOps team, because that's the permission set we created. This user is logging in and he's seeing just two accounts in our Control Tower setup, because these are the two accounts which we enabled for this user. Do you see what I mean? So in your Control Tower setup you normally have, I think now, like five accounts. They cannot see all those accounts because you did not assign those accounts to this user. That's why I said in your Control Tower environment, for example like us, we have about 190 accounts, but you're giving the user permissions to just the accounts they need. So for example this DevOps user is joining a DevOps team and we want him to be able to work with just this account. So right now he can log into both accounts, and remember the permission set which we gave him: the permission set was only for AWS CodePipeline. So let's log into any of those accounts. So now we are signing in to that account. Access denied, because... what are we looking at? This is the default console. Let's go to a service, go to something like EC2. This user should not be able to see EC2 because of the permission set that was given to this user at the beginning. But if we go to AWS CodePipeline, so just click on CodePipeline, now he should not have any issue because we gave him full CodePipeline permissions. Okay, are we together? Yes, Prof.

So this would answer the question that I asked earlier, right? Because the permission set in this case, you can also term it as your policies. Yes, it is your policies; in Control Tower it's referred to as your permission set. So you can give these permission sets now depending on what we want. For example, we're using it: we have a team right now which my company just brought in, they call them CSM, customer success managers. CSM, I don't know why I always call them CMS, customer success managers. And about last week I needed to set up a new permission set
for them. All we want them to see is the billing dashboard; they can't see any other thing because they have no clue. So we set up the permission set, we write a Confluence page, and for every customer success manager you just go back to your IAM Identity Center, we already have a group there called customer success manager, you just create the user and add that user to the customer success manager group, and they inherit the permission set of the customer success manager and they are able to log in and see just the dashboard to enable billing and write billing reports at the end of the month, and that's it. Does it make sense? Yeah, yeah. Maybe we can demonstrate limiting some sort of EC2 access or something, but we could do it in our small groups. Yeah, we'll do that in our small groups. Any problems so far? Then I think we have covered the most important things. We can then create an account now using Account Factory, then that should be it. Okay, okay. Are we good? Should I start? Francesca, Emma, are we good? Yes. No. Who said no? What's the problem, Emma?

The user account, the DevOps, I didn't get the login credentials. Maybe I set it up wrongly or something, so I got lost from that when you started logging in. Share, let's share your screen and let's look at it for two minutes, then we can go to Account Factory and we are done for today. I think we still have about 15, 20 minutes. Ti, are you good? You have to speak German to Ti. So Emma, we have all these accounts, you have five accounts in your Control Tower. Now let's go to your management account, I think it's called Emmanuel. Yeah, okay. I have that open already, I don't know, maybe I logged out. It's showing like this because you signed into a different account. Okay, so you remember that once you sign into a different account in the console everything switches to that account. Okay, so let's go to Emmanuela's management account, we go to Identity Center, that's it, on recently visited, so we go to users.
So that's the DevOps user which you created, click on it. So you do not have all the credentials that you need, so you can disable user access or you delete the user completely and we create a new user. I would prefer you delete... whatever, let's go ahead, it's okay, let's create a new user. So disable just means you have suspended the user; this user cannot do anything, and then you can go back and re-enable. So let's create a new user called devops 2. We want to generate, okay, that's it, generate a one-time password for the user, then scroll down, give the user a display name, so this will be Emmanuela, that's what the user would use to log in. Scroll down, next. We want to add that user to a group; we already created a group called admin one, that's it, there, good. You go to next, scroll down, add the user. Once you click on add user it's going to give you the information we need, so you can copy that to the clipboard. So when you go to copy, copy everything so you can paste that somewhere; this is the information you'll send to that user. Okay, okay, good. Did you get past the other place where they did the permission sets? Yeah, yeah, I got past it. Okay, so did you already assign your permission set to a group and... oh, click on show password so you can copy that password. Like this you won't be able to get the password. No, no, it's already copied in what you copied there, it copies everything. Oh, you copied it already? Yes, yes. Okay, so there's a copy button there; once you click on that copy button it copies everything. Yeah, I got it here. Okay, you got it. So can I close this now? Yeah, you can close that. So this also works like your, what is it called, secret keys, that if you close this you're not able to see it again. So now you can go in and log in as that user, because if you remember now we are simulating that it's a different user, it's a new employee that just joined the team, and you are the Control Tower administrator for
this company, and they say please give this user access to our DevOps account or to this specific customer account or to the specific environment. So you just go there, you add that user to a group, that group already has a permission set, then you assign the accounts to that user. Okay, okay. So but if I log out it's going to give me the regular AWS login screen. What if I sign out here, right? Click on sign out, let it... yes, see, and then sign in, right? Sign in, let me see. It gives me this, do you know why? Why? Because by default it takes you to the normal IAM user login. There's a Control Tower portal URL there at your end. Which one? The tab, the second tab, left hand side. But you can also see that in what you just copied in your clipboard; if you go back to what you copied in your clipboard there should be a portal there too. That's the access portal URL, from https right up to start. So this is what the person is going to use to be able to go to Control... oh, I see, Control Tower. So that will take you to the Control Tower portal; it will not take you to the normal IAM login page. Well, it takes me to this same page. Yeah, you need to sign out here. Oh, I need to sign out here? Yes, yes, because you're in the same browser. Go incognito, just go incognito and you do it, then you can log in as the new user. Okay, so paste in the portal there, then you can sign in as your DevOps user. Okay, okay, thank you. We good? Let's go to Account... Yes, yes.

You know, when you talked about locating the billing... the code, that's where I'm stuck and I'll do that later. But where we were doing the permission sets and you had to look for AWS code... billing full access, it didn't pop up for me on the list of permissions, so I'll troubleshoot that later. So just go through and show it. But it's there, because we have the different types of permission sets: custom; do we want to use an AWS managed policy, do
you want to use a customer managed, do you want to use an inline? So we're using AWS managed. Can you come back with this question please? Mind... so right now, M, you're logged in as the DevOps user, yeah, so you will not be able to see all those things. You need to log back in as your Control Tower administrator. That's your access portal right there, so go back there, I think that's where that will be. Now this is the DevOps user, so you need to log in as your Control Tower administrator. Yeah. Just so, how do we get access to the access portal from the account? You can get it from the user itself: each time you click the user in Identity Center management, there's the access portal URL, I think top right or something like that. Do you see it? Let him log in and we'll show you. I'll show you. So go into your management account as admin access, yes, go to users, Identity Center, sorry, that's it right here, recently visited, go to users, click on devops one. Okay, I want to see the access portal information. Click on the drop-down thing there, generate information, click on that, generate information. Yes. Where is this thing? Go back to users, click on your admin user or Control Tower admin user, click on this user, this one, yes, yes. We should be able to see the portal somewhere, I'm looking for the portal URL. Okay, the portal URL, okay, let me see. Go to accounts, no, go to... not groups, go to profile, let me see, account profile. Profile is where it came from, right? Yeah, there is a place that gives you this information somewhere. Okay, let me see, go back to dashboard, go to Control Tower please. Who? Control Tower, Control Tower. I guess, I can actually stop the recording for this. This only shows the DevOps... what it shows me for the DevOps, you know, the one that we just created. What do you mean by it shows you for the DevOps? It shows everything; it's the same portal, it's the same URL, then you use your credentials to log in. So let's go ahead, we good?
Mara? Yes, I'm good. So Victor, you had a problem? I did a bit, but you know, it's just like I'm dragging everybody back, so I'll... It's okay, I think we are done. We have just to use Account Factory to launch an account and that would take us five minutes, so we could look at your issue, which was to assign permission. So go back to permission sets. Yeah, it was permission sets. Yes, permission set. So you go to users and permissions, permission sets, let me see, something supposed to be... so it's under Identity Center. Yeah, yeah, yeah, this is where I was sat, and we want to create a permission set. Yeah, so we are looking for custom permission sets, because you can use the predefined, you go to custom. So this means custom is your own, you can customize it as you want, but we want to in this case go back to custom, go to next. So you can see, you can use AWS managed policies, which are still available as a normal IAM user; you can use your own customer managed policies, if you already have customer managed policies; you can use inline policies, you remember we talked about inline policies and stuff like that. So this is where you're doing it, then you search here for CodePipeline. If you want to give the person admin access you do that; if you want to give him just Alexa, search any of the AWS managed policies that you want to attach to the user, attach it to that. Got it, thank you.

Now let's go to Account Factory. So Control Tower also makes life easier for creating accounts. So in the Control Tower dashboard... this is Identity Center, go to the Control Tower dashboard, it was somewhere, yeah, yeah, so you will get used to moving between the services very soon. Okay, that's it, Account Factory, and this is the vending machine for you to create an account. So you can see right at the top right, create an AWS account. So you can customize the configuration for the AWS accounts under the Account Factory configuration, but you just want to use the default, so you just go to create an account, you fill in the
details for creating a new AWS account. So we want to use again another unique email. Unique? Yes, every AWS account needs a unique email address, so plus something. So you can call it just control tower account, so put CT account, CT ACC, so that you know that this is from Account Factory. I always use CT to denote anything Control Tower related; I always use capital CT. Okay. What I'm trying to get here, it just takes me to the DevOps accounts that we created. You're logged in as the DevOps user, you do not have access to Control Tower. Okay, you need to sign out and you log back in as the Control Tower administrator user, you understand what I mean? Yes sir. Good. You remember that Dev user, we gave that person only a permission set to, what was it, CodePipeline, so the person will not go to Control Tower and mess things up for us. Okay. Yes sir. Good. So the account that you even logged into, I don't think you have Control Tower there. As I've got now? Good. So you need to put a display name for this user or whatever. Mul, I'm talking to you. So access configuration, you can copy the same account email and put it here; it's going to create a user in Identity Center. You can give the first and the last name and you just hit create. No, and you select the OU where you want to place this account in. So if you already have different OUs in your organization, you want to place this account now in an OU; you see it's giving you two OUs, it's giving you your sandbox OU and your JJ Dev OU. You do not have an option for the security OU, because the security OU, the accounts that are there are AWS... you can bring in your account, but after the fact you can't make any changes to those accounts in the security OU. Okay, so you can create more accounts in any of the OUs that are not the security OU. So select any of those OUs and you hit create account, then the account will be created, then you can go down to that OU and you would be able to see the new account in there, and that's
it. You see that point where you said the security... the security, that I don't understand. Can you please just, like this part, that you're trying to explain about the OU part? I'm saying that this OU you see is giving you the different organizational OUs that you can put the account which you're about to create into. It does not give you the option of the security OU, because when you're launching, setting up your landing zone, you have the option of creating new log archive and audit accounts or bringing other AWS accounts which are already existing, but once the landing zone has been set up you cannot make changes to the security OU again: you cannot add accounts into it, you cannot rename the accounts that are already there, and stuff. That's why the security OU is not part of the OUs that are enabled here. If you have 10 different OUs in your Control Tower, all those OUs will be displayed here for you to select which OU you want to put your account into. Make sense? Yeah, that doesn't sound convincing. What's the IAM Identity Center user email? You can use the same like what you use for the account, use this one. Okay, I can stop the recording now. Yep.

What about the clean-up, sir? In the runbook, go to the runbook and look at it. So let's just clean up my account please, everything from... Look at it, look at it, look at it and clean up yourself, that's how you also learn. So Control Tower itself, it's not something that costs you a lot of money. No, you don't really need to, you didn't need Control Tower... I have my Control Tower in my personal account running for I don't know how long now, because it's also a playground for me to try stuff, right? Control Tower is not something like an EC2 instance that you'll spin up and destroy at any time. So anyway, it's because I'm doing a lot of governance things, that's why I've also left my Control Tower there, but it does not accrue a lot of cost if it's not in much use. So if your
accounts that are in Control Tower you're not spinning up things and destroying them there, you don't accrue a lot of costs. So what you can do is you can go back to Control Tower and clean it up by removing all your playground accounts inside. So remove all those accounts: you will sign into the account, then you leave the organization, then you close the account. Once you close an AWS account it takes about 90 days to finally close that account for you. Okay. And/or you can go to AWS Config and you stop recording; that's another thing that can accrue you cost. We've already used Config here, so you can do all that, right? How many months are we into the program? So I'm expecting that you guys can figure this out, at least together; if not you can always ping me, then I will help. The stop sign... the runbook. The last time you pinged me, what happened? You replied after two days. Me? What? No, come on now, it's not possible, it's 100%... the issue with me, ping me, I'll respond. The issue with me is this is the only environment where I'm using Slack, that's why most of the times I... but I'm always ready, just send me a message, I'll respond to you ASAP. Okay, yeah, thank you. Okay, did I stop the recording? Nope, you didn't.