Introduced at re:Invent in 2018, AWS Control Tower is increasingly becoming a serious alternative to the original AWS Solution for a landing zone. New regions, simplified implementation in existing multi-account environments, and much more has been improved in recent versions. Especially with the introduction of AWS Control Tower in the Frankfurt region, the service becomes much more interesting for German oriented customers.
In this article, I will briefly explain how to update an existing Control Tower based landing zone and the associated accounts, and also discuss some of the new features of the latest updates.
AWS Control Tower update
Landing zone update
To upgrade to a new version of AWS Control Tower, a full update must be performed. A full update includes an update of the landing zone, followed by an update of all enrolled accounts in the registered Organizational Units (OUs).
To upgrade your AWS Control Tower environment, navigate to the Landing Zone settings in the AWS Control Tower console. The status indicates that a new version is available. In the Version tab, select the latest version to update, acknowledge the notification pop-up and confirm with “Update landing zone” one last time. The started process usually takes about 60 minutes.
The update extends Control Tower to the five additional AWS regions – Canada, Frankfurt, London, Stockholm and Singapore. This is the first new feature that has recently become available in Control Tower. Since version 2.5, AWS Control Tower is now available in these ten AWS regions.
Organizational Unit update
After the landing zone update has been completed, the shared accounts (Master, Audit, Log archive) have also been updated. All provisioned accounts are in the updates available state and must be updated “manually”.
This is where the second update comes in handy. AWS Control Tower now offers bulk update for up to 300 accounts. With just one click in the Control Tower console, all accounts in a registered organizational unit (OU) can be updated. This is particularly useful in our case. After updating the landing zone, a re-registration of the OU is all that is required. This eliminates the need to update one account at a time (which is of course still possible) or to use an external script to perform the update for multiple accounts.
Re-registering the OU usually takes several minutes, depending on the number of accounts that need to be updated. Usually around 2-3 minutes per account. You must wait until the update has been successful before starting the re-registration of the next organizational unit.
Extend Control Tower governance to existing OUs
The third new feature allows existing organizational units to be brought under the management of Control Tower. Existing OUs created via AWS Organizations can now be brought under Control Tower’s control, along with all the accounts they contain (max. 300), thus extending AWS Control Tower’s governance to an entire organizational unit (OU).
To do this, the existing OU in your AWS Control Tower landing zone must be re-registered. AWS Control Tower performs a precheck for the affected accounts and then attempts to enroll them. Further information can be found in the Documentation.