Don't forget to update your AWS Control Tower

Keeping your AWS Control Tower Landing Zone up to date is important to ensure you are taking advantage of the latest features and fixes, but this task is often forgotten. Here is a quick guide to get your AWS Control Tower up to date.

A landing zone is a foundational architecture that establishes the account architecture, security, governance, networking, and compliance framework for you to build upon.

Long story short, this is the slab for you to build your house on.

Luckily for us, AWS provides us with a managed service, AWS Control Tower. AWS Control Tower helps us automate and manage our landing zone.

Now, like most AWS managed services, AWS Control Tower gets new features and updates from time to time. However, due to the nature of AWS Control Tower and AWS not wanting to make automatic changes to the foundations of your architecture, these updates need to be manually deployed.

I've personally seen that updating your AWS Control Tower landing zone is often forgotten in the busy day-to-day we all live in, so here is a reminder that we need to do it and a guide on how to get it done.

What are the updates?

To date, AWS has released 7 updates for AWS Control Tower (you can find the release notes here).

These updates range from extending AWS Control Tower to new regions to adding new guardrails and functionality improvements.

How to update AWS Control Tower

First, let's see if we even need to update. Log in to your AWS Single Sign-on portal, then go to the management console of your management account (your main root account).

Once we are in the AWS Management Console, go to the AWS Control Tower Console and click Landing zone settings.

Here we can see that my AWS Control Tower version is currently 2.3, I have a new version available (2.7) and my Landing Zone is enabled in 5 regions.

We are going to select version number 2.7, then click Update.

On the next screen we get an overview of the updates that are going to be applied to our landing zone, the next steps, and whether we want to expand our governance into other regions.

Agree to the terms and click Update landing Zone.

This will start the update process.

For my simple lab setup (2 OUs, 7 Accounts, 20 Preventive guardrails and 3 detective guardrails) this took 16 minutes.

We can now see that our AWS Control Tower is up to date, so we can move on to updating our accounts.

Updating AWS Accounts

We also need to update the AWS accounts to the new version so we can enable new guardrails.

There are two ways to do this:

  1. Go to AWS Service Catalog in the management account and update each provisioned product (detailed here)
  2. Automatically update all accounts in an OU by Re-Registering the OU

We are going to go with the second method. As you can see, here is a list of my accounts, and all the accounts I need to update are in the Custom OU.

Go to Organizational Units and click the OU that has accounts you need to update.

At the top right, click Re-Register OU.

You will get the following prompt. Have a read and then click Re-Register OU when you're ready to start.

This will start off another progress bar.

For my simple lab OU (4 accounts), this took 12 minutes.

All accounts are now up to date and enrolled.

What's Next?

We have now completely updated our AWS Control Tower Landing Zone and all AWS Accounts to the latest version.

I recommend having a look at the Guardrails to see if there's anything new you want to deploy. You can sort these by release date to make finding them easier.
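
The version check done in the console at the start of this guide can also be scripted and run on a schedule, so the update does not get forgotten. This is an added example, not part of the original post: it assumes boto3, credentials for the management account, and the Control Tower `ListLandingZones`/`GetLandingZone` API, and the sample response is constructed from the versions shown in the walkthrough.

```python
"""Report whether a Control Tower landing zone is behind the latest version."""
import sys


def parse_version(text):
    # "2.10" must sort after "2.9", so compare numerically, not as strings.
    return tuple(int(part) for part in text.split("."))


def assess(landing_zone):
    """Evaluate the `landingZone` dict of a GetLandingZone response."""
    current = landing_zone["version"]
    latest = landing_zone.get("latestAvailableVersion", current)
    findings = []
    if parse_version(current) < parse_version(latest):
        findings.append(f"update available: {current} -> {latest}")
    drift = landing_zone.get("driftStatus", {}).get("status")
    if drift == "DRIFTED":
        findings.append("landing zone has drifted")
    status = landing_zone.get("status")
    if status != "ACTIVE":
        findings.append(f"landing zone status is {status}")
    return findings


def fetch_landing_zones():
    # Imported here so assess() can be used without boto3 installed.
    import boto3
    client = boto3.client("controltower")
    zones = client.list_landing_zones()["landingZones"]
    return [client.get_landing_zone(landingZoneIdentifier=z["arn"])["landingZone"]
            for z in zones]


# Constructed sample (placeholder ARN) using the versions from the walkthrough.
SAMPLE = {
    "arn": "arn:aws:controltower:us-east-1:111111111111:landingzone/EXAMPLE",
    "version": "2.3",
    "latestAvailableVersion": "2.7",
    "status": "ACTIVE",
    "driftStatus": {"status": "IN_SYNC"},
}

if __name__ == "__main__":
    zones = [SAMPLE] if "--sample" in sys.argv else fetch_landing_zones()
    problems = [f"{z['arn']}: {f}" for z in zones for f in assess(z)]
    print("\n".join(problems) or "landing zone is up to date")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when an update is available, the landing zone has drifted, or its status is not ACTIVE, so it can gate a scheduled job or raise an alert.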