Don't forget to update your AWS Control Tower

A landing zone is a foundational architecture that establishes the account architecture, security, governance, networking, and compliance framework for you to build upon.

Long story short, this is the slab for you to build your house on.

Luckily for us, AWS provides us with a managed service, AWS Control Tower. AWS Control Tower helps us automate and manage our landing zone.

Now, like most AWS managed services, AWS Control Tower gets new features and updates from time to time. However, because AWS Control Tower forms the foundation of your architecture and AWS does not want to make automatic changes to that foundation, these updates need to be deployed manually.

Now I've personally seen that updating your AWS Control Tower landing zone is often forgotten about in the busy day-to-day we all live in, so here is a reminder that we need to do it and a guide on how to get it done.

What are the updates?

To date, AWS has released 7 updates for AWS Control Tower (You can find the release notes here)

These updates range from extending AWS Control Tower to new regions, to adding new guardrails, to functionality improvements.

How to update AWS Control Tower

First, let's see if we even need to update. Log in to your AWS Single Sign-on portal, then go to the management console of your management account (your main root account).

Once we are in the AWS Management Console, go to the AWS Control Tower console and click Landing zone settings.

AWS Control Tower Menu

Here we can see that my AWS Control Tower version is currently 2.3, I have a new version available (2.7) and my Landing Zone is enabled in 5 regions.

AWS Control Tower Landing Zone settings
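If you would rather script this "do I need to update?" check than click through the console, here is an added example (not from the original post) that reads the landing zone version through the Control Tower API via boto3. It assumes the ListLandingZones and GetLandingZone actions, which postdate the console-only workflow shown here, and that your management-account credentials are allowed to call them; version strings are compared numerically so that a hypothetical 2.10 ranks above 2.7.

```python
"""Report whether an AWS Control Tower landing zone lags the latest
available version (the manual-update situation described above).

Added example, not part of the original post. Assumes the Control Tower
API actions ListLandingZones / GetLandingZone exist and are permitted
for the caller in the management account.
"""
from typing import Any, Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.7' -> (2, 7). Numeric tuples avoid the string-compare trap
    where '2.10' would sort below '2.7'."""
    return tuple(int(part) for part in version.split("."))


def assess_landing_zone(lz: Dict[str, Any]) -> Dict[str, Any]:
    """Decide whether a landing zone needs attention.

    `lz` is the 'landingZone' object returned by GetLandingZone
    (fields: version, latestAvailableVersion, status, driftStatus)."""
    current = lz["version"]
    latest = lz.get("latestAvailableVersion", current)
    drift = lz.get("driftStatus", {}).get("status", "UNKNOWN")
    behind = parse_version(current) < parse_version(latest)
    return {
        "current": current,
        "latest": latest,
        "update_available": behind,
        "drifted": drift == "DRIFTED",
        "status": lz.get("status"),
    }


def check_with_boto3(region_name: str = "us-east-1") -> List[Dict[str, Any]]:
    """Live check: enumerate landing zones and assess each one."""
    import boto3  # imported here so the pure functions run offline

    ct = boto3.client("controltower", region_name=region_name)
    results = []
    for lz in ct.list_landing_zones()["landingZones"]:
        detail = ct.get_landing_zone(landingZoneIdentifier=lz["arn"])["landingZone"]
        results.append(assess_landing_zone(detail))
    return results


# Constructed sample mirroring the post: running 2.3 with 2.7 available.
SAMPLE_LANDING_ZONE = {
    "arn": "arn:aws:controltower:us-east-1:111122223333:landingzone/EXAMPLE",
    "version": "2.3",
    "latestAvailableVersion": "2.7",
    "status": "ACTIVE",
    "driftStatus": {"status": "IN_SYNC"},
}

if __name__ == "__main__":
    print(assess_landing_zone(SAMPLE_LANDING_ZONE))
```

Running this on a schedule and alerting when `update_available` or `drifted` is true turns the reminder in this post into a standing control.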

We are going to select version number 2.7, then click Update.

AWS Control Tower Version Update

On the next screen we get an overview of the updates that are going to be applied to our landing zone, next steps and if we want to expand our governance into other regions.

Agree to the terms and click Update landing Zone.

AWS Control Tower Update Landing Zone

This will start the update process.

AWS Control Tower Update Status

For my simple lab setup (2 OUs, 7 Accounts, 20 Preventive guardrails and 3 detective guardrails) this took 16 minutes.

AWS Control Tower Update Complete

We can now see that our AWS Control Tower is up to date, now we can move onto updating our accounts.

AWS Control Tower Up to date

Updating AWS Accounts

We also need to update the AWS accounts to the new version so we can enable new guardrails.

There are two ways to do this:

  1. Go to AWS Service Catalog in the management account and update each provisioned product (detailed here)
  2. Automatically update all accounts in an OU by re-registering the OU

We are going to go with the second method. As you can see, here is a list of my accounts; all the accounts I need to update are in the Custom OU.

AWS Control Tower Account List

Go to Organizational Units and click the OU that has accounts you need to update.

AWS Control Tower Organization Units

At the top right, click Re-Register OU.

AWS Control Tower Re-Register OU

You will get the following prompt. Have a read, then click Re-Register OU when you're ready to start.

AWS Control Tower Re-Register OU prompt

This starts another progress bar.

AWS Control Tower OU Update

For my simple lab OU (4 accounts), this took 12 minutes.

AWS Control Tower OU Up to Date

All accounts are now up to date and enrolled.

AWS Control Tower Accounts Enrolled

What's Next?

We have now completely updated our AWS Control Tower Landing Zone and all AWS Accounts to the latest version.

I recommend having a look at the Guardrails to see if there's anything new you want to deploy; you can sort them by release date to make finding them easier.

AWS Control Tower Guardrails
