Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.2.2.2. Standardizing & Automating Account Provisioning (Organizations, Control Tower)

Manual account creation doesn't scale. At 50+ accounts, you need automated provisioning that applies consistent baselines from day one.

AWS Control Tower automates multi-account setup:

  • Landing zone: Pre-configured environment with security and logging accounts
  • Account Factory: Self-service account provisioning with guardrails pre-applied
  • Guardrails: Preventive (SCPs that block actions) and detective (Config rules that detect violations)
  • Dashboard: Central view of compliance status across all accounts

Customizations for Control Tower (CfCT) extends Account Factory with custom CloudFormation templates applied to new accounts — baseline IAM roles, VPC configurations, security services.

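# Programmatic account creation via Organizations API
import time
import boto3

orgs = boto3.client('organizations')
response = orgs.create_account(
    Email='prod-app1@company.com',
    AccountName='prod-app1',
    RoleName='OrganizationAccountAccessRole'
)
# create_account is asynchronous: AccountId is only set once State is SUCCEEDED
status = response['CreateAccountStatus']
while status['State'] == 'IN_PROGRESS':
    time.sleep(10)
    status = orgs.describe_create_account_status(CreateAccountRequestId=status['Id'])['CreateAccountStatus']
if status['State'] != 'SUCCEEDED':
    raise RuntimeError(f"Account creation failed: {status.get('FailureReason')}")
orgs.move_account(
    AccountId=status['AccountId'],
    SourceParentId='r-root',             # placeholder: organization root ID
    DestinationParentId='ou-prod-xxxxx'  # placeholder: target OU ID
)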

Account baseline automation (applied to every new account):

  1. Enable CloudTrail → send logs to central log archive
  2. Enable GuardDuty → delegate to security account
  3. Enable AWS Config → aggregate to security account
  4. Deploy VPC via StackSet → standard networking
  5. Configure SSO → assign role-based access groups

Exam Trap: Control Tower's Account Factory creates accounts asynchronously. The CreateAccount API returns immediately with a status — you must poll or use EventBridge to detect completion. Automation that assumes the account exists immediately will fail.
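The EventBridge route mentioned in the Exam Trap, as an added example (not MindMesh Academy or AWS code): a Lambda-style handler that starts the baseline only after a completion event reports SUCCEEDED and raises an alert otherwise. The event field names are assumptions modelled on the Control Tower and Organizations lifecycle event layout, the sample events are constructed, and `handler`, `account_result` and the step labels are hypothetical names.

```python
import re

# Baseline steps listed on the page, run only after creation has SUCCEEDED.
BASELINE_STEPS = ["cloudtrail", "guardduty", "config", "vpc-stackset", "sso"]

# serviceEventDetails key for each (source, eventName) completion event.
# Field names are assumptions modelled on the AWS lifecycle event layout.
STATUS_KEYS = {
    ("aws.controltower", "CreateManagedAccount"): "createManagedAccountStatus",
    ("aws.organizations", "CreateAccountResult"): "createAccountStatus",
}

def account_result(event):
    """Return (state, account_id, reason) for a completion event, else None."""
    detail = event.get("detail", {})
    key = STATUS_KEYS.get((event.get("source"), detail.get("eventName")))
    if key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(key, {})
    # Control Tower nests the ID under "account"; Organizations keeps it flat.
    account_id = status.get("account", {}).get("accountId") or status.get("accountId")
    reason = status.get("failureReason") or status.get("message")
    return status.get("state"), account_id, reason

def handler(event, context=None):
    """Lambda-style entry point: decide what to do with one EventBridge event."""
    result = account_result(event)
    if result is None:
        return {"action": "ignore"}
    state, account_id, reason = result
    # Never baseline on anything but a confirmed success with a valid 12-digit ID.
    if state != "SUCCEEDED" or not re.fullmatch(r"\d{12}", account_id or ""):
        return {"action": "alert", "state": state, "reason": reason}
    return {"action": "baseline", "account_id": account_id, "steps": BASELINE_STEPS}

# Constructed sample events (not captured from a real organization).
CT_OK = {"source": "aws.controltower", "detail": {
    "eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {"state": "SUCCEEDED",
            "account": {"accountName": "prod-app1", "accountId": "111122223333"}}}}}
ORG_FAILED = {"source": "aws.organizations", "detail": {
    "eventName": "CreateAccountResult", "serviceEventDetails": {
        "createAccountStatus": {"state": "FAILED", "accountName": "prod-app1",
            "failureReason": "EMAIL_ALREADY_EXISTS"}}}}

if __name__ == "__main__":
    for sample in (CT_OK, ORG_FAILED, {"source": "aws.ec2", "detail": {}}):
        print(handler(sample))
```
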

Written by Alvin Varughese • Founder • 15 professional certifications