Configure Accounts using AWS Control Tower
Overview
The Druva AWS Control Tower integration is built for enterprise users of AWS Cloud. You can now automate the setup of your multi-account AWS environment and simplify data protection and disaster recovery at an enterprise level.
This guide explains how to configure Druva CloudRanger using AWS Control Tower, leveraging the resources that AWS Control Tower pre-configures as part of its initialization.
Benefits
AWS Control Tower integration allows you to easily manage your multi-account AWS environment and automate account configuration. You can now protect any existing AWS accounts, as well as new accounts as soon as they are created.
To get started, you will need to provision the requisite permissions to these AWS accounts, which will allow Druva CloudRanger to manage your data protection and disaster recovery failover events. For more information on the AWS Identity and Access Management (IAM) resources to set up for each AWS account, see Create AWS Access Role.
Solution Overview
The solution is deployed using an AWS CloudFormation template and integrates with the AWS Control Tower lifecycle events. When a new account is configured using AWS Control Tower, the AWS Lambda function is triggered to launch an AWS CloudFormation StackSet instance. This instance then creates the required IAM resources in the new account.
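The flow described above, as an added sketch (this is not Druva's Lambda code or the contents of its template): a handler that acts only on a successful `CreateManagedAccount` lifecycle event, validates the account ID, and requests a StackSet instance for that account. The StackSet name, Region and sample event values are assumptions made for illustration.

```python
import re

# Hypothetical values; in the real deployment these come from the
# "Stack Set Name" and "Stack Region" parameters of the stack.
STACKSET_NAME = "example-access-role-stackset"
STACK_REGION = "us-east-1"
ACCOUNT_ID_RE = re.compile(r"\d{12}")


def new_account_id(event):
    """Return the account ID from a successful CreateManagedAccount
    lifecycle event, or None when the event must be ignored."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail") or {}
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = (detail.get("serviceEventDetails") or {}).get(
        "createManagedAccountStatus") or {}
    if status.get("state") != "SUCCEEDED":  # skip failed enrolments
        return None
    account_id = str((status.get("account") or {}).get("accountId", ""))
    return account_id if ACCOUNT_ID_RE.fullmatch(account_id) else None


def stack_instance_request(account_id):
    """Arguments for CloudFormation create_stack_instances."""
    return {"StackSetName": STACKSET_NAME,
            "Accounts": [account_id],
            "Regions": [STACK_REGION]}


def handler(event, context, cfn=None):
    account_id = new_account_id(event)
    if account_id is None:
        return {"action": "ignored"}
    if cfn is None:  # real client only inside Lambda; tests inject a stub
        import boto3
        cfn = boto3.client("cloudformation")
    resp = cfn.create_stack_instances(**stack_instance_request(account_id))
    return {"action": "created", "account": account_id,
            "operation": resp.get("OperationId")}


# Constructed sample event (trimmed to the fields the handler reads).
SAMPLE_EVENT = {"source": "aws.controltower", "detail": {
    "eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {"state": "SUCCEEDED", "account": {
            "accountName": "example", "accountId": "111122223333"}}}}}
```

Filtering on event source, event name and `SUCCEEDED` state keeps the function from creating IAM resources in response to unrelated or failed events.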
The overall solution implementation is illustrated below:
Account Configuration using AWS Control Tower
Before you Begin
- Log in to the AWS Control Tower management account with administrator permissions.
- Ensure that you are within the region where AWS Control Tower is deployed.
Proceed with configuring new accounts:
- Log in to your Druva CloudRanger console and navigate to the AWS Accounts page.
- Click Add New Account.
Note: To continue adding a new account using AWS Control Tower, proceed with the steps below. Alternatively, to configure accounts using CloudFormation Template, refer to Create AWS Access Role.
- Navigate to the AWS Control Tower tab.
- Copy or download the CloudFormation template to manually create the stackset and provision the access role for your AWS environment.
- Click Launch AWS Control Tower to be automatically directed to the CloudFormation section of your AWS account.
- Copy the CloudFormation template URL from your CloudRanger console and paste it into the Amazon S3 URL field. Click Next.
Specify the following information on the Stack Details page.
Field | Description |
Launch Account List | [Optional] If there are any existing accounts enrolled within Control Tower that you would like to protect using Druva, enter them here in a comma-separated list. |
Organization Key ID | [Mandatory] Copy the Organization Key ID and Organization Token from your Druva CloudRanger Add Account page. |
Stack Region | The Region for the StackSet residing in the AWS Control Tower management account. |
Stack Set Name | The name for the StackSet in the AWS Control Tower management account. |
StackSet URL | This represents the template URL and should not be modified. |
- Add any tags, as applicable. Click Next.
- Select the I acknowledge that AWS CloudFormation might create IAM resources with custom names check box, and then click Create Stack to generate the CloudFormation stack.
- Refresh the stack until the Status reads CREATE_COMPLETE.
To follow the progress of the stack, you can view the events and details of the newly created stack.
Note: Once the stack creation completes, refresh your AWS Accounts listing page on Druva CloudRanger to view new accounts configured via AWS Control Tower. Once you add the CloudFormation template, any new accounts configured or updated will automatically be updated on Druva CloudRanger.
For more information on AWS Control Tower, refer to the AWS documentation.