Deploying AWS Accounts

This step-by-step process outlines how to deploy AWS accounts using atmos workflows and ClickOps steps. It covers necessary preparations, such as configuring the AWS Organization, increasing account quotas, and verifying account configurations. The guide details the deployment processes and post-deployment configurations, including setting up account settings, enabling AWS RAM for Organizations, and performing certain manual configurations via ClickOps.

Steps                        Actions
Deploy AWS Organization      atmos workflow deploy/organization -f quickstart/foundation/accounts
Prepare accounts creation    ClickOps
Deploy accounts              atmos workflow deploy/accounts -f quickstart/foundation/accounts
Deploy accounts settings     atmos workflow deploy/account-settings -f quickstart/foundation/accounts
Finalize account setup       ClickOps

1 Prepare Account Deployment

Review the "account" configuration in the stack catalog. This is the hardest part to change/fix once the accounts are provisioned. If you aren't confident about the email configuration, account names, or anything else, now is the time to make changes or ask for help.

You should double-check the following:

  • Check that stacks/catalog/account.yaml has the values you expect, especially account email format
  • Run atmos describe component account -s core-gbl-root to inspect the final component configuration (e.g. after all the mixins have been imported)
  • Plan the run with atmos terraform plan account -s core-gbl-root

2 Deploy the AWS Organization

atmos workflow deploy/organization -f quickstart/foundation/accounts

3 Confirm the Root Account is configured as an Organization

The previous step will create the AWS Organization and configure the core-root account as the "root" account. Take the time now to verify that the root account is configured as an AWS Organization and that AWS RAM for Organizations is enabled, which is required for connecting the Organization.

Check Organization Status:

# Check if AWS Organization exists and get its details
aws organizations describe-organization

# Or specifically check if RAM for Organizations is enabled
aws organizations describe-organization --query 'Organization.FeatureSet'

The FeatureSet should return ALL if RAM for Organizations is enabled, or CONSOLIDATED_BILLING if it's not enabled.

4 Raise Account Limits

If you haven't already completed the Account Quota increase, now is the time to do so. To deploy all accounts, we need to request an increase of the Account Quota from AWS support, which requires an AWS Organization to be created first.

From the root account (not SuperAdmin), increase the account quota to 20+ for the Cloud Posse reference architecture, or more depending on your business use-case.

Alternative: Use AWS CLI

You can also use the AWS CLI to request the quota increase:

aws service-quotas request-service-quota-increase \
  --service-code organizations \
  --quota-code L-E619E033 \
  --desired-value 20

Where L-E619E033 is the quota code for "Default maximum number of accounts" under "AWS Organizations" in "us-east-1".
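A pre-flight script that combines the checks from steps 3 and 4 into one pass before any accounts are created. This is an added example, not Cloud Posse's own code or part of the reference architecture; it assumes the AWS CLI is authenticated to the management (root) account, reuses the L-E619E033 quota code from above, and takes the number of accounts you plan to create as its only argument.

```shell
#!/bin/sh
# Added example (not Cloud Posse code): pre-flight checks to run before
# `atmos workflow deploy/accounts`. Assumes the AWS CLI is authenticated to the
# management (root) account. Usage: ./preflight.sh <number-of-accounts-planned>

# Pure decision function, so the logic can be exercised without AWS access.
#   $1 FeatureSet from describe-organization (ALL or CONSOLIDATED_BILLING)
#   $2 whether ram.amazonaws.com has trusted access in the Organization (True/False)
#   $3 current account quota for AWS Organizations (integer)
#   $4 number of accounts the stack catalog will create
org_ready() {
  fs=$1; ram=$2; quota=$3; needed=$4; ok=0
  if [ "$fs" != "ALL" ]; then
    echo "FAIL: FeatureSet is $fs; all features must be enabled" >&2; ok=1
  fi
  case "$ram" in
    [Tt]rue) ;;
    *) echo "FAIL: RAM trusted access for Organizations is not enabled" >&2; ok=1 ;;
  esac
  if [ "$quota" -lt "$needed" ]; then
    echo "FAIL: account quota $quota is below the $needed accounts planned" >&2; ok=1
  fi
  return $ok
}

# Gather the live values with the AWS CLI and evaluate them with org_ready.
preflight() {
  needed=${1:?usage: preflight <accounts-planned>}
  fs=$(aws organizations describe-organization \
         --query 'Organization.FeatureSet' --output text)
  # Trusted access for RAM shows up as the ram.amazonaws.com service principal.
  ram=$(aws organizations list-aws-service-access-for-organization \
         --query "contains(EnabledServicePrincipals[].ServicePrincipal, 'ram.amazonaws.com')" \
         --output text)
  # Quota.Value is returned as a float (e.g. 10.0); strip the fraction.
  quota=$(aws service-quotas get-service-quota \
         --service-code organizations --quota-code L-E619E033 \
         --query 'Quota.Value' --output text)
  org_ready "$fs" "$ram" "${quota%.*}" "$needed" \
    && echo "OK: Organization is ready to deploy $needed accounts"
}

# Only call AWS when a planned account count is given on the command line.
[ $# -eq 0 ] || preflight "$@"
```

Run it as `./preflight.sh 20` before step 5; any FAIL line points at the step above that still needs to be completed.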

5 Deploy Accounts

Again review the "account" configuration in stacks/catalog/account.yaml. In particular, check the email address and account names. In the next step, we will create and configure all accounts in the AWS Organization using the configuration in that stack file.

Once confident, begin the accounts deployment:

atmos workflow deploy/accounts -f quickstart/foundation/accounts

This workflow creates all AWS member accounts in the AWS Organization using the configuration in your stack files.

6 Deploy Accounts Settings

Once you've created the accounts, you'll need to provision the baseline configuration within the accounts themselves. Run the following:

atmos workflow deploy/account-settings -f quickstart/foundation/accounts

The workflow kicks off several sequential Terraform runs that provision the account settings for every member account in the Organization.

7 Unsubscribe from Marketing Emails (Optional)

For each new account, unsubscribe the account's email address from AWS marketing emails:

  1. Go to AWS Marketing Preferences
  2. Click "Unsubscribe from Email"
  3. Enter the account's email address
  4. Check "Unsubscribe from all AWS marketing emails"

Root User Credentials

With centralized root access enabled, member accounts do not require individual root credentials. If you need per-account root credentials, see Create Account Root Users.

Next Steps

Now that all accounts are deployed and configured, you're ready to set up CloudTrail for audit logging across your organization.