Required before deploying the TREEHOOSE TRE solution
Total time to configure: Approximately 105 minutes
Ensure all steps below are executed in AWS region: London (eu-west-2).
Time to configure: Approximately 85 minutes
Log in to the AWS Management Console using your organization's Management account and Admin privileges.
The solution must be deployed in a multi-account environment created and managed using AWS Control Tower. The structure is shown in the image below.
Optional: If you want to create more environments (e.g. Dev), then replicate the structure of the TRE Environment (Prod) group in the image and repeat steps 1E and 1F.
Time to configure: Approximately 5 minutes
- Go to Service: AWS CloudFormation
- Select the Stacks menu option on the left side
- Press button: Create Stack with new resources
- Select the option Upload a template file, upload the landing zone encryption CloudFormation template, and press the Next button
- Provide Stack name: "ControlTowerSetup-EncryptionKey-ManagementAccount", press on button Next twice and then press on button Create stack
- Confirm the stack status is "CREATE_COMPLETE"
Time to configure: Approximately 25 minutes
- Go to Service: AWS Control Tower
- Press button: Set up landing zone
Troubleshooting Note: If you see the message "Your AWS Environment is not ready for AWS Control Tower to be set up.", please refer to the troubleshooting guide.
Leave every option set to default in the Control Tower Landing Zone Setup, except:
- Step 1 Page - Ensure Home Region is London. Enable Region deny setting. Add Additional AWS Regions for governance: US East (N. Virginia) - us-east-1
- Step 2 Page - For Additional OU, add TRE Solution Prod
- Step 3 Page - Provide email addresses for the Log Archive and Audit accounts. Enable KMS Encryption and select the ControlTowerSetup-Landing-Zone key created in Step 1A
- Step 4 Page - Ensure the list matches the diagram above for the Default Setup for the 3 initial accounts plus TRE Solution Prod, then press on button Set up landing zone
Wait until the Control Tower Landing Zone Setup completes successfully.
Time to configure: Approximately 5 minutes
Ensure the encryption key set up in Step 1A is also applied automatically to every account enrolled in Control Tower.
- Go to Service: AWS CloudFormation
- Select the StackSets menu option on the left side
- If you see the message "Enable trusted access with AWS Organizations to use service-managed permissions.", press the Enable trusted access button
- Press button: Create StackSet
- Select option Service-managed permissions
- Select the option Upload a template file, upload the landing zone encryption CloudFormation template, and press the Next button
- Provide StackSet name: "ControlTowerSetup-EncryptionKey" and press on button Next twice
- For Deployment targets, ensure Automatic deployment is set to Enabled and select region eu-west-2 (London), then press on button Next and Submit
- Click on the stack set created and confirm the status is "ACTIVE"
Time to configure: Approximately 5 minutes
- Go to Service: AWS Control Tower
- Select Account factory
- Follow these instructions to modify the default network configuration. The intent is to ensure AWS Control Tower doesn't create a VPC for every account created
Time to configure: Approximately 5 minutes (2.5 minutes per OU)
Manually create the remaining OUs in the diagram's TRE Environment (Prod) group.
- Go to Service: AWS Control Tower
- Select Organizational units
- Press button Add an OU. Use OU name TRE Projects Prod and place it under Parent OU TRE Solution Prod. Wait until registration completes successfully
- Press button Add an OU. Use OU name TRE Data Prod and place it under Parent OU TRE Solution Prod. Wait until registration completes successfully
The current organizational structure should match the image below.
Time to configure: Approximately 40 minutes (20 minutes per account)
Manually create the remaining Accounts in the diagram's TRE Environment (Prod) group.
- Go to Service: AWS Control Tower
- Select Account factory
- Press button Enroll account. Set Display name to TRE-Project-1-Prod. Place it under Parent OU TRE Projects Prod. Provide the required email address and press on button Enroll account. Wait until account creation completes successfully (check state under Accounts)
- Press button Enroll account. Set Display name to TRE-Datalake-1-Prod. Place it under Parent OU TRE Data Prod. Provide the required email address and press on button Enroll account. Wait until account creation completes successfully (check state under Accounts)
The resulting organizational structure should match the image below.
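Because the diagram is the only record of the expected layout, a scripted check of the organization is a useful way to confirm steps 1E and 1F before moving on. The following is an added example, not TREEHOOSE project code: it encodes the OU and account names used in the steps above, walks an organization tree, and reports anything missing. The tree format, the `walk_organizations` helper (which assumes a boto3 Organizations client used from the Management account), the `FakeOrganizationsClient` stand-in and the sample organization are all constructed for this example; extra OUs or accounts (for instance a Dev environment, or further project accounts) are deliberately not reported.

```python
"""Check that the Control Tower organization matches the TRE Environment (Prod) structure
built in steps 1E and 1F. Added example, not TREEHOOSE project code. The tree format, the
fake client and the sample organization are constructed; the OU and account names are the
ones used in the steps."""

# Expected TRE Environment (Prod) structure: OU name -> (child OU names, account names).
# Only missing items are reported, so extra environments (e.g. Dev) or further project
# accounts under the same OUs do not produce findings.
EXPECTED_TREE = {
    "TRE Solution Prod": ({"TRE Projects Prod", "TRE Data Prod"}, set()),
    "TRE Projects Prod": (set(), {"TRE-Project-1-Prod"}),
    "TRE Data Prod": (set(), {"TRE-Datalake-1-Prod"}),
}


def check_tre_structure(actual_tree, expected_tree=EXPECTED_TREE):
    """Return a list of problems (an empty list means the structure matches).
    actual_tree: {ou_name: {"ous": [child OU names], "accounts": [account names]}}."""
    problems = []
    for ou, (exp_ous, exp_accounts) in expected_tree.items():
        node = actual_tree.get(ou)
        if node is None:
            problems.append(f"OU '{ou}' is missing")
            continue
        for missing in sorted(exp_ous - set(node.get("ous", []))):
            problems.append(f"OU '{missing}' is not under '{ou}'")
        for missing in sorted(exp_accounts - set(node.get("accounts", []))):
            problems.append(f"account '{missing}' is not under '{ou}'")
    return problems


def walk_organizations(org_client, root_id):
    """Build the tree shape above from a live organization. org_client is assumed to be a
    boto3 Organizations client used from the Management account (needs organizations:List*
    permissions); the root is keyed "Root", every other node by its OU name."""
    tree = {}
    pending = [(root_id, "Root")]
    ou_pages = org_client.get_paginator("list_organizational_units_for_parent")
    acct_pages = org_client.get_paginator("list_accounts_for_parent")
    while pending:
        parent_id, parent_name = pending.pop()
        node = {"ous": [], "accounts": []}
        for page in ou_pages.paginate(ParentId=parent_id):
            for ou in page["OrganizationalUnits"]:
                node["ous"].append(ou["Name"])
                pending.append((ou["Id"], ou["Name"]))
        for page in acct_pages.paginate(ParentId=parent_id):
            node["accounts"].extend(acct["Name"] for acct in page["Accounts"])
        tree[parent_name] = node
    return tree


class FakeOrganizationsClient:
    """Constructed stand-in for the boto3 client so the walk runs offline; it serves one
    page per parent from a dict of {parent_id: (ou_list, account_list)}."""

    def __init__(self, data):
        self.data = data

    def get_paginator(self, name):
        key = "OrganizationalUnits" if name == "list_organizational_units_for_parent" else "Accounts"
        index = 0 if key == "OrganizationalUnits" else 1
        client = self

        class _Paginator:
            def paginate(self, ParentId):
                yield {key: client.data[ParentId][index]}

        return _Paginator()


# Constructed sample organization; the ids are placeholders, not real AWS ids.
SAMPLE_ORG = {
    "r-0000": ([{"Id": "ou-sec", "Name": "Security"}, {"Id": "ou-tre", "Name": "TRE Solution Prod"}],
               [{"Name": "Management"}]),
    "ou-sec": ([], [{"Name": "Log Archive"}, {"Name": "Audit"}]),
    "ou-tre": ([{"Id": "ou-proj", "Name": "TRE Projects Prod"}, {"Id": "ou-data", "Name": "TRE Data Prod"}], []),
    "ou-proj": ([], [{"Name": "TRE-Project-1-Prod"}]),
    "ou-data": ([], [{"Name": "TRE-Datalake-1-Prod"}]),
}


def check_sample(drop_account=None):
    """Walk the constructed organization (optionally hiding one account to show a finding)
    and return the list of problems."""
    data = {pid: (ous, [a for a in accts if a["Name"] != drop_account])
            for pid, (ous, accts) in SAMPLE_ORG.items()}
    tree = walk_organizations(FakeOrganizationsClient(data), "r-0000")
    return check_tre_structure(tree)


if __name__ == "__main__":
    print(check_sample() or "structure matches")
    print(check_sample(drop_account="TRE-Datalake-1-Prod"))
```

Against a real organization, replace the fake client with `boto3.client("organizations")` and pass the root id from `list_roots`; the check deliberately keys nodes by OU name, so if you add a Dev environment with identically named OUs you will want to key by OU id instead.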
Time to configure: Approximately 5 minutes
Log in to the AWS Management Console using your organization's Management account and Admin privileges.
- Go to Service: AWS Cost Explorer
If the service has not been initialised yet, a message like the one in the image below appears; opening Cost Explorer from the Management account is what initialises it.
Time to configure: Approximately 5 minutes
Required for all accounts created under the TRE Data Prod OU.
Log in to the AWS Management Console using your TRE Datalake 1 Prod account and Admin privileges.
- Go to Service: AWS Lake Formation
A prompt will appear to add the current account as an administrator for Lake Formation. Select the option like in the image below and press on button Get started.
Time to configure: Approximately 5 minutes
Required for all accounts created under the TRE Projects Prod OU.
Log in to the AWS Management Console using your TRE Project 1 Prod account and Admin privileges.
- Go to Service: Amazon AppStream 2.0
- Press on button Get Started, then Skip. This will create a role in the background which will be used later in the deployment process.
These steps are optional, but recommended for implementing best practices on AWS.
- To secure the Management account, please follow these instructions
- To manage SSO access to your AWS accounts, please follow these instructions
- To allow IAM users to view Billing on AWS, please follow these instructions
- To learn how to manage AWS Organizations effectively, please follow the best practices notes and the recommended OU setup