Self-service creation and deletion of sandbox-style accounts.
Self-service creation and deletion of sandbox-style accounts
:exclamation: PLEASE READ THE CAVEATS OF THIS SOLUTION BEFORE CONTINUING
The following is required before proceeding:
Click the above link to deploy the stack to your environment. This stack creates:
If you prefer, you can also manually upsert the template.yml stack from source.
If you chose to have the stack create a hosted zone for the account root e-mails instead of you bringing your own, you should ensure the nameservers of the new zone are associated with an accessible domains (automatic if the domain was created within Route 53).
Also make sure SES sending service limits are appropriate for the amount of e-mails you intend to receive.
Currently, the only tested region is
us-east-1. The stack deploy time is approximately 8 minutes.
To remove this solution, ensure that both S3 buckets have their objects removed then delete the CloudFormation stack. The SES Receipt Rule Set will revert back to
default-rule-set. An attempt will be made to terminate the Connect instance, however you should verify this occurs.
In order for you to easily build upon this system, the system makes heavy use of tags for system automation and configuration.
The account manager (as seen at the top of this page) is a custom application that SSO users can access to create accounts or delete previously created accounts on-demand. It will be available to any user who is in the
AccountManagerUsersSSO group. The application is accessible via the users SSO dashboard:
The application will ensure only accounts owned by the creator are shown, unless the creator explicitly shares the account with other users, in which case it will be shared with all users who are also in the
AccountManagerUsersSSO group. Accounts which are created can optionally require a monthly budget to be set, which if exceeded will automatically trigger a deletion of the account (the maximum budget is an option during installation). Note that actual account spend may exceed the budget as pricing metrics can be delayed up to 6 hours or more for some services.
During installation, if you select
Deny Subscription Callsparameter, a number of calls will be denied to created accounts via an SCP such as calls to create reserved instances, register domain names or apply S3 object locks.
You can also elect not to include the SSO functionality by selecting
falseduring installation for the
Enable Account Creation Functionalityparameter. You do not require SSO to be enabled within the account if you select this option.
E-mails that are targetting the addresses of the root account will be forwarded by default to the master e-mail address.
You can specify a different destination per account by placing a tag with the key
AccountEmailForwardingAddresson the account in Organizations. This is set to the SSO user automatically if the account was created with the SSO Account Manager application and the
Send Root E-mails to Userparameter was set to
You can also override the format of the subject line for forwarded e-mails. During installation, you can change the subject line to any string with the following variables available for substitution:
In order to elect to delete an account without the use of the SSO Account Manager, simply tag an account within the Organizations console with the following (case not sensitive):
Tag Key: Delete
Tag Value: true
Once tagged, a process will perform the following actions on your behalf:
The above process takes approximately 4 minutes.
If the account more than 7 days old, the process completely remove the account from Organizations. If the account is less than 7 days old, a tag with the key
AccountDeletionTimewill be set with the timestamp the account was deleted at and another tag with the key
ScheduledRemovalTimewill be set with the timestamp the account will be removed from Organizations.
You can also elect not to include the deletion functionality by selecting
falseduring installation to the
Enable Account Deletion Functionalityparameter.
There are some other features and options that may be specified during installation. These include:
Unsubscribe Marketing E-mails- if set to
true, newly created accounts will be unsubscribed from all AWS marketing material
SSO Account Manager Application Name- sets a custom name for the SSO Account Manager
Automation IAM User Username- sets a custom username for the IAM user used to perform Connect and/or SSO functions
Maximum Monthly Spend Per Account- enforces a custom upper limit on the monthly budget new accounts can request, or disables budgets completely
Deny Subscription Calls- if set to
true, a service control policy which restricts the use of subscription-based calls, like reserved instances, will be applied to new accounts
Control Tower Mode- if set to
true, accounts will be created with the Control Tower Account Factory, rather than via Organizations directly