Open jofwar opened 2 years ago
Hi @jofwar, sorry I missed this, I did not have the notifications on :(. Would you like to elaborate a bit on the KMS part? As for the nested OUs, yeah I would love to, but currently I am trying to get a few more people involved with the development of this because my time is going to be very limited for the upcoming months. I will have a look at the nested OUs soon; please elaborate on the KMS part.
@costastf Since quite recently AWS supports providing a KMS key to your landing zone installation. It will encrypt certain resources (trails, not buckets).
It can be added when creating a new landing zone, or added to an existing landing zone via
Control Tower -> Landing zone settings -> Modify settings -> KMS encryption
@jofwar v1.1.0 has support for nested OUs.
@jofwar please be aware that v1.1.0 implements pretty partial support for nested OUs. It only supports one-level-deep hierarchies currently, just to unblock some needed development. This feature is quite tricky to implement fully, as there can be up to 5 levels of nested OUs and there can be name collisions and duplications on different levels. That is something easy to implement on a GUI, since it can present the different levels in a tree structure (which is how the Control Tower UI works), but pretty hard to present in an API way. Please consider this WIP for now; when a more finalised version with this feature implemented gets released, v1.1.0 will likely be retracted from PyPI.
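As an added illustration of the name-collision problem described above (this is not awsapilib's own code): resolving a slash-separated OU path against a constructed, flat OU listing, where the same OU name appears at different levels and only the full path is unambiguous. The `OU` type, the `SAMPLE_OUS` data and the root id are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_OU_DEPTH = 5  # nesting limit mentioned in the thread


@dataclass(frozen=True)
class OU:
    id: str
    name: str
    parent_id: str  # the root id or the id of another OU


# Constructed sample: "Prod" exists under both Workloads and Sandbox,
# so a bare name is ambiguous while a full path is not.
ROOT_ID = "r-example"
SAMPLE_OUS = [
    OU("ou-0001", "Workloads", ROOT_ID),
    OU("ou-0002", "Prod", "ou-0001"),
    OU("ou-0003", "Sandbox", ROOT_ID),
    OU("ou-0004", "Prod", "ou-0003"),
    OU("ou-0005", "Team-A", "ou-0004"),
]


def children_index(ous: List[OU]) -> Dict[str, Dict[str, OU]]:
    """Map parent id -> {child name -> OU}; sibling names must be unique."""
    index: Dict[str, Dict[str, OU]] = {}
    for ou in ous:
        siblings = index.setdefault(ou.parent_id, {})
        if ou.name in siblings:
            raise ValueError(f"duplicate OU name {ou.name!r} under {ou.parent_id}")
        siblings[ou.name] = ou
    return index


def resolve_ou_path(path: str, ous: List[OU], root_id: str = ROOT_ID) -> OU:
    """Resolve e.g. 'Workloads/Prod' to the single OU it names, walking from the root."""
    parts = [p for p in path.strip("/").split("/") if p]
    if not parts:
        raise ValueError("empty OU path")
    if len(parts) > MAX_OU_DEPTH:
        raise ValueError(f"OU path deeper than {MAX_OU_DEPTH} levels: {path!r}")
    index = children_index(ous)
    current_id, current = root_id, None  # type: str, Optional[OU]
    for part in parts:
        current = index.get(current_id, {}).get(part)
        if current is None:
            raise LookupError(f"no OU named {part!r} under {current_id}")
        current_id = current.id
    return current


def find_by_name(name: str, ous: List[OU]) -> List[OU]:
    """Every OU carrying this name; more than one hit means a bare name is ambiguous."""
    return [ou for ou in ous if ou.name == name]
```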
@jofwar v2.0.0 properly implements nested OU support in creating OUs and accounts.
KMS feature will need to wait.
I created a landing zone using Superwerker's Control Tower CloudFormation template.
It basically is a wrapper around ControlTower.deploy that passes the email addresses of the log archive account and the audit account.
Now I want to add a KMS key so that Control Tower uses it for encryption.
Today I think the only way is to modify the landing zone settings in the Control Tower console.
It would be awesome if awsapilib:
ControlTower.deploy
ControlTower.modify_landing_zone (or similar name)

Absolutely agree, this completely dropped from my radar. I am still trying to fix the authentication of root issue. I think that after that things would be easier. I will put this back on my radar.
Hello! Wondering if you're planning to support KMS while deploying the landing zone and creating nested OUs under Control Tower? Thanks