How to do it…

Follow these steps to set up your core accounts:

  1. Create a new account using the recipe in Chapter 1, AWS Fundamentals. Pay special attention to the security recommendations, since this will be the master account (what AWS now calls the management account) for your new multi-account AWS environment: whoever controls it controls every account beneath it. Give users strong passwords, and always configure multi-factor authentication, including on the root user!
  2. Log in to the new master account as a user with full administrative privileges and navigate to the Control Tower console. Click the Get Started button to set up a new environment.
  3. Configure the email addresses for each of the subordinate accounts that Control Tower will create for you. Every AWS account needs its own unique root email address:

Setting up the AWS Control Tower Shared account

See the How it works section that follows for a full description of each account.

Some email providers have a handy feature that is not very well documented: sub-addressing, where everything after a plus sign in the local part of the address is ignored for delivery. Gmail, for example, delivers mail for user+logarchive@gmail.com and user+audit@gmail.com to the single mailbox user@gmail.com (user is a placeholder here), while AWS still sees them as the distinct addresses it requires for each account. If you aren't using Gmail, check with your company's mail administrator to see if your email server supports this functionality. It can make setting up various AWS accounts much simpler, since they will all be associated with a single inbox. The trade-off is that this one inbox then receives the root-user password-reset email for every account, so protect it with MFA and treat it as a critical credential. If you don't have plus addressing available, another option is to set up distribution lists instead of fully functional email accounts.
  4. Select your desired region.
  5. Check the box to grant Control Tower the administrative privileges it needs to administer accounts on your behalf.

  6. Launch your Control Tower installation and go to the Dashboard, where you can watch the progress as it creates resources and accounts for you in the background. While the setup is in progress, you will receive a few emails, so keep an eye on your inbox so that you can verify your email address and confirm the subscription to the Simple Notification Service (SNS) notifications related to the new accounts:

AWS Control Tower Launching
  7. When the landing zone is fully launched, take some time to explore the Dashboard and inspect the various components, including Organizational units, Accounts, Preventive guardrails, Detective guardrails, Recommended actions, and Non-compliant resources.
  8. You should have received an email with the following subject line: Invitation to join AWS Single Sign-On. Click Accept Invitation to create credentials for the master Single Sign-On (SSO) user. Keep in mind that this is not the same identity that you used to create the master account, even if it does share the same email address! You will use these credentials later in this recipe.
  9. On the side navigation bar, click Guardrails and scroll down to the bottom. Click Disallow public read access to S3 buckets. Note that this is a detective guardrail, implemented as an AWS Config rule: provisioned accounts will not be prevented from creating public buckets, but the rule reports any bucket marked as public as non-compliant and you will receive a notification. (A preventive guardrail, by contrast, is a service control policy that blocks the action outright.) We will test this guardrail in subsequent steps.

  10. Scroll down to Organizational units enabled and click Enable guardrail on OU. Choose the Custom OU and enable it. It may take a few minutes to appear in the list of enabled OUs. You should see an email with the subject line Config Rules Compliance Change to alert you to the configuration change that was made to the Custom OU:

Organizational units enabled
  11. Log out of your account and then log back in with the SSO credentials you created in Step 8.
  12. Once logged in, you will land on a screen titled Your applications. Click the orange cube (AWS Account) to see a list of accounts that you can access with this user:

SSO accounts
  13. Click your Master account and log in to the management console as an administrator.
  14. On the side navigation bar, select Users and access, and then click View in AWS Single Sign-On:

Control Tower Users and access
  15. On the SSO Directory page, click Add User. Create a new user account.
  16. Add the user to the AWSAccountFactory group:

Add user to groups screen
  17. Complete the user creation process. Log out of the console, and also log out of SSO. Then, log back in as the new user you just created. This is important because we need to be logged in as a user who has rights to provision accounts, and we want to simulate a real-world scenario: a user provisioning an account and then creating non-compliant resources.
  18. Go to the Service Catalog service dashboard.
  19. In the Service Catalog, choose AWS Control Tower Account Factory. Click Launch Product.
  20. Fill in the parameters, tag options, and notifications for the new account. Launch the product and wait for your new account to be fully provisioned. When the process has finished, you can use AWS SSO to sign in to the new account.

  21. Once you're logged in to the new account, create an S3 bucket and give it public access. (This is deliberately bad practice and you should never create public buckets outside a test like this one! Don't put any files into this bucket!) Note that new S3 buckets now have Block Public Access enabled by default, so the console will reject a public bucket policy until you turn that setting off for the bucket; the account-level Block Public Access setting must also be off. Use the following bucket policy to open the contents of the bucket to the world. Replace the placeholder bucket name with your own, and keep both asterisks: s3:* grants anonymous write and delete as well as read (s3:GetObject alone would be enough to trip the guardrail), and the trailing /* is what makes the statement apply to the objects in the bucket:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "s3:*",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-noncompliant-bucket-name/*",
          "Principal": "*"
        }
      ]
    }

The following screenshot shows what the bucket policy screen will look like:

Bucket policy

The S3 console makes it very obvious when you have created a public bucket since it is considered bad practice!
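It helps to understand what the detective guardrail is actually looking for before you trip it. The following script is an added example for this recipe (not code from the original page, from Control Tower or from AWS): an offline approximation of the check that the guardrail's AWS Config rule, s3-bucket-public-read-prohibited, performs on a bucket policy, so you can screen a policy before it ever reaches a provisioned account. It runs the recipe's non-compliant policy beside a hardened version that grants read access only to one IAM role and a conditional variant that is anonymous only via a VPC endpoint. The bucket name, account ID, role name and VPC endpoint ID are placeholders, and the three policies are constructed test inputs.

```python
"""Offline check for S3 bucket policies that grant anonymous read access.

Added example, not the recipe's own code and not the real Config rule: it
flags Allow statements whose principal is the wildcard and whose actions
cover object reads. Policies at the bottom are constructed test inputs with
placeholder identifiers.
"""
import fnmatch
import json

# Actions that let a principal read object data or list keys.
READ_ACTIONS = ("s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket")


def _as_list(value):
    """IAM lets most policy fields be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """Both "*" and {"AWS": "*"} mean anyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and accept '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def public_read_findings(policy):
    """Return one finding per statement that grants anonymous read access.

    Each finding is {"sid": <Sid or statement[i]>, "conditional": bool}.
    Statements with a Condition block are still reported: a Condition only
    narrows which anonymous callers qualify (for example a VPC endpoint), and
    a reviewer has to decide whether that narrowing is acceptable.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if "NotAction" in stmt:
            # "Allow everything except X" to "*" is public unless X covers
            # every read action.
            patterns = _as_list(stmt["NotAction"])
            grants_read = any(
                not any(_action_matches(p, a) for p in patterns)
                for a in READ_ACTIONS
            )
        else:
            patterns = _as_list(stmt.get("Action"))
            grants_read = any(
                _action_matches(p, a) for p in patterns for a in READ_ACTIONS
            )
        if grants_read:
            findings.append({"sid": stmt.get("Sid", f"statement[{idx}]"),
                             "conditional": "Condition" in stmt})
    return findings


def is_public_read(policy):
    """True when any statement grants unconditional anonymous read access."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    return any(not f["conditional"] for f in public_read_findings(policy))


BUCKET = "arn:aws:s3:::my-noncompliant-bucket-name"  # placeholder bucket

# The recipe's deliberately public policy (constructed copy).
NONCOMPLIANT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "s3:*", "Effect": "Allow",
     "Resource": f"{BUCKET}/*", "Principal": "*"}]}

# Hardened alternative: one named role may read, and plaintext HTTP is denied.
# Account ID and role name are placeholders.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReadOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/AppReader"},
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, f"{BUCKET}/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

# Anonymous read, but only from one VPC endpoint (placeholder ID): reported
# as a conditional finding for human review rather than as public.
VPCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": f"{BUCKET}/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

if __name__ == "__main__":
    for name, pol in [("noncompliant", NONCOMPLIANT_POLICY),
                      ("hardened", HARDENED_POLICY), ("vpce", VPCE_POLICY)]:
        print(name, "public:", is_public_read(pol), public_read_findings(pol))
```

The script only reads the bucket policy. The real Config rule also takes the bucket's ACL and its Block Public Access settings into account, which is why turning Block Public Access back on is the quickest way to get a bucket out of the Non-compliant resources list even if the policy above is still attached.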

  22. Log out of the console and out of SSO. Then, log back in as the administrator. Detective guardrails are evaluated by AWS Config, which takes some time to run against the new bucket; once the rule has evaluated it, go back to the guardrail screen and you should see the warning under Non-compliant resources:

Guardrail components

At this point, you have created the basis for a secure, enterprise-ready account foundation on AWS. If you do not plan to continue using these accounts, be sure to go to each account and clean up the resources, as you may incur some future charges.
