Control Tower and AWS SSO


This document describes the AWS Control Tower activation project and access via AWS SSO with Azure AD.


Infrastructure used to perform all configuration steps:

  • AWS Organizations
  • AWS Control Tower

Customer Need

The Ambev customer requested the creation of a new environment for the DOM Project, without influencing the settings of the other environments already created in AWS.

Another point to consider is access to AWS through users already created in Azure AD, without the need to create other users in the AWS environment.

We held a few meetings with the customer's design team and the AWS team of architects to come up with solutions that would meet the customer's needs. We had great support from AWS through Rodrigo Monteiro and David Garibaldi, who introduced us to the AWS Control Tower and AWS SSO solutions and provided some training on the Well-Architected Framework and on AWS security topics.

Control Tower Deployment

After defining the architecture of the accounts, we surveyed the activities required to activate AWS Control Tower and segment the accounts into Organizational Units (OUs), as shown in the image below:

After activating AWS Organizations in all legacy AWS accounts, we were able to activate the AWS Control Tower feature and created the 6 AWS Accounts with their respective.

AWS SSO Deployment

After deploying the accounts in which the environments would be provisioned, it was necessary to configure access to the AWS environment for the Azure AD groups without creating new users.

Together with Eduardo Horacio from the Ambev Security team, we created the Enterprise Application in Azure AD, configured it with AWS SSO and synchronized a set of groups, each mapped to customized roles specific to one type of use in AWS.
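As an added illustration (not part of the original project documentation) of the per-use-type mapping described above, the Terraform fragment below binds one read-only permission set to an Azure AD group that has been synced into the AWS SSO identity store; the group display name, the target account ID and the session duration are assumed placeholder values.

```hcl
# Added example: one permission set per type of use, assigned to an Azure AD group
# synced into AWS SSO. Assumed values: group display name, account ID, session duration.

data "aws_ssoadmin_instances" "this" {}

locals {
  sso_instance_arn  = tolist(data.aws_ssoadmin_instances.this.arns)[0]
  identity_store_id = tolist(data.aws_ssoadmin_instances.this.identity_store_ids)[0]
  dom_account_id    = "111111111111" # placeholder, not a real account
}

# Look up the synced group by the display name it carries in Azure AD.
# The group is never created here: it must come from the SCIM sync,
# so membership stays governed in Azure AD.
data "aws_identitystore_group" "dom_readonly" {
  identity_store_id = local.identity_store_id

  alternate_identifier {
    unique_attribute {
      attribute_path  = "DisplayName"
      attribute_value = "AWS-DOM-ReadOnly" # assumed group name
    }
  }
}

# Least-privilege permission set for the read-only use type.
resource "aws_ssoadmin_permission_set" "dom_readonly" {
  name             = "DOM-ReadOnly"
  description      = "Read-only access to the DOM project account"
  instance_arn     = local.sso_instance_arn
  session_duration = "PT4H" # assumed; shorter sessions limit token reuse
}

resource "aws_ssoadmin_managed_policy_attachment" "dom_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.dom_readonly.arn
  managed_policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Bind the group to the permission set in the DOM account only, so the
# assignment cannot bleed into the legacy accounts.
resource "aws_ssoadmin_account_assignment" "dom_readonly" {
  instance_arn       = local.sso_instance_arn
  permission_set_arn = aws_ssoadmin_permission_set.dom_readonly.arn
  principal_type     = "GROUP"
  principal_id       = data.aws_identitystore_group.dom_readonly.group_id
  target_type        = "AWS_ACCOUNT"
  target_id          = local.dom_account_id
}
```

Each additional type of use gets its own permission set and assignment in the same pattern, so an account assignment can be audited group by group.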

After this configuration, it was possible to access the AWS management console through Microsoft's MyApps, as follows:


At the customer's request, the current infrastructure was studied and a way to set up a new environment was sought without influencing the other environments. We used AWS solutions to achieve the project's objectives, and with the implementation of AWS Control Tower the client was fully served, gaining better segmentation of the accounts in line with the principles of the AWS Well-Architected Framework.

With the accounts created, we performed the second configuration, which allowed Ambev users already present in Azure AD to access AWS through a single sign-on path. This eliminated the need to create new users, brought greater security to the environment and maintained the company's security and compliance parameters.