Kickstart and manage your AWS Organization via Terraform — PrimeHarbor's opinionated alternative to Control Tower.
📖 Full documentation, setup, and parameter reference: aws-kickstart.org
The default branch is latest and always holds the most recent changes. Each release is a
frozen, tagged version (e.g. 0.3.0).
- Track the newest code: `source = "github.com/primeharbor/org-kickstart"`
- Pin to a release: `source = "github.com/primeharbor/org-kickstart?ref=0.3.0"`
We target quarterly releases, but may cut a new version sooner when significant new AWS organization-management features warrant it. See the Releases page.
Control Tower sucks. It's a massive beast designed to support highly regulated companies with a cloud compliance framework that's more than what most companies need. Control Tower is hard to adjust, missing some key features, and lags behind AWS best practices (it took a long time for Organizations CloudTrail and GuardDuty Delegated Admin to be supported). You need a PhD in AWS Service Catalog to modify anything. It heavily leverages AWS Config, making it very expensive for small orgs.
Most orgs implement Control Tower because their AWS SA was told to tell them to, or because they needed some form of "account factory", and you can easily click a button to fully provision an account.
The Org Kickstart is intended to be a landing zone for the rest of us. Deployed in a brand new AWS account (after a few artisanal steps are completed), it will deploy the good parts of Control Tower/Landing Zones without all the expensive cruft.
org-kickstart is intended to support all the basic things needed to set up a properly governed and secure AWS organization from scratch. It will:
- Create a Security Account (required)
- Delegate access for GuardDuty, Macie, Inspector, Security Hub, SSO, and CloudFormation to the Security Account
- Configure GuardDuty, Macie, Inspector, and Security Hub in every default region for all accounts
- Create a CloudTrail bucket in the Security Account, and enable an Organizations CloudTrail in the Management (Payer) Account
- Set the alternate contacts for Billing, Operations, and Security for all AWS accounts
- Create four default Organizational Units (OUs), along with any custom OUs defined in tfvars:
  - Workloads (required)
  - Governance (required)
  - Sandbox (required)
  - Suspended (required)
- Create a default AI Opt-out policy and apply it to the root OU (required)
- Manage AWS account and OU placement
- Create a CloudFormation Delegated Admin StackSet to deploy, in all accounts, an Audit Role that trusts the Security Account
- Create an S3 bucket for Billing Reports and an Athena-compatible CUR report on a customizable frequency
- Enable all the important Organization Integrated Services (required):
  - IAM Access Analyzer
  - AWS Account Portal
  - AWS Backup
  - CloudTrail
  - AWS Config
  - Firewall Manager
  - GuardDuty & GuardDuty Malware Protection
  - Personal Health Dashboard
  - AWS Inspector (v2)
  - License Manager
  - Macie (v2)
  - CloudFormation StackSets
  - Resource Access Manager
  - Trusted Advisor
  - Security Hub
  - SSM
  - AWS IAM Identity Center (SSO)
- Manage Service Control Policies, Declarative Policies, and Resource Control Policies, and allow templating of RCPs/SCPs/DPs
- Grant admin access to all accounts via AWS Identity Center:
  - Create an AdministratorAccess AWS Identity Center PermissionSet
  - Create an Identity Center Group
  - Assign the PermissionSet and Group to every account
While this is intended to be the "highly opinionated" solution "for the rest of us", many options are configurable or can be disabled. Only the items above marked "required" cannot be disabled.
You will need to create the new AWS account and enable IAM Identity Center (SSO) by hand before using org-kickstart — see BOOTSTRAP.md (or the Bootstrap guide).
Then copy `examples/local-deploy` into your own private repo to manage your organization. The complete walkthrough — repo setup, an annotated tfvars example, and the full parameter reference — lives on aws-kickstart.org.
org-kickstart can adopt an existing organization. See IMPORTING.md and the Importing guide. Note that org import is experimental and incomplete — review the plan closely to confirm what is imported versus created. A number of features can be disabled when adopting a more complex org (e.g. `cloudtrail_bucket_name = null`, `disable_sso_management = true`, `deploy_audit_role = false`).
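To show how the two configuration points named in this README fit together (pinning the module `source` to a release tag, and the overrides used when adopting an existing organization), here is an added root-module example. It is not code from the org-kickstart repository; the `terraform` block, the S3 backend, the provider region, and the state-bucket name are assumptions for illustration, and the module's other required inputs (which this README does not name) are omitted and must be taken from the parameter reference on aws-kickstart.org.

```hcl
# Added example, not part of org-kickstart. Assumptions: state is kept in an S3
# bucket in the management (payer) account, and credentials for that account are
# supplied through the environment (e.g. an Identity Center profile).

terraform {
  required_version = ">= 1.5"

  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
  }

  # Assumed backend; replace the bucket name with your own.
  backend "s3" {
    bucket = "REPLACE-WITH-YOUR-STATE-BUCKET"
    key    = "org-kickstart/terraform.tfstate"
    region = "us-east-1"
  }
}

# Assumed: runs as the management (payer) account, which Organizations requires.
provider "aws" {
  region = "us-east-1"
}

module "org_kickstart" {
  # Pinned to a frozen release tag rather than the moving "latest" branch, so a
  # re-run cannot silently pick up new org-wide policy changes; bump the ref only
  # after reading the release notes and reviewing `terraform plan`.
  source = "github.com/primeharbor/org-kickstart?ref=0.3.0"

  # Overrides from the "adopting an existing organization" notes above; each one
  # leaves an existing control untouched until you are ready to hand it over.
  cloudtrail_bucket_name = null  # keep the existing CloudTrail bucket for now
  disable_sso_management = true  # leave current Identity Center assignments as-is
  deploy_audit_role      = false # do not push the Audit Role StackSet yet

  # Remaining required inputs (security account details, OU definitions, contacts,
  # etc.) are not listed in this README; see the parameter reference on
  # aws-kickstart.org and the annotated tfvars example in examples/local-deploy.
}
```

When adopting an org, run `terraform plan` with these overrides first and read every planned create versus import before applying; flip each override back to its default in a separate, reviewed change so that the effect on CloudTrail, SSO, and the audit role is visible on its own.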