

# Customizations for AWS Control Tower (CfCT) overview


*Customizations for AWS Control Tower* (CfCT) helps you customize your AWS Control Tower landing zone and stay aligned with AWS best practices. Customizations are implemented with AWS CloudFormation templates and service control policies (SCPs).

This CfCT capability is integrated with AWS Control Tower lifecycle events, so that your resource deployments remain synchronized with your landing zone. For example, when a new account is created through account factory, all resources attached to the account are deployed automatically. You can deploy the custom templates and policies to individual accounts and organizational units (OUs) within your organization.

**Note**  
The target organizational unit (OU) configured in CfCT must have AWSControlTowerBaseline enabled in AWS Control Tower. For details of AWSControlTowerBaseline, see: [Baseline types that apply at the OU level](types-of-baselines.md#ou-baseline-types).

The following video describes best practices for deploying a scalable CfCT pipeline and common CfCT customizations.

[![AWS Videos](https://img.youtube.com/vi/fDtxiBW_J8I/0.jpg)](https://www.youtube.com/watch?v=fDtxiBW_J8I)


The following section provides architectural considerations and configuration steps for deploying Customizations for AWS Control Tower (CfCT). It includes a link to the [AWS CloudFormation](https://aws.amazon.com/cloudformation) template that launches, configures, and runs the required AWS services, in alignment with AWS best practices for security and availability.

*This topic is intended for IT infrastructure architects and developers who have practical experience architecting in the AWS Cloud.*

For information about the latest updates and changes to Customizations for AWS Control Tower (CfCT), refer to the [CHANGELOG.md file](https://github.com/aws-solutions/aws-control-tower-customizations/blob/master/CHANGELOG.md) in the GitHub repository.

# Architecture overview

Deploying CfCT builds the following environment in the AWS Cloud, with an Amazon S3 bucket as a configuration source.

![\[Customizations for AWS Control Tower architecture diagram\]](http://docs.aws.amazon.com/controltower/latest/userguide/images/customizations-for-aws-control-tower-architecture-diagram.png)


CfCT includes an AWS CloudFormation template that you deploy in your AWS Control Tower management account. The template launches all the components necessary to build the workflows, so you can customize your AWS Control Tower landing zone.

**Note**  
CfCT must be deployed in the AWS Control Tower home Region and in the AWS Control Tower management account, because that is where your AWS Control Tower landing zone is deployed. For information about setting up an AWS Control Tower landing zone, refer to [Getting started with AWS Control Tower](getting-started-with-control-tower.md).

As you deploy CfCT, it packages and uploads the custom resources to the code pipeline source, by means of [Amazon Simple Storage Service](https://aws.amazon.com/s3/) (Amazon S3). The upload process automatically invokes the service control policies (SCPs) state machine and the [AWS CloudFormation StackSets](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/what-is-cfnstacksets.html) state machine to deploy the SCPs at the OU level, or to deploy stack instances at the OU or account level.

**Note**  
By default, CfCT creates an Amazon S3 bucket to store the pipeline source. If you have an existing AWS CodeCommit repository, you can change the location to a [CodeCommit](https://aws.amazon.com/codecommit/) repository. For more information, refer to [Set up Amazon S3 as the configuration source](cfct-s3-source.md).

**CfCT deploys two workflows:**
+ an [AWS CodePipeline](https://aws.amazon.com/codepipeline/) workflow
+ an AWS Control Tower lifecycle event workflow

**The AWS CodePipeline workflow**

The AWS CodePipeline workflow configures AWS CodePipeline, [AWS CodeBuild](https://aws.amazon.com/codebuild/) projects, and [AWS Step Functions](https://aws.amazon.com/step-functions/) that orchestrate the management of AWS CloudFormation StackSets and SCPs in your organization. 

When you upload the configuration package, CfCT invokes the code pipeline to run three stages.
+ **Build Stage** – validates the contents of the configuration package using AWS CodeBuild.
+ **SCP Stage** – invokes the service control policy state machine, which calls the AWS Organizations API to create SCPs.
+ **CloudFormation Stage** – invokes the stack set state machine to deploy the resources specified in the list of accounts or OUs, which you've provided in [the manifest file](the-manifest-file.md).

At each stage, the code pipeline invokes the stack set and SCP step functions, which deploy custom stack sets and SCPs to the targeted individual accounts, or to an entire organizational unit.

**Note**  
For detailed information about customizing the configuration package, refer to [CfCT customization guide](cfct-customizations-dev-guide.md).

**The AWS Control Tower lifecycle event workflow**

When a new account is created in AWS Control Tower, a [lifecycle event](lifecycle-events.md) can invoke the AWS CodePipeline workflow. You can customize the configuration package through this workflow, which consists of an [Amazon EventBridge](https://aws.amazon.com/eventbridge/) event rule, an [Amazon Simple Queue Service](https://aws.amazon.com/sqs/) (Amazon SQS) first-in first-out (FIFO) queue, and an [AWS Lambda](https://aws.amazon.com/lambda/) function.

When the Amazon EventBridge event rule detects a matching lifecycle event, it passes the event to the Amazon SQS FIFO queue, invokes the AWS Lambda function, and invokes the code pipeline to perform downstream deployment of stack sets and SCPs.
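The lifecycle-event path described above, as an added Python illustration that is not CfCT's own Lambda code: it filters a CreateManagedAccount event the way the EventBridge rule does and works out which manifest stack sets target the new account's OU. The manifest, the event, and the match-by-OU logic are constructed for this example.

```python
import json

# Constructed sample: a CfCT manifest (schema version 2021-03-15) written as a Python dict; names and files are invented.
MANIFEST = {
    "region": "us-east-1",
    "version": "2021-03-15",
    "resources": [
        {"name": "deny-leave-org", "resource_file": "policies/deny-leave-org.json", "deploy_method": "scp",
         "deployment_targets": {"organizational_units": ["Sandbox", "Workloads"]}},
        {"name": "cloudtrail-alarms", "resource_file": "templates/alarms.yaml", "deploy_method": "stack_set",
         "deployment_targets": {"organizational_units": ["Workloads"]}, "regions": ["us-east-1", "eu-west-1"]},
        {"name": "sandbox-budget", "resource_file": "templates/budget.yaml", "deploy_method": "stack_set",
         "deployment_targets": {"accounts": ["111111111111"]}, "regions": ["us-east-1"]},
    ],
}

# Constructed sample of the CreateManagedAccount lifecycle event, trimmed to the fields the rule and function need.
EVENT = json.loads("""{
  "source": "aws.controltower",
  "detail-type": "AWS Service Event via CloudTrail",
  "detail": {
    "eventName": "CreateManagedAccount",
    "serviceEventDetails": {"createManagedAccountStatus": {
      "state": "SUCCEEDED",
      "account": {"accountName": "workload-a", "accountId": "222222222222"},
      "organizationalUnit": {"organizationalUnitName": "Workloads", "organizationalUnitId": "ou-example"}}}}}""")

def parse_create_account_event(event):
    """Return (account_id, ou_name) for a successful CreateManagedAccount event, else None."""
    if event.get("source") != "aws.controltower" or event.get("detail-type") != "AWS Service Event via CloudTrail":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None  # a FAILED provisioning event carries no account to deploy to
    return status["account"]["accountId"], status["organizationalUnit"]["organizationalUnitName"]

def stack_sets_for_account(manifest, account_id, ou_name):
    """Names of stack_set resources targeted at this account by OU or by account id (SCPs attach at OU level)."""
    hits = []
    for res in manifest["resources"]:
        if res["deploy_method"] != "stack_set":
            continue  # an SCP on the OU already applies to the new account
        targets = res.get("deployment_targets", {})
        if ou_name in targets.get("organizational_units", []) or account_id in targets.get("accounts", []):
            hits.append(res["name"])
    return hits
```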

# Cost

The cost for running CfCT depends on the number of AWS CodePipeline runs, the duration of AWS CodeBuild runs, the number and duration of AWS Lambda functions, and the number of Amazon EventBridge events published. For example, if you run 100 builds in one month using **build.general1.small** where each build runs for five minutes, then the approximate cost for running CfCT is **\$13.00 per month**. For full details, you can review the pricing webpage for each AWS service you are running.

The Amazon Simple Storage Service (Amazon S3) bucket and AWS CodeCommit Git-based repository resources are retained after you delete the template, to protect your configuration information. Depending on the option you select, you are charged based on the amount of data stored in the Amazon S3 bucket and, for the CodeCommit option only, the number of Git requests. Refer to [Amazon S3](https://aws.amazon.com/s3/pricing/) and [AWS CodeCommit](https://aws.amazon.com/codecommit/pricing/) pricing for details.