AWS Control Tower Immersion Day
Posted by Chris McKinnel - 1 March 20215 minute read
In 2020 CCL became an AWS Immersion Day partner which saw CCL staff members get trained by AWS and be qualified to plan and deliver AWS Immersion Day content internally and to organisations throughout New Zealand.
AWS Immersion Days are basically hands-on workshops that are designed to totally immerse attendees in AWS technology and show them how to build solutions on the platform.
From the AWS Immersion Days website:
AWS Partner Network (APN) Immersion Days offer AWS Advanced and Premier Consulting Partners access to workshop content and tools developed by our AWS Solutions Architects and packages it for AWS Partners to use exclusively with their customers. Included in this package is a full suite of event management resources, including presentations, hands-on labs, and other assets that are custom built and address key customer questions.
Last week I ran ran an AWS Control Tower Immersion Day for internal CCL staff. It was a large undertaking as around 40 people attended the Immersion day across 4 cities, and was a large investment by CCL in its people if you consider what those 40 people would have been doing if they weren't in an all day training session.
We also had a couple of AWS people attend who were excited to see not only the level of investment, but the breadth of AWS resources CCL has at its disposal. With around 700 staff, CCL is a big engine and there are hidden pockets of AWS skills all throughout New Zealand. Running internal Immersion Days is a great way to find and unlock those pockets of skills.
CCL technical staff hard at work up-skilling on AWS Control Tower.
I ran the Immersion Day on AWS Control Tower, but instead of just running through the AWS Control Tower Labs, which are focused on showing customers what is possible with Control Tower, I wrote some custom CCL labs that outlined what we needed to do to make AWS Landing Zones customer ready, and included deploying proprietary CCL IP that builds on the baseline that AWS Control Tower gives us out of the box.
Making customer Landing Zones is sometimes not glamorous work, but I wanted to try and show everyone what was required to get our Landing Zones customer-ready, so things like making sure account names are consistent, email addresses are updated, MFA is set up on all of the root accounts, Security Hub is setup, GuardDuty is setup, etc.
Goals of the Control Tower Immersion Day
The main goal was to start to use CCL's scale to deliver best practice AWS Landing Zones throughout New Zealand, including in the regions which tend to be forgotten when there is such a large focus on the main centres like Auckland, Wellington and Christchurch.
With so many customers adopting AWS, there are Landing Zones that need to be deployed all around New Zealand. The more CCL staff we can enable to deploy them and the faster our deploys are, the faster we'll be able to accelerate New Zealand business adoption of AWS and public cloud in general.
Secondary goals were:
- Scale out the national CCL capability to deliver AWS Landing Zones
- Improve our automation and IP by crowd-sourcing solutions to known issues
- Discover pockets of AWS excellence within CCL
- Continue to embed a learning and upskilling culture
- Continue to strengthen our partership with AWS
- Have a bit of fun!
Learnings and Improvements
This was our first AWS Immersion Day and there were a few learnings that I took away from the process!
I was fairly ambitious with the timing of the labs, and attempted to cram in a total of 7 labs. Some people got through them all, but others got stuck on environment related issues (see below). With so many attendees, we probably could have chopped a couple of the labs out and dedicated more helper resources to unblocking those that were struggling.
Not surprisingly, not everyone uses a Unix-based operating system! We foolishly wrote our Landing Zone IP in a way that was best suited to run on Unix-based operating systems, which ended up causing a heap of issues on the day with our staff who were probably 90% Windows based.
This is probably a great excuse to wrap the deployment of our IP in some kind of GUI where our people deploying Landing Zones can self-service. Who knows, but what we do know is we'll be doing some work around this to make sure everyone has a smoother experience next time, and more importantly if they go to do this for a customer.
Account closure documentation with Landing Zones / Control Tower has some conflicting information that can be confusing. We had one attendee that was told he needed to unlink each of the Control Tower accounts before he could close them, and he went down the rabbit hole with AWS support.
I ran out of time and didn't write a detailed lab for closing accounts, so this could have been totally avoided.
Feedback Received
While we did a lot of learning, the feedback received was overall really positive. CCL staff were super keen to get involved in building out their own Landing Zones and see the nuts and bolts of what is being deployed for customers on a day-to-day basis.
The CCL Security team were particularly engaged, with each of them attempting to poke holes in our process and security guardrails.
This was a great event and was well run, despite the ambitious timing I felt that it was well paced and we were able to complete most of the work without issues.
It was very well set up and the material was great.
Excellent "big-picture" intro to how Control Tower fits with my own company's landing zone IP.
It was a good pace and I definitely learned a lot about the topic(s) of the day.
Achieved its goal of walkthrough of Control Tower Immersion.
Filled with useful content and attentive helpers.
I learnt things and had fun.
It was a very hands on and collaborative session.
Very informative. Interesting and engaging.
Overall it was an awesome day, and now we're on to the next one. Our first Immersion Day for external customers is happening in a couple of weeks!