AllCode and URComped’s Control Tower Migration
URComped is a third-party marketing company for various casinos that helps direct casinos with competitive offerings to potential customers. URComped makes extensive use of casinos’ previous plays and games to evaluate expected losses to be labeled as marketing expenses.
AllCode was brought on board to perform an AWS Well-Architected Framework Review (WAFR) and to assist URComped in becoming SOC 2 compliant. In the process of remediating the WAFR, we had to migrate URComped from an existing Organizational Unit (OU) to a new OU that was built with AWS Control Tower. This proved more challenging than expected.
About URComped
URComped is a platform that gives users a list of the best possible offers from a variety of casinos and gambling-centric cruise lines. After signup, casinos can provide images and details about their organization and offerings for URComped to evaluate. From there, standard customers can search for the cruise liners and vacation spots featured at such casinos and choose based on what they want to play and which offerings are best.
The URComped platform is written in Microsoft’s C# leveraging IIS, HangFire, and RDS SQL Server. The C# application was originally deployed using Elastic Beanstalk, but Elastic Beanstalk support for .NET is being sunset, so we migrated them to dockerized services whose images get stored in Amazon Elastic Container Registry (ECR) and deployed to Amazon Elastic Container Service (ECS) through the use of CloudFormation templates.
The Challenge
AWS Control Tower offers a new layer of flexibility to a cloud environment. It is easy to set up, comes integrated with governance features, and enforces best practices for an AWS environment. However, it is difficult to set up in an existing AWS environment. A Control Tower cannot be established with a default AWS VPC (virtual private cloud). Unfortunately for URComped, they already had multiple AWS resources tied to their existing VPC.
How AllCode helped URComped
The job required a migration of accounts and resources from the previous AWS Organization to a new Organization with a Control Tower already set up.
Preparation of Existing Assets
To ensure the best experience, everything that is migrated needs to match exactly, one-to-one. This includes the permissions and parameters of the AWS resources incorporated into the new environment, which need to stay the same. Well in advance of the migration, we made a list of the resources in the existing account that URComped still needed to integrate with the new Control Tower account and the new AWS Organization.
The New Management Account
With the exception of already having the accounts and resources, we were effectively building a new AWS Organization from scratch. We could not just pull the central AWS account from the old management account, since the old management account still manages it, so we made a new one to build the new Organization around. After setting up the new environment and putting security and compliance settings in place, we could properly construct the new Organization.
The Destination Organization
AWS does have multiple tools to make this move as smooth as possible. AWS Organizations will create an organization that includes the new Control Tower with the new account we had just made. AWS resource access needs to be set up correctly, requiring us to make full use of AWS Resource Access Manager (RAM). Once the old Organization is emptied out, it can be shut down, and the old management account can be orphaned and then either shut down as well or brought over to the new environment. Once it is inside, permissions can be restored to the original management account.
Testing Functionality
Far too much can go wrong during this phase. As stated earlier, parameters must be one-to-one. Validate that the resources are accessible in the new Control Tower account. We stress-tested the new Organization thoroughly to ensure that business processes would function as expected and that compliance policies were being correctly applied to any resources.
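One way to check the one-to-one requirement during testing, shown as an added example and not AllCode's or URComped's own tooling: compare a resource inventory from the old account against the new one after masking the account ID that differs between their ARNs. The account IDs, inventories, and config keys are constructed sample data, and `normalize`, `index`, and `parity_report` are hypothetical names.

```python
import re

# Constructed sample inventories (not URComped data): one entry per resource,
# as an export script might collect them from each account.
SOURCE_ACCOUNT, DEST_ACCOUNT = "111111111111", "222222222222"
SOURCE = [
    {"arn": "arn:aws:ecs:us-east-1:111111111111:service/web/api",
     "config": {"desiredCount": 2,
                "taskRole": "arn:aws:iam::111111111111:role/api-task"}},
    {"arn": "arn:aws:rds:us-east-1:111111111111:db:app-sql",
     "config": {"StorageEncrypted": True, "PubliclyAccessible": False}},
    {"arn": "arn:aws:ecr:us-east-1:111111111111:repository/api",
     "config": {"scanOnPush": True}},
]
DEST = [
    {"arn": "arn:aws:ecs:us-east-1:222222222222:service/web/api",
     "config": {"desiredCount": 2,
                "taskRole": "arn:aws:iam::222222222222:role/api-task"}},
    {"arn": "arn:aws:rds:us-east-1:222222222222:db:app-sql",
     "config": {"StorageEncrypted": True, "PubliclyAccessible": True}},
]

def normalize(value, account_id):
    """Mask the owning account ID so values from both accounts compare equal."""
    if isinstance(value, str):
        return re.sub(rf"\b{account_id}\b", "<ACCOUNT>", value)
    if isinstance(value, dict):
        return {k: normalize(v, account_id) for k, v in value.items()}
    if isinstance(value, list):
        return [normalize(v, account_id) for v in value]
    return value

def index(inventory, account_id):
    """Map normalized ARN -> normalized config for one account's inventory."""
    return {normalize(r["arn"], account_id): normalize(r["config"], account_id)
            for r in inventory}

def parity_report(source, source_id, dest, dest_id):
    """Return resources missing from, extra in, or drifted in the destination."""
    src, dst = index(source, source_id), index(dest, dest_id)
    drift = {}
    for arn in src.keys() & dst.keys():
        keys = src[arn].keys() | dst[arn].keys()
        changed = {k: (src[arn].get(k), dst[arn].get(k)) for k in keys
                   if src[arn].get(k) != dst[arn].get(k)}
        if changed:
            drift[arn] = changed
    return {"missing": sorted(src.keys() - dst.keys()),
            "unexpected": sorted(dst.keys() - src.keys()),
            "drift": drift}

if __name__ == "__main__":
    print(parity_report(SOURCE, SOURCE_ACCOUNT, DEST, DEST_ACCOUNT))
```

In the sample data the report flags the ECR repository as missing from the new account and the database's `PubliclyAccessible` setting as changed, while the ECS service passes because its role ARN differs only by account ID.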
Finalization and Launch
We fully documented the process, including any changes made to the resources during the integration process, so that URComped’s own team can still manage their own AWS Environment. Before we fully concluded, we provided the staff with additional training on the new process and policies set up on the new account.
How Migration Helped URComped
Using Control Tower for an AWS Environment makes operations much safer. In addition to the enforced policies and safety measures, it grants greater visibility into all events going in or out of an AWS Organization.