This sample repository helps you to deploy a simple solution to watch for newly created accounts in your organization and submit a support case requesting the new account to have Enterprise Support enabled.

WARNING: This repository and its contents are only meant for Enterprise Support customers, as it is required to interact with AWS Support API and enable Enterprise Support to child accounts.

This solution should be deployed to your main account, where the new accounts are created.

This CloudFormation template will create in your account:

1. An IAM role with permissions to execute your Lambda function, and interact with AWS Support API.
2. AWS Lambda function, that will submit the support case requesting Enterprise Support to be enabled in the newly created account
3. EventBridge Rule, which will be matching the event for CreateAccountResult and passing this event to AWS Lambda
4. AWS Lambda Permission, which allows the event from EventBridge rule to trigger the AWS Lambda.

1. When you create a new account in your organization, a new event CreateAccountResult will be generated in your CloudTrail.
2. The EventBridge rule will match this event if the creation state is SUCCEEDED and trigger the AWS Lambda function for processing, passing the whole Event body to the function.
3. The Lambda function will parse the Event body and look for the Account ID of the newly created account.
4. Having the Account ID, the function will connect to the AWS Support API and submit the support case, requesting Enterprise Support to be enabled on the newly created account. The support case will be created with a Production System Impaired severity.

To facilitate the implementation of this solution, you can simply deploy the CloudFormation template from this repository. You can also find the EventSample.json and rule.json used for this implementation on the samples directory and use this information to build the same manually if you prefer.

• Download or clone the repository

To start the deployment, clone this repository to the desired location, or download it as a ZIP file. On this example, I will be downloading it as a ZIP file.

• Extract files

Extract the files from the ZIP

• Open your AWS Managed Console

Using your preferred browser, open the AWS Managed Console.

• Navigate to the CloudFormation console

• Create a new Stack

On the top right corner of the page, click on Create stack -> With new resources (standard)

In the Prerequisite - Prepare template session, make sure the Template is ready option is selected.

For the Specify template, select Upload a template file and choose the template/EnableES.yaml file you downloaded from this repository.

Click in Next.

On the Specify stack details section, provide a name to your stack. This name will be added to the name of resources created on the stack. I will choose EnableES as stack name.

Click in Next.

On the Configure stack options section, you can provide Tags if you wish. Leave all the remaining fields as default.

On the bottom of the page, click Next.

On the Review STACK_NAME page, scroll all the way down, make sure the check box I acknowledge that AWS CloudFormation might create IAM resources is checked, and click in Create stack.

The setup process might take a few minutes to complete. Click on the Refresh icon until you see CREATE_COMPLETE for the stack.

To validate the setup was completed successfully, check the Resources tab of your newly created Stack.

Click on the EnableESFunction Physical ID to open the AWS Lambda Function.

It will open the AWS Lambda Function in a new tab of your browser.

In the Lambda Function page, you should be able to see the EventBridge (CloudWatch) as a trigger for the code. Seeing the EventBridge (CloudWatch) as the trigger for the code indicates the Lambda permissions are set correctly and EventBridge is able to invoke the function.

Click in the EventBridge (CloudWatch) to see available triggers for this function.

Only EventBridge (CloudWatch Events): NewAccountRule should be listed as a trigger.

You can click on Details to verify the Event pattern to match this rule.

On the left panel for your Lambda function, click on Permissions to validate the IAM Role associated with the function.

You will see there is a role associated with the function. This role name must start with EnableES-EnableESRole- and is the role that authorizes the function to be executed and to communicate with AWS Support API, submiting the support case to request enabling Enterprise Support on the newly created account.

If you click on the role name to see the details about the role, expand the AutoES policy to see the operations the role is allowed to perform.

If you confirm all the the steps of this document were executed as expected, the next you create a new account in your organization, it will automatically submit a support case requesting Enterprise Support to be enabled in the newly created account with a Production System Impaired severity.

Once you confirmed the automation to request enabling Enterprise Support on the newly created account works as exected, if you decide to delete all the associated resources:

• Navigate again to the CloudFormation console,
• List your stacks
• Select the EnableES stack
• Click on Delete
• Click on Delete stack to confirm your action
• Wait until the deletion is completed