Sign up for our newsletter! →


From AFT to ATO: The Prequel

Written By
Michael Greenlaw HanaByte blog on AFT to ATO

How to Get Started with FedRAMP Automation

This blog is part of a series: Check out part 1 here!

In the last installment of this blog series, we covered how to create a new AWS environment using AFT and the beginnings of using AFT pipelines to generate infrastructure. The purpose of this installment was originally to continue our journey; however, I was fortunate enough to speak on this topic in-depth at HashiTalks. Due to its technical nature, we thought it better to complete the blog series by taking a step back and providing a discussion about what the tool is, the problems it solves, and how it can empower us.

AWS Control Tower Account Factory for Terraform (AFT), is a tool built through the collaboration of HashiCorp and AWS. The idea is to allow us to leverage Terraform-based account provisioning and account customizations, while providing a way to govern said accounts with AWS Control Tower. This is done by creating accounts and Organizational Units (OUs) in Control Tower, using Terraform to create pipelines within AWS CodePipeline, then importing the CT accounts/OUs into pipelines. Thus allowing for provisioning and customizations to be applied to the accounts. Once all steps are completed, you are able to manage the state of the Control Tower governed accounts with Terraform. This enables you to customize accounts with a supplied automation pipeline; however, what is the importance of these features?

The importance derives from complications that arise when going for Federal Risk and Authorization Management Program (FedRAMP) approval. When companies begin their journey to obtaining an Authority to Operate (ATO) with AWS, an often-recurring issue identified by HanaByte is the scale of the authorization boundary. The authorization boundary can officially be defined as “all components of an information system to be authorized for operation by an authorizing official. This excludes separately authorized systems to which the information system is connected.” Simply put, it is a boundary that separates our FedRAMP-govern cloud environments from non-regulated federal data environments. When considering the effort required to create a logical separation of boundaries within a preexisting application’s cloud environment, it can be much easier to create an entirely different account or organization of accounts. In such a case, we now need to create AWS Accounts, Organizations, guardrails, pipelines, Infrastructure as Code (IaC), etc., all of which AFT either does or streamlines for us. It empowers us to bridge the gap between a greenfield AWS account and receiving an ATO, through 4 key features and benefits:

  • Automating Account Creation
  • Infrastructure as Code
  • Centralized Governance and Compliance
  • Scalability and Customizability

Automating Account Creation

The initial process is to create accounts using AWS Control Tower. From an engineer’s perspective, this task is not fully automated, but it does achieve the goal of having the account imported into our Terraform pipelines. Upon post-importation, we’re able to create new accounts using standardized Terraform templates that provide us with predefined IAM roles, policies, and resource limits. This process not only accelerates the provisioning and customization of accounts, but effectively ensures error-free account configurations.

Infrastructure as Code

By defining AWS account configurations in Terraform manifests, we are able to utilize version control to collaborate and iterate on account settings and customizations. The pipelines and AWS Step Functions are generated automatically, and the solution natively integrates with CodeCommit providing the capability to keep all tooling native to AWS.

Centralized Governance and Compliance

By encapsulating governance policies and compliance controls within Terraform templates, AFT can enforce standardized configurations across all AWS accounts. Additionally, using the global configurations, changes can be applied to all accounts being tracked by the AFT Terraform state. This centralized approach not only bolsters security, but also streamlines auditing and compliance efforts.

Scalability and Customization

As environments scale, so does AFT. Adding new accounts via Terraform automatically generates new pipelines, streamlining creation of workload accounts. By utilizing Terraform modules in this process, AFT is able to repeatedly create and destroy customized environments tailored to your compliance needs.


With continuous updates and relatively low deployment costs, AFT continues to be a top contender for Terraform automation of AWS Control Tower resources. It empowers us to create scalable, governed and compliant environments from scratch, while simultaneously streamlining our ability to create tailored FedRAMP customizations. There are many different ways to approach FedRAMP, and many tools to select from. Thus, it’s imperative to assess one’s environment before embarking on such a journey, as picking the right tools can drastically reduce time to ATO. HanaByte is your partner in cybersecurity that specializes in compliance and automation, and would love to help you start your journey to ATO.

Browse Our Categories

Relevant Blogs

hanabyte blog, Hana ohana, Hanabyte
HanaByte Culture

The Significance of Top-Down Support in Shaping Company Culture

Leadership within an organization serves as the compass that sets the direction for the entire team. They epitomize the values and ethics that define the company. When leaders genuinely embrace the culture, it sends a strong message to the employees, emphasizing the importance of these values in their day-to-day activities.

Read More →
Patrick Davis for HanaByte blog on SASE

How SASE Can Benefit You

Secure Access Service Edge (SASE) is a “cloud architecture model that combines network and security-as-a-service functions together and delivers them as a single cloud service.” (Fortinet Cyberglossary) This solution allows hybrid organizations and their hybrid or remote workers to benefit from corporate security mechanisms anywhere they might be located, securely extending the network edge.

Read More →