A previous version of this post was published in December 2020 in the AWS Marketplace Blog. Welly Siauw, Sr. Technical Account Manager, AWS, contributed to this blog post.

AWS Control Tower: Multi-account setup and governance

Amazon Web Services (AWS) best practices for a well-architected environment recommend that you should separate your workloads into multiple AWS accounts. Using multiple AWS accounts provides a natural billing boundary for costs, isolates resources for security, gives flexibility for individuals and teams, in addition to being adaptable for new business processes.

AWS Control Tower helps customers of all sizes, across the globe, looking for the easiest way to set up their new multi-account AWS environment, and govern at scale. You have the confidence knowing accounts in your organization are compliant with established policies while your teams provision new AWS accounts quickly.

Using AWS Control Tower, you can set up an automated landing zone that employs best-practice blueprints for identity, federated access, centralized logging, and account structure among others.

Instant observability: Key to governance and operational agility

The AWS Control Tower dashboard provides continuous visibility into your AWS environment including AWS Organizations organizational units (OU) and accounts provisioned, guardrails enabled, and the compliance status of OUs and accounts against the guardrails. This dashboard is a good starting point for high-level visibility into your landing zone. Most landing zones develop over time. As you scale, the number of teams, workloads, and the number of organizations and accounts in your landing zone increases.

To scale with agility, you need instant observability and the ability to move faster. This is possible with the consolidation of operational data across all of your workloads and infrastructure, spanning across multiple accounts and regions, and sometimes across on-premises hybrid environments. This is critical for robust governance, risk management, and operational agility—at the scale of operating on potentially tens or even hundreds of accounts.

prometheus logo


Landing zone observability with New Relic

New Relic is an AWS Partner Network (APN)Advanced Technology Partner, focused on making observability available to all and simple to embrace. New Relic One is New Relic’s observability platform, available for free in the AWS Marketplace.

This blog post describes our new AWS Quick Start solution for landing zone observability and why it’s powerful. Learn how to:

  1. Deploy the Quick Start in your AWS environment.
  2. Use instant observability for proper governance and operational agility in your landing zone with New Relic.

AWS Quick Start for New Relic’s AWS Control Tower integration

AWS Marketplace now offers third-party software solutions for AWS Control Tower. You can find New Relic’s AWS Control Tower solution in the AWS Marketplace under the operational intelligence use case. In the spirit of making observability simple and available to all, New Relic is committed to providing open source solutions to our customers and everyone looking for observability. As a result of our strategic collaboration agreement with AWS, we are launching AWS Quick Start for New Relic’s AWS Control Tower solution, which streamlines the observability of your landing zone. With this solution, enrolled accounts in your AWS Control Tower managed organization are automatically observable with your New Relic One account from the moment they are launched. It also lets you observe existing accounts with New Relic, in case you've already set up your landing zone.

Why use the Quick Start?

  • Instant observability: Your accounts are automatically observable right from the moment they are launched or enrolled. No delays or configuration needed.
  • Frictionless onboarding: Use simple one-click deployment that finishes in a few minutes using the AWS Management Console or AWS Command Line Interface (AWS CLI). If you’ve already set up your landing zone, any existing accounts (already enrolled) will also be observable from the get-go. No work needed to onboard them. Moreover, you no longer need to link your landing zone accounts from your New Relic account, it’s all done for you automatically.
  • Effortless: After the Quick Start deploys in a few minutes, spend no further time managing your monitoring setup, as you scale your landing zone. More time at hand to build features and deliver value to your customers.
  • Moving faster with centralized governance: With New Relic, you can manage all operational data from your landing zone along with all the workloads running on it (and anything else not running on AWS) from one place, with no need to hop back and forth between multiple AWS accounts or another set of observability tools. With New Relic Explorer you gain access to immersive, high density, at-a-glance health or compliance views of your multi-account environment in New Relic, with no time spent setting things up. You can find sudden changes and anomalies faster so you know what to pay attention to at any given moment.
  • Flexible: Instrument your entire landing zone (default), or choose which accounts or organizations to monitor with New Relic.
  • Scale with ease: Monitor large landing zones spanning multiple AWS Regions and hundreds of accounts.
  • Ubiquitous: Launch and enroll your accounts using the tool you prefer, observing them instantly.

Quick Start overview

The Quick Start deploys the New Relic AWS integration into your landing zone accounts. The Quick Start is deployed using AWS CloudFormation. New Relic AWS integrations require you to grant New Relic permission to read operational data from your AWS accounts. This is achieved by using AWS Identity and Access Management (IAM) cross-account access. The New Relic AWS integration uses the Amazon CloudWatch API to obtain telemetry data for the AWS services you choose to observe. New Relic also pulls AWS tags from AWS Resource Groups Tagging API and other metadata from AWS services in order to decorate telemetry with enriched metadata collected from AWS Services APIs. This is done using API polling-based integrations to collect telemetry for more than 50 AWS services.

Note that this contrasts with our new Amazon CloudWatch Metric Streams integration mode where all metrics from all AWS services and custom namespaces are available in New Relic at the same time, without needing a specific integration to be built or updated. Support for the Metric Streams integration mode will be added to the Quick Start in the future.

Also note that the Quick Start enables all the AWS services supported by New Relic so you don’t have to manually turn them on as you begin using a new service. You can always disable any integrations so you don’t pay for something you don’t use. In order to disable integrations at scale, see our NerdGraph examples

The following architecture diagram illustrates the deployment view of the Quick Start in an AWS Control Tower environment.

Let’s walk through the key resources deployed as part of the solution:

  • An Amazon EventBridge rule that accepts a lifecycle event, delivered to it every time an administrator successfully enrolls a new or existing AWS account in AWS Control Tower.
  • An AWS Lambda function (named Onboarding), launched as an AWS CloudFormation custom resource. It creates a CloudFormation stack set, named New Relic StackSet. The stack set includes the New Relic cross-account trust IAM role.
  • A Lambda function (named New Relic StackSet) that is triggered by:
    • An Onboarding function (when the Quick Start stack is deployed)
    • An EventBridge rule (whenever an account is enrolled)
    The function launches the New Relic stack in:
    • Optionally, all existing accounts that you specify when launching the Quick Start (enrolled before the Quick Start is deployed).
    • All newly enrolled accounts (enrolled after the Quick Start is deployed).
  • A secret, named New Relic NerdGraph API key, retrieved from AWS Secrets Manager
  • A Lambda function, named New Relic Register, that invokes the New Relic NerdGraph endpoint to link your AWS account with your New Relic account.
  • An Amazon Simple Queue Service (Amazon SQS) dead letter queue that collects any errors whenever the New Relic Register function results in an unhandled error.


You need the following to implement New Relic's integration with AWS Control Tower:


Now let’s deploy the Quick Start in your AWS Control Tower environment. You can also refer to the Quick Start deployment guide for details.

Create an AWS CloudFormation stack

You must deploy the Quick Start in your AWS Control Tower management account in the home AWS Region (the AWS Region where your AWS Control Tower landing zone was set up).

  1. If you prefer to use the AWS Management Console, you can launch a CloudFormation stack using this link. In the Parameters section, supply the following information. See Parameter Reference for further details.
  • NewRelicAccountNumber: Enter New Relic account ID.
  • NewRelicAccessKey: Enter New Relic NerdGraph API user key.
  • NerdGraphEndpoint (Optional): Enter New Relic NerdGraph API endpoint  if your account is using the EU data center.
  • LaunchAccountList (Optional): Enter comma-separated string of account IDs of existing AWS accounts enrolled in your AWS Control Tower managed organization, that you wish to monitor with New Relic. To find existing enrolled accounts, navigate to AWS Control Tower accounts.

You can also use the AWS CLI to launch the stack using this command:


aws cloudformation create-stack \

--stack-name NewRelic-AWS-ControlTower-Integration \

--template-url https://aws-quickstart.s3.amazonaws.com/quickstart-ct-newrelic-one/templates/control-tower-customization.template.yml \

--capabilities CAPABILITY_NAMED_IAM \

--parameters ParameterKey=NewRelicAccountNumber,ParameterValue=NEWRELIC_ACCOUNT_ID ParameterKey=NewRelicAccessKey,ParameterValue=ACCESS_KEY ParameterKey=LaunchAccountList,ParameterValue=AWS_ACCOUNT1\\,AWS_ACCOUNT2
  1. Ensure the stack gets created successfully. To view the created resources, see the values displayed in the Outputs tab for the stack.

Verify New Relic integration

After an account is enrolled into AWS Control Tower, it is automatically linked to your New Relic account so you can monitor it instantly.

Sign in to your New Relic account, and then hover over the Infrastructure link on the top navigation bar and select the AWS menu item from the menu list. You will be taken to the AWS page. The New Relic account ID shows up in the header area next to New Relic ONE logo. Make sure the account ID matches the one you used in this implementation. Your new AWS account will be listed on the page. Click on the Account status dashboard link to view the account dashboard. For more information, see Introduction to AWS integrations.

Governance and operational agility in your landing zone with New Relic

New Relic provides you with all the operational data from AWS that you can use to build focused dashboards to stay on top of your multi-account AWS environment.

Let’s take a closer look at some of the most common use cases around governance.

Compliance and auditing

Compliance and auditing are keys to proper governance and risk management. AWS offers multiple services for simplified and automated compliance and auditing processes to save you time and effort. To help you scale your compliance and auditing operations, you can build a centralized compliance dashboard in New Relic. The dashboard uses operational data from multiple AWS services including AWS CloudTrail, AWS Config, AWS Security Hub, and AWS Trusted Advisor. This allows you to continuously monitor your risk management controls. Prioritize your compliance and auditing findings across multiple AWS accounts to highlight emerging trends and possible issues. This gives you the ability to rapidly troubleshoot when needed.

Compliance and auditing dashboards in New Relic collect data from multiple AWS services for centralized and continuous monitoring across your landing zone.

Financial management

Cloud financial management is a vital part of good governance and accelerates both top and bottom-line results for your business. You need complete, near real-time visibility of your cost and usage data to make informed decisions. AWS has a set of solutions to help you with cost management and optimization. This includes services, tools, and resources to organize and track cost and usage data, enhance control through consolidated billing and access permission, enable better planning through budgeting and forecasts, and further lower costs with resources and pricing optimizations. With New Relic, you can do all of that from one single place with consolidated cost data available across accounts and Regions. You can build a New Relic dashboard that shows you the cost and budgeting data of your landing zone so you can manage your costs and look at opportunities for optimization.

The cost and budgeting dashboard in New Relic gives you a consolidated view of your entire landing zone. Go top-down and then drill down into specific accounts for details.

Operational excellence 

With New Relic, you can eliminate blind spots that occur with fragmented operations tooling and bring them together into one place. With the powerful intuitive visualizations and anomaly detection capabilities in New Relic Explorer, you can manage your on-premises infrastructure and the AWS Cloud, manage applications easily and efficiently, at scale and with safety—all of that operating at the scale of multiple accounts on AWS. You can use New Relic Lookout to instantly catch sudden changes or find anomalies in your AWS workloads, across your accounts, without writing any code or toggling feature flags. Lookout is available for all AWS services that report metrics to Amazon CloudWatch and the ones you monitor with New Relic. You can also easily customize what Lookout queries and runs against, and you can configure Lookout to build exactly what you need.

The New Relic Lookout view of AWS Lambda instantly depicts anomalous behavior and sudden changes to your serverless workloads across your landing zone, available by default with no code to write or feature flags to toggle.