superwerker: Automate multi-account AWS environments

February 14th, 2021 605 Words

Managing and securing multiple AWS accounts gets complex. superwerker is a free and open-source solution to automate the setup and management of your multi-account AWS environments. Based on our experiences at superluminar, we teamed up with kreuzwerker from Berlin to bundle prescriptive best practices from multiple years of cloud consulting and created superwerker.

Available as an official AWS Quick Start, superwerker helps you to set up various AWS services recommended for AWS cloud environments consisting of multiple AWS accounts.


As always, AWS provides the building blocks for modern cloud infrastructure, and you need to come up with a plan to use them. With using superwerker, you can start right ahead with a well-architected AWS foundation to run your workloads with AWS:

Get Started

To get started, deploy the free and open source superwerker CloudFormation template in a fresh AWS account. You can either use the AWS Quick Start or head over to the superwerker GitHub repository.


When creating the superwerker CloudFormation Stack, you need to provide a domain name and subdomain. This is used to configure a Route53 Hosted Zone in your AWS account. The subdomain is used to automatically handle incoming emails for common AWS notifications and can be used when creating new AWS accounts as well.

superwerker installation

After configuring the domain, for example and a subdomain like aws, you can create the CloudFormation Stack. During the stack creation process, an AWS CloudWatch Dashboard is created to display the installation status. This living documentation shows you the assigned name servers you need to configure in your DNS configuration for the provided domain:

superwerker dashboard

The superwerker will installation process wait until you have configured your DNS settings correctly. Afterwards, CloudFormation begins to configure the included AWS services and features.


Based on AWS Control Tower, superwerker uses AWS Single Sign-On to manage access to AWS accounts. Together with AWS Organizations and the usage of multiple AWS accounts to distribute workloads and application environments, this forms the very baseline for a secured multi-account AWS environment.

AWS Single Sign-On

When done with installation, head over to AWS Single Sign-On. Create a new user account, so you can stop using the root account for your AWS management account. To use the account for administrator actions, assign it to the AWSControlTowerAdmins user group.

superwerker Single Sign-On - Users

superwerker Single Sign-On - Groups

AWS Control Tower

You can create new AWS accounts using AWS Control Tower. For new accounts, access the Account Factory and provide the needed information.

superwerker Control Tower

For every new AWS account, you need to provide references to an AWS Single Sign-On user. If the email address is not already registered, a new SSO account is created for the account.

Organization Units

Using AWS Organizations, Control Tower; and custom Organization Units, you can group and organize your AWS accounts. Per default, Control Tower configures a core Organization Unit for the log and audit AWS accounts.

AWS multi-account setup

You should come up with a structure of custom Organization Units to manage your AWS accounts. For example, create an Organization Unit for every application in your organization and create separate AWS accounts for every application environment. With this approach, you can easily structure your growing pool of AWS accounts in a well-architected multi-accounts AWS environment.


superwerker is an open-source project created by kreuzwerker and superluminar; both AWS Advanced Partners. superwerker is available on GitHub and AWS Quick Starts.

View on GitHub Source code is published using the MIT License.