In late Spring 2020, planners, schemers, and engineers at Amazon and Cutover had started to collude around a wonderful joint customer. Murmurings were heard about serious challenges on governance and the acceleration of their project - possible projects and solutions involving Control Tower and Service Catalog were mentioned. Glossaries were glazed over, blogs read, and marketing spiel ignored as the dust settled.
AWS services like Control Tower and Service Catalog are lesser-spotted and thought of as the reserve of Big Corporations. Retrospectively, like most companies, we know better now - and perhaps wish we’d gone Control Tower heavy at Cutover from day one. But that’s by the by - as soon as Summer/early Fall 2020 hit, the initial rumours of integrating with these products had become cemented and deadlines raised their looming figures - the AWS Console receiving clicks in areas we didn’t even know existed.
Meetings were held - C-level execs, directors, sales and cloud engineers sat virtually with AWS engineers (soon to be friends) as a plan was hatched:
- How do we give Cutover role-based access to clients’ AWS estates by magic?
- Can we make a skeleton-key system allowing Cutover to perform permitted AWS actions in client accounts, even accounts that were made five minutes ago?
- What will we do with this power?
The answer to these questions (excluding the last) was presumably yes - and we got to work.
Unlikely though it may seem, this being Cutover’s first (officially official) code collaboration with AWS - it seemed both sets of engineers had the same thinking, but there needed to be some engineering effort on AWS’ side (creation of roles, events, and a method to trigger posting metadata to Cutover…all in CloudFormation) and Cutover’s side (secure, fast consumption and storage of the metadata and fancy bells and whistles to use it…managed by Terraform)
The two parts:
- In the client AWS cloud - an automated setup will create the following components in your AWS management account:
- An AWS Secrets Manager Secret containing your Cutover keys and configuration
- An integration StackSet that will be used for creating the required permissions in Control Tower managed accounts
- A CloudWatch Events Rule to trigger off Control Tower Lifecycle Events
- A Lambda function along with an IAM Role to handle the Lifecycle Event and interact with the Cutover API
Client-side AWS infrastructure diagram:

Once the CloudFormation templates are applied, creating your new accounts with Control Tower will post to Cutover with account metadata (if you have enabled this with Cutover)
- In the Cutover AWS cloud - global infrastructure to receive and store the metadata and hand it over to authorised Cutover instances:
- Terraform-managed global accelerator, application load balancer, lambda functions, and global dynamodb table.
- AWS Global Accelerator - traffic travels via Amazon’s private global network through 80+ global edge locations.
- Serverless lambda microservice to consume posted data
- DynamoDB Global Table - storing encrypted account metadata
- Finally, Cutover integration tasks to leverage received roles using AWS services in client clouds, Service Catalog and other uses cases.
Cutover side AWS infrastructure diagram:

Once a Cutover instance receives the role name, and given it has permissions, Cutover integration tasks are thereafter allowed to orchestrate actions in the permitted account(s) - stay tuned for more AWS integrations as we develop them - or you ask for them!
You can find more in our GitHub repository, which contains everything you need to set up the integration on your side.
Speak to your local cloud engineer or contact awssales@cutover.com for more information.

Senior Engineer at Cutover
London, UK