Superwerker on the AWS Cloud

Quick Start Reference Deployment


February 2021
Joern Barthel, Sönke Ruempler, and Sebastian Müller, Kreuzwerker GmbH and Superluminar GmbH
AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Kreuzwerker GmbH and Superluminar GmbH in collaboration with Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.


This guide provides instructions for deploying the Superwerker Quick Start reference architecture on the AWS Cloud.

This Quick Start is for users who want to quickly get started with the AWS Cloud without needing to spend a lot of time making decisions and tracking down information.

Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.

Superwerker on AWS

Superwerker is a free, open-source solution that lets you quickly set up an AWS Cloud environment without the need for a consultant or extensive research on AWS services. Superwerker is built by AWS Advanced Partners who have decades of experience setting up and automating Cloud environments using best practices that ensure maximized efficiency, agility, and low maintenance. For information about the AWS Partners, see Kreuzwerker GmbH and Superluminar GmbH.

All sizes of companies can benefit from using Superwerker. Start-up companies and small-to-medium companies can especially benefit in cases where time-to-market and financial aspects are concerns. Regardless of company size, Superwerker lets you focus on your core business without spending time on setting up and maintaining your AWS Cloud environment.

AWS costs

You are responsible for the cost of the AWS services and any paid third-party licenses used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation templates for Quick Starts include configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, create AWS Cost and Usage Reports to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. These reports provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, see What are AWS Cost and Usage Reports?

Software licenses

Superwerker is a free, open-source solution that operates under an MIT license. For details, see MIT License in the Superwerker GitHub repository.


Deploying this Quick Start builds the following Superwerker environment in the AWS Cloud.

Figure 1. Quick Start architecture for Superwerker on AWS

As shown in Figure 1, the Quick Start automates the configuration of the following AWS services and features:

  • AWS Control Tower for setting up and governing a secure, multi-account AWS environment.

  • AWS Single Sign-On (AWS SSO) for managing access to multiple AWS accounts and business applications with a single login.

  • Amazon GuardDuty for monitoring and protecting your AWS accounts, workloads, and data against malicious activity, threats, and breaches.

  • AWS Security Hub for aggregating, organizing, and prioritizing your security alerts and findings from AWS services.

  • AWS Backup for centrally managing and automating backups across AWS services.

  • AWS Budgets for configuring cost threshold alarms.

  • Preventative guardrails with service control policies that protect the infrastructure from intentional or unintentional mistakes, such as using restricted AWS Regions, deleting backup copies, and deactivating security features.

  • AWS Systems Manager, including its OpsCenter resource for viewing, investigating, and resolving operational issues.

  • Amazon Simple Email Service (Amazon SES) for providing secure mailboxes and IT service catalog aliases for all root accounts.

  • Amazon CloudWatch dashboard with information and links to resources, such as how to set up your AWS account, how to set up SSO with existing identity providers, and how to access GuardDuty and Security Hub dashboards.

  • Feature flippers for gradually enabling functionality as needed.

The following image provides additional details about the AWS architecture that is deployed using Superwerker.

Figure 2. Quick Start architecture for Superwerker on AWS

Planning the deployment

Specialized knowledge

This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see Getting Started Resource Center and AWS Training and Certification. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start also assumes familiarity with configuring Domain Name System (DNS).

AWS account

If you don’t already have an AWS account, create one at by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, review the following information and ensure that your account is properly configured. Otherwise, deployment might fail.

Resource quotas

If necessary, request service quota increases for the following resources. You might request quota increases to avoid exceeding the default limits for any resources that are shared across multiple deployments. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see What is Service Quotas? and AWS service quotas.

Resource This deployment creates

CloudWatch alarms


Budgets reports


Config rules


S3 buckets


Route 53 hosted zones


Supported Regions

This Quick Start supports the following Regions:

  • eu-west-1, Europe (Ireland)

  • eu-central-1, Europe (Frankfurt)

  • eu-north-1, Europe (Stockholm)

  • eu-west-2, Europe (London)

  • ca-central-1, Canada (Central)

  • us-east-1, US East (N. Virginia)

  • us-east-2, US East (Ohio)

  • us-west-2, US West (Oregon)

  • ap-southeast-1, Asia Pacific (Tokyo)

  • ap-southeast-2, Asia Pacific (Sydney)

Certain Regions are available on an opt-in basis. For more information, see Managing AWS Regions.

IAM permissions

Before launching the Quick Start, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see AWS managed policies for job functions.

Prepare your AWS account

Sign in to an AWS account as an administrator using the AWS root user or an AWS Identity and Access Management (IAM) user or role with the AdministratorAccess policy attached. This account must not be a member of an AWS organization.

Prepare for the deployment

The Superwerker Quick Start works best with a dedicated DNS subdomain to securely handle email inboxes of AWS sub-accounts.

When entering values into the CloudFormation template, you must provide both a domain (example: and subdomain (example: aws) names for a DNS zone created by Superwerker. The installation provides Name Server (NS) entries for the newly created DNS zone. You must create an NS entry within your DNS provider to delegate the DNS zone (these records are available later in the CloudWatch dashboard). The Superwerker installation waits until the delegation is properly configured.
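Because the installation waits on this delegation, it helps to confirm that public DNS returns exactly the NS set shown in the dashboard. The following check is an added example, not part of the Quick Start; the zone `aws.example.com` and the name server values are constructed placeholders, and it assumes `dig` is installed.

```bash
#!/usr/bin/env bash
# Added example: compare the NS records that resolvers return for the
# delegated subdomain with the NS entries Superwerker displays.
# All zone names and name servers used with it are placeholders.

# Normalize a whitespace-separated NS list: lowercase, drop the
# trailing dot, sort, de-duplicate, one name per line.
normalize_ns() {
  printf '%s\n' $1 | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' | sort -u
}

# delegation_ok EXPECTED ACTUAL
# Succeeds only when ACTUAL is non-empty and names exactly the same
# servers as EXPECTED. A partial NS set (a common copy/paste error at
# the DNS provider) is treated as a failure.
delegation_ok() {
  [ -n "$2" ] && [ "$(normalize_ns "$1")" = "$(normalize_ns "$2")" ]
}

# Ask the configured resolver which name servers the zone is delegated to.
lookup_ns() {
  dig +short NS "$1"
}

# check_delegation ZONE "NS1 NS2 NS3 NS4"
check_delegation() {
  cd_zone=$1
  cd_expected=$2
  cd_actual=$(lookup_ns "$cd_zone")
  if delegation_ok "$cd_expected" "$cd_actual"; then
    echo "OK: $cd_zone is delegated to the expected name servers"
  else
    echo "MISMATCH for $cd_zone" >&2
    echo "expected:" >&2; normalize_ns "$cd_expected" >&2
    echo "resolved:" >&2; normalize_ns "$cd_actual" >&2
    return 1
  fi
}

# Usage (placeholder values; take the real NS entries from the dashboard):
# check_delegation aws.example.com \
#   "ns-1.awsdns-01.org ns-2.awsdns-02.co.uk ns-3.awsdns-03.com ns-4.awsdns-04.net"
```

An empty result means the parent zone has no NS record for the subdomain yet, or the change has not propagated to the resolver being queried.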

Deployment options

This Quick Start provides two deployment options:

  • Deploy Superwerker at once: All features are enabled by default and are installed.

  • Deploy Superwerker iteratively with feature flippers: Only certain features are enabled at a time. This option is useful when you want to test the impact of introducing certain features iteratively.

Deployment steps

Sign in to your AWS Management account

  1. Sign in to your AWS Management account at with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

This Quick Start must be installed into an empty, newly created AWS account that is not a member of an AWS organization.

Each deployment takes about 1.5 hours to complete.

In the following steps, after you deploy the stack, refer to the documentation that is added to the CloudWatch Superwerker dashboard to complete the deployment.

  1. Sign in to your AWS account, and choose the following option to launch the AWS CloudFormation template. For more deployment details, see Deployment options earlier in this guide.

     Deploy Superwerker

     View template

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This Region is where the infrastructure for Superwerker is built. The template is launched in the eu-central-1 Region by default. For other choices, see Supported Regions earlier in this guide.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For details on each parameter, see the Parameter reference section of this guide. When you finish reviewing and customizing the parameters, choose Next.

  5. On the Configure stack options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re finished, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Superwerker deployment is ready.

  9. Use the values displayed in the Outputs tab for the stack, as shown in Figure 3, to view the created resources.

Figure 3. Superwerker outputs after successful deployment

Keep up to date with the development team

Superwerker is a living project. The development team documents its architectural decisions (ADRs) in the GitHub repository. The ADRs and the GitHub issues are the best place to follow future development directions at a high level without looking at the actual source code.


Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, relaunch the template with Rollback on failure set to Disabled. This setting is under Advanced in the AWS CloudFormation console on the Configure stack options page. With this setting, the stack’s state is retained.

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Delete the stack when you finish troubleshooting.

For more information, see Troubleshooting AWS CloudFormation.


Join our mailing list and chat with us on the #superwerker channel in the og-aws Slack channel (invite link).

Parameter reference

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Parameters for launching Superwerker

Table 1. Features
Parameter label (name) Default value Description

Include AWS Budgets alarm (IncludeBudget)


Enable AWS Budgets alarm for monthly AWS spending

Include AWS Control Tower (IncludeControlTower)


Enable AWS Control Tower

Include Amazon GuardDuty (IncludeGuardDuty)


Enable Amazon GuardDuty

Include AWS Security Hub (IncludeSecurityHub)


Enable AWS Security Hub

Include Automated Backups (IncludeBackup)


Enable automated backups

Include service control policies (IncludeServiceControlPolicies)


Enable service control policies in AWS organizations

Table 2. Domain configuration
Parameter label (name) Default value Description

Domain for automated DNS configuration (Domain)

Requires input

Domain used for root mail feature

Subdomain for automated DNS configuration (Subdomain)


Subdomain used for root mail feature

Table 3. AWS Quick Start configuration
Parameter label (name) Default value Description

Quick Start S3 bucket name (QSS3BucketName)


Name of the S3 bucket for your copy of the Quick Start assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new Quick Start location. This name can include numbers, lowercase letters, uppercase letters, and hyphens, but it cannot start or end with a hyphen (-). See

Quick Start S3 key prefix (QSS3KeyPrefix)


S3 key prefix that is used to simulate a directory for your copy of the Quick Start assets. Keep the default prefix unless you are customizing the template. Changing this prefix updates code references to point to a new Quick Start location. This prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), and forward slashes (/). See and

Quick Start S3 bucket Region (QSS3BucketRegion)


AWS Region where the Quick Start S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing this Region updates code references to point to a new Quick Start location. When using your own bucket, specify the Region. See

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. To submit code, see the Quick Start Contributor’s Guide.

Quick Start reference deployments

GitHub repository

Visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.


This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.