
AWS Control Tower

AWS Control Tower is a service that provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS's experience working with thousands of enterprises.

Key Concepts

1. Landing Zone

A landing zone is a well-architected, multi-account AWS environment that's a starting point from which you can deploy workloads and applications. It provides a baseline to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging.

2. Guardrails

Guardrails (now called controls in the Control Tower console and API) are pre-packaged governance rules for security, operations, and compliance that you select and apply at the OU level; every account in the OU, including accounts added later, inherits them. They come in three types:

  • Preventive guardrails: Stop the disallowed action from happening. They are implemented as Service Control Policies (SCPs), so they bind every principal in the account, including the root user.
  • Detective guardrails: Find and report violations after the fact. They are implemented as AWS Config rules, and the results are aggregated in the Audit account and surfaced on the Control Tower dashboard.
  • Proactive guardrails: Check resources before they are created. They are implemented as AWS CloudFormation hooks, so they only cover resources deployed through CloudFormation.

Independently of type, each guardrail is classified by guidance as mandatory (always enabled), strongly recommended, or elective.
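To make the detective type concrete, here is the decision logic behind a "no publicly readable S3 buckets" detective guardrail written as an AWS Config custom rule. This is an added example, not AWS or Control Tower code: Control Tower's own control uses a managed Config rule, and the configuration-item layout below (supplementaryConfiguration with publicAccessBlock, aclGrants and bucketPolicy) is a simplified, assumed shape rather than the exact schema AWS Config records. The sample items are constructed, not captured from an account, and the put_evaluations call a deployed rule would make is left out so the code runs offline.

```python
"""Detective-control logic in the style of an AWS Config custom rule.

Added example, not AWS or Control Tower code. The item layout used here
(supplementaryConfiguration -> publicAccessBlock / aclGrants / bucketPolicy)
is an assumed, simplified shape; the evaluation logic is the point.
"""
import json

PUBLIC_GRANTEES = {"AllUsers", "AuthenticatedUsers"}   # S3's predefined public groups
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def _policy_grants_public_read(policy_text):
    """True if an Allow statement gives Principal "*" an object-read action without conditions."""
    if not policy_text:
        return False
    statements = json.loads(policy_text).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # conditioned grants (e.g. on aws:SourceVpce) are treated as non-public here
        principal = stmt.get("Principal")
        if not (principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")):
            continue
        actions = stmt.get("Action", [])
        for action in ([actions] if isinstance(actions, str) else actions):
            if action.lower() in {"*", "s3:*", "s3:get*", "s3:getobject"}:
                return True
    return False


def evaluate_bucket(item):
    """Return "COMPLIANT" or "NON_COMPLIANT" for one S3 bucket configuration item.

    Block Public Access is honoured the way S3 applies it: IgnorePublicAcls
    neutralises public ACL grants and RestrictPublicBuckets neutralises public
    bucket policies, so a bucket whose public path is blocked is not reported.
    """
    supp = item.get("supplementaryConfiguration", {})
    pab = supp.get("publicAccessBlock", {})
    acl_public = not pab.get("ignorePublicAcls") and any(
        g.get("grantee") in PUBLIC_GRANTEES and g.get("permission") in READ_PERMISSIONS
        for g in supp.get("aclGrants", [])
    )
    policy_public = not pab.get("restrictPublicBuckets") and _policy_grants_public_read(
        supp.get("bucketPolicy")
    )
    return "NON_COMPLIANT" if (acl_public or policy_public) else "COMPLIANT"


def make_config_event(item):
    """Wrap an item the way Config delivers it to a custom rule: a JSON string under invokingEvent."""
    return {"invokingEvent": json.dumps({"configurationItem": item,
                                         "messageType": "ConfigurationItemChangeNotification"})}


def lambda_handler(event, context=None):
    """Custom-rule entry point: parse invokingEvent, evaluate, return the evaluation dict.

    A deployed rule would hand this dict to config.put_evaluations(); that
    call is omitted so the example runs offline.
    """
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_bucket(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _item(bucket, pab, grants=(), policy=None):
    """Constructed configuration item (not captured from a real account)."""
    return {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": bucket,
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {"publicAccessBlock": pab, "aclGrants": list(grants),
                                       "bucketPolicy": policy},
    }


ALL_ON = {"blockPublicAcls": True, "ignorePublicAcls": True,
          "blockPublicPolicy": True, "restrictPublicBuckets": True}
ALL_OFF = {k: False for k in ALL_ON}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-public/*"}]})

SAMPLE_ITEMS = {
    "locked-down": _item("example-private", ALL_ON, grants=[{"grantee": "AllUsers", "permission": "READ"}]),
    "public-acl": _item("example-acl", ALL_OFF, grants=[{"grantee": "AllUsers", "permission": "READ"}]),
    "public-policy": _item("example-public", ALL_OFF, policy=PUBLIC_READ_POLICY),
    "public-policy-restricted": _item("example-restricted", {**ALL_OFF, "restrictPublicBuckets": True},
                                      policy=PUBLIC_READ_POLICY),
}

if __name__ == "__main__":
    for name, item in SAMPLE_ITEMS.items():
        print(f"{name:26s} {lambda_handler(make_config_event(item))['ComplianceType']}")
```

The "locked-down" item carries a public ACL grant yet evaluates COMPLIANT, because Block Public Access with IgnorePublicAcls on means S3 never honours that grant; a rule that only inspected the ACL would raise a false positive there. Running the four constructed items prints COMPLIANT, NON_COMPLIANT, NON_COMPLIANT, COMPLIANT.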

3. Account Factory

The Account Factory is a configurable template, implemented as an AWS Service Catalog product, for provisioning new accounts into your landing zone. Each account it creates is placed in the OU you choose, enrolled in Control Tower, and configured with that OU's baseline and guardrails, so new accounts start from a pre-approved configuration rather than a blank slate.

4. AWS Organizations

AWS Control Tower is built on top of AWS Organizations and must be set up from the organization's management account. It uses Organizations to create and manage accounts, to arrange them into OUs, and to apply preventive governance controls as Service Control Policies (SCPs) attached to those OUs.

How it Works

  1. Set up your landing zone: You start from the Organizations management account in the AWS Control Tower console. Setup creates your initial multi-account environment: a Security OU (called Core in older landing zones) holding the shared Log Archive and Audit accounts, a Sandbox OU (formerly Custom) for workload accounts, and the logging baseline of an organization-wide CloudTrail trail and AWS Config recording.
  2. Enable guardrails: You then enable guardrails on your OUs to enforce your governance policies. Mandatory guardrails are applied automatically; the others are chosen from the library Control Tower provides. Control Tower itself has no facility for authoring new guardrails; custom SCPs and Config rules are layered on directly through AWS Organizations and AWS Config, or with the Customizations for AWS Control Tower (CfCT) solution.
  3. Provision new accounts: You use the Account Factory to provision new accounts into a specific OU. Each new account is enrolled in your landing zone automatically and inherits the guardrails enabled on that OU.
  4. Manage and govern: You can use the AWS Control Tower dashboard to view the compliance status of your accounts and to manage your landing zone.
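Step 2 can also be driven from code. The following is an added example (not AWS code) of enabling a control on an OU with the real boto3 "controltower" client methods enable_control and get_control_operation. The control and OU ARNs are placeholders in the documented formats, and FakeControlTowerClient is a constructed stand-in for the boto3 client so the flow runs offline; swap in boto3.client("controltower") for real use. The point it makes is that EnableControl is asynchronous, so a pipeline has to poll the operation to know whether the guardrail is actually in force.

```python
"""Enable a Control Tower control on an OU and wait for the operation to finish.

Added example, not AWS code. enable_control and get_control_operation are
the real boto3 "controltower" client methods; the ARNs are placeholders and
FakeControlTowerClient is a constructed stand-in so this runs offline.
"""
import time

# Placeholder identifiers in the documented ARN formats (not real resources).
EXAMPLE_CONTROL_ARN = "arn:aws:controltower:us-east-1::control/AWS-GR_ENCRYPTED_VOLUMES"
EXAMPLE_OU_ARN = ("arn:aws:organizations::111122223333:ou/"
                  "o-exampleorgid/ou-examplerootid111-exampleouid111")

TERMINAL_STATUSES = {"SUCCEEDED", "FAILED"}


def enable_control_and_wait(client, control_arn, target_ou_arn,
                            poll_seconds=10.0, max_polls=60, sleep=time.sleep):
    """Call EnableControl, then poll GetControlOperation until SUCCEEDED or FAILED.

    EnableControl returns an operationIdentifier immediately while the control
    is still being deployed to every account in the OU. Treating that first
    response as "guardrail applied" lets a pipeline move on with nothing yet
    enforced, so this helper returns only on success and raises otherwise.
    """
    response = client.enable_control(controlIdentifier=control_arn, targetIdentifier=target_ou_arn)
    op_id = response["operationIdentifier"]
    for _ in range(max_polls):
        operation = client.get_control_operation(operationIdentifier=op_id)["controlOperation"]
        if operation["status"] in TERMINAL_STATUSES:
            break
        sleep(poll_seconds)
    else:
        raise RuntimeError(f"control operation {op_id} still {operation['status']} after {max_polls} polls")
    if operation["status"] == "FAILED":
        raise RuntimeError(f"enabling {control_arn} on {target_ou_arn} failed: {operation.get('statusMessage')}")
    return operation


class FakeControlTowerClient:
    """Constructed stand-in for boto3's controltower client.

    Reports IN_PROGRESS for a configurable number of polls, then the chosen
    terminal status, and records every call so the flow can be checked.
    """

    def __init__(self, final_status="SUCCEEDED", in_progress_polls=2, status_message=None):
        self.final_status = final_status
        self.remaining = in_progress_polls
        self.status_message = status_message
        self.calls = []

    def enable_control(self, controlIdentifier, targetIdentifier):
        self.calls.append(("enable_control", controlIdentifier, targetIdentifier))
        return {"operationIdentifier": "11111111-2222-4333-8444-555555555555"}

    def get_control_operation(self, operationIdentifier):
        self.calls.append(("get_control_operation", operationIdentifier))
        if self.remaining > 0:
            self.remaining -= 1
            status = "IN_PROGRESS"
        else:
            status = self.final_status
        return {"controlOperation": {"operationType": "ENABLE_CONTROL", "status": status,
                                     "statusMessage": self.status_message}}


if __name__ == "__main__":
    client = FakeControlTowerClient()  # replace with boto3.client("controltower") for real use
    result = enable_control_and_wait(client, EXAMPLE_CONTROL_ARN, EXAMPLE_OU_ARN, sleep=lambda s: None)
    print(result["status"], "after", len(client.calls) - 1, "polls")
```

With the fake client this prints "SUCCEEDED after 3 polls". Against a real client, keep the poll interval in the tens of seconds: deploying a control to a large OU takes minutes, and a FAILED status carries a statusMessage explaining why, which the helper surfaces in the exception rather than swallowing.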

Benefits

  • Automated Landing Zone: Quickly set up a secure and scalable multi-account environment.
  • Built-in Governance: Enforce policies using guardrails.
  • Centralized Management: Manage your entire multi-account environment from a single dashboard.
  • Scalability: Easily add new accounts as your organization grows.
  • Extensibility: Customize your landing zone with additional services and configurations.

Use Cases and Examples

Common Use Cases:

  • Automated Landing Zone Setup: Quickly establish a well-architected, multi-account AWS environment based on AWS best practices, reducing setup time from weeks to hours.
  • Enforcing Security and Compliance: Implement "guardrails" (preventive or detective) to ensure all AWS accounts adhere to defined security policies and regulatory requirements (e.g., HIPAA, PCI DSS).
  • Streamlined Account Provisioning: Use the Account Factory to enable self-service provisioning of new AWS accounts, automatically configured with pre-approved settings and necessary guardrails.
  • Centralized Governance and Management: Monitor and manage all AWS accounts, organizational units (OUs), and policies from a unified dashboard, gaining real-time insight into compliance status.
  • Efficient Scaling of AWS Environments: Manage a growing number of AWS accounts efficiently while maintaining consistent security and operational standards across all of them.
  • Cost Management and Optimization: Control Tower has no cost-specific guardrails of its own; cost visibility comes from AWS Organizations consolidated billing across the accounts it creates, and preventive guardrails such as a Region deny can limit where spend is possible at all.
  • Integration with Third-Party Solutions: Facilitate the integration of third-party software from AWS Marketplace for enhanced security, centralized networking, operational intelligence, and SIEM.

Examples in Action:

  • Preventing Public S3 Buckets: A detective guardrail flags buckets that allow public read access, and a preventive guardrail built as an SCP can deny changes to the S3 Block Public Access settings, so no account can switch that protection off.
  • Detecting Unencrypted EBS Volumes: A detective guardrail from the strongly recommended set flags Amazon EBS volumes attached to EC2 instances that are not encrypted, giving a continuous check on data-at-rest encryption. (Mandatory, strongly recommended and elective are guidance categories, not guardrail types; this guardrail detects missing encryption rather than preventing it.)
  • Automating Logging: Landing zone setup turns on an organization-wide CloudTrail trail and AWS Config recording in every enrolled account, delivers the logs to the Log Archive account, and publishes Config compliance-change notifications to SNS topics in the Audit account, improving auditability and incident response.
  • Organizing Accounts by Function: Create OUs for different purposes, such as "Shared Services," "Production," "Development and Testing," and "Sandbox," each with its own set of controls.
  • Standardizing New Account Creation: When a new project team needs an AWS account, they can request it through the Account Factory, which provisions it with pre-approved configurations, security baselines, and access controls.
  • Monitoring Compliance Drift: The dashboard provides continuous oversight, allowing central cloud administrators to see when an account or resource has drifted from established policies. Drift here covers both Config noncompliance and changes made outside Control Tower, such as an SCP edited directly in Organizations or an account moved between OUs; drifted items are listed so they can be repaired.
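The "Preventing Public S3 Buckets" item above relies on a preventive guardrail, which in practice is an SCP. Below is an added example, not Control Tower's own policy text, of such an SCP together with a small offline check of what it denies. The policy denies API calls outside an assumed allow-list of Regions (the region-deny pattern) and denies changes to S3 Block Public Access by anyone other than an assumed break-glass role named OrgSecurityBreakGlass. scp_denies() is a deliberately minimal evaluator that models only explicit Deny statements and the two condition operators this policy uses, so the policy can be unit-tested before it is attached in AWS Organizations; it is not IAM's full evaluation logic (an SCP also needs an Allow such as FullAWSAccess, and the principal's own IAM policies still apply). The principal ARNs and account ID are constructed.

```python
"""Preventive control as a Service Control Policy, with an offline check.

Added example, not Control Tower's own policy text. scp_denies() models only
explicit Deny statements and the condition operators used here; it is a
policy-as-code test aid, not a reimplementation of IAM.
"""
import fnmatch
import json

ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]                  # assumed for this example
BREAK_GLASS_ROLE = "arn:aws:iam::*:role/OrgSecurityBreakGlass"   # assumed role name

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Global services such as IAM resolve aws:RequestedRegion to us-east-1, so a
            # Region deny must exempt them or it locks administrators out of IAM and
            # Organizations. Production region-deny SCPs exempt a longer list than this.
            "Sid": "DenyOutsideAllowedRegions",
            "Effect": "Deny",
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                          "route53:*", "cloudfront:*", "budgets:*", "health:*"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
        },
        {
            "Sid": "ProtectS3BlockPublicAccess",
            "Effect": "Deny",
            "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalARN": BREAK_GLASS_ROLE}},
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) of a value against a pattern or list, case-insensitive."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the negated operators used above; every block must hold (AND).

    As in IAM, a negated operator is true when the key is absent from the request
    context, so a missing aws:PrincipalARN does not exempt a caller.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = context.get(key)
            if operator == "StringNotEquals":
                if actual is not None and actual in values:
                    return False
            elif operator == "ArnNotLike":
                if actual is not None and _matches(values, actual):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} is not modelled in this example")
    return True


def scp_denies(policy, action, context):
    """Return the Sid of the first Deny statement matching the call, or None if no Deny applies."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            applies = _matches(stmt["Action"], action)
        else:
            applies = not _matches(stmt["NotAction"], action)   # NotAction: everything except the list
        if applies and _condition_holds(stmt.get("Condition", {}), context):
            return stmt["Sid"]
    return None


# Constructed principals for the scenarios below (not real accounts).
ADMIN = "arn:aws:iam::111122223333:role/Administrator"
BREAK_GLASS = "arn:aws:iam::111122223333:role/OrgSecurityBreakGlass"


def scenario_results():
    """The checks to run before attaching the SCP: which calls it blocks and which it leaves alone."""
    return {
        "ec2 in allowed region": scp_denies(SCP, "ec2:RunInstances",
                                            {"aws:RequestedRegion": "eu-west-1", "aws:PrincipalARN": ADMIN}),
        "ec2 in disallowed region": scp_denies(SCP, "ec2:RunInstances",
                                               {"aws:RequestedRegion": "ap-southeast-2", "aws:PrincipalARN": ADMIN}),
        "iam call (global, us-east-1) stays allowed": scp_denies(SCP, "iam:CreateUser",
                                                                  {"aws:RequestedRegion": "us-east-1", "aws:PrincipalARN": ADMIN}),
        "admin disabling Block Public Access": scp_denies(SCP, "s3:PutAccountPublicAccessBlock",
                                                          {"aws:RequestedRegion": "eu-west-1", "aws:PrincipalARN": ADMIN}),
        "break-glass role doing the same": scp_denies(SCP, "s3:PutAccountPublicAccessBlock",
                                                      {"aws:RequestedRegion": "eu-west-1", "aws:PrincipalARN": BREAK_GLASS}),
    }


if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for name, sid in scenario_results().items():
        print(f"{name:45s} {'DENIED by ' + sid if sid else 'not denied by this SCP'}")
```

Two points the scenarios bring out. First, the region-deny statement uses NotAction so that IAM, STS and Organizations calls, which report aws:RequestedRegion as us-east-1 even though that Region is not on the allow-list, are not blocked; forgetting the exemption is the classic way a region-deny SCP locks an organization out of its own identity plane. Second, the Block Public Access statement matches on aws:PrincipalARN with ArnNotLike, so it denies everyone, including account administrators and the root user, except the named break-glass role, which is exactly the property a preventive guardrail has that a detective one does not.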