AWS Control Tower simplifies the process of setting up a new baseline for multi-account AWS environments that is secure, well-architected, and ready to use with a few clicks. This includes the configuration of AWS Organizations, centralized logging, federated access, mandatory guardrails, and networking. Control Tower is one of the best ways to start with AWS, it helps to start with built-in governance and best practices.
Source: AWS Control Tower
AWS Control Tower is based on a number of AWS services, such as AWS Organizations, AWS Identity and Access Management (IAM) (including Service Control Policies), AWS SSO, AWS Config, AWS CloudTrail, and AWS Service Catalog.
AWS Control Tower structure
.png?width=992&name=pasted%20image%200%20(1).png)
Shared accounts
AWS Control Tower creates accounts that provide separated environments for specialized roles in your organization as a best practice for a well-architected multi-account environment. These accounts are for management, log archival, and security auditing.
Management
Used for billing for all accounts in an organization, creating new accounts, and managing access to all accounts
Log archive
Used as a repository of logs of API activities and resource configurations from all accounts.
Audit
A restricted account for your security and compliance teams to gain read and write access to all accounts.
AWS Single Sign-On (SSO)
AWS Control Tower sets up AWS Single Sign-On (SSO) to make it easy to centrally manage access to multiple AWS accounts. Additionally, it gives users single sign-on access to all of the assigned accounts from a single location.
Guardrails
Guardrails are rules that provide ongoing governance for your overall AWS environment. Each guardrail enforces a single rule and is expressed in plain language.
.png?width=478&name=pasted%20image%200%20(2).png)
Guardrails have two behaviors as preventive and detective guardrails.
- Preventive guardrails maintain your accounts' compliance by explicitly denying permission to disable or make any change to critical policy, configuration settings or resources. This is implemented by using service control policies in your AWS Organizations.
- Detective guardrails detect non-compliance of resources within your accounts, such as policy violations, and provide alerts through the dashboard. These are implemented using AWS Config rules aligned with AWS Lambda functions.
There are three types of guardrails.
- Mandatory guardrails are always enforced.
- Strongly recommended guardrails are designed to enforce some common best practices for well-architected, multi-account environments.
- Elective guardrails enable you to track or lock down actions that are commonly restricted in an AWS enterprise environment.
.png?width=1600&name=pasted%20image%200%20(3).png)
Guardrail examples
Account Factory
Account Factory is essentially an AWS Service Catalog product which helps to automate and standardize the secure provisioning of new accounts according to defined security principles such as region selection and network configuration.
.png?width=1600&name=pasted%20image%200%20(5).png)
In the Create account section, Account and AWS SSO details can be set separately.
.png?width=1440&name=pasted%20image%200%20(4).png)
Also, Terraform can be used to provision and customize your accounts with "AWS Control Tower Account Factory for Terraform" (AFT).
Summary
AWS Control Tower is a great way to start AWS and govern multi-account AWS environments.
Building and maintaining a long-term multi-account structure is simpler with AWS Control Tower. It builds a landing zone with accounts and services needed to manage AWS environments securely and easily. AWS Control Tower helps to start with built-in governance and best practices on the cloud journey to AWS.
