Category: aws

All about AWS Control Tower

AWS Control Tower:

AWS Control Tower is a service that offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.

Who needs AWS Control Tower?

AWS Control Tower helps you set up, manage and secure a multi-account AWS environment. But how is it different from AWS Landing Zone?

AWS Landing Zone:

AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices. With the large number of design choices, setting up a multi-account environment can take a significant amount of time, involve the configuration of multiple accounts and services, and require a deep understanding of AWS services.

Comparison of Control Tower & Landing Zone:

So if you are new to AWS, or you are OK with destroying your existing AWS environment and setting things up from scratch, then AWS Control Tower would be the perfect choice. Otherwise you should choose the AWS Landing Zone solution to manage your existing multi-account environment. A migration option to move your existing accounts between Landing Zone and Control Tower is expected to be available soon.

Resources used by Control Tower

AWS Control Tower is an AWS managed service, and it uses the following AWS resources:

  • AWS Organizations
  • IAM
  • CloudFormation
  • Service Catalog
  • CloudTrail
  • CloudWatch
  • AWS SSO
  • Lambda
  • S3
  • AWS Config, etc.

AWS Control Tower Features:

Landing Zone:

A kind of capsule that holds all your OUs, accounts, users and other resources.

Guardrails:

A high-level rule that provides ongoing governance for your overall AWS environment.

Account Factory:

Provides an account template for provisioning new accounts.

Dashboard:

A visual representation of provisioned accounts, and of compliant and non-compliant resources across accounts.

Control Tower Structure:

The first step in enabling Control Tower is setting up the Landing Zone. When we set up the Landing Zone, AWS performs the following actions:

  • The account in which you set up the Landing Zone becomes the Master account
  • Creates 3 OUs
1. Root — parent OU that contains all other OUs
2. Core
3. Custom
  • Creates 2 shared accounts under the Core OU
1. Log Archive account
2. Audit account
  • Creates AWS SSO for single sign-on access
  • Applies guardrails to enforce policies

Let's look at the various components of Control Tower:

Master Account:

  • Manages the configuration of the Landing Zone
  • Used for billing
  • Uses Account Factory to provision new accounts
  • Also manages OUs and guardrails
  • Best practice is not to run any production workloads in this Master account

Log Archive Account

  • This account works as the log repository.
  • It collects logs of all API activity and resource configurations across all accounts in the Landing Zone.
  • API trail (CloudTrail) logs are automatically pushed to the Log Archive account.
  • Logs are stored in S3.

Audit Account

  • This account helps your auditing team review the compliance and security measures across all accounts in the Landing Zone.
  • Provides programmatic access to review all accounts via Lambda functions.
  • Doesn't allow you to log in to other accounts manually.

Guardrails:

Guardrails are high-level rules that enable governance across accounts. If a guardrail is applied at the OU level, it flows down to all child accounts and child OUs. A few example guardrails: versioning of S3 buckets should not be disabled, public access to S3 buckets should not be allowed, etc.

AWS Control Tower provides two types of guardrails:

1. Preventive Guardrails

  • Ensure that your accounts maintain compliance
  • Disallow actions that would lead to a policy violation
  • Implemented using Service Control Policies (SCPs)

2. Detective Guardrails

  • Allow actions that lead to a policy violation, but detect such violations in the accounts and trigger alerts
  • Implemented using AWS Config and Lambda functions
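To make the two types concrete, here is an added illustration (not code from this post or from AWS Control Tower itself) of the post's S3 versioning example: a preventive guardrail as an SCP that denies `s3:PutBucketVersioning` for everyone except an exempt admin role, with a small evaluator for it, and a detective guardrail as an AWS Config custom-rule Lambda handler that marks buckets without versioning as NON_COMPLIANT. The admin role ARN is a placeholder, and the shape of the Config item (`supplementaryConfiguration.BucketVersioningConfiguration.status`) is an assumption about what Config delivers for `AWS::S3::Bucket`.

```python
"""Preventive (SCP) vs detective (Config rule) guardrail, modelled on the
post's S3 versioning example. Constructed illustration, not Control Tower code."""
import fnmatch
import json

# Hypothetical exempt role; replace with the landing-zone admin role in practice.
ADMIN_ROLE_ARN = "arn:aws:iam::*:role/PLACEHOLDER-LandingZoneAdmin"

# Preventive guardrail: SCP denying changes to bucket versioning for all
# principals except the admin role. Attached to an OU, it flows to child accounts.
SCP_DENY_VERSIONING_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBucketVersioningChanges",
        "Effect": "Deny",
        "Action": ["s3:PutBucketVersioning"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE_ARN}},
    }],
}

def scp_denies(scp: dict, action: str, principal_arn: str) -> bool:
    """True if a Deny statement matches the action and the caller is not exempt.
    Only Action and the ArnNotLike/aws:PrincipalArn condition are modelled."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        exempt = exempt if isinstance(exempt, list) else [exempt]
        if any(fnmatch.fnmatchcase(principal_arn, e) for e in exempt):
            continue  # caller matches the exemption, so this Deny does not apply
        return True
    return False

# Detective guardrail: Config invokes the Lambda with the configuration item as
# a JSON string in event["invokingEvent"]; the action is allowed to happen, and
# the rule only reports it. The returned list is the payload you would hand to
# AWS Config's PutEvaluations API (boto3 call omitted so this runs offline).
def evaluate_bucket(item: dict) -> str:
    status = (item.get("supplementaryConfiguration", {})
                  .get("BucketVersioningConfiguration", {}).get("status"))
    return "COMPLIANT" if status == "Enabled" else "NON_COMPLIANT"

def lambda_handler(event: dict, context=None) -> list:
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return [{"ComplianceResourceType": item["resourceType"],
             "ComplianceResourceId": item["resourceId"],
             "ComplianceType": evaluate_bucket(item),
             "OrderingTimestamp": item["configurationItemCaptureTime"]}]
```

A NON_COMPLIANT evaluation is what the Control Tower dashboard would surface as a non-compliant resource, while the SCP stops the change before it happens.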

Also, in Control Tower these guardrails are categorized as below:

1. Mandatory guardrails

  • Enabled by default
  • Always enforced

2. Strongly recommended guardrails

  • Best practices for a well-architected multi-account AWS environment

3. Elective guardrails

Finally, a few key pointers on AWS Control Tower:

  • Nested OUs are not supported in Control Tower
  • Control Tower cannot be enabled from an account that is already part of an AWS Organization
  • It doesn't have API support yet; however, it has a nice management console
  • Custom guardrails cannot be added, and existing rules cannot be customized
  • Once the Landing Zone is enabled, the names of the member accounts and OUs cannot be changed
  • OUs or accounts created outside of Control Tower will not be shown in the Control Tower dashboard
  • OUs or accounts created outside of Control Tower cannot be moved into Control Tower
  • Control Tower is free to use. You only pay for the services that are enabled by Control Tower. Control Tower uses key services like AWS Config, Service Catalog, S3, Lambda, etc., so technically enabling Control Tower will cost you some money.