
How to Setup AWS Control Tower in Your Environment

Strong control and governance are a major focus of Amazon’s cloud services. Control Tower is another solid service for maintaining the health and compliance of any AWS environment: it simplifies governance further while leaving enough room to integrate third-party software for scaling. The main function of AWS Control Tower is the construction and monitoring of new AWS environments, regardless of their size and complexity.

Features

AWS Control Tower maximizes visibility through its dashboard.  All the provisioned environments, the number of guardrails enabled, and the status of every resource present are visible from this single UI.  Review tools show whether everything is compliant and which actions should be taken where compliance is lacking.

Landing Zone

A landing zone is a multi-account AWS environment that meets well-architected standards and the necessary compliance and security requirements.  Using blueprints, it is easy to automate the setup of a new landing zone with various preset features, including identity and access management in conjunction with AWS IAM, federated access, centralized logging in conjunction with AWS CloudTrail, and security audits.

Account Factory

Along with automating landing zones, provisioning accounts for the organization can also be automated with pre-configured, pre-approved templates.  Builders can modify these configurations to meet the more specific business and security policies a company may have.

Controls

Mapping controls with AWS Control Tower is not excessively complicated, and it takes less time to map, define, and manage which accounts have access or which data gets encrypted.  AWS CloudFormation Hooks are now used to identify and block resources that do not comply with user-defined requirements, regardless of the size and scale of the operation.  Finally, configuration and technical documentation are kept up to date so users remain informed.

Guardrails

As mentioned above, guardrails are governance rules for security or compliance that can be applied either across the whole enterprise or to specific accounts.  Guardrails come in two dimensions: preventive/detective and mandatory/optional.

    • Preventive/detective: Preventive guardrails establish intent and block the deployment of non-compliant resources.  Detective guardrails sift through resources that already exist for non-compliance and then update the status shown on the AWS Control Tower dashboard.
    • Mandatory/optional: This dimension offers governance based on AWS best practices and common customer policies.  Mandatory guardrails disallow changes to IAM roles and bucket policies, detect read access, and prevent certain cross-region access.  Optional guardrails can be enabled or disabled at any time; they detect access to Amazon S3 buckets, whether MFA is enabled for root users, and whether encryption is enabled for Amazon EBS volumes attached to EC2 instances.
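The two dimensions above can be made concrete with a small model, added here as an example and not taken from the article or from AWS: a preventive guardrail is expressed as an SCP-style Deny policy that is checked before an action happens, and detective guardrails are checks run over an inventory of resources that already exist. The policy document, the role-name pattern, the inventory and the resource IDs are all constructed for the example; the three detective rules are labelled after the AWS Config managed rules that serve the same purpose, but the evaluation logic is a simplification written for this page.

```python
"""Toy model of Control Tower's two guardrail dimensions: a preventive guardrail as an
SCP-style Deny policy, and detective guardrails evaluated over an account inventory.
Added example; the policy, rule names and inventory are constructed, not AWS's own."""
import fnmatch


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


# Preventive guardrail (constructed, modelled on the idea of protecting the roles that
# Control Tower creates). SCPs only ever restrict, so only Deny statements matter here.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyChangesToControlTowerRoles",
            "Effect": "Deny",
            "Action": ["iam:AttachRolePolicy", "iam:DeleteRole",
                       "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy"],
            "Resource": "arn:aws:iam::*:role/aws-controltower-*",
        }
    ],
}


def scp_denies(policy, action, resource):
    """Return the Sid of the first Deny statement matching the request, or None.
    IAM wildcards (* and ?) in Action/Resource are matched case-sensitively."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, pat) for pat in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return stmt["Sid"]
    return None


# Detective guardrails evaluate existing resources. This inventory is constructed; in a
# real account the data would come from AWS Config. Rule names are labelled after the
# AWS Config managed rules with the same purpose.
INVENTORY = {
    "root_mfa_enabled": False,
    "ebs_volumes": [
        {"id": "vol-0a1", "encrypted": True, "attached_to": "i-0123"},
        {"id": "vol-0b2", "encrypted": False, "attached_to": "i-0123"},
        {"id": "vol-0c3", "encrypted": False, "attached_to": None},  # unattached: out of scope
    ],
    "s3_buckets": [
        {"name": "log-archive-example", "public_read": False},
        {"name": "marketing-assets-example", "public_read": True},
    ],
}


def detective_findings(inventory):
    """Return (rule, resource_id) tuples for every non-compliant resource."""
    findings = []
    if not inventory["root_mfa_enabled"]:
        findings.append(("root-account-mfa-enabled", "account"))
    for vol in inventory["ebs_volumes"]:
        # The article scopes the encryption check to volumes attached to EC2 instances.
        if vol["attached_to"] is not None and not vol["encrypted"]:
            findings.append(("encrypted-volumes", vol["id"]))
    for bucket in inventory["s3_buckets"]:
        if bucket["public_read"]:
            findings.append(("s3-bucket-public-read-prohibited", bucket["name"]))
    return findings


def dashboard_status(findings):
    """The single status a dashboard would show for the account."""
    return "Compliant" if not findings else f"Non-compliant ({len(findings)} findings)"


if __name__ == "__main__":
    print(scp_denies(PREVENTIVE_SCP, "iam:DeleteRole",
                     "arn:aws:iam::123456789012:role/aws-controltower-Example"))
    for rule, resource_id in detective_findings(INVENTORY):
        print(f"{rule}: {resource_id} NON_COMPLIANT")
    print(dashboard_status(detective_findings(INVENTORY)))
```

The split mirrors how the real service behaves: the preventive check answers "may this request proceed?" and never grants anything, while the detective pass produces findings about what is already deployed, which is the list that feeds the dashboard status.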

Figure: AWS Control Tower diagram example

How to Start With AWS Control Tower

Here is a high-level plan for setting up AWS Control Tower on a new account and integrating existing AWS account resources with it:

  1. Preparation:
      • Ensure you have the necessary permissions in both the new and existing AWS accounts to set up Control Tower and integrate resources.
      • Make a list of the resources in the existing account that you want to integrate with the new Control Tower account.
  2. Setting up AWS Control Tower:
      • Create a new AWS account if you do not already have one.
      • Set up AWS Control Tower in the new account.
      • Follow the setup process and make decisions on the security and compliance settings you want to implement.
  3. Integrating existing resources:
      • Use AWS Organizations to create an organization that includes both the new Control Tower account and the existing account.
      • Ensure AWS resource access is set up correctly between the accounts using AWS Resource Access Manager (RAM).
      • Use AWS Resource Linking to link the desired resources in the existing account to the new Control Tower account.
  4. Testing:
      • Validate that the resources are accessible in the new Control Tower account.
      • Verify that the security and compliance policies set up in Control Tower are being applied to the integrated resources.
      • Ensure that all business processes are working as expected in the new Control Tower account.
  5. Finalizing:
      • Document the process, including any changes made to the resources during the integration process.
      • Train any necessary staff on the new processes and policies set up in the new Control Tower account.

To access AWS resources from one account to another, you can use AWS Organizations or AWS Resource Access Manager (RAM).

  1. Using AWS Organizations:
      • Create an AWS Organization that includes both accounts.
      • Use AWS Identity and Access Management (IAM) policies to control access to resources across accounts.
      • You can delegate access to the other account by granting permissions in IAM policies.
  2. Using AWS Resource Access Manager (RAM):
      • Create a resource share in the account that owns the resources.
      • Authorize other accounts to access the shared resources.
      • Use IAM policies to control access to the shared resources.
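The IAM side of the AWS Organizations option above comes down to two documents and one check. As an added example (not code from the article or from AWS), the script below builds the trust policy for a role in the account that owns the resources, builds the policy that lets an identity in the other account assume that one role, and lints a trust policy so that a role which any principal may assume is caught before it is deployed. The account IDs, role name and external ID are constructed placeholders; `sts:ExternalId` and `aws:PrincipalOrgID` are real IAM condition keys.

```python
"""Build and lint the IAM documents behind cross-account access in an AWS Organization.
Added example; the account IDs, role name and external ID are constructed placeholders."""
import json

OWNER_ACCOUNT = "111111111111"      # constructed: account that owns the resources
ACCESSING_ACCOUNT = "222222222222"  # constructed: account that needs access
ROLE_NAME = "CrossAccountReadOnly"  # constructed role name


def assume_role_trust_policy(trusted_account_id, external_id=None):
    """Trust policy for the role in the owning account: only the named account may
    assume it, and an sts:ExternalId condition is added when one is supplied."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_grant(owner_account_id, role_name):
    """Permissions policy for the identity in the accessing account: it may assume
    exactly one role and nothing else; the role's own policy bounds what it can do."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{owner_account_id}:role/{role_name}",
        }],
    }


def _principals(stmt):
    """Normalise the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    return values if isinstance(values, list) else [values]


def trust_policy_problems(policy):
    """Lint a trust policy: a wildcard principal on sts:AssumeRole is flagged unless the
    statement is scoped to the organization with aws:PrincipalOrgID. Returns problem strings."""
    problems = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if "*" in _principals(stmt):
            condition_text = json.dumps(stmt.get("Condition", {}))
            if "aws:PrincipalOrgID" not in condition_text:
                problems.append(f"statement {idx}: any principal may assume this role")
    return problems


if __name__ == "__main__":
    trust = assume_role_trust_policy(ACCESSING_ACCOUNT, "ct-demo-external-id")
    grant = assume_role_grant(OWNER_ACCOUNT, ROLE_NAME)
    print("trust policy (owning account):", json.dumps(trust, indent=2))
    print("permissions policy (accessing account):", json.dumps(grant, indent=2))
    print("lint:", trust_policy_problems(trust) or "no findings")
```

The grant in the accessing account deliberately names one role ARN rather than a wildcard, and the trust policy names one account rather than a wildcard principal; the linter exists because the wildcard variant is the easy mistake to make when wiring accounts together, and an organization-scoped condition is the only form in which a wildcard principal is acceptable.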

Works With Existing or New

This service is perfectly capable of managing governance across both existing and new platforms built on AWS.  Users are charged only according to how much it is used on the underlying AWS resources.  If these steps sound intimidating in any way, Amazon also offers a lab for learning and demonstrating Control Tower’s functionality.

Dolan Cleary

I am a recent graduate of the University of Wisconsin-Stout and am now working with AllCode as a web technician. I currently work within the marketing department.
