What is the architecture of AWS Control Tower and how are accounts organized within it?
AWS Control Tower is an essential service designed to ensure a compliant and secure multi-account structure for organizations using AWS. The architecture of AWS Control Tower revolves around the concept of a Landing Zone, which serves as the foundation for building an environment with multiple AWS accounts.
A Landing Zone is a configured structure that offers a compliant and secure set of accounts to begin building upon. This Landing Zone can include additional features such as federated account access through Single Sign-On (SSO) and the utilization of centralized logging via Amazon CloudTrail and AWS Config.
To enforce security requirements and maintain compliance, Guardrails are established within the Landing Zone. These Guardrails are rules written in plain English and are implemented using AWS CloudFormation. They ensure that each account within the Landing Zone adheres to specific security settings and configurations that meet the organization’s standards.
The organization of accounts within the Landing Zone is achieved through the use of Organizational Units (OUs), which are provisioned with the help of AWS Organizations. Let’s explore the OUs commonly utilized in the architecture of AWS Control Tower:
1. Security OU: This OU contains key accounts, such as the Log Archive Account and the Audit Account. It serves as a centralized store for CloudTrail and AWS Config logs, ensuring security and traceability across the entire infrastructure.
2. Sandbox OU: The Sandbox OU provides a safe and isolated environment for testing purposes. It houses Sandbox Accounts, which are used to carry out experiments and trials without risking disruption to production workloads.
3. Production OU: All production accounts and their respective workloads are placed within the Production OU. It acts as the main hosting environment for critical applications and services.
4. Non-Production OU: The Non-Production OU is dedicated to pre-production activities, enabling comprehensive testing and development of applications before they are moved into the production environment.
5. Suspended OU: Accounts within the Suspended OU are securely isolated and have highly restricted permissions. This OU is specifically designed to handle deleted, reused, or breached accounts, ensuring that any potential security risks are contained in a controlled environment.
6. Shared Services OU: The Shared Services OU contains accounts dedicated to services shared across multiple other accounts. This includes accounts for Shared Services, Security Services, and Networking, providing centralized services that can be leveraged by various accounts within the Landing Zone.
The architectural setup of AWS Control Tower, with the Landing Zone and its associated OUs, establishes a secure and organized environment for effectively managing multiple accounts within the AWS ecosystem.
Who can benefit from using AWS Control Tower?
AWS Control Tower can benefit a wide range of organizations, regardless of their size or level of experience with AWS. Whether you are a large multinational corporation with extensive knowledge of AWS or a small startup that is just starting to explore the world of cloud computing, AWS Control Tower can provide immense value. It offers a Landing Zone, which helps ensure that your architecture is provisioned in an efficient and secure manner. By using AWS Control Tower, organizations can gain the confidence they need to effectively manage and streamline their AWS environment, regardless of their previous experience in the cloud.
Features
AWS Control Tower maximizes visibility through the dashboard. All the provisioned environments, the number of guardrails enabled, and the status of all resources present are completely visible from this single UI. Review tools show whether everything is compliant and what actions should be taken where compliance is lacking.
Landing Zone
A landing zone is a multi-account AWS environment that meets well-architected standards and the necessary compliance and security requirements. Using blueprints, it is easy to automate new landing zone setup with various preset features, including identity and access management in conjunction with AWS IAM, federated access, centralized logging in conjunction with AWS CloudTrail, and security audits.
Account Factory
Account Factory is an automated solution that simplifies the process of procuring new accounts for your organization. It offers pre-configured and pre-approved templates that can be easily modified to align with your specific business and security policies. By leveraging these templates, you can ensure that the provisioning of new accounts adheres to the necessary standards and requirements.
With Account Factory, the process of creating new accounts is streamlined and efficient. It eliminates the need for manual intervention, allowing builders to automate the setup of landing zones and provisioning of accounts. This automation not only saves time but also reduces the chances of errors or inconsistencies.
The pre-configured templates provided by Account Factory cover various aspects such as networking information and region selection. This ensures that new accounts are provisioned with the necessary network configurations and are deployed in the desired regions. By incorporating these pre-approved configurations, you can ensure a standardized and secure account provisioning process.
In addition to the pre-configured templates, Account Factory seamlessly integrates with AWS Service Catalog. This integration enables internal customers to easily configure and build new accounts, empowering them with self-service capabilities. By utilizing AWS Service Catalog, users can customize their accounts based on their specific requirements, without relying on IT support or lengthy approval processes.
Account Factory also offers compatibility with third-party Infrastructure as Code tools like Terraform. This integration allows cloud teams to leverage familiar tools and workflows while still benefiting from the Account Factory’s capabilities. With the ability to use Terraform, teams can efficiently manage and deploy resources across multiple accounts, ensuring a seamless experience.
In conclusion, Account Factory automates the provisioning of new accounts by providing pre-configured templates that align with your organization’s policies. Its integration with AWS Service Catalog and compatibility with infrastructure automation tools like Terraform enhance the flexibility and efficiency of the account provisioning process. With Account Factory, you can streamline and standardize the creation of new accounts, ensuring that they meet your organization’s security and operational requirements.
Controls
Mapping controls with AWS Control Tower is not excessively complicated and does not take much time: you map, define, and manage which accounts have access and what data gets encrypted. AWS CloudFormation Hooks are now used to identify and block resources that are not compliant with user-defined requirements, regardless of the size and scale of the operation. Finally, configuration and technical documentation is kept updated so users remain informed.
Guardrails
As mentioned above in the segment about Landing Zones, guardrails are governance rules for either security or compliance that can be applied either across the enterprise or to specific accounts. Guardrails come in two different dimensions: preventive/detective and mandatory/optional.
- Preventive/detective: This format establishes intent and prevents the deployment of non-compliant resources. The detective part sifts through resources that already exist for noncompliance. Afterward, these guardrails update the status on the AWS Control Tower dashboard.
- Mandatory/optional: This format offers governance based on AWS best practices and common customer policies. Mandatory guardrails disallow changes to IAM roles and bucket policies, detect read access, and prevent certain cross-region access. The optional guardrails can be enabled or disabled at any time and detect access to Amazon S3 buckets, whether MFA for root users is enabled, and whether encryption is enabled for Amazon EBS volumes that are attached to EC2 instances.
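The two dimensions above are easier to see side by side in code. The following block is an added example, not Control Tower's own code: it models a preventive guardrail as an SCP-style Deny policy evaluated against a proposed API call, and a detective guardrail as a check run over an inventory of existing resources (attached EBS volumes without encryption, root MFA disabled). The policy, ARNs, region list and inventory records are all constructed sample data.

```python
"""Preventive vs. detective guardrails, modelled offline.

Added illustration, not Control Tower's own code. A preventive guardrail is
modelled as an SCP-style Deny policy evaluated against a proposed API call;
a detective guardrail as a check run over an inventory of existing
resources. All ARNs, region names and inventory records are constructed.
"""
import fnmatch
import json

# Constructed SCP approximating two mandatory guardrails from the text:
# no changes to the log-archive bucket policy, and no activity outside the
# regions the landing zone governs (global services exempted via NotAction).
PREVENTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyLogArchiveBucketPolicyChanges",
      "Effect": "Deny",
      "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
      "Resource": "arn:aws:s3:::example-log-archive-*"
    },
    {
      "Sid": "DenyActionsOutsideGovernedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}
      }
    }
  ]
}
""")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """IAM-style wildcard match, case-insensitive ('s3:Put*' matches 's3:PutBucketPolicy')."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate the string operators used above. A missing context key makes
    StringNotEquals true, as in IAM. Unknown operators are treated as matching,
    so an unsupported condition on a Deny fails closed."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def scp_denies(policy, action, resource, context):
    """Return the Sid of the first Deny statement that blocks the call, or None.

    SCPs never grant permissions, so only Deny statements matter here; the
    usual FullAWSAccess policy is assumed to be attached alongside.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt and not _matches(stmt["Action"], action):
            continue
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt["Sid"]
    return None


# Constructed inventory for the detective side: what already exists.
INVENTORY = {
    "ebs_volumes": [
        {"VolumeId": "vol-0a1", "Encrypted": True, "Attachments": ["i-001"]},
        {"VolumeId": "vol-0b2", "Encrypted": False, "Attachments": ["i-002"]},
        {"VolumeId": "vol-0c3", "Encrypted": False, "Attachments": []},
    ],
    "root_mfa_enabled": False,
}


def detective_findings(inventory):
    """Return (control, resource, status) tuples for resources that violate
    the optional guardrails named in the text; compliant resources are omitted."""
    findings = []
    for vol in inventory["ebs_volumes"]:
        # The control covers volumes attached to EC2 instances only.
        if vol["Attachments"] and not vol["Encrypted"]:
            findings.append(("ebs-attached-volume-encrypted", vol["VolumeId"], "NON_COMPLIANT"))
    if not inventory["root_mfa_enabled"]:
        findings.append(("root-account-mfa-enabled", "root", "NON_COMPLIANT"))
    return findings


if __name__ == "__main__":
    for action, resource, ctx in [
        ("s3:PutBucketPolicy", "arn:aws:s3:::example-log-archive-123", {"aws:RequestedRegion": "us-east-1"}),
        ("ec2:RunInstances", "*", {"aws:RequestedRegion": "ap-south-1"}),
        ("iam:CreateRole", "*", {"aws:RequestedRegion": "ap-south-1"}),
    ]:
        print(action, "->", scp_denies(PREVENTIVE_SCP, action, resource, ctx) or "allowed by SCP")
    for finding in detective_findings(INVENTORY):
        print(*finding)
```

The preventive check answers "may this call proceed?" before anything is created, while the detective check only ever reports on what is already there; that is why a landing zone needs both, and why a detective finding on the dashboard is a signal to remediate, not a block.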
How to Start With AWS Control Tower
Here is a high-level plan for setting up AWS Control Tower on a new account and integrating existing AWS account resources with it:
- Preparation:
  - Ensure you have the necessary permissions in both the new and existing AWS accounts to set up Control Tower and integrate resources.
  - Make a list of the resources in the existing account that you want to integrate with the new Control Tower account.
- Setting up AWS Control Tower:
  - Create a new AWS account if you do not already have one.
  - Set up AWS Control Tower in the new account.
  - Follow the setup process and make decisions on the security and compliance settings you want to implement.
- Integrating existing resources:
  - Use AWS Organizations to create an organization that includes both the new Control Tower account and the existing account.
  - Ensure AWS resource access is set up correctly between the accounts using AWS Resource Access Manager (RAM).
  - Use AWS Resource Linking to link the desired resources in the existing account to the new Control Tower account.
- Testing:
  - Validate that the resources are accessible in the new Control Tower account.
  - Verify that the security and compliance policies set up in Control Tower are being applied to the integrated resources.
  - Ensure that all business processes are working as expected in the new Control Tower account.
- Finalizing:
  - Document the process, including any changes made to the resources during the integration process.
  - Train any necessary staff on the new processes and policies set up in the new Control Tower account.
To access AWS resources from one account to another, you can use AWS Organizations or AWS Resource Access Manager (RAM).
- Using AWS Organizations:
  - Create an AWS Organization that includes both accounts.
  - Use AWS Identity and Access Management (IAM) policies to control access to resources across accounts.
  - You can delegate access to the other account by granting permissions in IAM policies.
- Using AWS Resource Access Manager (RAM):
  - Create a resource share in the account that owns the resources.
  - Authorize other accounts to access the shared resources.
  - Use IAM policies to control access to the shared resources.
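Delegating access across accounts through IAM comes down to the trust policy on the role in the owning account: it names who may assume the role and under what conditions. The following block is an added example, not the page's or AWS's own code: it builds a trust policy scoped to one member account of the organization, and reviews existing trust policies for the weaknesses a defender checks for when accounts are joined into a Control Tower organization (a wildcard principal, a principal outside the organization, an account-root principal with no `aws:PrincipalOrgID` pin, no MFA condition). The organization id and account ids are constructed placeholders.

```python
"""Cross-account trust policy generation and review.

Added illustration, not Control Tower's or AWS's own code. ORG_ID and the
account ids are constructed placeholders, not real identifiers.
"""
import json

ORG_ID = "o-exampleorg1"          # constructed placeholder organization id
AUDIT_ACCOUNT = "111111111111"    # constructed placeholder member account id
MEMBER_ACCOUNTS = {AUDIT_ACCOUNT, "222222222222"}  # constructed org membership


def scoped_trust_policy(trusted_account, org_id, require_mfa=True):
    """Trust a single named account, and only while it belongs to our organization.

    aws:PrincipalOrgID means the trust lapses automatically if the account is
    ever removed from the organization (for example, moved out after a breach).
    """
    conditions = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    if require_mfa:
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAssumeFromMemberAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": conditions,
        }],
    }


def _aws_principals(stmt):
    """Normalize the Principal element to a list of AWS principal strings."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _account_of(principal):
    """Account id behind an AWS principal ('123456789012' or an IAM ARN)."""
    if principal.isdigit():
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else None


def review_trust_policy(policy, org_id, member_accounts):
    """Return a list of issue strings; an empty list means the policy passes."""
    issues = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        cond = stmt.get("Condition", {})
        org_pinned = cond.get("StringEquals", {}).get("aws:PrincipalOrgID") == org_id
        mfa = str(cond.get("Bool", {}).get("aws:MultiFactorAuthPresent", "")).lower() == "true"
        for principal in _aws_principals(stmt):
            if principal == "*":
                if not org_pinned:
                    issues.append(f"{sid}: CRITICAL wildcard principal not pinned to {org_id}")
                continue
            account = _account_of(principal)
            if account not in member_accounts:
                issues.append(f"{sid}: CRITICAL trusts account {account}, not a member of the organization")
            if principal.endswith(":root") and not org_pinned:
                issues.append(f"{sid}: WARN account-root principal defers to the other account's IAM; add aws:PrincipalOrgID")
        if not mfa:
            issues.append(f"{sid}: INFO no aws:MultiFactorAuthPresent condition")
    return issues


if __name__ == "__main__":
    policy = scoped_trust_policy(AUDIT_ACCOUNT, ORG_ID)
    print(json.dumps(policy, indent=2))
    print("issues:", review_trust_policy(policy, ORG_ID, MEMBER_ACCOUNTS))
```

Run the review over the trust policy of every role that the integration step creates; a role that trusts an account-root principal hands the decision of who may assume it to the other account's administrators, which is acceptable inside the organization only when the `aws:PrincipalOrgID` condition is present.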
Works With Existing or New
This service is fully capable of managing governance across both existing and new platforms built on AWS. Charges depend only on how much the underlying AWS resources are used. If these steps sound intimidating in any way, Amazon also offers a lab for learning and demonstrating Control Tower’s functionality.