Features
AWS Control Tower maximizes visibility through its dashboard. All the provisioned environments, the number of guardrails enabled, and the status of every resource present are visible from this single UI. Review tools show whether everything is compliant and what actions should be taken when it is not.
Landing Zone
A landing zone is a multi-account AWS environment that meets well-architected standards and the necessary compliance and security requirements. Using blueprints, it is easy to automate the setup of a new landing zone with various preset features, including identity and access management with AWS IAM, federated access, centralized logging with AWS CloudTrail, and security audits.
Account Factory
Along with automating landing zones, provisioning accounts for the organization can also be automated with various pre-configured, pre-approved templates. Builders can modify these configurations to meet the more specific business and security policies a company may have.
Controls
Mapping controls with AWS Control Tower is far less complicated and takes less time: which accounts have access and what data gets encrypted are mapped, defined, and managed in one place. AWS CloudFormation Hooks are now used to identify and block resources that are not compliant with user-defined requirements, regardless of the size and scale of the operation. Finally, configuration and technical documentation are kept up to date so users remain informed.
Guardrails
As mentioned above in the segment about Landing Zones, guardrails are governance rules for security or compliance that can be applied either across the enterprise or to specific accounts. Guardrails come in two dimensions: preventive/detective and mandatory/optional.
- Preventive/detective: A preventive guardrail establishes intent and prevents the deployment of non-compliant resources. A detective guardrail scans resources that already exist for noncompliance. Afterward, these guardrails update the status shown on the AWS Control Tower dashboard.
- Mandatory/optional: This dimension offers governance based on AWS best practices and common customer policies. Mandatory guardrails disallow changes to IAM roles and bucket policies, detect read access, and prevent certain cross-region access. Optional guardrails can be enabled or disabled at any time; they detect access to Amazon S3 buckets, whether MFA for the root user is enabled, and whether encryption is enabled for Amazon EBS volumes attached to EC2 instances.
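The preventive dimension in practice, as an added example that is not Control Tower's own code: a Service Control Policy in the shape Control Tower uses for its mandatory guardrails (an explicit Deny with an ArnNotLike exemption for the AWSControlTowerExecution role), plus a small local evaluator that shows which callers the Deny catches. The policy, the evaluator and the principal ARNs are constructed for illustration; the evaluator models only Deny statements and that one condition key, not full IAM evaluation.

```python
import fnmatch

# Role Control Tower uses to manage member accounts; its ARN pattern is the
# exemption in the mandatory guardrails' SCPs.
CT_EXEC_ROLE = "arn:aws:iam::*:role/AWSControlTowerExecution"

# Constructed SCP in the shape of a mandatory preventive guardrail: member
# account principals may not change IAM role or S3 bucket policies, but the
# Control Tower execution role is exempt through the ArnNotLike condition.
GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRDenyRoleAndBucketPolicyChanges",
        "Effect": "Deny",
        "Action": ["iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy",
                   "iam:DeleteRolePolicy", "s3:PutBucketPolicy",
                   "s3:DeleteBucketPolicy"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalARN": CT_EXEC_ROLE}},
    }],
}


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?); accepts one pattern or a list."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def denied_by_scp(scp, action, principal_arn):
    """Return the Sid of the first Deny statement that blocks this call, or
    None if the SCP lets it through to the account's own IAM policies."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny" or not _matches(stmt["Action"], action):
            continue
        cond = stmt.get("Condition", {}).get("ArnNotLike", {})
        exempt = cond.get("aws:PrincipalARN")
        if exempt and _matches(exempt, principal_arn):
            continue  # condition is false for an exempt principal: Deny skipped
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    dev = "arn:aws:iam::111111111111:user/dev"
    ct = "arn:aws:iam::111111111111:role/AWSControlTowerExecution"
    for who, act in [(dev, "s3:PutBucketPolicy"), (ct, "s3:PutBucketPolicy"),
                     (dev, "s3:GetObject")]:
        verdict = denied_by_scp(GUARDRAIL_SCP, act, who) or "allowed by SCP"
        print(f"{act:24} {who.split(':')[-1]:32} -> {verdict}")
```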

How to Start With AWS Control Tower
Here is a high-level plan for setting up AWS Control Tower on a new account and integrating existing AWS account resources with it:
- Preparation:
  - Ensure you have the necessary permissions in both the new and existing AWS accounts to set up Control Tower and integrate resources.
  - Make a list of the resources in the existing account that you want to integrate with the new Control Tower account.
- Setting up AWS Control Tower:
  - Create a new AWS account if you do not already have one.
  - Set up AWS Control Tower in the new account.
  - Follow the setup process and decide on the security and compliance settings you want to implement.
- Integrating existing resources:
  - Use AWS Organizations to create an organization that includes both the new Control Tower account and the existing account.
  - Ensure AWS resource access is set up correctly between the accounts using AWS Resource Access Manager (RAM).
  - Use AWS Resource Linking to link the desired resources in the existing account to the new Control Tower account.
- Testing:
  - Validate that the resources are accessible in the new Control Tower account.
  - Verify that the security and compliance policies set up in Control Tower are being applied to the integrated resources.
  - Ensure that all business processes are working as expected in the new Control Tower account.
- Finalizing:
  - Document the process, including any changes made to the resources during the integration.
  - Train any necessary staff on the new processes and policies set up in the new Control Tower account.
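The Testing step, rehearsed offline as an added example that is neither Control Tower's nor AWS Config's code: the two detective checks named in the Guardrails section (root MFA enabled; EBS volumes attached to EC2 instances encrypted) are evaluated over a constructed inventory of two member accounts, producing the per-account noncompliance list a dashboard would show. Account ids, volume ids and the control names are placeholders; in a real landing zone Control Tower runs these checks as AWS Config rules.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account_id: str
    control: str
    resource: str
    compliant: bool


# Constructed inventory for two member accounts, of the kind you would
# assemble from IAM account summaries and EC2 DescribeVolumes output.
INVENTORY = {
    "111111111111": {
        "root_mfa_enabled": True,
        "volumes": [
            {"id": "vol-0aaa", "encrypted": True, "attached": True},
            {"id": "vol-0bbb", "encrypted": False, "attached": False},
        ],
    },
    "222222222222": {
        "root_mfa_enabled": False,
        "volumes": [{"id": "vol-0ccc", "encrypted": False, "attached": True}],
    },
}


def evaluate(inventory):
    """Return one Finding per (account, control, resource) in scope.
    Control names are placeholders, not Control Tower identifiers."""
    findings = []
    for acct, data in inventory.items():
        findings.append(Finding(acct, "ROOT_ACCOUNT_MFA_ENABLED", "root",
                                data["root_mfa_enabled"]))
        for vol in data["volumes"]:
            if not vol["attached"]:
                continue  # the guardrail scopes to volumes attached to EC2
            findings.append(Finding(acct, "ENCRYPTED_VOLUMES", vol["id"],
                                    vol["encrypted"]))
    return findings


def noncompliant(inventory):
    """Dashboard-style summary: account id -> failing (control, resource)."""
    out = {}
    for f in evaluate(inventory):
        if not f.compliant:
            out.setdefault(f.account_id, []).append((f.control, f.resource))
    return out


if __name__ == "__main__":
    for acct, failures in noncompliant(INVENTORY).items():
        print(acct, failures)
```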
To access AWS resources from one account to another, you can use AWS Organizations or AWS Resource Access Manager (RAM).
- Using AWS Organizations:
  - Create an AWS Organization that includes both accounts.
  - Use AWS Identity and Access Management (IAM) policies to control access to resources across accounts.
  - You can delegate access to the other account by granting permissions in IAM policies.
- Using AWS Resource Access Manager (RAM):
  - Create a resource share in the account that owns the resources.
  - Authorize other accounts to access the shared resources.
  - Use IAM policies to control access to the shared resources.
Works With Existing or New
This service is fully capable of managing governance across both existing and new platforms built on AWS. Users are charged only for the AWS resources it uses, according to how much it is used. If these steps sound intimidating, Amazon also offers a lab for learning and demonstrating Control Tower's functionality.