
How to Setup AWS Control Tower in Your Environment

Control and governance are a major focus of Amazon’s cloud services. Another solid service for maintaining the health and compliance of any AWS workload is Control Tower, which further simplifies governance while leaving room to integrate third-party software for scaling. AWS Control Tower’s main function is the construction and monitoring of new AWS environments, regardless of their size and complexity.

What is the architecture of AWS Control Tower and how are accounts organized within it?

AWS Control Tower is an essential service designed to ensure a compliant and secure multi-account structure for organizations using AWS. The architecture of AWS Control Tower revolves around the concept of a Landing Zone, which serves as the foundation for building an environment with multiple AWS accounts.

A Landing Zone is a configured structure that offers a compliant and secure set of accounts to begin building upon. This Landing Zone can include additional features such as federated account access through Single Sign-On (SSO) and the utilization of centralized logging via Amazon CloudTrail and AWS Config.

To enforce security requirements and maintain compliance, Guardrails are established within the Landing Zone. These Guardrails are rules written in plain English and are implemented using AWS CloudFormation. They ensure that each account within the Landing Zone adheres to specific security settings and configurations that meet the organization’s standards.

The organization of accounts within the Landing Zone is achieved through the use of Organizational Units (OUs), which are provisioned with the help of AWS Organizations. Let’s explore the OUs commonly utilized in the architecture of AWS Control Tower:

1. Security OU: This OU contains key accounts, such as the Log Archive Account and the Audit Account. It serves as a centralized store for CloudTrail and AWS Config logs, ensuring security and traceability across the entire infrastructure.

2. Sandbox OU: The Sandbox OU provides a safe and isolated environment for testing purposes. It houses Sandbox Accounts, which are used to carry out experiments and trials without risking disruption to production workloads.

3. Production OU: All production accounts and their respective workloads are placed within the Production OU. It acts as the main hosting environment for critical applications and services.

4. Non-Production OU: The Non-Production OU is dedicated to pre-production activities, enabling comprehensive testing and development of applications before they are moved into the production environment.

5. Suspended OU: Accounts within the Suspended OU are securely isolated and have highly restricted permissions. This OU is specifically designed to handle deleted, reused, or breached accounts, ensuring that any potential security risks are contained in a controlled environment.

6. Shared Services OU: The Shared Services OU contains accounts dedicated to services shared across multiple other accounts. This includes accounts for Shared Services, Security Services, and Networking, providing centralized services that can be leveraged by various accounts within the Landing Zone.

The architectural setup of AWS Control Tower, with the Landing Zone and its associated OUs, establishes a secure and organized environment for effectively managing multiple accounts within the AWS ecosystem.

Who can benefit from using AWS Control Tower?

AWS Control Tower can benefit a wide range of organizations, regardless of their size or level of experience with AWS. Whether you are a large multinational corporation with extensive knowledge of AWS or a small startup that is just starting to explore cloud computing, AWS Control Tower can provide immense value. It offers a Landing Zone, which helps ensure that your architecture is provisioned in an efficient and secure manner. By using AWS Control Tower, organizations gain the confidence they need to manage and streamline their AWS environment effectively, regardless of their previous experience in the cloud.

Features

AWS Control Tower maximizes visibility through its dashboard. All provisioned environments, the number of guardrails enabled, and the status of every resource are visible from this single UI. Review tools show whether everything is compliant and what actions to take when something is not.

Landing Zone

A landing zone is a multi-account AWS environment that has passed well-architected standards and meets the necessary compliance and security requirements. Blueprints make it easy to automate the setup of a new landing zone with preset features, including identity and access management through AWS IAM, federated access, centralized logging through AWS CloudTrail, and security audits.

Account Factory

Account Factory is an automated solution that simplifies the process of procuring new accounts for your organization. It offers pre-configured and pre-approved templates that can be easily modified to align with your specific business and security policies. By leveraging these templates, you can ensure that the provisioning of new accounts adheres to the necessary standards and requirements.

With Account Factory, the process of creating new accounts is streamlined and efficient. It eliminates the need for manual intervention, allowing builders to automate the setup of landing zones and provisioning of accounts. This automation not only saves time but also reduces the chances of errors or inconsistencies.

The pre-configured templates provided by Account Factory cover various aspects such as networking information and region selection. This ensures that new accounts are provisioned with the necessary network configurations and are deployed in the desired regions. By incorporating these pre-approved configurations, you can ensure a standardized and secure account provisioning process.

In addition to the pre-configured templates, Account Factory seamlessly integrates with AWS Service Catalog. This integration enables internal customers to easily configure and build new accounts, empowering them with self-service capabilities. By utilizing AWS Service Catalog, users can customize their accounts based on their specific requirements, without relying on IT support or lengthy approval processes.

Account Factory also offers compatibility with third-party Infrastructure as Code tools like Terraform. This integration allows cloud teams to leverage familiar tools and workflows while still benefiting from the Account Factory’s capabilities. With the ability to use Terraform, teams can efficiently manage and deploy resources across multiple accounts, ensuring a seamless experience.

In conclusion, Account Factory automates the provisioning of new accounts by providing pre-configured templates that align with your organization’s policies. Its integration with AWS Service Catalog and compatibility with infrastructure automation tools like Terraform enhance the flexibility and efficiency of the account provisioning process. With Account Factory, you can streamline and standardize the creation of new accounts, ensuring that they meet your organization’s security and operational requirements.

Controls

Mapping controls with AWS Control Tower is not excessively complicated, and it takes less time to map, define, and manage which accounts have access or which data gets encrypted. AWS CloudFormation Hooks are now used to identify and block resources that do not comply with user-defined requirements, regardless of the operation’s size and scale. Finally, configuration and technical documentation are kept up to date so users remain informed.

Guardrails

As mentioned above in the segment about Landing Zones, guardrails are governance rules for either security or compliance that can be applied either across the enterprise or to specific accounts. Guardrails come in two different dimensions: preventive/detective and mandatory/optional.

    • Preventive/detective: Within the landing zone that AWS Control Tower builds, guardrails establish intent: preventive guardrails stop non-compliant resources from being deployed, and detective guardrails find non-compliant resources that already exist. Using both, AWS Control Tower continuously monitors the environment and updates the status shown on the dashboard.
    • Mandatory/optional: The governance the guardrails provide is based on AWS best practices and common customer policies. Mandatory guardrails enforce strict controls: they disallow changes to IAM roles and bucket policies, detect unauthorized access, and prevent certain cross-region activities. Optional guardrails offer flexibility, since users can enable or disable them as needed; they detect access to Amazon S3 buckets, check that MFA is enabled for root users, and confirm encryption of Amazon EBS volumes attached to EC2 instances.
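
The two dimensions above, shown as working code. This is an added example and is not part of the article or of AWS’s own tooling: a preventive guardrail is modelled as an AWS Organizations service control policy (SCP) evaluated against a proposed API call, and the EBS-encryption and root-MFA guardrails are modelled as detective checks over a resource snapshot. The SCP, the ARNs, the approved-region list, the sample volume records and the helper names (`scp_denies`, `unencrypted_attached_volumes`, `root_mfa_enabled`) are all constructed for illustration; `aws:RequestedRegion` and `AccountMFAEnabled` are the real IAM condition key and GetAccountSummary field.

```python
"""Added example (not from the article or from AWS): a preventive guardrail
evaluated as an SCP over a proposed request, and two detective guardrails
evaluated over a resource snapshot. All policies, ARNs and records are
constructed placeholders, not Control Tower's real guardrail definitions."""
import fnmatch
import json

# Constructed SCP modelled on the mandatory guardrails named in the article:
# no changes to the audit role or the log-archive bucket policy, and no
# regional activity outside the approved regions (global services exempted).
PREVENTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DenyAuditRoleChanges", "Effect": "Deny",
     "Action": ["iam:DeleteRole", "iam:UpdateAssumeRolePolicy", "iam:PutRolePolicy"],
     "Resource": "arn:aws:iam::*:role/example-audit-*"},
    {"Sid": "DenyLogBucketPolicyChanges", "Effect": "Deny",
     "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
     "Resource": "arn:aws:s3:::example-log-archive-*"},
    {"Sid": "DenyUnapprovedRegions", "Effect": "Deny",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
     "Resource": "*",
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}}}
  ]
}
""")


def _listify(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    return any(fnmatch.fnmatchcase(value, p) for p in _listify(patterns))


def _condition_holds(condition, context):
    # Only StringEquals / StringNotEquals are modelled; enough for region pinning.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            equal = context.get(key) in _listify(expected)
            if (operator == "StringEquals" and not equal) or (operator == "StringNotEquals" and equal):
                return False
    return True


def scp_denies(scp, action, resource, context=None):
    """Return the Sid of the first Deny statement matching the request, else None.
    An SCP only restricts: a request no statement denies is still subject to
    the caller's ordinary IAM permissions."""
    context = context or {}
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            action_hit = _matches(stmt["Action"], action)
        else:  # NotAction: the statement covers every action NOT listed
            action_hit = not _matches(stmt["NotAction"], action)
        if not action_hit or not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        return stmt["Sid"]
    return None


# Constructed snapshot in the shape of EC2 DescribeVolumes and IAM
# GetAccountSummary output (field names are real, values are made up).
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0aaa", "Encrypted": True, "Attachments": [{"InstanceId": "i-01"}]},
    {"VolumeId": "vol-0bbb", "Encrypted": False, "Attachments": [{"InstanceId": "i-02"}]},
    {"VolumeId": "vol-0ccc", "Encrypted": False, "Attachments": []},  # unattached: out of scope
]
SAMPLE_ACCOUNT_SUMMARY = {"AccountMFAEnabled": 0}


def unencrypted_attached_volumes(volumes):
    """Detective check for the EBS guardrail: attached but unencrypted volumes."""
    return [v["VolumeId"] for v in volumes if v["Attachments"] and not v["Encrypted"]]


def root_mfa_enabled(account_summary):
    """Detective check for the root-MFA guardrail."""
    return account_summary.get("AccountMFAEnabled", 0) == 1


if __name__ == "__main__":
    for action, resource, region in [
        ("iam:DeleteRole", "arn:aws:iam::123456789012:role/example-audit-role", "us-east-1"),
        ("s3:PutBucketPolicy", "arn:aws:s3:::example-log-archive-123456789012", "us-east-1"),
        ("ec2:RunInstances", "*", "eu-west-1"),
        ("ec2:RunInstances", "*", "us-east-1"),
    ]:
        verdict = scp_denies(PREVENTIVE_SCP, action, resource, {"aws:RequestedRegion": region})
        print(f"{action:20} {region:10} -> {verdict or 'not denied by SCP'}")
    print("unencrypted attached volumes:", unencrypted_attached_volumes(SAMPLE_VOLUMES))
    print("root MFA enabled:", root_mfa_enabled(SAMPLE_ACCOUNT_SUMMARY))
```

The distinction the article draws is visible in the two halves: the SCP half decides before anything is created, so a non-compliant call never produces a resource, while the detective half can only report what already exists, which is why Control Tower surfaces those results on the dashboard rather than blocking them.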


How to Start With AWS Control Tower

Here is a high-level plan for setting up AWS Control Tower on a new account and integrating existing AWS account resources with it:

  1. Preparation:
      • Ensure you have the necessary permissions in both the new and existing AWS accounts to set up the Control Tower and integrate resources.
      • Make a list of the resources in the existing account that you want to integrate with the new Control Tower account.
  2. Setting up AWS Control Tower:
      • Create a new AWS account if you do not already have one.
      • Set up AWS Control Tower in the new account.
      • Follow the setup process and make decisions on the security and compliance settings you want to implement.
  3. Integrating existing resources:
      • Use AWS Organizations to create an organization that includes both the new Control Tower account and the existing account.
      • Ensure AWS resource access is set up correctly between the accounts using AWS Resource Access Manager (RAM).
      • Use AWS Resource Linking to link the desired resources in the existing account to the new Control Tower account.
  4. Testing:
      • Validate that the resources are accessible in the new Control Tower account.
      • Verify that the security and compliance policies set up in Control Tower are being applied to the integrated resources.
      • Ensure that all business processes are working as expected in the new Control Tower account.
  5. Finalizing:
      • Document the process, including any changes made to the resources during the integration process.
      • Train any necessary staff on the new processes and policies set up in the new Control Tower account.

To access AWS resources from one account to another, you can use AWS Organizations or AWS Resource Access Manager (RAM).

  1. Using AWS Organizations:
      • Create an AWS Organization that includes both accounts.
      • Use AWS Identity and Access Management (IAM) policies to control access to resources across accounts.
      • You can delegate access to the other account by granting permissions in IAM policies.
  2. Using AWS Resource Access Manager (RAM):
      • Create a resource share in the account that owns the resources.
      • Authorize other accounts to access the shared resources.
      • Use IAM policies to control access to the shared resources.
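
The IAM side of the Organizations-based delegation above, as an added example that is not part of the article or of AWS’s own tooling. It builds the trust policy for a role that one account may assume from another account in the same Organization, pinned with the real `aws:PrincipalOrgID` condition key, and audits existing trust policies for the most common over-grant, trusting any AWS principal. The account ID, the organization ID and the helper names (`trust_policy_for_org_account`, `audit_trust_policy`) are constructed placeholders.

```python
"""Added example (not from the article or from AWS): cross-account role
delegation inside one AWS Organization. Account and organization IDs are
constructed placeholders."""
import json


def trust_policy_for_org_account(trusted_account_id, org_id):
    """Trust policy for a delegated role: principals in the trusted account may
    call sts:AssumeRole, and only while that account is in our Organization."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
        }],
    }


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    aws = principal.get("AWS", []) if isinstance(principal, dict) else []
    return aws if isinstance(aws, list) else [aws]


def _org_ids_required(stmt):
    """Organization IDs named in an aws:PrincipalOrgID condition, if any."""
    found = []
    for pairs in stmt.get("Condition", {}).values():
        value = pairs.get("aws:PrincipalOrgID")
        if value is not None:
            found.extend(value if isinstance(value, list) else [value])
    return found


def audit_trust_policy(policy, org_id):
    """Findings for Allow statements that grant sts:AssumeRole to a wildcard
    principal without pinning the caller to our Organization, or that pin
    to a different Organization."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        orgs = _org_ids_required(stmt)
        if "*" in _aws_principals(stmt) and not orgs:
            findings.append(f"statement {i}: any AWS principal may assume this role (no aws:PrincipalOrgID)")
        if orgs and org_id not in orgs:
            findings.append(f"statement {i}: pinned to organization(s) {orgs}, not {org_id}")
    return findings


# Constructed policies for the audit: one as the helper above generates it,
# one that trusts every AWS account.
SAFE_POLICY = trust_policy_for_org_account("111122223333", "o-exampleorgid")
RISKY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    print(json.dumps(SAFE_POLICY, indent=2))
    for name, policy in (("safe", SAFE_POLICY), ("risky", RISKY_POLICY)):
        print(name, audit_trust_policy(policy, "o-exampleorgid") or ["no findings"])
```

The trust policy is only half of the delegation: the role still needs a permissions policy saying what the assumed principal may do, and the trusted account still needs an identity policy allowing `sts:AssumeRole` on the role’s ARN, which is the "use IAM policies to control access" step in the list above.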

Works With Existing or New

This service is fully capable of managing governance across both existing and new platforms built on AWS. Charges depend only on how much the underlying AWS resources are used. If these steps sound intimidating, Amazon also offers a lab for learning and demonstrating Control Tower’s functionality.

Dolan Cleary

I am a recent graduate from the University of Wisconsin - Stout and am now working with AllCode as a web technician. Currently working within the marketing department.
