AWS Control Tower

AWS Control Tower is one such service that helps us govern an expansive multi-account cloud infrastructure, following the prescriptive AWS best practices.

Introduction to AWS Control Tower

AWS Control Tower is an AWS tool we can use to set up and securely govern an expansive multi-account AWS cloud infrastructure based on the prescriptive AWS best practices.

It is designed for enterprises looking to build and manage AWS environments in a scalable and efficient manner. Here are some key features of the AWS Control Tower service:

Landing zone

The landing zone is one of the most important and primary features of the AWS Control Tower service. A landing zone is a pre-configured, secure, multi-account AWS environment that is set up based on AWS best practices. A landing zone acts as a baseline setup of AWS accounts and resources that form the foundation of our AWS environment. It provides a structured and standardized environment for our AWS workloads and resources.

A landing zone is set up like a multi-account structure with the help of the AWS Organization service. Furthermore, centralized logging is done with the AWS CloudTrail service, and identity management is done through AWS Single Sign-On.

GuardRails/Controls

GuardRails, also better known as Controls, are the features that help enforce governance and compliance policies across the AWS environment. These controls ensure that the AWS environment adheres to the organization’s security, compliance, and operational policies. GuardRails are of two types:

• Preventive GuardRails: These help prevent policy violations in the AWS environment managed by Control Tower. Preventive GuardRails utilizes service control policies (SCPs) that disallow actions we want to restrict. For example, we may want to restrict the AWS environment to only restrict all IAM users/roles to launch EC2 instances of t2.micro type, even if their respective IAM policy has permission to launch an t3.medium instance type.

• Detective GuardRails: These are used to detect and alert on non-compliance or deviations from policies. For example, we may want to identify any untagged AWS resources in our environment.

Account Factory

The Account Factory feature within AWS Control Tower simplifies the process of creating and managing AWS accounts. It automates the provisioning of new accounts in our organization. Each new account is pre-configured with the baseline environment and policies, defined in our landing zone. This ensures that all new accounts adhere to our organization’s compliance and security standards from the moment they are created.

Control Tower Dashboard

The AWS Control Tower Dashboard provides a centralized view of our AWS environment. It offers insights into the operational status and compliance of our AWS accounts. The dashboard displays information such as the number of accounts in our organization, the status of implemented GuardRails, and any policy violations. It’s a key tool for administrators to monitor and manage the health and compliance of the AWS environment.

How AWS Control Tower works

We use AWS Control Tower by first setting up a Landing Zone that enforces compliance regulations on our AWS accounts. Here’s the structure of the Control Tower Landing Zone:

Here’s the explanation of the Control Tower Landing Zone structure above:

• Root OU: This is the parent organizational unit (OU) containing all the other units in our Landing Zone. It contains an AWS account for management. It’s one of the organizational units automatically created by Control Tower in the Landing Zone.

• Security OU: This is the organizational unit responsible for the security of the Landing Zone. Control Tower automatically creates this OU as well as the shared Audit and Log Archive AWS accounts. The Audit account is responsible for collecting the auditing data that Control Tower provides, while the Log Archive is responsible for collecting and storing all activity logs from all OUs and accounts.

• Sandbox OU: This is the organizational unit where we create and manage any AWS/Test accounts responsible for development and testing purposes. This OU is empty by default. It’s also one of the OUs automatically created by Control Tower in the Landing Zone.

• Production OU: This is the organizational unit we need to set up ourselves for creating and managing any AWS accounts responsible for production purposes. This OU unit is empty by default.

• Preventive GuardRails: Each OU has its own Preventive GuardRail and corresponding SCPs for restricting any actions.

• Detective GuardRails: The compliance of the entire Landing Zone is monitored and managed by a Detective GuardRail in conjunction with AWS Config and AWS Lambda.

Use cases

Here are some use cases of the AWS Control Tower service:

• AWS Control Tower can set up and govern a well-architectured AWS multi-account environment for deploying applications.

• AWS Control Tower can automate the process of provisioning AWS accounts with the proper compliance and regulatory requirements.

• AWS Control Tower can govern both new and existing AWS accounts and have complete compliance visibility.

• Control Tower helps us integrate third-party software in our AWS environment at scale.

Understanding costs

There are no additional charges for using AWS Control Tower.

The AWS Control Tower itself is a solution from AWS that allows us to manage our multi-account infrastructure. Hence, it’s important to note that we’ll still incur costs for the AWS services we’re managing the AWS infrastructure with Control Tower. These services range from AWS Organizations, AWS Single Sign-On (SSO), AWS Config rules, Amazon S3, AWS CloudTrail, etc.

This lesson taught us about AWS Control Tower, its potential benefits, and how it helps us govern a multi-account AWS environment and maintain compliance with GuardRails.