AWS Control Tower
An overview of AWS Control Tower
AWS Control Tower sets up and governs a secure, multi-account AWS environment based on AWS's prescriptive best practices, giving you one place to apply security, governance, and compliance controls across your organization.
Setting up a landing zone takes about an hour. During that time Control Tower acts on your behalf to create and configure AWS Organizations (including Service Control Policies), CloudTrail, AWS Config, IAM Identity Center, and Control Tower's own Account Factory, among other services and features.
A landing zone is the multi-account environment Control Tower builds, following AWS's well-architected, multi-account best practices. It consists of the following components:
AWS Organizations:
Unless you already have an Organization, this will be set up for you
It lets you group AWS accounts into Organizational Units (OUs) and attach policies to those OUs and accounts (Service Control Policies, Resource Control Policies, declarative policies, tag policies, and more)
Check out the AWS Organizations module to learn more
AWS CloudTrail:
Enables an organization trail that records API activity (management events) across all member accounts
You can bring an existing trail instead of letting Control Tower create one, but if you do, Control Tower's mandatory controls will not protect it; their SCPs only guard the trail Control Tower creates, so you must protect your own trail yourself
Check out the AWS CloudTrail module to learn more
AWS IAM Identity Center:
Optionally enables IAM Identity Center, which centrally manages users, groups, and permission sets across all of your AWS accounts
Lets you use the built-in identity store for single sign-on (SSO) or federate with an external identity provider (IdP) such as Okta or Active Directory
Identities created here are federated: they sign in through Identity Center and assume the roles that permission sets create in each account, so they are not IAM users and are managed separately from IAM
Check out the AWS Identity Center module to learn more
AWS "Audit" and "Log Archive" Accounts:
Unless you specified existing accounts to use, Control Tower creates two new AWS accounts
The Audit account hosts AWS Config aggregation and remediation actions and receives Simple Notification Service (SNS) notifications related to CloudTrail, AWS Config, CloudWatch, GuardDuty, and Control Tower drift events
The Log Archive account is the central, access-restricted store for the organization's CloudTrail and AWS Config logs
You are not required to use the accounts exactly this way, but they are configured so you can
AWS Account Factory:
Enables provisioning new AWS accounts from a template you can customize, e.g., creating accounts without default VPCs or enabling account-wide settings such as S3 Block Public Access
Check out the AWS Account Factory module to learn more
Controls are high-level rules that provide ongoing governance for your AWS environment. The following types of controls are supported:
Mandatory Controls:
These controls are owned by AWS Control Tower and protect the resources it creates, such as its CloudTrail trail, AWS Config recorder, and log buckets
They cannot be disabled and are enforced via Service Control Policies and AWS Config rules
Detective Controls:
These controls, implemented as AWS Config rules, detect resources that are already noncompliant and report them; they do not block the action that created them
They can be enabled/disabled
Examples include checking that storage is encrypted at rest and traffic in transit, or that EC2 Auto Scaling groups attached to an Elastic Load Balancer use ELB health checks
Proactive Controls:
These controls evaluate resources before CloudFormation provisions them (via CloudFormation hooks) and can block the deployment of noncompliant resources; they only apply to resources created through CloudFormation
They can be enabled/disabled
Examples include validating that GuardDuty's S3 protection is enabled or that an Amazon EKS cluster's Kubernetes API endpoint is not publicly accessible
Preventive Controls:
These controls block noncompliant actions before they happen, so the policy violation never occurs
They are implemented as Service Control Policies, Resource Control Policies, or declarative policies; the AWS Backup and digital sovereignty control categories are also delivered in this form
Examples include preventing EBS snapshots or AMIs from being shared publicly, requiring all objects uploaded to S3 to be encrypted, and much more
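As an added example (not Control Tower's own policy documents, which are not reproduced here), the following CloudFormation template attaches one SCP to an OU and does two of the things discussed above: it protects a trail you brought yourself, the way the mandatory control protects the trail Control Tower creates (see the CloudTrail component), and it implements preventive controls of the kind listed here, blocking public sharing of EBS snapshots, locking the account-level public-access blocks for snapshots and AMIs, and denying S3 uploads that carry no encryption header. The trail name, break-glass role name, OU ID, and policy name are placeholders.

```yaml
# Added example, not Control Tower's own policy: one SCP deployed with
# CloudFormation and attached to a single OU. Every name marked "example"
# is a placeholder to replace with your own.
AWSTemplateFormatVersion: "2010-09-09"
Description: Illustrative preventive controls for a workload OU

Parameters:
  TargetOuId:
    Type: String
    Description: OU to attach the SCP to (placeholder, e.g. ou-xxxx-xxxxxxxx)

Resources:
  WorkloadPreventiveControls:
    Type: AWS::Organizations::Policy
    Properties:
      Name: example-workload-preventive-controls
      Type: SERVICE_CONTROL_POLICY
      TargetIds:
        - !Ref TargetOuId
      Content:
        Version: "2012-10-17"
        Statement:
          # 1. Protect a trail you brought yourself, as the mandatory control
          #    does for the trail Control Tower creates. SCPs never apply to the
          #    management account, so this only holds in member accounts.
          - Sid: ProtectTrailInMemberAccounts
            Effect: Deny
            Action:
              - cloudtrail:DeleteTrail
              - cloudtrail:StopLogging
              - cloudtrail:UpdateTrail
              - cloudtrail:PutEventSelectors
            Resource: arn:aws:cloudtrail:*:*:trail/example-org-trail   # placeholder
            Condition:
              ArnNotLike:
                aws:PrincipalArn: arn:aws:iam::*:role/ExampleBreakGlassRole   # placeholder
          # 2. Block the API call that makes an EBS snapshot public
          #    (createVolumePermission group "all") ...
          - Sid: DenyPublicEbsSnapshotSharing
            Effect: Deny
            Action: ec2:ModifySnapshotAttribute
            Resource: "*"
            Condition:
              StringEquals:
                ec2:Add/group: all
          # 3. ... and keep the account-level block-public-access switches for
          #    snapshots and AMIs from being turned off.
          - Sid: KeepBlockPublicAccessEnabled
            Effect: Deny
            Action:
              - ec2:DisableSnapshotBlockPublicAccess
              - ec2:DisableImageBlockPublicAccess
            Resource: "*"
          # 4. Require an explicit server-side-encryption header on every
          #    upload. Caveat: S3 has encrypted new objects with SSE-S3 by
          #    default since January 2023, so a missing header no longer means
          #    plaintext; this statement breaks clients that rely on the
          #    bucket default and send no header.
          - Sid: DenyUploadsWithoutEncryptionHeader
            Effect: Deny
            Action: s3:PutObject
            Resource: "*"
            Condition:
              "Null":
                s3:x-amz-server-side-encryption: "true"
```

Deploy the template from the management account (or an Organizations delegated administrator), which is where AWS::Organizations::Policy resources can be created. Two caveats matter in practice: SCPs never apply to the management account, so an organization trail that lives there has to be protected by IAM policy inside that account rather than by this SCP; and the PutObject statement enforces only that clients send the header explicitly, which is why it is worth testing against your real upload paths before attaching it to a production OU.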