AWS Control Tower

‍📖 Introduction to AWS Control Tower

AWS Control Tower offers a robust solution for swiftly setting up and managing a secure, multi-account AWS environment. By following AWS best practices, it simplifies security, governance, and compliance across your organization.

Deployment takes about an hour and during that time Control Tower acts on your behalf to orchestrate and configure AWS services such as Organizations, Service Control Policies, CloudTrail, AWS Config, Account Factory, Identity Center, and more.

🗒️ Understanding Control Tower's Features

1. Landing Zone

A Landing Zone is an environment based on AWS's well-architected, multi-account best practices. The following features are components of this:

• AWS Organizations:

  • Unless you already have an Organization, this will be set up for you

  • It enables grouping AWS accounts into different Organizational Units and applying policy options (SCPs, RCPs, Declarative, Tagging, and more)

• AWS CloudTrail:

  • Enables an Organization trail to log all events in AWS member accounts

  • You're able to use an existing CloudTrail if you have one rather than let Control Tower set one up but if you do, Control Tower's SCPs won't protect it (it protects the one it creates)

• AWS Identity Center:

  • Optionally enables AWS Identity Center allowing for centralized management of AWS Groups and Permission sets across all of your AWS accounts

  • Enables the ability to use AWS Single Sign-On (SSO) or to integrate with a different Identity Provider (IdP) such as Okta or Active Directory

  • Identities created here are federated users and are not the same as traditional IAM Users and Roles that are managed in IAM

• AWS "Audit" and "Log Archive" Accounts:

  • Unless you specified existing accounts to use, Control Tower creates two new AWS accounts

    • The Audit account is used for managing AWS Config and remediation actions while also receiving Simple Notification Service (SNS) notifications related to CloudTrail, AWS Config, CloudWatch, GuardDuty, and event or Control Tower drift changes

    • The Log Archive account stores AWS CloudTrail and AWS Config logs

  • You don't have to use the accounts this way but they are enabled for you to do so

2. AWS Account Factory

• Enables deploying new AWS accounts which you can customize to your needs e.g., provisioning the accounts without default VPCs or enabling account-wide controls like blocking S3 buckets

3. Comprehensive Controls Management

Controls are high-level rules that provide ongoing governance for your AWS environment. The following types of controls are supported:

• Mandatory Controls:

  • These controls are owned by AWS Control Tower and protect related resources

  • They cannot be disabled and are enforced via Service Control Policies and AWS Config rules

• Detective Controls:

  • These controls check for noncompliant resources

  • They can be enabled/disabled

  • Examples include checking for encryption at rest or in transit or ensuring EC2 auto-scaling groups associated with an Elastic Load Balancer are using health checks

• Proactive Controls:

  • These controls ensure resources created through CloudFormation meet policies and can block non-compliant resources

  • They can be enabled/disabled

  • Examples include validating whether GuardDuty's S3 protection is enabled or that an Elastic Kubernetes Service cluster's API endpoint is not publicly exposed

• Preventative Controls:

  • These controls block actions related to policy violations

  • They must be created in the form of Service Control Policies, Resource Control Policies, or Declarative Policies, and AWS Backup or Digital sovereignty controls

  • Examples include preventing EBS snapshots or AMIs from being shared publicly, requiring all objects uploaded to S3 to be encrypted, and much more

📚 Additional Resources

🏗️ Hands-on Exercises