AWS Control Tower
Dhananjai Mishra
Sr. Tech Account Manager - Cloud, AWS, Azure, Google, Solution Architect.
AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower is the simplest way to set up and manage a secure, multi-account AWS environment known as a landing zone.
AWS Control Tower enables end users on your distributed teams to provision new AWS accounts quickly, by means of configurable account templates in Account Factory. Meanwhile, your central cloud administrators can monitor that all accounts are aligned with established, company-wide compliance policies.
AWS Control Tower gives a single place to streamline AWS account setup, infrastructure setup, governance, standardization, policies, permissions, and account access, especially when a single AWS account does not cut it for the organization and its teams to function and innovate at the speed the world demands.
AWS Organizations, guardrails, AWS Config, AWS SSO, and all their complementary services come together under AWS Control Tower.
Organizational Units
Organizational units (OUs) provide an optional mechanism for grouping accounts into logical collections. AWS Service Control Policies (SCPs) can be attached to an organizational unit to control which actions are allowed within the AWS accounts assigned to that unit. For example, it may be desirable to prevent users within application accounts from deploying resources anywhere other than the ap-south-1 region.
Core: This OU houses all security accounts, such as the core landing zone accounts i.e., Auditing and Logging. No application accounts should be launched into this OU.
Management: This OU houses all administrative accounts, such as the core landing zone accounts i.e., shared services and Network. No application accounts should be launched into this OU.
Pre-Prod: This OU will be used to host pre-prod applications.
Prod: Application accounts that are running production workloads can be tagged to this OU.
Non-Prod: Application accounts that are running nonproduction workloads can be tagged to this OU.
Staging: This OU will be used to host applications for testing and staging.
POC: This OU will be used to host applications for POC purposes only.
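The ap-south-1 restriction mentioned above, written out as an SCP that can be attached to the application OUs (an added example, not from the article). It denies every regional API call outside ap-south-1 while exempting global services that only answer in us-east-1, and the role name ControlTowerBreakGlassRole is an assumed placeholder for an administrative role that should keep working from any Region.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegionalActionsOutsideApSouth1",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "access-analyzer:*",
        "account:*",
        "budgets:*",
        "ce:*",
        "cloudfront:*",
        "health:*",
        "route53:*",
        "route53domains:*",
        "support:*",
        "trustedadvisor:*",
        "waf:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": ["ap-south-1"]
        },
        "ArnNotLike": {
          "aws:PrincipalARN": [
            "arn:aws:iam::*:role/ControlTowerBreakGlassRole"
          ]
        }
      }
    }
  ]
}
```

Because an SCP is evaluated in every member account of the OU and only limits permissions, an account administrator cannot lift this restriction from inside the child account; changing it requires the management account.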
How does it work?
AWS Control Tower uses the same policy and permission system used by IAM, AWS Config, etc., but extends it to the child accounts. This ensures that any rules defined by the parent account cannot be overridden by the child account.
Thus any user who is part of the SSO of the parent account can be given just the precise permissions required in the child account(s). This kind of centralized management makes governance over multiple accounts, which might belong to internal teams or external customers, very easy.
How to get started?
1. Enable STS - Enable STS in all Regions. If this is not done, the landing zone creation will fail.
2. Go to the AWS Control Tower console - Search for AWS Control Tower and open the console.
3. Start landing zone setup - Click the button to start the landing zone setup.
4. Fill in the required details
To start the setup, AWS requires two core accounts, for logging and auditing. Some resources are created in these accounts and in the custom accounts created later, which allow the parent account to manage the child accounts.
For logging and audit, two email addresses are required, to be used as the root user of these AWS accounts. These email addresses must not already be in use as the root user of any other AWS account.
5. Wait for the setup to complete
The landing zone setup takes around 1 hour to finish. Once that is done, further configurations can be done to set up the policies and rules.
That’s it, AWS Control Tower setup is complete.
AWS Control Tower is a powerful tool for a modern organization that is growing at a very fast pace. It streamlines all the processes, setup, deployments, account creations, permission management, etc. This reduces the management overhead and ensures that the organization can spend more time pushing forward instead of spiraling down the management rabbit hole.
Example diagrams for reference.
Thank You..
Please check the next