Getting to know AWS Control Tower
I first attended training on Landing Zones back in August 2018 when it was introduced to APN partners. My immediate thought was that it is a great concept. It had all the features that you can think of for creating AWS accounts that were compliant with company policies, had centralised logging, auditing and SSO for providing access.
But, yes, there was a but: at that time it was very rough around the edges. For example, we could not actually finish our training because AWS had restrictions on launching resources in newly created accounts. Creating Landing Zones required you to have full-blown Microsoft AD servers provisioned with an RDS Gateway and RDS Host. The AD management console was installed on the RDS Host and was used for creating/managing users and groups. Basically it was not a turnkey solution and had limitations. However, you could tweak the provided CloudFormation scripts and Lambda functions to make it work the way you wanted it to, given you had intimate knowledge of AWS services and were willing to break things a few times before getting it right.
Fast forward a year and AWS have released Control Tower. This service wraps the initial Landing Zones concept in a nicely presented service that hides away all the inner workings and presents you with a central console, as below, for managing your AWS environments.
The AWS Control Tower concept is very simple: create a central location for the individuals who are responsible for managing your AWS environments and give them all the tools required for:
- Creating new OUs
- Changing new Account settings e.g. default VPC subnet
- Applying global policies to all accounts
- Creating users/groups for various accounts
It did take me a couple of tries to get it set up though, mostly because it is a new service and, like any other new service, AWS is still working on smoothing out the process. First of all, you cannot create a Landing Zone on any of your existing AWS accounts. It has to be set up on a new account with none of the AWS services that would be auto-configured via Landing Zone creation. For example, you cannot have any organisations created, audit trail enabled or SSO configured. The second thing I noticed was that as soon as you start the process, your main account will get an email to be authorised for consolidated billing. This should be accepted as soon as it arrives, otherwise the whole process has trouble creating child accounts and setting up billing for them. In my first attempt, I missed that email and by the time I got to accept it the whole process had failed.
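The prerequisites above (no existing organisation, no audit trail, no SSO on the account that will host the Landing Zone) can be checked before you click "Set up landing zone". The following is an added example, not code from the original article or from AWS: the evaluation logic works on plain dicts shaped like the relevant API responses so it runs offline, and `gather_live_state()` is an assumed helper that fills such a dict from a real account with boto3. The consolidated-billing email mentioned above is a manual step and is not something this check can see.

```python
"""Pre-flight check for the AWS Control Tower prerequisites described above.

This is an added example, not code from the original article or from AWS.
It encodes the three conditions the article gives for the account that will
host the landing zone: no existing organization, no CloudTrail trail and no
AWS SSO configured. evaluate() works on plain dicts so it runs offline;
gather_live_state() is an assumed helper that fills such a dict from the
real account using boto3 (only needed when you run it against AWS).
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


@dataclass
class PreflightResult:
    ok: bool
    findings: List[str] = field(default_factory=list)


def evaluate(state: Dict[str, Any]) -> PreflightResult:
    """Return the blocking findings for a candidate management account.

    state keys (all optional, each mirrors the shape of the AWS API response):
      organization  - dict from organizations:DescribeOrganization, or None
      trails        - list from cloudtrail:DescribeTrails ("trailList")
      sso_instances - list from sso-admin:ListInstances ("Instances")
    """
    findings: List[str] = []

    org: Optional[Dict[str, Any]] = state.get("organization")
    if org:
        findings.append(
            f"account already belongs to organization {org.get('Id', '?')}; "
            "Control Tower must create the organization itself"
        )

    trails: List[Dict[str, Any]] = state.get("trails") or []
    if trails:
        names = ", ".join(t.get("Name", "?") for t in trails)
        findings.append(
            f"CloudTrail already configured ({names}); "
            "Control Tower sets up its own audit trail"
        )

    if state.get("sso_instances"):
        findings.append(
            "AWS SSO already configured; Control Tower creates the SSO directory"
        )

    return PreflightResult(ok=not findings, findings=findings)


def gather_live_state(session=None) -> Dict[str, Any]:
    """Assumed helper: read the current account state with boto3.

    Imports are kept local so evaluate() can be used without boto3 installed.
    """
    import boto3
    from botocore.exceptions import ClientError

    session = session or boto3.Session()
    try:
        organization = session.client("organizations").describe_organization()["Organization"]
    except ClientError as err:
        # This error code means the account is in no organization: that is the good case.
        if err.response["Error"]["Code"] != "AWSOrganizationsNotInUseException":
            raise
        organization = None
    trails = session.client("cloudtrail").describe_trails()["trailList"]
    sso_instances = session.client("sso-admin").list_instances()["Instances"]
    return {"organization": organization, "trails": trails, "sso_instances": sso_instances}


# Constructed sample states (not real account data) for an offline dry run.
SAMPLE_FRESH_ACCOUNT: Dict[str, Any] = {"organization": None, "trails": [], "sso_instances": []}
SAMPLE_USED_ACCOUNT: Dict[str, Any] = {
    "organization": {"Id": "o-exampleid1234"},
    "trails": [{"Name": "management-events"}],
    "sso_instances": [{"InstanceArn": "arn:aws:sso:::instance/ssoins-example"}],
}


def report(state: Dict[str, Any]) -> str:
    """Human-readable summary of evaluate() for one account state."""
    result = evaluate(state)
    if result.ok:
        return "OK: account meets the Control Tower prerequisites"
    return "BLOCKED:\n" + "\n".join(f"  - {f}" for f in result.findings)


if __name__ == "__main__":
    import sys

    if "--live" in sys.argv:
        print(report(gather_live_state()))
    else:
        print(report(SAMPLE_FRESH_ACCOUNT))
        print(report(SAMPLE_USED_ACCOUNT))
```

Run it without arguments to see both constructed states evaluated; run it with `--live` under credentials for the candidate management account to check the real account (the `organizations`, `cloudtrail` and `sso-admin` read-only calls are the only AWS APIs it touches).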
Once it is configured and set up, it works really well. You can easily create new accounts and give various groups/users access to them. You get a self-service portal to create new AWS accounts which comply with company policies and have features like central logging and auditing enabled, as well as mandatory guardrails, e.g. AWS Config rules. This means that, as a business, the risk of a rogue AWS account without the mandatory company policies goes away.
Out of the box, AWS Control Tower uses a newly created AWS SSO directory for managing users and groups. This however can easily be changed via the SSO console to a Managed AD directory, which allows large organisations to use their existing central identity store for managing access to various AWS accounts.
Overall, AWS Control Tower is what I call a second-level service, i.e. a service which is built on top of existing services. It provides a simple way to set up AWS environments which are easy to manage and are compliant. There are however some improvements still to be made.
You need a brand new or almost new AWS account to set up Control Tower. I am sure this will change in due time and AWS will at least allow you to connect existing AWS accounts into your Control Tower managed organisations.
AWS Control Tower is only available in four regions: N. Virginia, Ohio, Oregon and Ireland. This doesn't mean that AWS accounts created via Control Tower cannot have workloads created in other regions, but all the shared account resources, e.g. the SSO directory and the S3 logging bucket, can only be created in your AWS Control Tower region. This is not a big deal if you have spread-out workloads but can be a hindrance for organisations that only have workloads in a single region.
Cyber Security Engineer Sr. Consultant @ Pismo (Visa Inc.)
5 years
I couldn't find this information anywhere on the Internet besides here: "This doesn't mean any AWS accounts created via Control Tower cannot have workloads created in other regions". That was what I was looking for :) Thanks