
Control Tower

🌐 What is AWS Control Tower?

AWS Control Tower is a service that helps you set up and govern a secure, multi-account AWS environment based on best practices. It's ideal for large organizations or teams needing multi-account management, security, and compliance enforcement.


🔧 Core Components of Control Tower

  1. Landing Zone: A well-architected, multi-account AWS environment.

  2. Organizations: AWS Control Tower uses AWS Organizations to manage accounts.

  3. Organizational Units (OUs): Group AWS accounts logically (e.g., Dev, Prod).

  4. Guardrails: Preconfigured policies to enforce security, compliance, and operations.

  5. Account Factory: Automates the creation of new AWS accounts within Control Tower.

  6. Service Catalog: Account Factory provisions new accounts through AWS Service Catalog.


πŸ” Types of AWS Control Tower Guardrails

βœ… By Purpose

  • Preventive: Blocks actions using SCPs (e.g., disallow public S3 access).

  • Detective: Monitors actions using AWS Config (e.g., detect unencrypted buckets).

🔧 By Enforcement

  • Mandatory: Always ON (e.g., can’t disable AWS Config).

  • Strongly Recommended: Optional but advised (e.g., block public S3).

  • Optional: Use based on needs (e.g., detect instance types).


🧩 Examples

Type         Example
Preventive   Disallow public access to S3
Detective    Detect root user without MFA
Mandatory    Disallow disabling CloudTrail

🚀 Step-by-Step AWS Control Tower Tutorial

📌 Prerequisites

  • A management AWS account with admin privileges.

  • AWS Organizations enabled.

  • No existing conflicting AWS Config rules or SCPs.


πŸ—οΈ 1. Landing Zone Setup

  1. Sign in to the AWS Management Console (Root/Org Admin account).

  2. Go to AWS Control Tower console.

  3. Click Set up Landing Zone.

  4. Select your region (Control Tower is regional).

  5. Configure the following:

    • Audit account: For centralized logging.

    • Log archive account: For storing logs (CloudTrail, Config, etc.).

  6. Select guardrails to enforce (can be mandatory or elective).

  7. Click Set up Landing Zone. It takes ~1 hour.


🧱 2. Account Factory: Create New Accounts

  1. Go to Service Catalog > Account Factory.

  2. Choose Enroll account or Provision new account.

  3. Fill in:

    • Account email

    • Display name

    • Organizational Unit

    • SSO user details

  4. The account is provisioned and automatically set up with a VPC, logging, and guardrails.


🧯 3. Guardrails: Enforce Policies

Control Tower provides:

  • Mandatory guardrails (non-removable)

  • Elective guardrails (you choose)

Examples:

  • Disallow public S3 buckets

  • Enable logging for all accounts

  • Prevent changes to IAM policies

You can enable guardrails per OU via the Control Tower dashboard.
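The preventive guardrails listed here and in the examples table above are, under the hood, SCP Deny statements. The following is an added example, not code from this page or from AWS Control Tower: a constructed SCP written in the style of those guardrails, plus a small evaluator that reports which statements would block a given API call. The exempted role ARN pattern, the action lists and the request-context keys are assumptions made for the illustration.

```python
import re
from typing import Any, Dict, List
# Constructed SCP in the style of this page's preventive guardrails. The
# exempted role ARN pattern is an assumption made for this example.
SAMPLE_SCP: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DisallowDisablingCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*",
         "Condition": {"ArnNotLike": {
             "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"}}},
        {"Sid": "DisallowPublicBucketAcl", "Effect": "Deny",
         "Action": "s3:PutBucket*", "Resource": "*",
         "Condition": {"StringEquals": {
             "s3:x-amz-acl": ["public-read", "public-read-write"]}}},
    ],
}

def _as_list(value: Any) -> List[str]:
    return [value] if isinstance(value, str) else list(value)
def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM-style wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None
def _condition_holds(cond: Dict[str, Dict[str, Any]], ctx: Dict[str, str]) -> bool:
    # Every operator/key pair must hold. Only the two operators used above are
    # modelled; any other operator raises rather than silently passing.
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif op == "ArnNotLike":  # negated: holds if key absent or nothing matches
                if actual is not None and any(_glob(p, actual, False) for p in _as_list(expected)):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {op}")
    return True

def scp_denies(policy: Dict[str, Any], action: str, ctx: Dict[str, str]) -> List[str]:
    # Sids of Deny statements blocking `action` in context `ctx` (explicit-deny side only;
    # Resource and NotAction are ignored). Action names match case-insensitively, as in IAM.
    hits: List[str] = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Deny" \
                and any(_glob(p, action, True) for p in _as_list(stmt["Action"])) \
                and _condition_holds(stmt.get("Condition", {}), ctx):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits
```

Note that a real SCP evaluation also needs an Allow from an SCP and from the principal's IAM policy; this evaluator only answers whether an explicit Deny applies.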


πŸ§‘β€πŸ’» 4. Manage Organizational Units (OUs)

  1. From Control Tower, go to Organizational Units.

  2. Create OUs like:

    • Dev

    • Staging

    • Prod

  3. Apply appropriate guardrails per OU.


🔒 5. Monitoring and Security

Control Tower integrates with:

  • CloudTrail for auditing

  • AWS Config for compliance

  • AWS Security Hub, GuardDuty, and SNS for security alerts

Audit logs are automatically centralized in the log archive account.


📤 6. Extend with Customizations (Optional)

Use Customizations for AWS Control Tower (CfCT) to:

  • Deploy custom CloudFormation stacks to accounts automatically

  • Enforce extra configurations like tags, permissions, or resources

GitHub repo: https://github.com/aws-samples/aws-control-tower-customizations


🧠 Best Practices

  • Create separate accounts for Dev, Test, Prod.

  • Never use the root account for daily operations.

  • Use OUs to manage different environments.

  • Enable all mandatory and necessary elective guardrails.

  • Use the Account Factory to provision accounts, not manual creation.

  • Monitor your environments via CloudTrail and Config.

