
AWS Control Tower – Manage your Multi-account environment!

In our previous blog, we discussed how to manage the configuration of a single account using AWS Config.

In this blog, we will discuss how to manage multiple AWS accounts using AWS Control Tower.

AWS Control Tower

AWS Control Tower is the simplest method to set up and manage a secure AWS environment with multiple accounts.

It creates a landing zone based on best-practice blueprints and allows for governance through guardrails chosen from a pre-packaged list.

You'll benefit from AWS Control Tower if you're setting up a new AWS environment, starting your AWS journey, launching a new cloud project, or if you already have a multi-account AWS environment but want a solution with built-in blueprints and guardrails.

Terminologies –

Landing Zone

The landing zone is a multi-account, well-architected baseline that complies with AWS best practices.

Blueprint

Blueprints are the well-architected design patterns used to create a landing zone.

Guardrails

Guardrails are automated policy controls with a focus on security, compliance, and cost management.

AWS Control Features

Some benefits of using AWS Control Tower are –

AWS Control Tower Limitations

How it is Different from AWS Organizations

Using AWS Organizations for a multi-account structure may be something you’re already familiar with.

Control Tower is built on the backbone of AWS Organizations, allowing you to automatically control child account access and permissions.

You can establish Service Control Policies in AWS Organizations to limit the services available to different accounts inside the Organization.

To ensure your company has the guardrails in place to maintain a secure environment, you can impose policies on account users and set cross-account rights.

AWS Control Tower automates many of the tasks required to establish and regulate your environment at scale, while AWS Organizations allows you to manage your environment across numerous accounts from a single location.

It provides a cloud-ready governance paradigm that streamlines many of the provisioning steps for other AWS services, saving time and effort.

How AWS Control Tower Works

AWS Control Tower uses AWS Organizations to construct an organized landing zone. With a single click in the AWS Management Console, administrators may create a new multi-account environment.

Organizational Units (OUs) group accounts for governance. Because guardrails are applied to OUs, AWS Control Tower can use them to establish preventive or detective controls that restrict resources and monitor compliance across groups of AWS accounts.

A single rule is enforced by each guardrail.
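
The following is an added example, not code from AWS or from this blog: a simplified Python model of how Service Control Policies, the mechanism behind preventive guardrails, are evaluated down the Root, OU and account chain. The OU and account names and the three policies are constructed for illustration, and the model ignores `Resource` and `Condition` matching.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (illustrative, not copied from Control Tower).
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
PROTECT_TRAIL = {"Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*",
}]}
ONLY_S3_EC2 = {"Statement": [{
    "Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*",
}]}

# Hypothetical hierarchy: node -> (parent, SCPs attached directly to the node).
ORG = {
    "Root":        (None,       [FULL_ACCESS]),
    "Security":    ("Root",     [FULL_ACCESS, PROTECT_TRAIL]),
    "Sandbox":     ("Root",     [ONLY_S3_EC2, PROTECT_TRAIL]),
    "log-archive": ("Security", [FULL_ACCESS]),
    "dev-1":       ("Sandbox",  [FULL_ACCESS]),
}

def _matches(stmt, action):
    """True if the statement's Action patterns (with * and ?) cover `action`."""
    patterns = stmt["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _effects(policies, action):
    """Set of effects ('Allow'/'Deny') that apply to `action` at one level."""
    return {s["Effect"] for p in policies
            for s in p["Statement"] if _matches(s, action)}

def scp_decision(account, action, org=ORG):
    """Return (allowed, reason) for `action` in `account` under the SCP chain."""
    node, path = account, []
    while node is not None:              # walk up from the account to Root
        path.append(node)
        node = org[node][0]
    for level in reversed(path):         # evaluate Root first, account last
        effects = _effects(org[level][1], action)
        if "Deny" in effects:            # an explicit Deny at any level wins
            return False, f"explicit Deny at {level}"
        if "Allow" not in effects:       # every level must also Allow
            return False, f"no Allow at {level}"
    return True, "allowed at every level"
```

An SCP Allow only sets the ceiling for an account: the calling principal still needs an IAM policy that grants the action, and SCPs do not restrict the organization's management account.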

AWS Control Tower creates three accounts when you configure it:

Master account – This account lets you create member accounts and manage them financially. It also supports Account Factory account provisioning, Organizational Unit management, and guardrails.

Log Archive Account – It includes a central Amazon S3 bucket for storing API activity logs and resource configurations from all of the solution’s accounts.

Audit Account – A restricted account that gives security and compliance teams read/write access to all accounts in the landing zone. From the Audit account, you have programmatic access to review accounts.

AWS Control Tower Pricing

AWS Control Tower is available free of cost.

When you set up AWS Control Tower, though, you’ll start paying for AWS services that you are using to set up your landing zone and mandatory guardrails.

While some AWS services, such as AWS Organizations and AWS Single Sign-On (SSO), are free, you will pay for others, such as AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, Amazon Simple Notification Service (SNS), Amazon Simple Storage Service (S3), and Amazon Virtual Private Cloud (VPC).

You only pay for what you use, and you only pay for it when you use it.

For further details about pricing, please refer to Pricing Link.

Conclusion

With prepared security baseline templates, AWS Control Tower makes it easier to set up new multi-account setups.

Self-service for new account provisioning is also possible with AWS Control Tower, thanks to the automated implementation of baselines and account standards.
