
AWS Control Tower: Govern a Secure Multi-Account AWS Environment

For organizations that manage a large number of applications and distributed teams, cloud setup and governance can be time-consuming and complex. In some organizations, creating a new AWS account can itself take weeks if not months, stifling the very innovation the organization is trying to take advantage of. Thankfully, AWS Control Tower (AWS CT) provides a simple way to set up a new, secure, and compliant multi-account AWS environment, entirely with the native, out-of-the-box AWS CT service, in 30-90 minutes.

Let’s take a closer look at AWS Control Tower features, how the CT service works, why it could be incredibly useful for your organization, and how Mission can help.

Key AWS Control Tower Features & Benefits

Below are the key features that make up AWS Control Tower.

Landing Zone: AWS Control Tower creates a foundation of core AWS accounts using the AWS-recommended multi-account setup and security best practices. A landing zone is a well-architected, multi-account AWS environment that follows AWS security and billing best practices by default. AWS Control Tower automates the setup of a new landing zone using best-practice blueprints for identity, federated access, and account structure, freeing you from the undifferentiated heavy lifting and increasing speed-to-value. The core AWS accounts are created in a Core Organizational Unit within the new AWS Organization that AWS CT sets up during launch. The centralized log archive account and the audit account are the two core accounts that AWS CT sets up by default.

Account Factory: A configurable account baseline, built on Infrastructure-as-Code (IaC) principles, is set up as a self-service AWS Service Catalog product that can be used to create new AWS accounts. The account factory standardizes the provisioning of new accounts with pre-approved configurations and standards, helping organizations jumpstart their AWS journey with an account that meets the organization’s security best practices out of the box.

Guardrails: These are prepackaged governance rules for security, operations, and compliance. Guardrails are either preventive or detective, and some are mandatory while others are optional. Each guardrail is a plain-English statement that is easy to understand and is implemented under the hood using standard AWS services such as Service Control Policies, AWS Config, or AWS Lambda.

With AWS Control Tower set up, your AWS Service Catalog portfolio is bootstrapped with an AWS Service Catalog product called Account Factory. You can extend the same self-service governance model at scale by stocking the Service Catalog portfolio with common AWS services as self-service products, simply by uploading pre-approved, battle-tested AWS CloudFormation templates. This self-service model helps your development and application teams go faster in AWS by making commonly needed infrastructure available for consumption when needed, whether through the API, CLI, or console. For example, you can offer EC2 as a self-service product restricted to select instance types to control costs and enforce tagging, or enable encryption by default when data scientists spin up SageMaker notebooks. You can also add products from the AWS Marketplace to a Service Catalog portfolio to govern the use of marketplace products.
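As an added example (not from the original post or from Mission), here is a hypothetical CloudFormation template that could be uploaded as a Service Catalog product to implement the governed-EC2 case above: the requester can only pick from pre-approved instance types, must supply tag values that match a pattern, and cannot turn off EBS encryption. The AMI is resolved from the public SSM parameter for the latest Amazon Linux 2023 image; the tag format and the size limits are assumptions chosen for illustration.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Hypothetical Service Catalog product - governed EC2 instance (illustrative, not Mission's template)

Parameters:
  InstanceType:
    Type: String
    Default: t3.small
    AllowedValues: [t3.micro, t3.small, t3.medium]   # only pre-approved, low-cost types are selectable
  ImageId:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-amazon-linux-latest/al2023-ami-kernel-default-x86_64  # latest AL2023, not user-chosen
  SubnetId:
    Type: AWS::EC2::Subnet::Id
  CostCenter:
    Type: String
    AllowedPattern: '^[A-Z]{2}-[0-9]{4}$'   # assumed tag format; provisioning fails if it is missing or malformed
    ConstraintDescription: CostCenter must look like AB-1234
  Owner:
    Type: String
    MinLength: 3                            # forces a non-empty owner tag

Resources:
  GovernedInstance:
    Type: AWS::EC2::Instance
    Properties:
      InstanceType: !Ref InstanceType
      ImageId: !Ref ImageId
      SubnetId: !Ref SubnetId
      BlockDeviceMappings:
        - DeviceName: /dev/xvda
          Ebs:
            Encrypted: true                 # hard-coded: the requester has no parameter to disable encryption
            VolumeSize: 20                  # assumed size cap for this product
            VolumeType: gp3
      Tags:
        - Key: CostCenter
          Value: !Ref CostCenter
        - Key: Owner
          Value: !Ref Owner
        - Key: ProvisionedBy
          Value: ServiceCatalog             # lets Config rules and cost reports identify catalog-provisioned hosts

Outputs:
  InstanceId:
    Value: !Ref GovernedInstance
```

Pair the product with a Service Catalog launch constraint so end users provision through the product's IAM role rather than needing broad EC2 permissions of their own.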

Getting Started

Step One: One Click Set Up

Create a new AWS account that is not tied to any AWS Organization and launch AWS CT by clicking ‘Set Up Landing Zone’ from any of the supported AWS Regions.

Step Two: Apply Optional Guardrails as Needed

Apply security and compliance policies using established guardrails, and detect and remediate non-compliant accounts and resources as your team provisions them.

Step Three: Monitor Compliance

Get visual summaries of your AWS environment with a dashboard that allows you to see your accounts, guardrails, and compliance status — all in one place.

While AWS Control Tower is truly a time-saving, compliance-focused tool, it currently has a couple of limitations: it does not yet have a programmable Application Programming Interface (API), and it can’t import existing accounts. The good news is that AWS CT uses AWS Service Catalog (AWS SC) under the hood for the account factory, so you can use the AWS SC APIs to get most of the benefit of AWS CT today. Designed to streamline the management and monitoring of a large number of AWS accounts, AWS Control Tower is a good fit for companies managing a few accounts or hundreds of them in AWS.

How Mission Can Help

With AWS Control Tower, you can quickly set up and configure new AWS environments and automate ongoing policy and compliance management, ultimately saving time and money while supercharging productivity and minimizing manual errors.

To get started with AWS Control Tower, click here: https://console.aws.amazon.com/controltower/home.

Author Spotlight:

Sanjay Garje
