
For organizations that manage a large number of applications and distributed teams, cloud setup and governance can be time-consuming and complex. In some organizations, creating a new AWS account can take weeks, if not months, stifling the very innovation the organization is trying to take advantage of. Thankfully, AWS Control Tower (AWS CT) provides a simple way to set up new, secure, and compliant multi-account AWS environments, using only the native, out-of-the-box AWS CT service, in 30-90 minutes.

Let’s take a closer look at AWS Control Tower features, how CT service works, why it could be incredibly useful for your organization, and how Mission can help.

Key AWS Control Tower Features & Benefits

Below are the key features that make up AWS Control Tower.

Landing Zone: AWS Control Tower creates a foundation of core AWS accounts using the AWS-recommended multi-account setup and security best practices. A landing zone is a well-architected, multi-account AWS environment that follows AWS security and billing best practices by default. AWS Control Tower automates the setup of a new landing zone using best-practice blueprints for identity, federated access, and account structure, freeing you from the undifferentiated heavy lifting and increasing speed-to-value. The core accounts are created in a Core Organizational Unit within the new AWS Organization that AWS CT sets up during launch. The centralized log archive account and the audit account are the two core accounts that AWS CT sets up by default.

Account Factory: A configurable account baseline, built on Infrastructure-as-Code (IaC) principles, is set up as a self-service AWS Service Catalog product that can be used to create new AWS accounts. The account factory standardizes the provisioning of new accounts with pre-approved account configurations and standards, helping organizations jumpstart their AWS journey with accounts that meet the organization's security best practices out of the box.

Guardrails: These are prepackaged governance rules for security, operations, and compliance. Guardrails are either preventive or detective, and some are mandatory while others are optional. Each guardrail is expressed as a simple English statement that is easy to understand and is implemented under the hood using standard AWS services such as Service Control Policies, AWS Config, and AWS Lambda.

With AWS Control Tower set up, your AWS Service Catalog portfolio is bootstrapped with an AWS Service Catalog product called Account Factory. You can extend the same self-service governance model at scale by stocking the Service Catalog portfolio with common AWS services as self-service products, simply by uploading pre-approved, battle-tested AWS CloudFormation templates. This self-service model helps your development and application teams go faster in AWS by making commonly needed infrastructure available for consumption whenever needed, through the API, CLI, or console. For example, you can offer EC2 as a self-service product restricted to select instance types to control costs and enforce tagging, or enable encryption by default when data scientists spin up SageMaker notebooks. You can also take products from the AWS Marketplace and place them in a Service Catalog portfolio to govern the use of marketplace products.
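As an added illustration of how a detective guardrail is built from AWS Config and AWS Lambda (and of the instance-type and tagging policy in the EC2 self-service example above), here is an AWS Config custom rule handler in Python. This is example code written for this article, not Control Tower's own guardrail implementation: the allowed instance types, the required tag keys, the resource id and the sample event are constructed values, and the recording client stands in for boto3's Config client so the block runs offline.

```python
"""Detective guardrail example: an AWS Config custom rule that flags EC2 instances
whose instance type is outside an allow list or that lack required tags.
Illustrative code; not Control Tower's guardrail implementation."""
import json
from typing import List

# Hypothetical policy defaults; a deployed rule receives these as rule input
# parameters (the ruleParameters field of the invocation event).
DEFAULT_ALLOWED_TYPES = ["t3.micro", "t3.small", "m5.large"]
DEFAULT_REQUIRED_TAGS = ["CostCenter", "Owner"]


def _as_list(value, default: List[str]) -> List[str]:
    """Config passes rule parameters as strings; accept "a,b" or a list."""
    if value is None:
        return default
    if isinstance(value, str):
        return [v.strip() for v in value.split(",") if v.strip()]
    return list(value)


def evaluate_compliance(configuration_item: dict, rule_parameters: dict) -> dict:
    """Evaluate one configuration item.

    Returns {'compliance_type': ..., 'annotation': ...}. Non-EC2 resources are
    NOT_APPLICABLE; a disallowed instance type or any missing tag is NON_COMPLIANT.
    """
    if configuration_item.get("resourceType") != "AWS::EC2::Instance":
        return {"compliance_type": "NOT_APPLICABLE",
                "annotation": "rule only evaluates EC2 instances"}

    allowed = _as_list(rule_parameters.get("allowedInstanceTypes"), DEFAULT_ALLOWED_TYPES)
    required = _as_list(rule_parameters.get("requiredTags"), DEFAULT_REQUIRED_TAGS)

    problems = []
    instance_type = (configuration_item.get("configuration") or {}).get("instanceType")
    if instance_type not in allowed:
        problems.append(f"instance type {instance_type!r} not in allow list")
    tags = configuration_item.get("tags") or {}
    missing = [t for t in required if not tags.get(t)]
    if missing:
        problems.append("missing required tags: " + ", ".join(missing))

    if problems:
        # Config limits annotations to 256 characters.
        return {"compliance_type": "NON_COMPLIANT", "annotation": "; ".join(problems)[:256]}
    return {"compliance_type": "COMPLIANT", "annotation": "instance type and tags OK"}


def lambda_handler(event: dict, context=None, config_client=None) -> dict:
    """Config rule entry point: parse the invoking event, evaluate, report via PutEvaluations.

    config_client is injectable for offline runs; by default a boto3 Config client is created.
    """
    item = json.loads(event["invokingEvent"])["configurationItem"]
    rule_parameters = json.loads(event.get("ruleParameters") or "{}")
    result = evaluate_compliance(item, rule_parameters)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": result["compliance_type"],
        "Annotation": result["annotation"],
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # deferred so the evaluation logic runs without the SDK installed
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def make_sample_event(instance_type: str, tags: dict) -> dict:
    """Constructed Config invocation event for local runs (not a real capture)."""
    item = {
        "resourceType": "AWS::EC2::Instance",
        "resourceId": "i-0123456789abcdef0",  # constructed id
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"instanceType": instance_type},
        "tags": tags,
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "ruleParameters": json.dumps({"allowedInstanceTypes": "t3.micro,t3.small",
                                          "requiredTags": "CostCenter,Owner"}),
            "resultToken": "constructed-token"}


class RecordingConfigClient:
    """Offline stand-in for boto3's Config client; records PutEvaluations calls."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


if __name__ == "__main__":
    client = RecordingConfigClient()
    print(lambda_handler(make_sample_event("m5.24xlarge", {"Owner": "data-science"}), None, client))
```

The evaluation logic is kept pure so it can be unit tested; in a deployed rule, lambda_handler is the rule's Lambda function, its role needs config:PutEvaluations, and the allow list and tag keys are supplied as the rule's input parameters. The preventive counterpart of the same policy lives on the Service Catalog side (a template constraint limiting the InstanceType parameter) or in a Service Control Policy; this block covers only the detective side.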

Getting Started

Step One: One Click Set Up

Create a new AWS account that is not tied to any AWS Organization and launch AWS CT by clicking on ‘Set Up Landing Zone’ from any of the supported AWS regions.

Step Two: Apply Optional Guardrails as Needed

Apply security and compliance policies using established guardrails, and detect and remediate non-compliant accounts and resources as your team provisions them.

Step Three: Monitor Compliance

Get visual summaries of your AWS environment with a dashboard that allows you to see your accounts, guardrails, and compliance status — all in one place.

While AWS Control Tower is truly a time-saving governance and compliance tool, it currently has a couple of limitations: it does not yet have a programmable Application Programming Interface (API), and it can't import existing accounts. The good news is that AWS CT uses AWS Service Catalog (AWS SC) under the hood for the account factory, so you can use the AWS SC APIs to get most of the benefit of AWS CT today. Designed to streamline the management and monitoring of a large number of AWS accounts, AWS Control Tower is a good fit for companies managing a few accounts or hundreds of them in AWS.
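To show what using the AWS SC APIs looks like in practice, here is an added Python example (boto3-style calls) that provisions a new account through the Account Factory product: it looks the product up, validates the request against the parameters the product declares, and polls the provisioning record until it reaches a terminal state. This is not Mission's or AWS's code. The product name and the parameter keys (AccountName, AccountEmail, ManagedOrganizationalUnit, SSOUserEmail, SSOUserFirstName, SSOUserLastName) are what the author expects the Account Factory product to declare and should be confirmed with DescribeProvisioningParameters in your own landing zone; the FakeServiceCatalog class stands in for boto3.client("servicecatalog") with constructed responses so the block runs offline.

```python
import time
from typing import Callable, Dict, List

# Product name Control Tower registers in Service Catalog (assumed; confirm in your account).
ACCOUNT_FACTORY_PRODUCT_NAME = "AWS Control Tower Account Factory"
TERMINAL_RECORD_STATES = {"SUCCEEDED", "FAILED"}


def build_provisioning_parameters(account_name: str, account_email: str, ou_name: str,
                                  sso_email: str, sso_first: str, sso_last: str) -> List[Dict[str, str]]:
    """Map an account request onto the Key/Value list ProvisionProduct expects.
    The keys are the Account Factory parameters as assumed by this example."""
    return [
        {"Key": "AccountName", "Value": account_name},
        {"Key": "AccountEmail", "Value": account_email},
        {"Key": "ManagedOrganizationalUnit", "Value": ou_name},
        {"Key": "SSOUserEmail", "Value": sso_email},
        {"Key": "SSOUserFirstName", "Value": sso_first},
        {"Key": "SSOUserLastName", "Value": sso_last},
    ]


def find_account_factory(sc) -> Dict[str, str]:
    """Return the Account Factory product id and its newest provisioning artifact id."""
    found = sc.search_products(Filters={"FullTextSearch": [ACCOUNT_FACTORY_PRODUCT_NAME]})
    matches = [p for p in found.get("ProductViewSummaries", [])
               if p.get("Name") == ACCOUNT_FACTORY_PRODUCT_NAME]
    if len(matches) != 1:
        raise LookupError(f"expected one Account Factory product, found {len(matches)}")
    product_id = matches[0]["ProductId"]
    artifacts = sc.describe_product(Id=product_id)["ProvisioningArtifacts"]
    newest = max(artifacts, key=lambda a: a["CreatedTime"])
    return {"ProductId": product_id, "ProvisioningArtifactId": newest["Id"]}


def check_parameters(sc, ids: Dict[str, str], params: List[Dict[str, str]]) -> None:
    """Fail early if the request does not match the parameters the product declares."""
    declared = sc.describe_provisioning_parameters(**ids)["ProvisioningArtifactParameters"]
    declared_keys = {p["ParameterKey"]: p for p in declared}
    supplied = {p["Key"] for p in params}
    unknown = supplied - declared_keys.keys()
    missing = [k for k, p in declared_keys.items()
               if k not in supplied and not p.get("DefaultValue")]
    if unknown or missing:
        raise ValueError(f"unknown parameters {sorted(unknown)}, missing required {missing}")


def provision_account(sc, params: List[Dict[str, str]],
                      poll: Callable[[float], None] = time.sleep, max_polls: int = 120) -> Dict:
    """Provision the account and block until the Service Catalog record is terminal."""
    ids = find_account_factory(sc)
    check_parameters(sc, ids, params)
    name = next(p["Value"] for p in params if p["Key"] == "AccountName")
    record = sc.provision_product(ProvisionedProductName=name,
                                  ProvisioningParameters=params, **ids)["RecordDetail"]
    for _ in range(max_polls):
        if record["Status"] in TERMINAL_RECORD_STATES:
            return record
        poll(30)  # account creation takes minutes; wait between DescribeRecord calls
        record = sc.describe_record(Id=record["RecordId"])["RecordDetail"]
    raise TimeoutError(f"record {record['RecordId']} still {record['Status']} after polling")


class FakeServiceCatalog:
    """Offline stand-in for boto3.client('servicecatalog') with constructed responses."""
    PARAM_KEYS = ["AccountName", "AccountEmail", "ManagedOrganizationalUnit",
                  "SSOUserEmail", "SSOUserFirstName", "SSOUserLastName"]

    def __init__(self):
        self.provisioned = []
        self.polls = 0

    def search_products(self, Filters):
        return {"ProductViewSummaries": [{"ProductId": "prod-example",
                                          "Name": ACCOUNT_FACTORY_PRODUCT_NAME}]}

    def describe_product(self, Id):
        return {"ProvisioningArtifacts": [{"Id": "pa-old", "CreatedTime": 1},
                                          {"Id": "pa-new", "CreatedTime": 2}]}

    def describe_provisioning_parameters(self, ProductId, ProvisioningArtifactId):
        return {"ProvisioningArtifactParameters": [{"ParameterKey": k} for k in self.PARAM_KEYS]}

    def provision_product(self, **kwargs):
        self.provisioned.append(kwargs)
        return {"RecordDetail": {"RecordId": "rec-example", "Status": "IN_PROGRESS"}}

    def describe_record(self, Id):
        self.polls += 1  # succeed on the second poll so the wait loop is exercised
        status = "SUCCEEDED" if self.polls >= 2 else "IN_PROGRESS"
        return {"RecordDetail": {"RecordId": Id, "Status": status}}


if __name__ == "__main__":
    # Real use: sc = boto3.client("servicecatalog"), run from the Control Tower management account.
    request = build_provisioning_parameters("sandbox-01", "aws+sandbox-01@example.com", "Sandbox",
                                            "owner@example.com", "Dana", "Example")
    print(provision_account(FakeServiceCatalog(), request, poll=lambda _: None))
```

Two points of the design matter for an automation that replaces the missing native API: the parameter check turns a typo in a key into an immediate ValueError instead of a failed provisioning record minutes later, and the caller blocks on DescribeRecord so that several account requests can be run strictly one after another rather than in parallel.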

How Mission Can Help

With AWS Control Tower, you can quickly set up and configure new AWS environments and automate ongoing policy and compliance management, ultimately saving time and money while supercharging productivity and minimizing manual errors.

To get started with AWS Control Tower, click here: https://console.aws.amazon.com/controltower/home.


Mission, an AWS Premier Consulting Partner and managed services provider, can help you leverage AWS Control Tower and AWS Service Catalog as part of a larger Managed DevOps initiative to help your team achieve governance at scale through self-service. To learn more, contact Mission here.

About the authors:

Sanjay Garje

Sanjay Garje leads Global & Strategic technical business development for AWS Service Catalog and AWS Control Tower. Sanjay is a passionate technology leader who takes pride in helping customers on their AWS Cloud journeys by showing them how to transform their business and technology outcomes. In his free time, Sanjay enjoys running, learning new things, teaching Cloud & Big Data technologies at SJSU and traveling to new destinations with his family.

Jonathan LaCour, CTO

A cloud industry veteran, Jonathan has held several technical and product leadership positions – most recently at DreamHost, one of the largest web hosting and cloud computing providers. As Chief Technology Officer at Mission, Jonathan guides the development of Mission’s product and platform. He also leads business development initiatives, and shares his expertise on current cloud trends and best practices at industry conferences and Mission events. Jonathan has a BS degree in Computer Science from the Georgia Institute of Technology.
