AWS Control Tower
A service that helps set up and govern a multi-account AWS environment.
Uses AWS best practices to create a secure, scalable setup.
Automates the setup of a landing zone in less than an hour.
What AWS Control Tower Does
Orchestrates other AWS services:
AWS Organizations
AWS Service Catalog
AWS IAM Identity Center (formerly AWS SSO)
Creates and manages AWS accounts, OUs, and required resources for you.
Governance with Guardrails
Guardrails = Predefined policies and rules to enforce best practices.
Two types:
Preventive (stop actions from happening).
Detective (identify and alert on violations).
Example: Ensure security logs are in place and cross-account access is properly configured.
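Added example (not from the page or from AWS): a small model of the two guardrail types. In Control Tower, preventive guardrails are enforced as Service Control Policies (SCPs) attached to the OU, and detective guardrails evaluate account state after the fact through AWS Config rules. The SCP below is a constructed, simplified one that blocks tampering with the audit trail; the account snapshot is constructed sample data, not real accounts.

```python
"""Models preventive vs detective guardrails (added example, constructed data)."""
import fnmatch
import json

# Preventive guardrail: an SCP that denies tampering with security logging.
# Simplified stand-in for a Control Tower-style CloudTrail control (constructed).
PREVENTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyCloudTrailTampering",
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "cloudtrail:UpdateTrail"],
    "Resource": "*"
  }]
}
""")


def scp_allows(scp: dict, action: str) -> bool:
    """Return False when any Deny statement matches the action.
    SCP semantics: an explicit Deny wins regardless of the caller's IAM
    permissions; anything not denied here is still subject to normal IAM."""
    for stmt in scp["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if stmt["Effect"] == "Deny" and any(fnmatch.fnmatchcase(action, a) for a in actions):
            return False
    return True


# Detective guardrail input: constructed per-account snapshot (sample data).
ACCOUNT_STATE = [
    {"account": "111111111111", "trail_logging": True, "config_recorder": True},
    {"account": "222222222222", "trail_logging": False, "config_recorder": True},
    {"account": "333333333333", "trail_logging": True, "config_recorder": False},
]


def find_drift(states: list) -> dict:
    """Return {account: [violations]} for accounts that drifted from the
    baseline: security logging on and the AWS Config recorder enabled."""
    findings = {}
    for s in states:
        problems = []
        if not s["trail_logging"]:
            problems.append("cloudtrail-logging-disabled")
        if not s["config_recorder"]:
            problems.append("config-recorder-disabled")
        if problems:
            findings[s["account"]] = problems
    return findings
```

The preventive check rejects the call before it happens; the detective check only reports accounts that have already drifted, which is why Control Tower uses both.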
Protection Against "Drift"
Drift = Deviation from AWS best practices.
AWS Control Tower applies controls to detect and prevent drift in your accounts and configurations.
Quick Summary
Main Purpose: Setup & governance for multi-account AWS environments
Core Function: Builds a secure landing zone using AWS best practices
Key Tools Used: AWS Organizations, Service Catalog, IAM Identity Center
Governance Mechanism: Guardrails (preventive + detective) to enforce compliance
Drift Protection: Ensures resources stay aligned with best practices
Landing Zone
Guard Rails
Account Factory