AWS Certified Solutions Architect - Professional
  • AWS Certified Solutions Architect - Professional
  • Analytics
    • Amazon Athena
    • AWS Data Exchange
    • Amazon Data Firehose
    • Amazon EMR
    • AWS Glue
    • Amazon Kinesis Data Streams
    • AWS Lake Formation
    • Amazon Managed Service for Apache Flink
    • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
    • Amazon OpenSearch Service
    • Amazon QuickSight
  • Application Integration
    • Amazon AppFlow
  • AWS AppSync
  • Amazon EventBridge
  • Amazon MQ
  • Amazon Simple Notification Service
  • Amazon Simple Queue Service
  • AWS Step Functions
  • Blockchain
    • Amazon Managed Blockchain
  • Business Applications
    • Amazon Simple Email Service
  • Cloud Financial Management
    • AWS Budgets
    • AWS Cost and Usage Report
  • AWS Cost Explorer
  • Savings Plans
  • COMPUTE
    • AWS App Runner
  • AWS Auto Scaling
  • AWS Batch
  • AWS Elastic Beanstalk
  • Amazon Elastic Compute Cloud
  • Amazon EC2 Auto Scaling
  • AWS Fargate
  • AWS Lambda
  • Amazon Lightsail
  • AWS Outposts
  • AWS Wavelength
  • CONTAINERS
    • Amazon Elastic Container Registry
    • Amazon Elastic Container Service
    • Amazon ECS Anywhere
    • Amazon Elastic Kubernetes Service
    • Amazon EKS Anywhere
    • Amazon EKS Distro
  • DATABASES
    • Amazon Aurora
  • Amazon Aurora Serverless
  • Amazon DocumentDB
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon Keyspaces
  • Amazon Neptune
  • Amazon Relational Database Service
  • Amazon Redshift
  • Amazon Timestream
  • Developer Tools
    • AWS CodeArtifact
    • AWS CodeBuild
    • AWS CodeDeploy
    • Amazon CodeGuru
    • AWS CodePipeline
    • AWS X-Ray
  • End User Computing
    • Amazon AppStream 2.0
  • Amazon Workspaces
  • Frontend Web and Mobile
    • AWS Amplify
    • Amazon API Gateway
    • AWS Device Farm
    • Amazon Pinpoint
  • Internet of Things
    • AWS IoT Core
    • AWS IoT Device Defender
    • AWS IoT Device Management
    • AWS IoT Events
    • AWS IoT Greengrass
    • AWS IoT SiteWise
    • AWS IoT Things Graph
  • AWS IoT 1-Click
  • Machine Learning
    • Amazon Comprehend
    • Amazon Fraud Detector
    • Amazon Kendra
    • Amazon Lex
    • Amazon Personalize
    • Amazon Polly
    • Amazon Rekognition
  • Amazon SageMaker AI
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate
  • Management and Governance
    • AWS CloudFormation
    • AWS CloudTrail
    • Amazon CloudWatch
    • Amazon CloudWatch Logs
    • AWS Command Line Interface
    • AWS Compute Optimizer
    • AWS Config
    • AWS Control Tower
    • AWS Health Dashboard
    • AWS License Manager
    • Amazon Managed Grafana
    • Amazon Managed Service for Prometheus
    • AWS Management Console
    • AWS Organizations
    • AWS Proton
    • AWS Service Catalog
    • Service Quotas
    • AWS Systems Manager
    • AWS Trusted Advisor
    • AWS Well-Architected Tool
    • SAML2.0 Identity Federation
    • IAM Identity Center
    • Directory Service
  • Service Control Policies
  • Permissions Boundaries
  • Permissions Evaluation
  • Media Services
    • Amazon Elastic Transcoder
    • Amazon Kinesis Video Streams
  • Migration and Transfer
    • AWS Application Discovery Service
    • AWS Application Migration Service
    • AWS Database Migration Service
    • AWS DataSync
    • AWS Migration Hub
    • AWS Schema Conversion Tool
    • AWS Snow Family
    • AWS Transfer Family
  • Networking and Content Delivery
    • Private and Public AWS Services
    • DHCP In a VPC
    • VPC Router
    • Stateful vs Stateless Firewalls
    • Network Access Control Lists
    • Security Groups
    • AWS Local Zones
    • Border Gateway Protocol
    • AWS Global Accelerator
    • IPSec VPN
    • Site2Site VPN
    • Transit Gateway
    • VPC Routing
    • Accelerated Site-to-Site VPN
    • AWS Client VPN
    • AWS Direct Connect (DX)
    • Route53
    • AWS Private Link
    • VPC
    • Amazon CloudFront
    • Elastic Load Balancing
    • AWS PrivateLink
  • Security, Identity, and Compliance
    • AWS Artifact
    • AWS Audit Manager
    • AWS Certificate Manager
    • AWS CloudHSM
    • Amazon Cognito
    • Amazon Detective
    • AWS Directory Service
    • AWS Firewall Manager
    • Amazon GuardDuty
    • AWS IAM Identity Center
    • AWS Identity and Access Management
    • Amazon Inspector
    • AWS Key Management Service
    • Amazon Macie
    • AWS Network Firewall
    • AWS Resource Access Manager
    • AWS Secrets Manager
    • AWS Security Hub
    • Security Token Service
    • AWS Shield
    • AWS WAF
  • Storage
    • AWS Backup
    • Amazon Elastic Block Store
    • AWS Elastic Disaster Recovery
    • Amazon Elastic File System
    • Amazon FSx
    • Amazon Simple Storage Service
    • Amazon S3 Glacier
    • AWS Storage Gateway
Powered by GitBook
On this page
  • Landing Zone
  • Guard Rails
  • Account Factory
  1. Management and Governance

AWS Control Tower

Last updated 6 days ago

  • Purpose: Simplifies and speeds up the setup of multi-account AWS environments.

  • Orchestration: Works by orchestrating AWS Organizations, IAM Identity Center, CloudFormation, AWS Config, and more.

  • Landing Zone: The core multi-account environment built by Control Tower.

  • Centralized Logging: Uses CloudWatch, CloudTrail, AWS Config, and SNS for logging and auditing.

  • Structure: Everything in Control Tower revolves around the Landing Zone.

  • GuardRails: Provides rules and standards across accounts, either to detect or enforce compliance.

  • Account Factory: Automates and standardizes new AWS account creation.

  • Dashboard: Offers a single-page view to monitor the entire organization.

Landing Zone

  • Purpose: Helps create a well-architected, multi-account AWS environment.

  • Home Region: Deployed into one region (e.g., us-east-1); always available even if other regions are restricted.

  • Built With: Uses AWS Organizations, AWS Config, CloudFormation, and more.

  • Organizational Units (OUs): Supports multiple and nested OUs to match your organization's structure.

  • IAM Identity Center: Enables Single Sign-On (SSO) and ID Federation across all accounts.

  • Monitoring & Notifications: Uses CloudWatch and SNS for centralized monitoring and alerts.

  • Account Provisioning: Allows end users to create new AWS accounts via the Landing Zone Service Catalog.

Guard Rails

  • Purpose: Set governance rules for multi-account environments.

  • Types:

    • Mandatory: Always applied.

    • Strongly Recommended: Highly advised by AWS.

    • Elective: Optional, for specific needs.

  • Functionality:

    • Preventative Guardrails:

      • Stop actions from happening.

      • Use Service Control Policies (SCPs).

      • Either enforced or not enabled.

      • Example: Block changes to bucket policies or restrict AWS region usage.

    • Detective Guardrails:

      • Monitor for compliance issues.

      • Use AWS Config rules.

      • Status: Clear, In Violation, or Not Enabled.

      • Example: Check if CloudTrail is enabled or if EC2 instances have public IPs.

  • Key Difference:

    • Preventative: Block unwanted actions.

    • Detective: Identify issues without blocking actions.

Account Factory

  • Purpose: Automates AWS account provisioning for admins and authorized end users.

  • Guardrails: Automatically applies any defined GuardRails during account creation.

  • Self-Service: Allows organization members to provision accounts within controlled parameters, with admin access if permitted.

  • Standardization:

    • Accounts come pre-configured with organizational network and account settings.

    • Helps avoid issues like VPC IP address overlap.

  • Flexibility: Supports both long-term and short-term accounts.

  • Lifecycle Integration:

    • Can close, repurpose, and manage accounts.

    • Integrates with your organization's SDLC processes via APIs.

  • Use Cases: Ideal for application development, client demos, software testing, and more.