Control Tower

  • Purpose: Simplifies and speeds up the setup of multi-account AWS environments.

  • Orchestration: Works by orchestrating AWS Organizations, IAM Identity Center, CloudFormation, AWS Config, and more.

  • Landing Zone: The core multi-account environment built by Control Tower.

  • Centralized Logging: Uses CloudWatch, CloudTrail, AWS Config, and SNS for logging and auditing.

  • Structure: Everything in Control Tower revolves around the Landing Zone.

  • Guardrails: Provides rules and standards across accounts, either detecting or preventing non-compliant actions.

  • Account Factory: Automates and standardizes new AWS account creation.

  • Dashboard: Offers a single-page view to monitor the entire organization.

Landing Zone

  • Purpose: Helps create a well-architected, multi-account AWS environment.

  • Home Region: Deployed into one region (e.g., us-east-1); always available even if other regions are restricted.

  • Built With: Uses AWS Organizations, AWS Config, CloudFormation, and more.

  • Organizational Units (OUs): Supports multiple and nested OUs to match your organization's structure.

  • IAM Identity Center: Enables Single Sign-On (SSO) and ID Federation across all accounts.

  • Monitoring & Notifications: Uses CloudWatch and SNS for centralized monitoring and alerts.

  • Account Provisioning: Allows end users to create new AWS accounts through the Landing Zone's AWS Service Catalog product.

Guardrails

  • Purpose: Set governance rules for multi-account environments.

  • Types:

    • Mandatory: Always applied.

    • Strongly Recommended: Highly advised by AWS.

    • Elective: Optional, for specific needs.

  • Functionality:

    • Preventative Guardrails:

      • Stop actions from happening.

      • Use Service Control Policies (SCPs).

      • Status: Enforced or Not Enabled.

      • Example: Block changes to bucket policies or restrict AWS region usage.

    • Detective Guardrails:

      • Monitor for compliance issues.

      • Use AWS Config rules.

      • Status: Clear, In Violation, or Not Enabled.

      • Example: Check if CloudTrail is enabled or if EC2 instances have public IPs.

  • Key Difference:

    • Preventative: Block unwanted actions.

    • Detective: Identify issues without blocking actions.
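The difference between the two guardrail kinds is easiest to see in code. The block below is an added example, not Control Tower's or AWS's code: a toy evaluator for a preventative guardrail (an SCP that restricts region usage and blocks bucket policy changes, modelled on patterns from AWS documentation; the approved-region list and the AWSControlTowerExecution role exemption are assumptions) next to a detective guardrail (an AWS Config rule style check for EC2 instances with public IPs, run over constructed configuration items). The evaluator handles only the wildcard and condition operators these statements use and is not a full IAM policy engine.

```python
"""Toy evaluator for preventative (SCP) and detective (Config rule) guardrails.

Added example; not Control Tower's or AWS's code. SCP statements are modelled
on AWS documentation patterns; the region list and the exempt role are
assumptions, and the configuration items are constructed samples in the shape
of an AWS Config configuration item.
"""
import fnmatch

APPROVED_REGIONS = ["us-east-1", "eu-west-1"]                      # assumption
# Global services are not tied to a region, so a region guardrail exempts them.
GLOBAL_SERVICES = ["iam:*", "organizations:*", "sts:*", "support:*",
                   "cloudfront:*", "route53:*"]
EXEMPT_PRINCIPAL = "arn:aws:iam::*:role/AWSControlTowerExecution"  # assumption

# Preventative guardrail: a constructed SCP that (1) denies use of regions
# outside the approved list and (2) blocks bucket policy changes by anyone
# except the exempt role. Denies are evaluated before the action runs.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICES,
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {
            "Sid": "DenyBucketPolicyChanges",
            "Effect": "Deny",
            "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": EXEMPT_PRINCIPAL}},
        },
    ],
}


def _matches_any(value, patterns):
    """IAM-style wildcard match ('*' and '?'), case-sensitive."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """True when every condition block is satisfied by the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key, "")
            if operator == "StringNotEquals":
                if actual in values:
                    return False
            elif operator == "ArnNotLike":
                if _matches_any(actual, values):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(action, region, principal_arn, policy=SCP):
    """Return the Sid of the first Deny statement blocking the request, else None."""
    ctx = {"aws:RequestedRegion": region, "aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "Action" in stmt:
            applies = _matches_any(action, stmt["Action"])
        else:  # NotAction: the statement applies to everything except the listed actions
            applies = not _matches_any(action, stmt["NotAction"])
        if applies and _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None


# Detective guardrail: a Config-rule style check. It reports on the recorded
# state of a resource after the fact; nothing is blocked.
def evaluate_ec2_public_ip(item):
    """COMPLIANT unless the instance has a public IP; NOT_APPLICABLE for other types."""
    if item.get("resourceType") != "AWS::EC2::Instance":
        return "NOT_APPLICABLE"
    cfg = item.get("configuration", {})
    if cfg.get("publicIpAddress"):
        return "NON_COMPLIANT"
    for eni in cfg.get("networkInterfaces", []):
        if eni.get("association", {}).get("publicIp"):
            return "NON_COMPLIANT"
    return "COMPLIANT"


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/Developer"            # constructed
    print(scp_denies("ec2:RunInstances", "ap-south-1", dev))    # DenyOutsideApprovedRegions
    print(scp_denies("s3:PutBucketPolicy", "us-east-1", dev))   # DenyBucketPolicyChanges
    # Constructed configuration item for an instance with a public address
    item = {"resourceType": "AWS::EC2::Instance",
            "configuration": {"networkInterfaces": [{"association": {"publicIp": "203.0.113.10"}}]}}
    print(evaluate_ec2_public_ip(item))                          # NON_COMPLIANT
```

The SCP path returns a verdict before anything happens, which is why a preventative guardrail can only be Enforced or Not Enabled, whereas the Config path only classifies existing state as Clear or In Violation.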

Account Factory

  • Purpose: Automates AWS account provisioning for admins and authorized end users.

  • Guardrails: Automatically applies any defined Guardrails during account creation.

  • Self-Service: Allows organization members to provision accounts within controlled parameters, with admin access if permitted.

  • Standardization:

    • Accounts come pre-configured with organizational network and account settings.

    • Helps avoid issues like VPC IP address overlap.

  • Flexibility: Supports both long-term and short-term accounts.

  • Lifecycle Integration:

    • Can close, repurpose, and manage accounts.

    • Integrates with your organization's SDLC processes via APIs.

  • Use Cases: Ideal for application development, client demos, software testing, and more.
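Because Account Factory is exposed as a Service Catalog product, "self-service within controlled parameters" and "integration with SDLC processes via APIs" both come down to a guarded call to servicecatalog:ProvisionProduct. The block below is an added example, not Control Tower's or AWS's code: it validates the inputs an end user may supply (an OU allow-list and a corporate mail domain, both assumptions), builds the request, and submits it through an injected client so the example runs offline with the constructed FakeServiceCatalog. The parameter keys follow the Account Factory product's inputs (AccountEmail, AccountName, ManagedOrganizationalUnit, SSOUserEmail, SSOUserFirstName, SSOUserLastName); verify them against your own product's provisioning artifact. Product and artifact ids are placeholders.

```python
"""Provisioning an account through Account Factory from a pipeline.

Added example, not Control Tower's or AWS's code. The allow-lists, the
product/artifact ids and FakeServiceCatalog are constructed for this example.
"""
import re

ALLOWED_OUS = {"Sandbox", "Workloads"}   # assumption: OUs open to self-service requests
ALLOWED_EMAIL_DOMAIN = "example.com"     # assumption: corporate mail domain
ACCOUNT_NAME_RE = re.compile(r"[a-z0-9-]{3,30}")


def build_request(product_id, artifact_id, account_name, account_email, ou,
                  sso_email, sso_first, sso_last):
    """Validate the self-service inputs and return kwargs for provision_product()."""
    if not ACCOUNT_NAME_RE.fullmatch(account_name):
        raise ValueError("account name must be 3-30 characters of [a-z0-9-]")
    if ou not in ALLOWED_OUS:
        raise ValueError(f"OU {ou!r} is not open to self-service provisioning")
    for mail in (account_email, sso_email):
        if not mail.lower().endswith("@" + ALLOWED_EMAIL_DOMAIN):
            raise ValueError(f"{mail} is outside {ALLOWED_EMAIL_DOMAIN}")
    params = {
        "AccountEmail": account_email,
        "AccountName": account_name,
        "ManagedOrganizationalUnit": ou,
        "SSOUserEmail": sso_email,
        "SSOUserFirstName": sso_first,
        "SSOUserLastName": sso_last,
    }
    return {
        "ProductId": product_id,
        "ProvisioningArtifactId": artifact_id,
        "ProvisionedProductName": f"account-{account_name}",
        "ProvisioningParameters": [{"Key": k, "Value": v} for k, v in params.items()],
    }


def provision_account(client, **inputs):
    """Submit the request; return the Service Catalog record id to poll later."""
    response = client.provision_product(**build_request(**inputs))
    return response["RecordDetail"]["RecordId"]


class FakeServiceCatalog:
    """Stand-in for boto3.client('servicecatalog') so the example runs offline."""

    def __init__(self):
        self.calls = []

    def provision_product(self, **kwargs):
        self.calls.append(kwargs)
        # Constructed response in the shape of a ProvisionProduct reply
        return {"RecordDetail": {"RecordId": "rec-constructed-0001", "Status": "CREATED"}}


if __name__ == "__main__":
    client = FakeServiceCatalog()   # real use: boto3.client("servicecatalog")
    record = provision_account(
        client,
        product_id="prod-PLACEHOLDER", artifact_id="pa-PLACEHOLDER",
        account_name="demo-client-x", account_email="aws+demo@example.com",
        ou="Sandbox", sso_email="alice@example.com", sso_first="Alice", sso_last="Example",
    )
    print(record)   # rec-constructed-0001
```

In a pipeline the record id is polled with DescribeRecord until the product reaches a terminal status; the validation step is what keeps the "controlled parameters" promise, since the pipeline, not the requester, decides which OUs and mail domains are acceptable.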
