Monday, October 13, 2025

AWS Control Tower | Overview.


 Scope:

  • Intro,
  • Core Features,
  • Control Types,
  • Customization and Extensions,
  • The concept of AWS Control Tower (deep dive),
  • Core Components and description,
  • AWS Control Tower Architecture (layout & Control Setup),
  • Organizational-Structure-Sample,
  • Governance Model for Control Tower (implementing multi-layer governance),
  • Integration with Other AWS Services & Purpose,
  • Guardrail Samples and Description,
  • Control Tower Dashboard,
  • Benefits,
  • Limitations & Considerations.

Intro:

    • AWS Control Tower is a service that automates the setup of a secure, multi-account AWS environment based on AWS Well-Architected best practices.
    • AWS Control Tower establishes a "landing zone".
    • A landing zone is a pre-configured multi-account environment with centralized governance, logging and identity, on top of which workload accounts are then created.
Core Features
    • Landing Zone Setup: Automatically creates a multi-account structure including a management account, a log archive account, and an audit account.
    • Account Factory: Standardizes the provisioning of new accounts with pre-approved configurations and network settings.
    • Guardrails (Controls): Implements high-level rules for security, operations, and compliance. By guidance level they are categorized as:
      • Mandatory: Always enabled; they protect the landing zone itself and cannot be switched off.
      • Strongly Recommended: Based on common best practices; enabled per OU.
      • Elective: Optional controls based on specific organizational needs.
    • Centralized Governance: Integrates with AWS Organizations to manage policies and AWS IAM Identity Center (formerly SSO) for centralized access management.
    • Drift Detection: Continuously monitors the environment to identify and alert when resources or configurations deviate from established controls.
Control Types
    • Preventive: Service Control Policies (SCPs) deny actions that violate policy before they happen. They apply to member accounts only, never to the management account.
    • Detective: AWS Config rules identify non-compliant resources after they are created. Nothing is blocked; the finding is recorded and reported.
    • Proactive: AWS CloudFormation hooks check resources for compliance before they are deployed. They only cover resources created through CloudFormation, not resources created via the console, CLI or other tools.
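A preventive control is only as good as its policy, and an SCP is hard to reason about from the JSON alone. The following is an added example (not AWS or twtech code): a small offline evaluator for the Deny / NotAction / Condition shape that Control Tower's Region deny control uses, so the effect of a policy can be checked before it is attached to an OU. The policy is a constructed sample modelled on that control; the real control's exemption list is longer and maintained by AWS, and the approved Regions, account ID and role names used as principals are placeholders.

```python
"""Evaluate a preventive control (SCP) offline.

Added example, not AWS or twtech code. It is a minimal evaluator for the
Deny / NotAction / Condition shape that Control Tower's Region deny control
uses. The policy below is a constructed sample modelled on that control;
the approved-Region list and the account ID are placeholders.
"""
import fnmatch

# Constructed sample SCP (hypothetical approved-Region list).
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RegionDeny",
            "Effect": "Deny",
            # Global services are exempted: their calls are signed for us-east-1
            # regardless of where the caller sits.
            "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                          "route53:*", "cloudfront:*", "budgets:*"],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]},
                # The Control Tower execution role must keep working everywhere.
                "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"},
            },
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?). Action names are case-insensitive in
    IAM; ARN case is folded too, which is good enough for this simulation."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """True if every operator/key pair is satisfied by the request context.

    Only the negated operators the Region deny control uses are implemented.
    As in IAM, a negated operator is satisfied when the context key is absent.
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            elif operator == "ArnNotLike":
                if actual is not None and _matches(expected, actual):
                    return False
            else:
                raise ValueError(f"operator not supported by this evaluator: {operator}")
    return True


def scp_denies(policy, action, ctx):
    """Return True if a Deny statement in `policy` matches `action` under `ctx`.

    Resource matching is skipped because SCPs of this shape use "Resource": "*".
    """
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        if "Action" in statement:
            applies = _matches(statement["Action"], action)
        else:
            applies = not _matches(statement["NotAction"], action)
        if applies and _condition_holds(statement.get("Condition", {}), ctx):
            return True
    return False


# Placeholder principals (account ID is the AWS documentation placeholder).
DEVELOPER = "arn:aws:iam::111122223333:role/Developer"
CT_EXEC = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"


def simulate():
    """Run a few representative requests through the sample policy."""
    cases = {
        "ec2 in approved Region": ("ec2:RunInstances", "us-east-1", DEVELOPER),
        "ec2 in other Region": ("ec2:RunInstances", "ap-southeast-1", DEVELOPER),
        "iam (global) from other Region": ("iam:CreateUser", "ap-southeast-1", DEVELOPER),
        "Control Tower role in other Region": ("ec2:RunInstances", "ap-southeast-1", CT_EXEC),
    }
    return {
        name: scp_denies(REGION_DENY_SCP, action,
                         {"aws:RequestedRegion": region, "aws:PrincipalARN": principal})
        for name, (action, region, principal) in cases.items()
    }


if __name__ == "__main__":
    for name, denied in simulate().items():
        print(f"{name:36} -> {'DENIED' if denied else 'allowed'}")
```

The exemption for the AWSControlTowerExecution role is why that role must be tightly guarded: any principal able to assume it is outside the Region deny. Remember too that the management account is not subject to SCPs at all, so this evaluator says nothing about requests made there.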
Customization and Extensions
    • Customizations for AWS Control Tower (CfCT): Allows twtech to add custom SCPs and CloudFormation templates to its landing zone using a pipeline-based approach.
    • Account Factory for Terraform (AFT): An AWS-managed solution to automate account provisioning and customization using Terraform.

NB:
    • There is no additional charge to use AWS Control Tower itself.
    • However, twtech is billed for the underlying AWS services it orchestrates, such as AWS Config and AWS CloudTrail; AWS Config recording in every enrolled account and governed Region is usually the largest item.

The concept of AWS Control Tower (deep dive)

    • AWS Control Tower is a managed service that helps twtech set up, govern, and secure a multi-account AWS environment following AWS best practices.
    • AWS Control Tower implements the AWS landing zone model; it replaced the earlier AWS Landing Zone solution.
    • AWS Control Tower automates the creation of a secure, compliant, and scalable multi-account environment by orchestrating, under the hood:
      • AWS Organizations,
      • Service Control Policies (SCPs),
      • AWS IAM Identity Center (formerly AWS SSO),
      • AWS CloudTrail,
      • AWS Config.

 Core Components and description

    • Landing Zone: The foundational, governed multi-account AWS environment that Control Tower builds for twtech.
    • AWS Organizations: Provides account management and the hierarchical structure (OUs) that policies attach to.
    • Guardrails (now called controls): Preconfigured policies, implemented as SCPs and AWS Config rules, that prevent or detect deviations from best practices.
    • Account Factory: Automated account provisioning (built on AWS Service Catalog) that creates new, standardized accounts.
    • Blueprints: Templates defining the baseline configuration (e.g., logging, security, networking, IAM) applied to new accounts.
    • Audit Account: Centralized account for security auditing and compliance monitoring; it hosts the AWS Config aggregator and receives the compliance notifications.
    • Log Archive Account: Stores all logs (CloudTrail, Config, etc.) in a separate, access-restricted account.
    • Shared Accounts: Accounts hosting centralized services such as IAM Identity Center or networking.

 AWS Control Tower Architecture (layout & Control Setup):

  1. Root Organization
    • AWS Control Tower creates an AWS Organization if one is not already present; the account it is launched from becomes the management account.
    • Sets up organizational units (OUs): a Security OU (formerly named Core) that holds the Log Archive and Audit accounts, and a Sandbox OU (formerly Custom) for workload accounts. Further OUs are added as needed.
  2. Core Accounts
    • Management Account: Where Control Tower runs and where organization-level SCPs are managed. SCPs do not apply to this account, so access to it must be tightly restricted.
    • Audit Account: Dedicated to compliance checks; hosts the AWS Config aggregator and receives the notifications.
    • Log Archive Account: Central, access-restricted log repository.
  3. AWS Services Integrated
    • AWS CloudTrail: Captures API activity across all enrolled accounts in an organization trail.
    • AWS Config: Records resource configuration and evaluates the detective controls.
    • AWS IAM Identity Center (SSO): Central identity management.
    • AWS Service Catalog: Provides self-service account provisioning (Account Factory).
    • Amazon EventBridge/CloudWatch + SNS: Notifications for control violations and drift.
  4. Guardrails (Controls)
    • Preventive (SCP-based): e.g., deny API calls outside the governed Regions.
    • Detective (Config-based): e.g., detect if CloudTrail logging is turned off.

 Organizational-Structure-Sample (default layout; the workload accounts are placeholders):

    Root
    ├── Management account (where Control Tower runs)
    ├── Security OU
    │   ├── Log Archive account
    │   └── Audit account
    └── Sandbox OU
        ├── workload account 1
        └── workload account 2

Governance Model for Control Tower (implementing multi-layer governance):

    1. Preventive Guardrails (SCPs): Block prohibited actions.
    2. Detective Guardrails (Config Rules): Continuously monitor compliance.
    3. Centralized Logging: All CloudTrail and Config logs stored in Log Archive.
    4. Centralized Security Auditing: The Audit account continuously inspects compliance and security posture.

 Account Factory Workflow (Provisioning Process)

    1. An administrator requests a new account via Account Factory (a Service Catalog product), supplying the account name and root e-mail, the target OU, and the IAM Identity Center user who will own it.
    2. Control Tower:
      • Creates the account in AWS Organizations.
      • Moves it into the requested OU, so the controls attached to that OU apply immediately.
      • Configures IAM Identity Center access for the named user.
      • Applies the baseline: AWS Config recording, CloudTrail delivery to the Log Archive account, and the Control Tower execution role.
    3. The account is ready for use with all governance baselines applied.
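The same request can be made from code, which is how account provisioning is usually wired into a ticketing or pipeline workflow. The block below is an added example (not AWS or twtech code): Account Factory is a Service Catalog product, so a new account is requested with ProvisionProduct. The parameter keys are the ones the Control Tower Account Factory product exposes; the product and artifact IDs are placeholders to be looked up in the management account, and the e-mail addresses, account name and OU name are constructed.

```python
"""Provision an account through Account Factory from code.

Added example, not AWS or twtech code. The product and artifact IDs are
placeholders; the e-mail addresses and names in the usage block are
constructed.
"""
import re

# Placeholders: find the real values with `aws servicecatalog search-products`
# and `aws servicecatalog describe-product` in the management account.
ACCOUNT_FACTORY_PRODUCT_ID = "prod-placeholder"
ACCOUNT_FACTORY_ARTIFACT_ID = "pa-placeholder"

_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Conservative allow-list; also keeps the ProvisionedProductName valid.
_ACCOUNT_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,49}$")


def build_provisioning_parameters(account_name, account_email, ou_name,
                                  sso_email, sso_first_name, sso_last_name):
    """Validate the request and return the Service Catalog ProvisioningParameters.

    The account e-mail becomes the root-user address of the new account and
    must be unique across all of AWS, so it is checked up front rather than
    discovering the problem when provisioning fails half an hour later.
    """
    if not _EMAIL.match(account_email):
        raise ValueError(f"invalid account root e-mail: {account_email!r}")
    if not _EMAIL.match(sso_email):
        raise ValueError(f"invalid IAM Identity Center user e-mail: {sso_email!r}")
    if not _ACCOUNT_NAME.match(account_name):
        raise ValueError(f"invalid account name: {account_name!r}")
    if not ou_name:
        raise ValueError("target OU is required; its controls apply at enrollment")
    values = {
        "AccountName": account_name,
        "AccountEmail": account_email,
        # Top-level OUs are referenced by name; for a nested OU Account Factory
        # expects the "Name (ou-id)" form.
        "ManagedOrganizationalUnit": ou_name,
        "SSOUserEmail": sso_email,
        "SSOUserFirstName": sso_first_name,
        "SSOUserLastName": sso_last_name,
    }
    return [{"Key": key, "Value": value} for key, value in values.items()]


def provision_account(servicecatalog, account_name, account_email, ou_name,
                      sso_email, sso_first_name, sso_last_name,
                      product_id=ACCOUNT_FACTORY_PRODUCT_ID,
                      artifact_id=ACCOUNT_FACTORY_ARTIFACT_ID):
    """Submit the request and return the Service Catalog record ID to poll.

    `servicecatalog` is a boto3 Service Catalog client for the management
    account (or any object with the same provision_product signature).
    """
    response = servicecatalog.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=f"account-{account_name}",
        ProvisioningParameters=build_provisioning_parameters(
            account_name, account_email, ou_name,
            sso_email, sso_first_name, sso_last_name),
    )
    return response["RecordDetail"]["RecordId"]


if __name__ == "__main__":
    import boto3  # only needed for a real call from the management account
    record_id = provision_account(
        boto3.client("servicecatalog"),
        account_name="payments-dev",
        account_email="aws-payments-dev@example.com",   # constructed
        ou_name="Sandbox",
        sso_email="owner@example.com",                  # constructed
        sso_first_name="Pat", sso_last_name="Owner")
    print("track progress with: aws servicecatalog describe-record --id", record_id)
```

Provisioning runs asynchronously; the returned record ID is what `describe-record` (or a polling loop) uses to wait for the account to reach the ready state before any post-provisioning automation touches it.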

 Integration with Other AWS Services & Purpose

    • AWS IAM Identity Center: Single sign-on and identity governance across accounts.
    • AWS Organizations: Multi-account management and OU-based structure.
    • AWS Config / CloudTrail: Compliance and audit tracking.
    • AWS Security Hub / GuardDuty: Centralized threat detection and compliance dashboards.
    • AWS Service Catalog: Self-service account provisioning via Account Factory.

 Guardrail Samples and Description

    • Preventive: Restrict Region usage. An SCP denies API calls whose aws:RequestedRegion is outside the governed Regions, with exemptions for global services and for the Control Tower execution role.
    • Preventive: Disallow actions as a root user. An SCP denies requests made by the root user of member accounts (it cannot constrain the management account's root user).
    • Detective: Ensure CloudTrail is enabled. An AWS Config rule flags the account if trail logging is turned off; nothing is blocked, the finding is reported to the Audit account.
    • Detective: Detect public read access to S3 buckets. In the managed control library this check is detective (AWS Config); blocking public access outright needs a custom SCP, for example one that denies changes to the account-level S3 Block Public Access settings.
    • Detective: Detect whether MFA is enabled for the root user. Reports accounts whose root user has no MFA device.
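The detective rows above, like the "Detective (Config-based)" item in the architecture section, all rest on AWS Config evaluating a resource and reporting COMPLIANT or NON_COMPLIANT. The block below is an added example (not one of Control Tower's managed controls, which are AWS Config managed rules): a Lambda-backed custom Config rule that flags CloudTrail trails that are not multi-region, have log file validation off, or are not KMS-encrypted. The sample invocation event is constructed, not captured from AWS, and the trail ARN, account ID and result token in it are placeholders.

```python
"""Custom AWS Config rule: the mechanism behind a detective control.

Added example, not one of Control Tower's managed controls. Nothing is
blocked: the result is reported to AWS Config, which surfaces it in the
Audit account's aggregator. SAMPLE_EVENT is constructed, not captured.
"""
import json

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"
NOT_APPLICABLE = "NOT_APPLICABLE"


def evaluate_trail(item):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("resourceType") != "AWS::CloudTrail::Trail":
        return NOT_APPLICABLE, "rule evaluates CloudTrail trails only"
    if item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceNotRecorded"):
        return NOT_APPLICABLE, "resource deleted or not recorded"
    cfg = item.get("configuration") or {}
    problems = []
    if not cfg.get("isMultiRegionTrail"):
        problems.append("trail is not multi-region")
    if not cfg.get("logFileValidationEnabled"):
        problems.append("log file validation is disabled")
    if not cfg.get("kmsKeyId"):
        problems.append("log files are not KMS-encrypted")
    if problems:
        return NON_COMPLIANT, "; ".join(problems)
    return COMPLIANT, "trail meets the logging baseline"


def build_evaluation(event):
    """Parse a Config rule invocation and build the PutEvaluations entry.

    Returns None for scheduled or oversized notifications, which carry no
    inline configuration item (a full rule would fetch it with
    GetResourceConfigHistory instead).
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking.get("configurationItem")
    if item is None:
        return None
    compliance, annotation = evaluate_trail(item)
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],   # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context):
    """Lambda entry point: evaluate the item and report back with the result token."""
    import boto3  # only needed inside Lambda
    evaluation = build_evaluation(event)
    if evaluation is None:
        return {"evaluations": 0}
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return {"evaluations": 1}


# Constructed sample invocation: a multi-region trail with validation off and no KMS key.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::CloudTrail::Trail",
            "resourceId": "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2025-10-13T09:00:00.000Z",
            "configuration": {
                "name": "example-trail",
                "isMultiRegionTrail": True,
                "logFileValidationEnabled": False,
                "kmsKeyId": None,
            },
        },
    }),
    "resultToken": "placeholder-token",
}

if __name__ == "__main__":
    print(build_evaluation(SAMPLE_EVENT))
```

Keeping the evaluation logic in a pure function that never touches the network is what makes the rule testable offline; the handler only adds the PutEvaluations call, which must echo back the ResultToken it was invoked with or Config discards the result.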

 Control Tower Dashboard: provides a unified console view to:

    • Monitor OU-level compliance.
    • View guardrail violations.
    • Manage account provisioning.
    • Track drift (resources or settings that diverge from baseline).

Benefits

    • Automated multi-account setup.
    • Enforced security and compliance at scale.
    • Integrated identity and access management.
    • Continuous visibility and governance.
    • Scalable and extensible architecture.

 Limitations & Considerations

    • Available only in supported AWS Regions; a home Region is chosen at setup and only the Regions selected for governance are covered by controls (the Region deny control can block the rest).
    • Changes made directly to Control Tower-managed resources (OUs, SCPs, enrolled accounts) outside the Control Tower console or API are reported as drift and may have to be repaired.
    • Complex networking setups (e.g., Transit Gateway, shared VPCs) are not part of the baseline and need separate automation, for example through CfCT or AFT.
    • Custom SCPs layered on top of Control Tower's controls can conflict with them or with each other: every SCP on the path from the root to the account is evaluated and a deny in any of them wins, so test the combined effect on a sandbox OU before rolling out.


