AWS Control Tower for Easy Governance at Scale

Introduction

An organization must adjust its business need to remain agile whereas giving administration at scale. Setting up the foundational benchmarks gives you the capacity to set up arrangements and work your environment for both business agility and governance at scale. Successful cloud adoption starts with a secure cloud-based environment, including an AWS environment with a multi-account architecture. When your organization has multiple AWS accounts and teams, cloud setup, security, and permission management can be complex and time-consuming, slowing the innovation you’re trying to accelerate.

AWS Control Tower offers a direct way to set up and administer an AWS multi-account environment, taking after prescriptive best practices. AWS Control Tower organizes the capabilities of a few other AWS services, counting AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center (successor to AWS Single Sign-On), to construct a landing zone in less than an hour. Few services are set up and overseen on your behalf. With AWS Control Tower, you can provision new AWS accounts with just a few clicks and have the peace of mind that your accounts comply with company-wide policies.

AWS Control Tower Features

AWS Control tower has the following features.

Landing Zone:- A landing zone is a well-designed, multi-account environment built on best practices for security and compliance. All your organizational units (OUs), accounts, users, and other resources you want to be subject to compliance control are kept in this enterprise-wide container. Any size business can use a landing zone to meet its goals.

Controls: – A control is a high-level rule offering ongoing governance for your AWS environment. It is often referred to as a guardrail. It is in plain English language. There are three types of control: preventive, detective, and proactive.

Account Factory: – It helps you provision a new AWS account with pre-approved account configuration. An account factory is a console base product connected to the AWS service catalog.

Dashboard: – Thanks to the dashboard, your group of central cloud administrators can continuously monitor your landing zone. You may use the dashboard to view provisioned accounts across your company, controls activated for policy enforcement, controls enabled for continuous policy non-conformance detection, and non-compliant resources created by accounts and OUs.

Structure of an AWS Control Tower Landing Zone

Once you set up the AWS control tower landing zone, you will get the following things to get set up for you.

AWS Organization: – Landing zone will enable the AWS organization for you on your behalf and also create two OU for you. If you have AWS Organization, enable already then the landing zone will create two new OU in your organization

Security OU: – The Log Archive and Audit accounts are available in this OU. Shared accounts are a common name for these accounts. These shared accounts can have personalized names when your landing zone is launched, and you can import already-existing AWS accounts into AWS Control Tower for security and logging. After the first launch, existing accounts cannot be added or renamed for security and logging.

The log account collects the AWS accounts log in a centralized S3 bucket. Audit account use for auditing purposes of other AWS accounts.

Sandbox OU: – This OU we can use as a container for your future AWS account. This OU has a few pre-applied controls for governance and compliance purposes.

IAM Identity Center: – Landing zone will enable the IAM identity center for you on your behalf. It will create one identity directory in your account with one SSO user created in that directory. With this SSO user, only you can create a new AWS account using the account factory product in the service catalog.

Setup a Landing Zone

1. In the AWS management console, search for Control Tower and select it.
   
2. Click on Set up a landing zone.
   
3. In the Review pricing and select Regions step, select the home region which you want to be the home region for the control tower. This region helps to create the landing zone. Resources such as the IAM Identity Center and logging S3 buckets will get deployed in this region. You CANNOT change after setting your landing zone. For the rest of other options, keep the default ones and click next.
   
   
   
4. In Configure Organization units (OUs) step, select the default options and click Next.
   
   
5. In Configured shared accounts, select Use existing account and give the 12-digit AWS account ID for the log archive account and one more 12-digit AWS account ID for the audited account. If you do not have an existing account, you can select Create a new account and give a mail address not associated with any AWS account. Click Next
   
   
6. Select the default setting in the Configure CloudTrail and encryption page and click Next.
   
   
7. In the Review and Setup landing zone page, scroll to the end of the page, and under the Service Permission section, enable the I knowledge box and then click Setup landing zone.
   
   
   
   
8. Setting up the landing zone will take around 45 to 60 min, and once it is set up successfully, it will show that Your Landing zone is available.
   

About CloudThat

CloudThat, incepted in 2012, is the first Indian organization to offer Cloud training and consultancy for mid-market and enterprise clients. Our business aims to provide global services on Cloud Engineering, Training, and Expert Line. Our expertise in all major cloud platforms, including Microsoft Azure, Amazon Web Services (AWS), VMware, and Google Cloud Platform (GCP), positions us as pioneers.

We have a strong AWS Consulting team and are AWS Advanced Tier Services Partner, DevOps Services Competency Partner, Well-Architected Partner, and Public Sector Partner. You can learn more about our AWS Consulting Services here…