Simplified Way to Setup and Govern Multiple Accounts in AWS Using AWS Control Tower

Overview

In Today’s business, if you are looking for the easiest way to set up and also govern multiple accounts and secure an AWS environment if you want larger scale AWS deployment so you are in right place. The AWS Control tower will solve this problem. It simplifies AWS experiences by orchestrating multiple AWS services.

Before going in detail, let’s see what AWS control tower is.

AWS Control Tower

Amazon Control tower is a service that shows an easy way to set up and govern a new, security based multiple AWS account environment.

The AWS Control Tower simplifies the AWS experience by organizing multiple AWS services on your behalf while maintaining your organization’s security and compliance requirements.

Source: AWS

Why AWS Control Tower used?

AWS Control tower is useful because it is helpful to set up and config the new environment of AWS quickly. It automates ongoing policy management. The summary of view policy level of the AWS environment

Use Cases

If you’re engaged with various AWS records and groups, cloud arrangements and administration can be mind-boggling and exhausting, hampering the progress you’re attempting to accelerate. The AWS Control Tower gives the simplest way to establish and oversee another, protected, multi-account AWS status, relying on best practices built through the experience of the AWS. With the AWS Control Tower, developers can arrange new AWS accounts in a few snaps, while you have a significant calm that your records accommodate your far-reaching strategies. If you’re building another AWS position, starting your excursion to AWS, starting another cloud activity, or are completely new to AWS, the Control Tower will assist you rapidly with the administration of the cloud and best practices.

The AWS control tower helps to move the AWS environment into a well-designed framework in a seamless manner.

• Pre-merge AWS environment
• Post-merge AWS environment

How to Use AWS Control Tower

Well, it is quite simpler to use like many other AWS services.

The AWS control tower requires two email addresses to set up an AWS account, one for log collection and the other for automatically auditing for you.

Organization has three accounts –

Master Account – Provided the ability to create and manage a financially managed member account. All are used for account factory provision and accounts, management of organizational units, and guards.

Log Archive Account – A repository of immutable logs of API activities and resource configurations from all your accounts.

Audit account – Restricted account for your security and compliance teams to read and write all accounts for auditing purposes.

After completing the setup of your landing zone, you can see the named accounts and registered organization units on your AWS Control Tower dashboard.

Landing Zone

A landing zone is a well-designed, multi-account AWS environment based on safety and compliance best practices. AWS Control automates the setup of a new landing zone using best practice blueprints for tower identification, federal access, and account structure. Examples of blueprints implemented automatically in your landing zone include:

• Create a multi-account environment by using AWS organizations.
• Provide identity management by using the default directory found within the AWS IAM Identification Centre.
• Grant federal access to accounts using the AWS IAM Identification Centre
• Centralize logging from AWS CloudTrail and AWS configurations stored in the Amazon Simple Storage Service (Amazon S3).
• Enable cross-account security audits by using the AWS IAM Identity Centre
• The landing zone established by the AWS Control Tower is managed using a set of mandatory and strongly recommended guardrails that you choose through it.

Dashboard of Control Tower

The UI design of the Control tower is quite simple and easy to use. Only components managed and deployed by the control tower are seen in the dashboard.

Conclusion

There are some great things around the control tower and some are not so great and it all depends on the maturity of the AWS infrastructure team within an organization. The provision of the control tower is through ‘clickopsing’ – performing authentication in the console, navigating to the control tower, and clicking create. It is not possible to do this through code or CloudFormation. You can start taking advantage of well-crafted frameworks and improve technical readiness for acquisition. Well-architected tool in Aus Management Console Allauj to review your workload for migration. I had recommended using control towers for small to medium businesses without a complicated workload and simply wanted ‘best practice’. This is not the solution to retrofitting the currently unexplained account topology. This leaves an unclear area for organizations that want to get started with custom workloads, and whenever it’s a matter of forecasting a significant amount on a short-term scale.

About CloudThat