AWS Control Tower: Helping you with your 5+ account strategy

AWS Control Tower

You have started your cloud journey with AWS and are now moving beyond the proof of concept to begin testing the waters. It’s now time to go full-scale and rollout AWS to multiple teams across your organisation. You know you will need several accounts per team as everyone is using a dev, test, production setup as part of the organisations multi-account strategy.

But, how can you setup all these accounts without being overwhelmed? How do you get them to conform to your organisations best practises and security controls? In steps… AWS Control Tower to make your life easier, now I’m not talking about an airport control tower but the idea is somewhat similar, AWS Control Tower allows company cloud administrators to easily and securely setup and govern a multi-account environment. Let’s explore what it can do.

What does Control Tower do?

Control Tower workings
Source: AWS Control Tower overview

At the highest level Control Tower is designed to be the easiest way for organisations to set up and administer their AWS account environments at scale and speed. It allows organisations to reduce administration and governance overhead by deploying landing zones (or accounts as they are also known) by having best practise, security guardrails and visibility in your organisations account structure. You’ve had the highest of overviews but now let’s get into some more details.

AWS Landing Zone

A landing zone is a secure pre-configured environment (account) in which you would deploy resources, these landing zones allow you to experiment, iterate and migrate your resource without the concerns of what happens as you scale your cloud footprint.

The next logical step is the AWS Landing Zone (this used to be just AWS landing zone but that is EOL) via Control Tower which is basically the same as a normal landing zone but with some extra bolt-ons built in. For instance, these landing zones have been built in best-practises for multi-account strategy as a blueprint, adding security guardrails to the account and added monitoring. Acting as an account factory – orchestrating the creation and provisioning of accounts simplifying AWS administrator tasks – all this is part of AWS organisations and can easily be synced in.

Centralised Identity and Access

Control Towers also adds AWS SSO (single sign on), while this service is also a stand alone offering, it should be used whenever possible – becoming part of Control Towers multi-account authentication by integrating with your choice of federated access management (MS active directory, google etc). The added benefits it brings are in the preconfigured groups you can make use of, such as Control Tower Administrators, Auditors and Service Catalog end users. It even comes with preconfigured permission sets you can bind to your custom groups as well. SSO means lower overhead for Access Administrators but also for users only having to remember that one login for multiple accounts.

Organisation Guardrails

Firstly, what is a guardrail? Guardrails are a set of preconfigured governance rules for security, compliance and operations, which at a base level every administrator should be doing for their AWS accounts, which is why Control Tower simplifies governance by adding service control polices and AWS Config rules. These break down into various areas;

  • Preventive Guardrails – these are to help stop the use of certain actions, API calls and even services, and is all about preventing policy violations.
  • Detective Guardrails – following preventative guardrails these are put in place to detect any policy violations that you might have missed and can’t easily enforce via other means.

Control Tower comes with both mandatory guardrails and recommended guardrails – by using it you achieve a secure baseline for your organisational units and AWS accounts.

Wrapping up

As you can see the services that Control Tower offers are there to make your life easier and more secure, helping you to get started on making the most of your cloud assets and focusing more on the development of your systems and product. The best part? It’s completely free, no need to worry about the extra charges this might bring, set it up today and get started.

If you want to know more about AWS Control Tower, or even need help with setting it up then please contact us here.

Or, alternatively Mobilise will be running a AWS Immersion day for Control Tower on the 30th March 2022 which will be delivered by certified solution architects giving talks and hands on labs. Sign up if you are interested in getting to know more or hands on with it.

Enterprise and public sector trust Mobilise to securely transform their tech, teams and how they do business.

Say hello to your independence with our project enablement approach.