Anyone who has worked in the cloud knows how quickly this environment can increase in complexity as more and more workloads get migrated. Companies usually start with small, non-critical systems but quickly want to migrate other business systems once they see the cost benefits and power of the cloud. This becomes a challenge for security teams, who have to put in controls to secure and govern multiple AWS accounts. Thankfully AWS, being the market leader for many years, regularly releases new security services for its customers, AWS Control Tower being one of the more recent ones.

As someone who is a big fanboy of AWS Control Tower and how it can really simplify cloud governance, I thought it would be a good idea to go into the detail of this offering.

How multi-account environments are born

AWS accounts act like a boundary or container for a customer’s resources, allowing them to segregate their workloads in the cloud and simplify billing. By default, resources in an AWS account do not have access to resources outside that boundary, creating a segregation which is not possible on-prem.

A standard AWS account

Customers usually start their cloud journey with one AWS account but quickly create more accounts as additional systems get migrated. Following standard best practices, a company might create the accounts below for centralized governance:

  • A management account which is used to govern all the other accounts and consolidate billing and other services
  • A production account for holding all their main production systems
  • A sandbox account where developers can play around and experiment with AWS services
  • A security account used by the cyber-security team, with read-only access to logs and other security services
  • A shared services account which follows a hub-and-spoke model for services that are used across accounts, e.g. storage of logs, networking, etc.

As you can imagine, the complexity of managing and securing this multi-account setup quickly becomes a chore for teams. Security teams want to make sure governance controls, or guardrails, are present and managed centrally, such as allowing developers admin access in the sandbox account but only read-only access in another.

Previously, AWS Organizations was a great way to accomplish this: customers could create Organizational Units (OUs) to group AWS accounts by their specific function and apply rules to them (similar to how Active Directory works). While AWS Organizations was (and is) amazing, it still requires a lot of manual work, which is where AWS Control Tower comes in.

AWS Control Tower to the rescue!

What is Control Tower? Simply put:

AWS Control Tower is a security offering which simplifies and automates many of the previously discussed activities and provisions a ready-made multi-account AWS environment configured as per security best practices.

As the above states, AWS Control Tower is the quickest and easiest way to set up and secure a multi-account AWS environment (referred to as a Landing Zone). It uses AWS Organizations under the hood but automates a lot of the processes and hides away the complexity. It was built by AWS based on their experience of securing thousands of customers in the cloud and can be provisioned with just a few clicks from the console!

If you are new to securing multiple AWS accounts, then Control Tower is definitely a great starting point, as you will have peace of mind knowing the environment is already complying with best practices from day 1.

Features and Benefits of AWS Control Tower

When you enable AWS Control Tower, you get the following:

Landing Zone: A pre-configured, multi-account environment that Control Tower creates and that is compliant with best practices.

Guardrails: Automated policy controls focusing on security and compliance. Preventive guardrails stop deployment of resources that don’t meet policies (for example, ‘Enable AWS CloudTrail in all accounts’). Detective guardrails (for example, ‘Detect whether public read access to Amazon S3 buckets is allowed’) alert on non-conformance.
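As an added example (not from the original post), this is the kind of check a detective guardrail such as ‘Detect whether public read access to Amazon S3 buckets is allowed’ performs: it evaluates a bucket’s ACL grants and bucket policy, in the shape boto3’s get_bucket_acl and get_bucket_policy return them. The function names and sample buckets are this example’s own, and it simplifies by treating any policy statement with a Condition as not public.

```python
import json
# Predefined S3 groups that make an ACL grant public (real S3 group URIs).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_allows_public_read(acl):
    """True if an ACL grant (boto3 get_bucket_acl shape) gives READ or
    FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    return any(
        g.get("Grantee", {}).get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUPS
        and g.get("Permission") in ("READ", "FULL_CONTROL")
        for g in acl.get("Grants", [])
    )

def policy_allows_public_read(policy_json):
    """True if an Allow statement with no Condition lets principal "*" read
    objects. Simplification: the real Config rule also evaluates Conditions."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]}
            aws = principal.get("AWS", [])
            principal = "*" if "*" in ([aws] if isinstance(aws, str) else aws) else None
        if principal == "*" and any(a in ("s3:GetObject", "s3:*", "*") for a in actions):
            return True
    return False

def evaluate_bucket(acl, policy_json=None):
    """Config-style verdict for one bucket: COMPLIANT or NON_COMPLIANT."""
    public = acl_allows_public_read(acl) or bool(policy_json and policy_allows_public_read(policy_json))
    return "NON_COMPLIANT" if public else "COMPLIANT"

# Constructed sample inputs (not real buckets).
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                           "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Grants": PRIVATE_ACL["Grants"] + [{"Grantee": {
    "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
```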

Organizational Unit (OU): Used to group accounts for governance. Guardrails are enforced on OUs (similar to Active Directory policies).

Account Factory: Used to create new accounts or enroll your existing AWS accounts.

Single Sign-On (SSO) Directory: An SSO directory is set up so you can use one identity for signing into your multiple AWS accounts instead of separate users in each account.

And lastly, you get a management dashboard to see how well your accounts are complying with the guardrails that were put in place. All of this with a click of a button!

How AWS Control Tower works

[Figure: Control Tower features. Source: AWS website]

Launching Control Tower:

When you deploy AWS Control Tower, it creates three accounts: a management account, an audit account, and a log archive account.

  • Management account — Like the name states, this is a shared account that’s used for billing, provisioning of accounts via Account Factory, and managing OUs and guardrails.
  • Security OU with two shared accounts:
    • Audit account — As per AWS: “The audit account is a restricted account that’s designed to give your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts”
    • Log archive account — As per AWS: “This account works as a repository for logs of API activities and resource configurations from all accounts in the landing zone”
  • Sandbox OU — This will be used for launching your workloads and playing around with AWS services.

So roughly, your AWS account structure will look like the below:


        This image shows an example of default destination for accounts created within AWS Control Tower.
Source : AWS website

Once it is launched and the above are provisioned, most organizations will create further AWS accounts for better governance, which becomes very easy to do with Account Factory. You could end up with a structure that looks like the below:


        This image shows shows the OUs initially deployed by AWS Control Tower.
Source : AWS website

How to launch Control Tower

Deploying it is quite simple: just type Control Tower in the console search, which will take you to the service page, and click on Set up landing zone:

You can usually make do with the default selections and click next:

Same with the next page.

You can change the names of the Security and Sandbox OUs if you want, but I would not recommend it.

Choose the emails for your Log Archive and Audit accounts in Step 4 (usually these would be emails of the security team, and each has to be unique).

Tick the checkbox on the last screen confirming that you understand what AWS Control Tower will do:

Once you click OK, AWS will start deploying AWS Control Tower. It usually takes around 30 minutes for everything to come up; be on the lookout for emails to the management, log archive and audit account addresses. You will also get emails for enrolling in AWS Single Sign-On.

One point to keep in mind is that AWS Control Tower itself is free, but the services it deploys, such as AWS Config, CloudTrail, S3 and Simple Notification Service (SNS), are not. You will be charged based on what you use, which you can check here.

AWS Control Tower is the way to go

By now I hope you understand why I like AWS Control Tower so much and the actual benefits it offers. If you are a large enterprise that is going to be working on AWS at scale, then Control Tower is a great way to make sure your environment has a secure foundation from day 1.

It also gives business teams an easy way to provision new AWS accounts quickly from Account Factory, while security teams can have peace of mind knowing that accounts will be pre-configured with security best practices.

As I have mentioned many times, security automation is one of the key benefits of the cloud, and AWS Control Tower is one of the best services for implementing it.

Good luck in your AWS Control Tower journey!