Leveraging Control Tower – Designing a Multi-Account AWS Environment for Complex Organizations – SAP-C02 Study Guide

Leveraging Control Tower

Control Tower is an AWS service that addresses all the aspects covered earlier in this chapter in a prescriptive way. It is an opinionated service that allows you to automate the setup of your baseline environment—in other words, your landing zone. Control Tower does this by following a set of best practices coming from the collective experience of AWS. This experience was built over the years by working with thousands of customers who needed to set up a secure AWS environment to govern their AWS workloads more easily with central rules for security, operations, and compliance.

On top of these best practices, Control Tower relies on multiple other AWS services such as, but not limited to, AWS Organizations, AWS Config, AWS Service Catalog, AWS SSO, and AWS CloudTrail.

You can either set up Control Tower in a brand-new organization (as defined in AWS Organizations) when starting afresh or use it in an existing organization that you already have in place. In the latter case, there are some considerations to work through before you actually set up Control Tower, to ensure that your existing organization will not be impacted. The bottom line is that it’s always easier to start with a new organization, but there may be situations where you’d prefer not to start from scratch.

Note that existing accounts are not automatically enrolled in Control Tower when you set it up in an existing organization. These existing accounts need to be explicitly enrolled to be governed by Control Tower, which will, upon enrollment, baseline each account according to best practices and apply any security guardrails that you have enabled. There are a number of prerequisites to follow for enrollment. When onboarding existing accounts, it is best to always refer to the Control Tower documentation to check those prerequisites. Depending on the number of accounts that you need to enroll, you may want to automate the enrollment process as much as possible (repeating the various steps manually is also error-prone). For more details on how to do this, refer to the Enroll Existing AWS Accounts into AWS Control Tower blog in the Further reading section at the end of this chapter.
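As an added illustration of automating the enrollment step (this is example code written for this section, not the study guide's own code nor the code from the blog it cites), the script below drives the Account Factory's Service Catalog product for a batch of accounts and validates the batch before making any call. It assumes the product takes parameters named AccountEmail, AccountName, ManagedOrganizationalUnit, SSOUserEmail, SSOUserFirstName and SSOUserLastName (an assumption about the product's parameter names), and it takes the Service Catalog client as an argument so the logic can be exercised offline with a fake.

```python
"""Batch provisioning or enrollment through the Control Tower Account Factory.

Added example, not from the study guide or from the AWS blog it cites. It
assumes the Account Factory is exposed as a Service Catalog product whose
parameters are named AccountEmail, AccountName, ManagedOrganizationalUnit,
SSOUserEmail, SSOUserFirstName and SSOUserLastName (an assumption about the
product's parameter names), and that the Service Catalog client is passed in
so the validation and call sequence can be run offline with a fake.
"""
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass(frozen=True)
class AccountRequest:
    name: str        # account name shown in AWS Organizations
    email: str       # root e-mail; for an existing account, its current root e-mail
    ou: str          # target OU that Control Tower already governs
    sso_email: str
    sso_first: str
    sso_last: str


def validate_requests(requests, governed_ous):
    """Catch the errors a manual run would only surface mid-way: malformed or
    duplicate root e-mails and OUs that Control Tower does not govern."""
    errors, seen = [], set()
    for r in requests:
        if not EMAIL_RE.match(r.email):
            errors.append(f"{r.name}: malformed root e-mail {r.email!r}")
        if r.email.lower() in seen:
            errors.append(f"{r.name}: duplicate root e-mail {r.email!r}")
        seen.add(r.email.lower())
        if r.ou not in governed_ous:
            errors.append(f"{r.name}: OU {r.ou!r} is not governed by Control Tower")
    return errors


def provisioning_parameters(r):
    """Translate a request into the Key/Value list that provision_product expects."""
    return [
        {"Key": "AccountEmail", "Value": r.email},
        {"Key": "AccountName", "Value": r.name},
        {"Key": "ManagedOrganizationalUnit", "Value": r.ou},
        {"Key": "SSOUserEmail", "Value": r.sso_email},
        {"Key": "SSOUserFirstName", "Value": r.sso_first},
        {"Key": "SSOUserLastName", "Value": r.sso_last},
    ]


def provision_accounts(sc_client, product_id, artifact_id, requests, governed_ous):
    """Validate the whole batch first, then launch one Account Factory product
    per request. Returns account name -> Service Catalog record ID, which is
    what a caller polls with describe_record to follow each enrollment."""
    errors = validate_requests(requests, governed_ous)
    if errors:
        raise ValueError("; ".join(errors))
    records = {}
    for r in requests:
        resp = sc_client.provision_product(
            ProductId=product_id,
            ProvisioningArtifactId=artifact_id,
            ProvisionedProductName=f"account-{r.name}",
            ProvisioningParameters=provisioning_parameters(r),
        )
        records[r.name] = resp["RecordDetail"]["RecordId"]
    return records


class FakeServiceCatalog:
    """Offline stand-in for boto3's servicecatalog client, used for the demo run."""

    def __init__(self):
        self.calls = []

    def provision_product(self, **kwargs):
        self.calls.append(kwargs)
        return {"RecordDetail": {"RecordId": f"rec-{len(self.calls):04d}"}}


# Constructed sample input (placeholder accounts, OUs and product IDs).
SAMPLE_REQUESTS = [
    AccountRequest("payments-dev", "aws-payments-dev@example.com", "Workloads",
                   "alice@example.com", "Alice", "Doe"),
    AccountRequest("payments-prod", "aws-payments-prod@example.com", "Workloads",
                   "alice@example.com", "Alice", "Doe"),
]
GOVERNED_OUS = {"Security", "Sandbox", "Workloads"}

if __name__ == "__main__":
    # With real credentials you would pass boto3.client("servicecatalog") instead.
    fake = FakeServiceCatalog()
    print(provision_accounts(fake, "prod-PLACEHOLDER", "pa-PLACEHOLDER",
                             SAMPLE_REQUESTS, GOVERNED_OUS))
```

Control Tower limits how many account operations can run at once, so a production version of this loop would wait on each record (describe_record) before launching the next rather than firing them all back to back; validating the whole batch up front is what keeps a typo in the tenth account from leaving the first nine half-done.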

What Does Control Tower Deliver Exactly?

Control Tower delivers a number of things:

  • First and foremost, it will create what we call your landing zone—that is, your multi-account AWS environment set up according to AWS best practices. It follows the recommendations from the AWS Well-Architected Framework (see https://packt.link/yhehg for more details). This environment will contain some essential elements to start with and provide room for extension so that you can later add additional OUs and accounts where you can deploy your resources.
  • Second, Control Tower will provide and enforce guardrails across your entire organization (with the exception of your management account). These guardrails are rules of two types—preventive or detective. Each rule type is further divided into Mandatory, Strongly recommended, and Elective guardrails.
  • Thirdly, Control Tower will create an account factory that you can configure and leverage to automatically provision new accounts with pre-approved configurations. The idea is to streamline account provisioning by doing the heavy lifting for you.
  • Finally, Control Tower comes with a dashboard that lets your AWS system administrators oversee the landing zone operations and monitor their status.
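To make the preventive/detective distinction concrete, here is an added worked example (written for this section; it is neither the study guide's code nor an AWS artifact). The service control policy is modeled on the mandatory guardrail that disallows changes to the CloudTrail trail Control Tower sets up, but its text is constructed here for illustration; a small evaluator shows that it blocks the API call for an administrator while exempting the Control Tower execution role. The detective half mirrors what an AWS Config managed rule for EBS encryption evaluates (ENCRYPTED_VOLUMES is assumed as the rule name) over a constructed list of volumes: nothing is blocked, existing resources are simply marked compliant or not.

```python
"""Preventive versus detective guardrails, worked through on constructed data.

Added example, not from the study guide or from AWS. The SCP is modeled on
the mandatory guardrail that disallows changes to the CloudTrail trail
Control Tower creates; its exact text is constructed for illustration.
The detective check mirrors an AWS Config managed rule for EBS encryption
(rule name ENCRYPTED_VOLUMES assumed) run over sample volumes.
"""
import re

# Preventive guardrail: an SCP attached to an OU. It blocks the API call
# itself for every principal except the Control Tower execution role.
CLOUDTRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyTrailChanges",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
            ],
            "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            },
        }
    ],
}


def _iam_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(x):
    return x if isinstance(x, list) else [x]


def scp_denies(scp, action, resource_arn, principal_arn):
    """True if any Deny statement matches the request. Only the subset of the
    policy language used above is implemented: Action/Resource wildcards and
    an ArnNotLike condition on aws:PrincipalARN."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_iam_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt is not None and any(_iam_match(p, principal_arn) for p in _as_list(exempt)):
            continue  # condition not satisfied: this principal is exempt from the deny
        return True
    return False


# Detective guardrail: nothing is blocked; resources that already exist are
# evaluated and the non-compliant ones surface on the Control Tower dashboard.
def evaluate_encrypted_volumes(volumes):
    """Map each volume ID to COMPLIANT / NON_COMPLIANT, as a Config rule would."""
    return {
        v["VolumeId"]: "COMPLIANT" if v.get("Encrypted") is True else "NON_COMPLIANT"
        for v in volumes
    }


# Constructed sample data (placeholder account ID and volume IDs).
TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/aws-controltower-BaselineCloudTrail"
OTHER_TRAIL = "arn:aws:cloudtrail:us-east-1:111122223333:trail/my-own-trail"
ADMIN = "arn:aws:iam::111122223333:role/Admin"
CT_ROLE = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
SAMPLE_VOLUMES = [
    {"VolumeId": "vol-0a1b2c3d", "Encrypted": True},
    {"VolumeId": "vol-0e4f5a6b", "Encrypted": False},
]

if __name__ == "__main__":
    print("admin StopLogging denied:", scp_denies(CLOUDTRAIL_SCP, "cloudtrail:StopLogging", TRAIL, ADMIN))
    print("CT role StopLogging denied:", scp_denies(CLOUDTRAIL_SCP, "cloudtrail:StopLogging", TRAIL, CT_ROLE))
    print("admin on own trail denied:", scp_denies(CLOUDTRAIL_SCP, "cloudtrail:StopLogging", OTHER_TRAIL, ADMIN))
    print(evaluate_encrypted_volumes(SAMPLE_VOLUMES))
```

The two halves fail differently, which is the point of the classification: the preventive rule means the unencrypted-style mistake can never be made in the first place (the call is refused before anything changes), while the detective rule tolerates the change and relies on someone acting on the NON_COMPLIANT finding. Mandatory guardrails in Control Tower are mostly of the first kind, protecting the audit and log archive baseline; many elective ones are of the second.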