Publish date December 19, 2019
With businesses finding it difficult to manage multiple AWS accounts, AWS Control Tower acts as a centralized system for setting up and overseeing cloud operations, using built-in features, blueprints, and best practices.
Why Use AWS Control Tower
A few reasons to use and migrate infrastructure to the AWS Control Tower are listed below.
AWS Control Tower has the features described below, which help organizations with multiple AWS accounts operate in the cloud environment with ease.
A landing zone is a multi-account AWS environment that is well-architected with built-in compliance and security best practices. It is automated by the AWS Control Tower using best-practices blueprints for federated access, identity, and account structure. Some of the blueprints that are implemented in a landing zone are:
The account factory helps standardize the provisioning of new accounts, as it is a configurable account template with pre-approved configurations and region selections. This will enable self-service for builders to configure and provision new accounts using the AWS Service Catalog.
As part of the landing zone setup, businesses can automatically leverage mandatory guardrails. Furthermore, through AWS best practices and common customer policies for governance, a curated set of guardrails are offered by the AWS Control Tower.
Guardrails on organizational units or OUs can also be enabled at any time, and accounts provisioned under such enabled OUs will automatically have the guardrails. Here are a few guardrails that are strongly recommended:
Preventive and Detective Guardrails:
With the help of preventive guardrails, businesses can not only state intent but also prevent the deployment of resources that do not conform to the set policies. An example would be enabling AWS CloudTrail in all accounts.
Detective guardrails monitor deployed resources for potential nonconformance. Preventing public read access to Amazon Simple Storage Service (S3) buckets is one such example. Control Tower automatically translates guardrails into granular AWS policies by:
Constant visibility into the AWS environment is possible using the Control Tower dashboard. Businesses will be able to view:
To build a new multi-account AWS environment quickly and easily.
With just a few clicks, a multi-account set up in the AWS environment can be automated. For configuring AWS management and security services to govern the AWS environment, it employs blueprints, which capture AWS best practices. Blueprints are available for centralized logging, to provide identity management, establish cross-account security audits, federate access to accounts, define workflows for provisioning accounts, and implement account baselines with network configurations.
Automation and application of set service/operating policies
One of the best features of Control Tower is guardrails. These are mandatory and strongly recommended high-level rules that enforce your policies using service control policies (SCPs). They also help detect policy violations using AWS Config rules, which remain in effect when new accounts are created or existing accounts are changed. Another advantage is that AWS Control Tower provides a summary or report of how each account conforms to your enabled policies.
One of the benefits that Control Tower offers is an integrated dashboard view. This provides a top-level summary of the policies applied to the AWS environment. Details on the guardrails enabled across your accounts, the accounts provisioned, and compliance at the account level are provided.
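The distinction drawn above, and in the earlier "Preventive and Detective Guardrails" passage, is that a preventive guardrail is an SCP Deny that stops a non-conforming API call before it happens, while a detective guardrail is a Config-style check that reports resources already out of line. The following is an added example, not Control Tower's own code or policy text: it evaluates a constructed SCP that keeps CloudTrail enabled against a few actions, then runs a constructed detective check for public-read S3 buckets over sample ACL data and rolls the result up the way the account-level summary does. The SCP, the bucket inventory and the function names are all assumptions made for illustration; Control Tower's real guardrails are managed by the service and are not hand-written like this.

```python
"""Preventive vs. detective guardrail, illustrated offline.

Added example, not Control Tower's own code. The SCP and the bucket
metadata are constructed for illustration only.
"""
import fnmatch
import json

# Constructed SCP: a preventive guardrail that keeps CloudTrail enabled by
# denying the API calls that would stop, delete or reconfigure a trail.
CLOUDTRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyDisablingCloudTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list in Action/Statement elements.
    return value if isinstance(value, list) else [value]


def scp_denies(policy, action):
    """Return True if any Deny statement in the SCP matches ``action``.

    An SCP only limits permissions: an action that is not explicitly
    denied here is still subject to the account's own IAM policies.
    Wildcards in the Action element match case-insensitively, as in IAM.
    """
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Deny":
            continue
        for pattern in _as_list(statement.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


# Constructed S3 bucket inventory, in the shape boto3's get_bucket_acl
# returns grants, as a detective check would see it.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
BUCKET_ACLS = {
    "finance-reports": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    ]},
    "marketing-assets": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
    ]},
}


def public_read_buckets(acls):
    """Detective guardrail: buckets granting READ or FULL_CONTROL to AllUsers.

    Nothing is blocked; the finding is reported so the dashboard (or an
    operator) can see the nonconforming resource and remediate it.
    """
    findings = []
    for name, acl in acls.items():
        for grant in acl["Grants"]:
            grantee = grant["Grantee"]
            if (grantee.get("Type") == "Group"
                    and grantee.get("URI") == ALL_USERS_URI
                    and grant["Permission"] in ("READ", "FULL_CONTROL")):
                findings.append(name)
                break
    return sorted(findings)


def compliance_summary(acls):
    """Account-level roll-up of the kind the Control Tower dashboard shows."""
    noncompliant = public_read_buckets(acls)
    return {"resources": len(acls), "noncompliant": len(noncompliant),
            "compliant": len(noncompliant) == 0}


if __name__ == "__main__":
    for action in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails", "s3:GetObject"):
        verdict = "DENIED by SCP" if scp_denies(CLOUDTRAIL_SCP, action) else "not limited by SCP"
        print(f"{action}: {verdict}")
    print("public-read buckets:", public_read_buckets(BUCKET_ACLS))
    print(compliance_summary(BUCKET_ACLS))
```

The two halves behave differently on purpose: the SCP check answers "would this call be allowed?" before anything changes, so it never produces a finding to clean up, while the ACL check can only tell you after the fact that `marketing-assets` is readable by everyone. A real deployment would feed the detective check from the account's actual bucket ACLs and public access block settings rather than the constructed inventory used here.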
With thousands of organizations opting for and using AWS cloud services, their centralized management service, AWS Control Tower, offers the simplest way to set up and govern multiple AWS accounts securely through its features and established best practices. Provisioning new AWS accounts is as simple as clicking a few buttons, while still conforming to the organization's requirements and policies.