AWS Control Tower: Migrate Current Infra to Control Tower
Publish Date: December 19, 2019
As businesses find it difficult to manage multiple AWS accounts, AWS Control Tower acts as a centralized service to set up and oversee cloud operations through built-in features, blueprints, and best practices.
Why Use AWS Control Tower
A few reasons to use and migrate infrastructure to the AWS Control Tower are listed below.
- When businesses/organizations are new to AWS
- To begin a new cloud environment
- To become familiar with, and build knowledge of, working with AWS cloud technology
AWS Control Tower has features (described below) that help organizations with multiple AWS accounts operate in the cloud with far less effort.
A landing zone is a well-architected multi-account AWS environment with built-in compliance and security best practices. AWS Control Tower automates it using best-practice blueprints for federated access, identity, and account structure. Some of the blueprints implemented in a landing zone are:
- Identity management and federated access via the AWS SSO (Single Sign-On) default directory
- Centralized logging from AWS CloudTrail
- AWS Config data stored in Amazon Simple Storage Service (S3)
- Cross-account security audits enabled through AWS IAM and AWS SSO
The account factory helps standardize the provisioning of new accounts, as it is a configurable account template with pre-approved configurations and region selections. This will enable self-service for builders to configure and provision new accounts using the AWS Service Catalog.
As part of the landing zone setup, businesses can automatically leverage mandatory guardrails. Furthermore, through AWS best practices and common customer policies for governance, a curated set of guardrails are offered by the AWS Control Tower.
- Mandatory guardrails: listed below are a few examples of mandatory guardrails. These disallow/prevent:
  - Public read access to the log archive
  - Changes to IAM roles set up for AWS Control Tower
  - Policy changes to the log archive
- Optional guardrails: guardrails can also be enabled on organizational units (OUs) at any time, and accounts provisioned under an OU with enabled guardrails automatically inherit them. A few guardrails that are strongly recommended:
  - Prevent public write access to Amazon Simple Storage Service (S3) buckets
  - Enable encryption for Amazon Elastic Block Store (EBS) volumes attached to Amazon Elastic Compute Cloud (EC2) instances
  - Disallow access as the root user without multi-factor authentication
Preventive and Detective Guardrails:
With the help of preventive guardrails, businesses not only state their intent but also prevent the deployment of resources that do not conform to the set policies. An example would be enabling AWS CloudTrail in all accounts.
Detective guardrails monitor deployed resources for potential nonconformance. Preventing public read access to Amazon Simple Storage Service (S3) buckets is one such example. Control Tower automatically translates guardrails into granular AWS policies as follows:
- A configuration baseline is established through AWS CloudFormation
- The Control Tower dashboard is updated with each guardrail's status
- Preventive guardrails: service control policies (SCPs) prevent configuration changes to the underlying implementation
- Detective guardrails: AWS Config rules continuously detect configuration changes
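To make the preventive/detective split concrete, here is an added Python model (not Control Tower's own code or policy text) that pairs one preventive guardrail, an SCP-style explicit Deny evaluated with simplified IAM matching, with two detective checks shaped like the AWS Config rules behind the S3 public-write and EBS-encryption guardrails listed above. The bucket name, role ARN, account id and resource snapshots are constructed placeholders.

```python
import fnmatch

# Added example, not AWS Control Tower's own policy text: a hypothetical SCP modeled on the
# preventive "disallow policy changes to the log archive" guardrail (placeholder bucket and role).
LOG_ARCHIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLogArchivePolicyChanges",
        "Effect": "Deny",
        "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketAcl"],
        "Resource": ["arn:aws:s3:::example-log-archive-bucket"],
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": ["arn:aws:iam::*:role/ExampleControlTowerExecutionRole"]}},
    }],
}

def scp_denies(policy, action, resource, principal_arn):
    """True when an explicit Deny matches the call; ArnNotLike exempts listed principals (simplified IAM)."""
    for stmt in policy["Statement"]:
        matches = (stmt["Effect"] == "Deny"
                   and any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"])
                   and any(fnmatch.fnmatchcase(resource, r) for r in stmt["Resource"]))
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if matches and not any(fnmatch.fnmatchcase(principal_arn, e) for e in exempt):
            return True
    return False

# Detective side: evaluators shaped like AWS Config rules, run over constructed resource snapshots.
def evaluate_s3_public_write(bucket):
    """NON_COMPLIANT when an ACL grant gives AllUsers write access and public ACLs are not ignored."""
    public_write = any(g["grantee"] == "AllUsers" and g["permission"] in ("WRITE", "FULL_CONTROL")
                       for g in bucket.get("acl_grants", []))
    blocked = bucket.get("public_access_block", {}).get("IgnorePublicAcls", False)
    return "NON_COMPLIANT" if public_write and not blocked else "COMPLIANT"

def evaluate_ebs_encrypted(volume):
    """NON_COMPLIANT for an unencrypted volume that is attached to an EC2 instance."""
    return "COMPLIANT" if volume.get("Encrypted") or not volume.get("Attachments") else "NON_COMPLIANT"

def demo():
    """Constructed sample API calls and resources; returns each guardrail verdict."""
    admin = "arn:aws:iam::111122223333:role/DeveloperAdmin"
    ct_role = "arn:aws:iam::111122223333:role/ExampleControlTowerExecutionRole"
    bucket = "arn:aws:s3:::example-log-archive-bucket"
    return {
        "admin_put_policy": scp_denies(LOG_ARCHIVE_SCP, "s3:PutBucketPolicy", bucket, admin),
        "ct_role_put_policy": scp_denies(LOG_ARCHIVE_SCP, "s3:PutBucketPolicy", bucket, ct_role),
        "admin_get_object": scp_denies(LOG_ARCHIVE_SCP, "s3:GetObject", bucket + "/x", admin),
        "open_bucket": evaluate_s3_public_write({"acl_grants": [{"grantee": "AllUsers", "permission": "WRITE"}]}),
        "plain_volume": evaluate_ebs_encrypted({"Encrypted": False, "Attachments": ["i-0123456789abcdef0"]}),
    }
```

The SCP check shows the two sides of a preventive guardrail: the Deny stops an account administrator from altering the log archive policy, while the exempted Control Tower role is left untouched, and actions outside the statement are not affected at all.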
The Control Tower dashboard gives constant visibility into the AWS environment. Businesses will be able to view:
- The number of organizational units (OUs) and accounts provisioned
- The number of enabled guardrails
- The status of OUs and accounts checked against the guardrails
- A list of non-compliant resources for the enabled guardrails
To build a new multi-account AWS environment quickly and easily
With just a few clicks, a multi-account setup in the AWS environment can be automated. To configure the AWS management and security services that govern the environment, Control Tower employs blueprints that capture AWS best practices. Blueprints are available for centralized logging, identity management, cross-account security audits, federated access to accounts, workflows for provisioning accounts, and account baselines with network configurations.
Automation and application of set service/operating policies
One of the best features of Control Tower is its guardrails. These are mandatory and strongly recommended high-level rules that enforce your policies using service control policies (SCPs). They also detect policy violations using AWS Config rules, and they remain in effect when new accounts are created or existing accounts are changed. A further advantage is that AWS Control Tower provides a summary of how each account conforms to your enabled policies.
Another benefit that Control Tower offers is an integrated dashboard view. It provides a top-level summary of the policies applied to the AWS environment, with details on the guardrails enabled across your accounts, the accounts provisioned, and compliance at the account level.
With thousands of organizations opting for AWS cloud services, AWS's centralized management service, AWS Control Tower, offers the simplest way to set up and govern multiple AWS accounts securely through its built-in features and established best practices. Provisioning new AWS accounts is as simple as clicking a few buttons, whilst still conforming to the organization's requirements and policies.