Posted On: Jun 6, 2023

Today, AWS Control Tower announced additional landing zone flexibility. Customers can now select whether AWS Control Tower sets up AWS account access with AWS IAM Identity Center (successor to AWS Single Sign-On), or they can self-manage AWS account access with AWS IAM Identity Center or use another method. AWS Control Tower continues to deliver an opinionated configuration following AWS best practices, while recognizing that some customers have existing configurations or bespoke business needs that require deviation from AWS Control Tower’s standard configuration. Customers can opt into Control Tower governed IAM Identity Center directory groups and permissions sets at any time. 

Customers can now adopt core capabilities of AWS Control Tower at their own pace, benefiting from control orchestration, account provisioning, and AWS best practices, while maintaining their existing access structures. Having more flexibility within AWS Control Tower allows customers to set up access so it aligns with their unique needs and workflows, and choose when to integrate AWS IAM Identity Center capabilities with AWS Control Tower. Providing more flexibility within AWS Control Tower’s Identity Center setup empowers customers to align AWS Control Tower with their existing processes, specific requirements, or preferred timelines, enabling them to adopt Control Tower’s governance capabilities gradually and customize them easily. 

For a full list of Regions where AWS Control Tower is available, see the AWS Region Table. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide.