AWS Architecture Blog
Field Notes: AWS Control Tower Governance on Selected Regions and Improved Account Provisioning
Co-written by Kalyan Ghatak, Senior Technical Product Manager and Kishore Vinjam, Partner Solutions Architect at AWS
AWS Control Tower is available in 13 AWS Regions today. As we continue to expand to additional Regions, customers have asked for the ability to choose which Regions AWS Control Tower manages. By selecting only the Regions they actively use, customers can address compliance and regulatory concerns while balancing the cost of the resources AWS Control Tower deploys in each governed Region.
In this blog post, we show you how to use AWS Control Tower Region selection to limit its governance to specific Regions and help meet your compliance and regulatory requirements. We have also made account provisioning faster: depending on your AWS Control Tower Region settings, creating a new AWS account with AWS Control Tower Account Factory can take up to 35% less time.
We reference the following AWS services in this blog post:
Architecture Overview
While launching your AWS Control Tower landing zone, you can choose the Regions you want to limit its governance to. In the following architecture diagram, we selected only two of the 13 supported Regions, specifically us-east-1 and us-east-2. Alternatively, you can select additional supported Regions later, when you update your landing zone.
When you create an AWS account using Account Factory, the blueprints and guardrails are now deployed simultaneously in all selected Regions. Because the deployments run in parallel, the time required to create a new AWS account is shorter. Refer to the Improved account provisioning using AWS Control Tower Account Factory section in this blog for additional details.
Walkthrough
Selecting a Region
We show you how to select supported Regions when you first launch AWS Control Tower and when you update it. When you use Account Factory to create a new account or to enroll an existing account, AWS Control Tower deploys AWS CloudFormation stacks in your chosen Regions. These stacks provide the governance capabilities of centralized logging, monitoring, and detective guardrails in the account.
Workflow 1 – Select specific Regions for governance when creating a new landing zone
- In your management account, navigate to Services, Control Tower.
- Choose Set up landing zone to launch AWS Control Tower.
- On the Set up landing zone page, under Additional AWS Regions for governance – optional, choose from the dropdown the Regions that you want to govern in addition to the home Region.
- Typically, you’ll select the Regions where you plan to run your workloads.
- Your Region Settings will apply to all AWS Control Tower features and to all accounts governed by AWS Control Tower.
You can modify your AWS Control Tower Region settings anytime to govern additional supported Regions in your accounts. Note that you cannot withdraw AWS Control Tower’s governance from a Region after you have enabled it.
If you choose not to extend AWS Control Tower’s governance to a Region, it does not inhibit your users’ ability to deploy AWS resources or workloads into that Region. However, you cannot use AWS Control Tower to monitor or govern such resources or workloads: the logging, monitoring, and detective guardrail stacks are not deployed there. If deployments into non-governed Regions are not acceptable for you, you need a separate control, such as a service control policy (SCP) applied through AWS Organizations, to deny them.
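The two things a practitioner typically wants for the gap described above are (1) a way to block activity in Regions that AWS Control Tower does not govern and (2) a check that surfaces write activity that has already happened there. The following Python is an added example, not code from the blog post or from AWS Control Tower itself. It assumes the blog's two governed Regions (us-east-1 and us-east-2), an illustrative and deliberately short list of global-service actions to exempt from the deny, and a handful of constructed CloudTrail-style records with a fictitious account ID; the SCP it builds uses the standard `aws:RequestedRegion` condition key and is evaluated by a small helper that mirrors the IAM rule that an explicit Deny wins.

```python
import json
from collections import Counter
from fnmatch import fnmatchcase

# Regions this landing zone governs. Assumed values taken from the blog's
# example: home Region us-east-1 plus us-east-2.
GOVERNED_REGIONS = ["us-east-1", "us-east-2"]

# Services whose API calls are global (signed for us-east-1 or carrying no
# Region) and must not be blocked by a Region deny. Illustrative list, not
# exhaustive; extend it for the global services your accounts actually use.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "organizations:*", "sts:*", "support:*",
    "cloudfront:*", "route53:*", "budgets:*", "account:*",
]


def build_region_deny_scp(governed_regions, exempt_actions=GLOBAL_SERVICE_ACTIONS):
    """Build an SCP (as a dict) that denies every non-exempt action whose
    aws:RequestedRegion is outside the governed set. This is an example
    policy of our own design, not one that Control Tower emits."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideGovernedRegions",
                "Effect": "Deny",
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(governed_regions)}
                },
            }
        ],
    }


def denied_by_scp(scp, action, region):
    """Evaluate one request (IAM action string, target Region) against the
    Deny statements produced by build_region_deny_scp. Returns True when an
    explicit Deny applies. Only the NotAction + StringNotEquals shape built
    above is understood; it is not a general IAM policy evaluator."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        exempt = any(fnmatchcase(action, p) for p in stmt.get("NotAction", []))
        allowed_regions = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if not exempt and region not in allowed_regions:
            return True
    return False


# Constructed CloudTrail-style records (fictitious account ID and ARNs),
# shaped like the fields a real trail writes: eventName, awsRegion, readOnly.
SAMPLE_EVENTS = [
    {"eventName": "RunInstances", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"}},
    {"eventName": "DescribeInstances", "awsRegion": "eu-west-1", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"}},
    {"eventName": "RunInstances", "awsRegion": "eu-west-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"}},
    {"eventName": "CreateBucket", "awsRegion": "eu-west-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/bob"}},
    {"eventName": "CreateFunction20150331", "awsRegion": "ap-southeast-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Developer/bob"}},
    {"eventName": "CreateUser", "awsRegion": "us-east-1", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/Admin/carol"}},
]


def find_ungoverned_writes(events, governed_regions):
    """Count write (non-readOnly) API calls per Region outside governance.
    Returns {region: count}; an empty dict means nothing was changed in a
    Region where Control Tower's guardrails and logging are absent."""
    governed = set(governed_regions)
    counts = Counter(
        ev["awsRegion"] for ev in events
        if not ev.get("readOnly", False) and ev["awsRegion"] not in governed
    )
    return dict(counts)


if __name__ == "__main__":
    scp = build_region_deny_scp(GOVERNED_REGIONS)
    print(json.dumps(scp, indent=2))
    print(find_ungoverned_writes(SAMPLE_EVENTS, GOVERNED_REGIONS))
    print(denied_by_scp(scp, "ec2:RunInstances", "eu-west-1"))
```

Two caveats when you use a policy like this: SCPs never apply to the management account, so the check on CloudTrail records is still worth running there, and the read-only filter in `find_ungoverned_writes` deliberately ignores Describe/List calls, because a user probing a non-governed Region is not the same as a resource being created in one.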
Workflow 2 – Extend governance to additional Regions during landing zone update
- In your management account, navigate to Services, Control Tower.
- From the left side bar, choose Landing zone settings.
- Under Versions, select the landing zone version and choose Update.
- On the Update your landing zone and govern into new Regions page, expand Additional AWS Regions for governance – optional and select desired additional Regions.
- Select the check box under Agree to terms.
- Choose Update landing zone.
Improved account provisioning using AWS Control Tower Account Factory
AWS recently announced that AWS CloudFormation StackSets deploys stacks to multiple AWS Regions in parallel, instead of deploying them serially Region by Region. This has reduced the time Account Factory takes to create and provision a new AWS account when AWS Control Tower governs multiple Regions.
For example, in our lab tests, we configured AWS Control Tower to govern 10 Regions, created an organizational unit (OU), and enabled 10 detective guardrails on the OU. We observed that the time Account Factory took to create and provision new accounts in the OU decreased by up to tens of minutes, an improvement of up to 35%.
Your performance improvements may vary depending on your use case, including the number of Regions under AWS Control Tower governance. The number of AWS Control Tower detective guardrails enabled on the parent OU where the account is placed may also impact overall performance.
Conclusion
You can now configure AWS Control Tower to govern selected AWS Regions to help meet your compliance and regulatory requirements. When governing multiple Regions, AWS Control Tower Account Factory can take up to 35% less time to create a new account, thereby reducing the time to onboard your business users or workloads.
Field Notes provides hands-on technical guidance from AWS Solutions Architects, consultants, and technical account managers, based on their experiences in the field solving real-world business problems for customers.