Solutions integrated with AWS Control Tower are now available in AWS Marketplace
AWS Marketplace now offers a new category of solutions to help you integrate third-party software with AWS Control Tower. AWS Control Tower provides a way to set up and govern a new, secure, multi-account AWS environment. It is based on best practices established through AWS's experience working with thousands of enterprises as they move to the cloud. These solutions help solve common infrastructure and operational use cases, including identity management, security for a multi-account environment, centralized networking, operational intelligence, and Security Information and Event Management (SIEM). They work together with AWS Control Tower to provide a way to set up and govern a new, secure, multi-account AWS environment. In this blog post, Kishore, Steph, and I provide an overview of AWS Control Tower and talk about different use cases that can be built with third-party software solutions on AWS Marketplace.
My customers have said that they are looking for advice on how to integrate native and third-party solutions before deploying workloads in their accounts. While not every environment is the same, for many common use cases, the most needed services and third-party offerings are fairly static. So AWS worked with software vendors to build software solutions that integrate with AWS Control Tower. These solutions use native functionality such as Lifecycle Events and centralized Amazon Simple Storage Service (Amazon S3) logs to store AWS Config and AWS CloudTrail logs. Other common needs include a centralized network hub, centralized identity, observability, workload protection, and infrastructure monitoring of AWS and on-premises environments using third-party tools.
Each software solution includes a step-by-step setup guide with architectural guidance for a multi-account scenario and reference code. This streamlines the operation and management of applications in your AWS Cloud at scale.
AWS Marketplace Solutions for AWS Control Tower are now available from the following sellers: AlertLogic, Aviatrix, CrowdStrike, Dome9, Logz.io, New Relic, OneLogin, Splunk, Sumo Logic, Tenable, and Trend Micro. Refer to the following image.
Standardized services framework provided by AWS Control Tower
AWS recommends its customers build a multi-account environment using the AWS Multi Account Strategy. Best practices in a well-architected AWS environment include isolating or segregating workloads in different AWS accounts. AWS Control Tower provides a framework to set up and extend a well-architected, multi-account AWS environment based on security and compliance best practices.
When you deploy AWS Control Tower on your AWS account, here is what happens:
- An organization in AWS Organizations is created, unless one is already established.
- Two organizational units (OUs) are created. One (the Core OU) is for shared accounts and the other (the Custom OU) is for accounts that can be provisioned.
- A cloud-native directory is established with preconfigured groups and AWS Single Sign-On (AWS SSO) access.
- Baselines and guardrails are enabled across all accounts using AWS CloudFormation StackSets.
- Account Factory, an AWS Service Catalog product for provisioning new accounts, is provided.
Refer to the following diagram.
When you provision new AWS accounts using Account Factory, it creates new AWS accounts with a baseline security posture enabled by preventive and detective guardrails. As part of the account baseline, AWS Control Tower automatically:
- Creates the log archive account in the Core OU. This account contains an Amazon S3 bucket that stores the AWS CloudTrail and AWS Config logs for all AWS accounts created using Account Factory.
- Creates the audit account in the Core OU, which contains the following:
  - Amazon Simple Notification Service (Amazon SNS) topics that other services can subscribe to.
  - An AWS Config aggregator that monitors the detective guardrails applied to the AWS accounts enrolled in AWS Control Tower.
- For Custom OUs and provisioned accounts:
  - Provides federated access to accounts using AWS SSO.
  - Enables guardrails that protect the resources deployed by AWS Control Tower and detect non-compliance across multiple accounts.
  - Generates lifecycle events, which enable you to configure additional custom automations as part of new account creation.
  - Optionally creates network resources, depending on your selections in the Account Factory network configuration.
Refer to the following diagram.
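The lifecycle events mentioned above are the hook that third-party integrations (and your own automation) use to react when Account Factory finishes creating an account. The following is an added example, not code from this post or from any of the listed sellers: an Amazon EventBridge rule pattern plus a small AWS Lambda handler that accepts the CreateManagedAccount lifecycle event, rejects anything that is not such an event, and only proceeds to onboarding when the account creation state is SUCCEEDED. The event layout follows the documented Control Tower lifecycle event delivered through EventBridge; every identifier in the sample event is constructed, and the onboarding step is a placeholder log line rather than a real SDK call.

```python
"""Handle AWS Control Tower lifecycle events for new-account automation.

Added example, not code from the blog post or from any Marketplace seller.
The event shape follows the documented CreateManagedAccount lifecycle
event as delivered by Amazon EventBridge; all sample values are constructed.
"""
import json

# EventBridge rule pattern that matches only CreateManagedAccount
# lifecycle events emitted by Control Tower (both SUCCEEDED and FAILED).
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}


def is_create_managed_account_event(event: dict) -> bool:
    """True only for a Control Tower CreateManagedAccount lifecycle event."""
    return (
        event.get("source") == "aws.controltower"
        and event.get("detail", {}).get("eventName") == "CreateManagedAccount"
    )


def parse_lifecycle_event(event: dict) -> dict:
    """Extract account and OU details from a CreateManagedAccount event.

    Raises ValueError for any other event, so a misrouted or spoofed
    message is rejected instead of being treated as a new account.
    """
    if not is_create_managed_account_event(event):
        raise ValueError("not a Control Tower CreateManagedAccount event")
    status = event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]
    return {
        "state": status["state"],
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_id": status["organizationalUnit"]["organizationalUnitId"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
        "message": status.get("message", ""),
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point for a Lambda function targeted by the EventBridge rule."""
    info = parse_lifecycle_event(event)
    if info["state"] != "SUCCEEDED":
        # A FAILED creation must not trigger onboarding; surface it instead.
        print(json.dumps({"action": "skip", **info}))
        return {"onboarded": False, **info}
    # Hypothetical onboarding hook: a real integration would act on the new
    # account here (for example, enrolling it with a SIEM or a workload
    # protection agent). Kept as a log line so the example runs offline.
    print(json.dumps({"action": "onboard", **info}))
    return {"onboarded": True, **info}


# Constructed sample event: shaped like a real lifecycle event, with
# made-up account and OU identifiers.
SAMPLE_EVENT = {
    "version": "0",
    "detail-type": "AWS Service Event via CloudTrail",
    "source": "aws.controltower",
    "account": "111111111111",
    "region": "us-east-1",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "eventType": "AwsServiceEvent",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {
                    "organizationalUnitName": "Custom",
                    "organizationalUnitId": "ou-example-00000000",
                },
                "account": {
                    "accountName": "workload-dev",
                    "accountId": "222222222222",
                },
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
            }
        },
    },
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT))
```

Checking both the event source and the eventName before reading the payload matters because the Lambda function typically runs in the management account with permissions to touch newly created accounts; it should act only on events that Control Tower itself produced.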
Solutions to address operational readiness and excellence
These software solutions integrated with AWS Control Tower simplify multi-account management to help you streamline the operation and management of applications in AWS at scale. To help you identify which services to use for each unique project or use case, visit the Solutions for AWS Control Tower in AWS Marketplace landing page. There you will find key use cases for implementation that help address both your operational readiness and your operational excellence.
As you begin your journey to AWS, establish a framework that automates identity, networking, and security requirements at scale. Key use cases include:
- Security in a multi-account environment
- Identity management in a multi-account environment
- Network orchestration
Once you establish a framework, you can enhance your security posture by integrating software solutions for AWS Control Tower. These solutions provide deeper insights into new environments and workloads as they are provisioned. Key use cases include:
If you want to get started on AWS or are in the process of building your Landing Zone, visit Getting Started with AWS Control Tower. This page offers guidance on building a well-architected AWS environment. You can integrate Solutions for AWS Control Tower in AWS Marketplace by using the implementation guides that accompany each solution. These solutions help make your AWS environment ready for your applications. To browse available use cases and solutions, visit Solutions for AWS Control Tower in AWS Marketplace. If you have software solutions you would like to offer to Solutions for AWS Control Tower customers, contact the Sales Specialist team at firstname.lastname@example.org.
About the authors
Kishore Vinjam is a Partner Solutions Architect focusing on AWS Service Catalog, AWS Control Tower, and AWS Marketplace. He is passionate about working in cloud technologies, and working with customers and building solutions for them. When not working, he likes to spend time with his family, hike, and play volleyball and ping-pong.
Sandeep Kashyap is a Sr Business Development Manager at AWS working with AWS Control Tower and AWS Service Catalog. In his role, Sandeep works with customers to help them adopt cloud management best practices such as multi-account frameworks using AWS Control Tower and Infrastructure as code with AWS Service Catalog. Sandeep also works with partners to integrate Independent Software Vendor Solutions with AWS Services in the management and tools category.
Steph Barthel is a Senior Digital Content Strategist on the AWS Marketplace team. In her role, she works to develop educational content and resources for customers to help them make informed purchasing decisions. With a background in both education and marketing, Steph is passionate about bringing her experience together to help customers navigate cloud software purchasing.