AWS Cloud Operations & Migrations Blog

Use AWS Control Tower to Simplify Governance in AWS GovCloud (US) Regions

Customers often tell us about the challenges they face managing multi-account environments in AWS GovCloud regions. Many of these customers are using AWS Control Tower to simplify their account governance and they’ve asked us to extend the same benefits to AWS GovCloud regions.

On October 19, 2022, we announced the general availability of AWS Control Tower in AWS GovCloud regions. Customers can now use AWS Control Tower to set up landing zones and establish a baseline multi-account environment in their GovCloud organizations. In this post, we’ll show you how to provision a landing zone and start adding your GovCloud accounts to AWS Control Tower.

Features being released

AWS Control Tower in GovCloud includes the following features:

  • Landing zone – A landing zone is a well-architected environment and the enterprise-wide container that holds all of your organizational units (OUs), accounts, users, and other resources that you want to be subject to compliance regulation.
  • Controls – A control (sometimes called a guardrail) is a high-level rule that provides ongoing governance for your overall AWS environment. Controls can be preventive, blocking unauthorized actions, or detective, alerting administrators to a violation. For more information about controls, see How Controls Work.
  • Dashboard – The dashboard offers continuous oversight of your landing zone to your team of central cloud administrators. Use the dashboard to see provisioned accounts across your enterprise, controls enabled, and noncompliant resources organized by accounts and OUs.

You can learn more about AWS Control Tower features in the AWS Control Tower User Guide.

Customers familiar with AWS Control Tower in the standard partition may notice that the Account Factory feature is not included in this release. Instead, customers can extend governance to existing GovCloud accounts by adding them to Organizational Units (OUs) that have been registered with AWS Control Tower. You can learn more about AWS Control Tower differences for GovCloud in the AWS GovCloud User Guide.

Setting up AWS Control Tower in GovCloud

In this post, we demonstrate how you can start using AWS Control Tower in your AWS GovCloud environment to govern your multi-account environment by first establishing a new landing zone. We then show you how to enroll your existing GovCloud accounts in AWS Control Tower.

Prerequisites

AWS Control Tower is built on AWS Organizations and you will need to have a multi-account organization established in GovCloud before creating your landing zone. Your organization must include the following GovCloud accounts:

  • Management Account – This is the account used to create the organization and will be used to manage your landing zone.
  • Log Archive Account – This account will serve as a log repository for API activities and resource configurations performed on accounts governed by AWS Control Tower.
  • Audit Account – The audit account is a restricted account that provides your security and compliance teams read and write access to all accounts in your landing zone. From the audit account, you have programmatic access to review accounts.

You can learn more about how these accounts are used in the Accounts section of the AWS Control Tower User Guide. For information on creating GovCloud accounts and multi-account environments, see the AWS GovCloud User Guide and the AWS Organizations User Guide.

Setting up the landing zone

The landing zone is an overall multi-account environment that AWS Control Tower sets up for you and it’s where you’ll come to manage your controls.

  1. Log into the GovCloud account that is serving as your organization’s management account. Access the AWS Control Tower service and click Set up landing zone.

Figure 1. AWS Control Tower service landing page, with a Set up landing zone button in the upper right

  2. Review the pricing information and select your home GovCloud region. Please note that you will not be able to change your home region after setting up your landing zone. You can find guidance on selecting a home region in the AWS Control Tower User Guide.
  3. Select the Regions to govern in addition to the home region. Typically you’ll select Regions in which you plan to run workloads. Click Next.

Figure 2. Additional AWS Regions selection box, a dropdown list with check-box options for US-Gov-East and US-Gov-West

  4. In the next section, you’ll define the OUs that AWS Control Tower creates. AWS Control Tower will create a Foundational OU that contains the GovCloud accounts you designate for Logging and Audit. Unlike AWS Control Tower in the standard partition, AWS Control Tower in GovCloud will not create the Logging and Audit accounts for you. You will need to create the prerequisite accounts and add them to your Organization.

You also have the option to create additional OU(s). You may also create additional OUs after your landing zone is set up. Click Next.

  5. Enter the AWS GovCloud account IDs for your Logging and Audit accounts. The account email and name will populate automatically. Click Next.

Figure 3. Log archive and Audit account setup, showing Account ID, Account email, and Account name fields for the Log archive account and the Audit account

  6. Review your CloudTrail configuration and click Next.
  7. Review the information and click Set up landing zone. The process will take up to an hour to complete.

Figure 4. Landing zone is now available notification, stating that 2 organizational units, 3 shared accounts, and 20 preventive controls were established

After your landing zone is created, you’re ready to enroll additional accounts to AWS Control Tower.

Enrolling accounts

You can extend your landing zone’s governance to existing GovCloud accounts within your organization by enrolling them through AWS Control Tower. There are two approaches we suggest.

  • Enroll individual accounts – This approach requires that a prerequisite IAM role be added to each account being enrolled. This method is preferred when you have a relatively small number of accounts to enroll compared to the number of already enrolled accounts within the OU.
  • Bulk account enrollment – In this approach, you re-register the OU containing the un-enrolled accounts. This approach has fewer steps; however, re-registration can take a considerable amount of time to complete if you have many accounts within the OU. This method is ideal for initial enrollment or when there are relatively few accounts within the OU.

Enrolling individual accounts

Prerequisite

You will need to manually add the AWSControlTowerExecution role to the account being enrolled. The role is assumed by the management account and carries administrative permissions in the member account, so its trust policy must name only your management account, and in GovCloud the principal ARN must use the aws-us-gov partition. Please see the Prerequisites for enrollment section of the AWS Control Tower User Guide for instructions on how to do this.
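The following script is an added example, not code from the original post or from AWS. It builds the trust policy for the AWSControlTowerExecution role as the enrollment prerequisite describes it (trusted by the management account, holding AdministratorAccess), checks that the policy is pinned to the management account's GovCloud ARN rather than a wildcard or a commercial-partition ARN copied from the standard-partition docs, and optionally creates the role with boto3 when run with credentials for the member account. The account ID and the `apply` argument are constructed placeholders.

```python
"""Build and sanity-check the AWSControlTowerExecution trust policy for a GovCloud member account.

Added example (not from the post or AWS). Assumes the documented enrollment prerequisite:
a role named AWSControlTowerExecution, assumable only by the management account, with
AdministratorAccess attached. Account IDs here are constructed placeholders.
"""
import json
import re
import sys

ROLE_NAME = "AWSControlTowerExecution"
GOVCLOUD_PARTITION = "aws-us-gov"  # GovCloud ARNs use this partition, not "aws"
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


def build_trust_policy(management_account_id, partition=GOVCLOUD_PARTITION):
    """Return the trust policy that lets only the management account assume the role."""
    if not ACCOUNT_ID_RE.match(management_account_id):
        raise ValueError(f"management account ID must be 12 digits, got {management_account_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:{partition}:iam::{management_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def admin_policy_arn(partition=GOVCLOUD_PARTITION):
    """ARN of the AWS managed AdministratorAccess policy in the given partition."""
    return f"arn:{partition}:iam::aws:policy/AdministratorAccess"


def trust_policy_problems(policy, management_account_id, partition=GOVCLOUD_PARTITION):
    """Return a list of findings; an empty list means the trust policy is pinned correctly.

    Flags wildcard principals, principals other than the management account root
    (including the same account in the wrong partition), non-AWS principal types,
    actions other than sts:AssumeRole, and a policy with no Allow statement at all.
    """
    expected = f"arn:{partition}:iam::{management_account_id}:root"
    problems = []
    allow_seen = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        allow_seen = True
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a dict whose "AWS" value is a string or a list
        if principal == "*":
            principals = ["*"]
        else:
            aws = principal.get("AWS", [])
            principals = [aws] if isinstance(aws, str) else list(aws)
            for key in principal:
                if key != "AWS":
                    problems.append(f"non-AWS principal type {key!r} should not be trusted")
        for p in principals:
            if p == "*":
                problems.append("wildcard principal: any AWS account could assume the role")
            elif p != expected:
                problems.append(f"unexpected principal {p}; expected {expected}")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        for a in actions:
            if a != "sts:AssumeRole":
                problems.append(f"unexpected action {a}; only sts:AssumeRole is needed")
    if not allow_seen:
        problems.append("no Allow statement: the management account cannot assume the role")
    return problems


def create_role(management_account_id, partition=GOVCLOUD_PARTITION):
    """Create the role in the member account. Needs credentials for that account; boto3 is
    imported lazily so the rest of the module works offline."""
    import boto3  # assumption: boto3 is installed in the environment where this is applied
    policy = build_trust_policy(management_account_id, partition)
    problems = trust_policy_problems(policy, management_account_id, partition)
    if problems:
        raise RuntimeError("refusing to create role: " + "; ".join(problems))
    iam = boto3.client("iam")
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(policy))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=admin_policy_arn(partition))


if __name__ == "__main__":
    mgmt = sys.argv[1] if len(sys.argv) > 1 else "123456789012"  # constructed placeholder
    print(json.dumps(build_trust_policy(mgmt), indent=2))
    if len(sys.argv) > 2 and sys.argv[2] == "apply":
        create_role(mgmt)
```

Run without arguments to print the trust policy for review (it can be passed to `aws iam create-role --assume-role-policy-document file://trust.json` from the member account); pass `<management-account-id> apply` to create the role and attach AdministratorAccess via boto3. The `trust_policy_problems` check is the part worth keeping in a pipeline: because the role grants full administrative access, a trust policy that names a wildcard or an `arn:aws:` principal is a cross-account takeover path, not a typo.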

Steps

  1. Access the Control Tower Organization dashboard from your management account.
  2. Select the desired account and click Enroll.
  3. You will be prompted to select a registered OU for the account to reside in. Click Enroll.

Once enrolled, the account is subject to the controls defined by the AWS Control Tower landing zone.

Bulk account enrollment

  1. Access the Control Tower Organization dashboard from your management account.
  2. Select the OU containing the accounts and click Actions. Select Re-register organizational unit.
  3. Review the risks and expectations page, acknowledge the progress expectations, and click Re-Register OU. Please note that you will not be able to perform any actions in AWS Control Tower while the OU is being registered.

Once the re-registration process completes, all accounts within the OU are subject to the controls defined by the AWS Control Tower landing zone.

Summary

In this post, we introduced AWS Control Tower for GovCloud regions and showed how you can set up a landing zone. We also covered two methods for enrolling accounts in your AWS Control Tower environment. There is no charge for the AWS Control Tower service; you pay only for the AWS resources that it creates on your behalf.

Use AWS Control Tower to simplify your multi-account governance in AWS GovCloud regions today.

About the author:

Leno Piperi

Leno Piperi is a Solutions Architect who specializes in supporting public sector customers on AWS Marketplace. His professional interests include cloud governance and serverless computing on AWS. When he’s not in the office delighting customers, you’ll find him skiing or camping in the Cascades.

Tuan Vo

Tuan Vo is a Marketplace Specialist Solutions Architect who focuses on supporting sellers to list their products on AWS Marketplace. He supports large enterprises and public sector customers. Outside of work, Tuan enjoys traveling, trying out new food, and going on walks.