AWS Cloud Operations Blog
Category: Enterprise governance and control
Automate enrollment of accounts with existing AWS Config resources into AWS Control Tower
Customers who deployed AWS Control Tower in their existing organization will begin enrolling existing member accounts located under Organization Units (OU) to bring those accounts under the governance of Control Tower. In most cases, the customer has already enabled AWS Config to record, and evaluate AWS resource configurations in existing accounts. Previously, customers who would want […]
Organizing your AWS Control Tower landing zone with nested OUs
AWS Control Tower provides the easiest way for you to set up and govern your AWS environment, or landing zone, following prescriptive AWS best practices managed on your behalf. AWS Control Tower orchestrates multiple AWS services (AWS Organizations, AWS CloudFormation StackSets, Amazon S3, AWS Single Sign-On, AWS Config, AWS CloudTrail) to build a landing zone […]
Manage AWS account alternate contacts with Terraform
Managing AWS billing, support and service team notifications, and potential security events are critical for customers to ensure security, cost optimization and operational monitoring for their AWS deployments. Alternate contacts allow us to contact another person about issues with your account at the right time, even if you’re unavailable. AWS will send you operational notifications such […]
Root and Nested Organizational Unit Support for Customizations for AWS Control Tower
Customers often use AWS accounts as a boundary to segregate their workloads, environments, business units, compliance requirements, or any type of logical isolation that suits their business. An AWS account serves as a hard boundary by design – each account is its own logical entity with controls, limits, and guardrails. Large customers typically have many […]
Identity Guide – Preventive controls with AWS Identity – SCPs
AWS Identity offers a set of features that let customers apply preventive controls to their AWS environment. This includes AWS Organizations service control policies (SCPs). For you to achieve common preventive controls, SCPs provide preventative enforcement by offering central control over the maximum available permissions for all accounts in your organization. SCPs affect all users and roles […]
Migrate AWS Landing Zone solution to AWS Control Tower
Customers who wanted to quickly set up a secure, compliant, multi-account AWS environment had adopted AWS Landing Zone solution (ALZ). To reduce the burden of managing this ALZ, AWS has announced a managed service – AWS Control Tower (Control Tower). AWS Control Tower creates your landing zone using AWS Organizations, thereby bringing together ongoing account […]
Extending your Control Tower Network security with Amazon Route 53 DNS Firewall
In our previous post, “Securely scale multi-account architecture with AWS Network Firewall and AWS Control Tower”, we described how AWS Network Firewall can be implemented in an AWS Control Tower environment. AWS Network Firewall provides a stateful, managed firewall with rules to filter and block network and application layer traffic coming to your applications. Centralized […]
Migrating accounts between AWS Organizations with consolidated billing to all features
Customers start their cloud journey with one AWS account, and over time they deploy many resources within it before utilizing more accounts. Prior to the launch of AWS Organizations in 2017, customers received a consolidated bill for all of these accounts. The launch of AWS Organizations meant these customers were provided with an organization that […]
Programmatically managing alternate contacts on member accounts with AWS Organizations
Today, we are making it easier for you to manage the alternate contacts (billing, operations, and security) on your member accounts in AWS Organizations. You can now programmatically manage your account alternate contact information in addition to the existing experience in the AWS console. This launch ensures that the right individuals receive important AWS notifications […]
Using AWS CloudTrail to propagate tags across related AWS resources – Part 1
AWS allows customers to assign metadata to their AWS resources in the form of tags. Each tag consists of a customer-defined key and an optional value. Tags can make it easier to manage, search for, and filter resources by purpose, owner, environment, or other criteria. AWS tags can be used for many purposes like organizing […]