AWS Cloud Operations & Migrations Blog

Category: AWS Control Tower

Automate enrollment of accounts with existing AWS Config resources into AWS Control Tower

Customers who deployed AWS Control Tower in their existing organization will begin enrolling existing member accounts located under Organization Units (OU) to bring those accounts under the governance of Control Tower. In most cases, the customer has already enabled AWS Config to record, and evaluate AWS resource configurations in existing accounts. Previously, customers who would want […]

Organizing your AWS Control Tower landing zone with nested OUs

AWS Control Tower provides the easiest way for you to set up and govern your AWS environment, or landing zone, following prescriptive AWS best practices managed on your behalf. AWS Control Tower orchestrates multiple AWS services (AWS Organizations, AWS CloudFormation StackSets, Amazon S3, AWS Single Sign-On, AWS Config, AWS CloudTrail) to build a landing zone […]

Root and Nested Organizational Unit Support for Customizations for AWS Control Tower

Customers often use AWS accounts as a boundary to segregate their workloads, environments, business units, compliance requirements, or any type of logical isolation that suits their business. An AWS account serves as a hard boundary by design – each account is its own logical entity with controls, limits, and guardrails. Large customers typically have many […]

Migrate AWS Landing Zone solution to AWS Control Tower

Customers who wanted to quickly set up a secure, compliant, multi-account AWS environment had adopted AWS Landing Zone solution (ALZ). To reduce the burden of managing this ALZ, AWS has announced a managed service – AWS Control Tower (Control Tower). AWS Control Tower creates your landing zone using AWS Organizations, thereby bringing together ongoing account […]

Extending your Control Tower Network security with Amazon Route 53 DNS Firewall

In our previous post, “Securely scale multi-account architecture with AWS Network Firewall and AWS Control Tower”, we described how AWS Network Firewall can be implemented in an AWS Control Tower environment. AWS Network Firewall provides a stateful, managed firewall with rules to filter and block network and application layer traffic coming to your applications. Centralized […]

Illustration of the flow of actions between accounts for the Security Hub account association handshake.

Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events

Important Update: As of 23 Nov 2020 the Security Hub service was updated to support direct integration with AWS Organizations. Lifecycle events are no longer the recommended way to enable Security Hub. Please utilize Security Hub’s native integration with AWS Organizations. You can also refer to this blog, which walks through how to enable GuardDuty […]

Migrating custom Landing Zone with RAM to AWS Control Tower

Migrating custom Landing Zone with RAM to AWS Control Tower

The AWS Landing Zone is a solution that helps customers accelerate the setting up of a secure, multi-account AWS environment based on AWS best practices. In June 2019, AWS launched AWS Control Tower. AWS Control Tower is a managed AWS service that automates the creation of a multi-account AWS environment based upon the AWS Well-Architected […]

Infosys implements AWS Control Tower to enforce multi-account governance

Infosys implements AWS Control Tower to enforce multi-account governance

Today, most enterprises adopt a multi-account strategy on AWS as their workloads scale and become more complex. Because the number of AWS accounts can grow quickly when you use a multi-account strategy, you need mechanisms to govern these accounts and standard guardrails to enforce controls across them. In this blog post, we are going to […]

Developing, versioning, testing, and deploying landing zone changes using CfCT across multiple landing zones

Developing, versioning, testing, and deploying landing zone changes using CfCT across multiple landing zones

Enterprise customers often ask how they can minimize risk when they’re developing and testing a landing zone configuration. They also want to know how they can promote code between multiple landing zones. ­AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. Customers who […]

Using AWS Control Tower and AWS Service Catalog to automate Control Tower lifecycle events

Many enterprise customers who use AWS Control Tower to create accounts want a way to extend the account creation process. They want this process to cover common business use cases including the creation of networks, security profiles, governance, and compliance. A manual process manually is cumbersome and makes it difficult for the organization to respond […]