AWS Management & Governance Blog

Category: AWS Control Tower

Customizing account configuration with AWS Control Tower lifecycle events

Customizing account configuration with AWS Control Tower lifecycle events

In this blog post, we show how to customize the networking configuration in an AWS account. For example by deleting the default VPCs in all AWS Regions, using AWS Resource Access Manager to share the appropriate VPC subnets and using AWS Firewall Manager to apply security groups to VPCs in the account.

Read More

Manage Control Tower life cycle actions intelligently using AWS Service Catalog, AWS Config, Amazon DynamoDB and AWS CloudFormation

As customers create and manage multi-account AWS environments, cloud administrators need to process where each account can apply configuration autonomously from a centralize configuration repository. Some of the customers I work with use AWS Control Tower to manage a multi account environment. Administrators use AWS Control Tower to create organization units for account grouping and […]

Read More

AWS CloudFormation StackSet Orchestration: Automated deployment using AWS Step Functions

We often use AWS CloudFormation StackSets to automatically deploy infrastructure into many different accounts. Whether they are managed by AWS Control Tower or AWS Organizations, StackSets provide a simple and automated way to handle the creation of resources and infrastructure right after provisioning a new account. You can automatically deploy StackSets to accounts that belong […]

Read More

Enabling Amazon GuardDuty in AWS Control Tower using Delegated Administrator

My customers have asked how to monitor their AWS environments for potential malicious activity. Many have standardized on using AWS Control Tower to implement a multi-account framework that is governed and based on known AWS best practices. They are also interested in enabling Amazon GuardDuty to supplement this with effective monitoring capabilities. This post shows […]

Read More

Extend AWS Control Tower governance using AWS Config Conformance Packs

As many customers adopt AWS Control Tower, they have asked Raphael and me how to add additional governance policies such as the NIST Cybersecurity Framework (CSF) to their environments on top of the guardrails that AWS Control Tower provides. Customers want to enable these additional policies on the AWS Regions where AWS Control Tower is […]

Read More

Automating Service Limit Increases and Enterprise Support with AWS Control Tower

In this post, we show how you can use Account Factory in AWS Control Tower to provision new accounts that are ready for your teams to use. We demonstrate how you can use AWS Control Tower lifecycle events to automatically request regional service quota limit increases and enrollment in AWS Enterprise Support using the respective […]

Read More
Solution architecture for Batch account creation using AWS Control Tower

How to automate the creation of multiple accounts in AWS Control Tower

Many customers that we work with are creating and provisioning new accounts using AWS Control Tower. AWS Control Tower is an AWS managed service that automates the creation of a well-architected multi-account AWS environment. AWS Control Tower’s Account Factory is currently a single-threaded process, and customers must allow for the current account creation process to […]

Read More
AWS IAM Access Analyzer and AWS Control Tower Featured Image

Enabling AWS IAM Access Analyzer on AWS Control Tower accounts

Many of the customers we work with look for ways to manage compliance and gain additional insights across their AWS multi-account organization from a central location. We often begin the discussion with AWS Control Tower, as it offers the easiest way to set up and govern a multi-account AWS environment. AWS Control Tower is an […]

Read More

Implementing Serverless Transit Network Orchestrator (STNO) in AWS Control Tower

Introduction Many of the customers that we have worked with are using advanced network architectures in AWS for multi-VPC and multi-account architectures. Placing workloads into separate Amazon Virtual Private Clouds (VPCs) has several advantages, chief among them isolating sensitive workloads and allowing teams to innovate without fear of impacting other systems. Many companies are taking […]

Read More