General

Q: What is AWS Control Tower?
AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.

Q: Who should use AWS Control Tower?
If you want to create or manage your multi-account AWS environment with best practices, use AWS Control Tower. It offers prescriptive guidance to govern your AWS environment at scale. It gives you control over your environment without sacrificing the speed and agility AWS provides for builders. You will benefit if you are building a new AWS environment, starting out on your journey on AWS, starting a new cloud initiative, are completely new to AWS, or if you have an existing multi-account AWS environment but prefer a solution with built-in blueprints and guardrails.

Q: What are the benefits of AWS Control Tower?
Distributed teams can provision new AWS accounts quickly, while cloud IT has the peace of mind of knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply pre-packaged policies organization-wide or to specific groups of accounts.

Q: What features does AWS Control Tower provide?
AWS Control Tower automates the creation of a landing zone with best-practices blueprints that configure AWS Organizations for a multi-account structure, provide identity management using AWS IAM Identity Center (successor to AWS SSO), provide federated access using IAM Identity Center console, create a central log archive using AWS CloudTrail and AWS Config, enable security audits across accounts using IAM Identity Center, implement network configurations using Amazon Virtual Private Cloud (Amazon VPC), and define workflows for provisioning accounts using AWS Service Catalog and associated Control Tower solutions.

AWS Control Tower offers “guardrails” for ongoing governance of your AWS environment. Guardrails provide governance controls by preventing deployment of resources that don’t conform to selected policies or detecting non-conformance of provisioned resources. AWS Control Tower automatically implements guardrails using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config rules to continuously detect non-conformance.

AWS Control Tower offers a dashboard for continuous oversight of your multi-account environment. You get visibility into provisioned accounts across your organization. Dashboards provide reports on detective and preventive guardrails you have enabled on your accounts, and they give you the status of resources that don’t comply with policies you have enabled through guardrails.

Q: Can I use AWS Control Tower to meet industry compliance standards (such as HIPAA, PCI, SOC-1, SOC-2)?
Out-of-the-box guardrails offered by AWS Control Tower are not intended to meet regulatory compliance standards (such as HIPAA, PCI, SOC-1, or SOC-2). Control Tower guardrails represent a set of AWS best-practices policies for governing your AWS environment through rules such as disallowing configuration changes to log archive, and requiring account activity to be logged using AWS CloudTrail. Over time, Control Tower will continue to offer additional functionality such as custom guardrails to help you implement policies that support your regulatory compliance, based on the AWS shared security model.

Q: Can I use AWS Control Tower to meet my data residency requirements?
AWS Control Tower offers a set of preventive and detective guardrails to help with data residency. Data residency gives you control over where you host your customer content. It allows you to choose whether it’s hosted in multiple regions or held in place in a defined region.

If you work in a regulated industry like finance, government, or healthcare, data residency may be a necessity for operating in a cloud environment. More generally, it can also help you meet company data management requirements.

Availability

Q: In which AWS Regions is AWS Control Tower available?
To see a current list of regions where AWS Control Tower is available, please visit the AWS Regional Table.
 
Q: How much does AWS Control Tower cost?
There is no additional charge to use AWS Control Tower. You only pay for AWS services enabled by AWS Control Tower, e.g., AWS Service Catalog and AWS CloudTrail. You also pay for AWS Config rules that are set up by AWS Control Tower to implement guardrails.

Q: Can I use my existing directory with AWS Control Tower?
AWS Control Tower sets up IAM Identity Center with a native default directory. After the landing zone setup, you can configure  IAM Identity Center with a supported directory such as AWS Managed Microsoft AD.

Q: Is there an API available for AWS Control Tower?
No. You can use AWS Control Tower through the AWS Management Console to perform all necessary operations.

AWS solution and service comparisons

Q: How is AWS Control Tower different from the AWS Landing Zone solution?
AWS Control Tower is an AWS native service providing a pre-defined set of blueprints and guardrails to help you implement a landing zone for AWS accounts. AWS Landing Zone is an AWS solution offered through AWS Solution Architect, Professional Services, or AWS Partner Network (APN) Partners that provides a fully configurable, customer-managed landing zone implementation. You can use either AWS Control Tower or the Landing Zone solution to create a foundational AWS environment based on best-practices blueprints implemented through AWS Service Catalog. AWS Control Tower is designed to provide an easy, self-service setup experience and an interactive user interface for ongoing governance with guardrails. While AWS Control Tower automates creation of a new landing zone with predefined blueprints (e.g., IAM Identity Center for directory and access), the AWS Landing Zone solution provides a configurable setup of a landing zone with rich customization options through custom add-ons (such as Active Directory- or Okta Directory) and ongoing modifications through a code deployment and configuration pipeline.

Q: Can AWS Control Tower help me operate my infrastructure?
AWS Control Tower helps you deploy a multi-account AWS environment based on best practices, but you are still responsible for day-to-day operations and checking compliance status. If you need help operating regulated infrastructure in the cloud, consider a certified MSP partner or AWS Managed Services (AMS). AMS is best-suited for enterprises that want to move regulated workloads to the cloud quickly and do not have the required AWS skillsets for compliant operations, or those that want to keep AWS talent focused on application migration and modernization instead of the undifferentiated heavy lifting of infrastructure operations.

Q: How does AWS Control Tower interoperate with AWS Organizations?
AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive guardrails using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts. 
 
You can also use your existing AWS Organizations management account with AWS Control Tower and set up a landing zone with new or existing organizational units (OUs) and accounts. New OUs and accounts created using AWS Control Tower become part of your existing Organizations structure and billing. For existing accounts currently managed in Organizations, you can enroll them in new OUs created using AWS Control Tower individually or via script.
 
Q: How is AWS Control Tower different from AWS Security Hub?
AWS Control Tower and AWS Security Hub are complementary services. AWS Security Hub is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. Besides aggregating security findings and enabling automated remediation, AWS Security Hub also performs security best practice checks against the AWS Foundational Security Best Practices standard and other industry and regulatory standards. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices . AWS Control Tower applies mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), and detect policy violations using AWS Config rules. AWS Control Tower also helps ensure that your default account configurations are in alignment with AWS Security Hub’s AWS Foundational Security Best Practices. You should use AWS Control Tower’s preventive guardrails in combination with AWS Security Hub’s security best practice controls, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state.

Q: How does AWS Control Tower interoperate with AWS Service Catalog?
AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory. While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level. AWS Service Catalog also lets you provision infrastructure and application stacks that have been pre-approved by IT for use inside your accounts.

Q: How does AWS Control Tower interoperate with AWS Systems Manager?
You can use AWS Control Tower to set up and govern your AWS environment, and then use AWS Systems Manager to handle its ongoing day to day operations. AWS Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources (such as Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances) by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.

Q: What AWS Control Tower solutions can help me customize my accounts?
AWS Control Tower provides additional solutions like Customizations for AWS Control Tower and Account Factory for Terraform to help you easily add customizations to your AWS Control Tower accounts using an AWS CloudFormation template and SCPs or Terraform. Accounts are created with all the standard AWS Control Tower governance benefits but allow you to add customizations to meet any additional standard procedures or guidelines that you require.

AWS Control Tower Overview
Get an overview of AWS Control Tower
See overview 
Getting started
Check out AWS Control Tower Pricing
Learn more 
AWS Marketplace
Discover solutions for AWS Control Tower on AWS Marketplace
Learn more