AWS Control Tower

The easiest way to set up and govern a secure multi-account AWS environment

If you have multiple AWS accounts and teams, cloud setup and governance can be complex and time consuming, slowing down the very innovation you’re trying to speed up. AWS Control Tower provides the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. It creates your landing zone using AWS Organizations, bringing ongoing account management and governance as well as implementation best practices based on AWS’s experience working with thousands of customers as they move to the cloud. Builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing that your accounts conform to company policies. Extend governance into new or existing accounts, and gain visibility into their compliance status quickly. If you are building a new AWS environment, starting out on your journey to AWS, or starting a new cloud initiative, AWS Control Tower will help you get started quickly with built-in governance and best practices.

Always free

with the AWS Free Tier


Quickly set up and configure a new AWS environment

Automate the setup of your multi-account AWS environment with just a few clicks. The setup employs blueprints that capture AWS best practices for configuring AWS security and management services to govern your environment. Blueprints are available to provide identity management, federate access to accounts, centralize logging, establish cross-account security audits, define workflows for provisioning accounts, and implement account baselines with network configurations.

Automate ongoing policy management

AWS Control Tower provides mandatory and strongly recommended high-level rules, called guardrails, that help enforce your policies using service control policies (SCPs), or detect policy violations using AWS Config rules. These rules remain in effect as you create new accounts or make changes to existing accounts, and AWS Control Tower provides a summary report of how each account conforms to your enabled policies. For example, you can enable data residency guardrails so that customer data, the personal data you upload to the AWS services under your AWS account, is not stored or processed outside a specific AWS Region or Regions.

View policy-level summaries of your AWS environment

AWS Control Tower provides an integrated dashboard so you can see a top-level summary of policies applied to your AWS environment. You can view details on the accounts provisioned, the guardrails enabled across your accounts, and account level status for compliance with your guardrails.

How it works

Control Tower how it works diagram

Blogs & articles

  • Date
AWS Control Tower features
Discover AWS Control Tower features
Learn more 
Getting started
Check out AWS Control Tower Pricing
See pricing 
AWS Marketplace
Discover solutions for AWS Control Tower on AWS Marketplace
Learn more