AWS Control Tower
The easiest way to set up and govern a secure, compliant multi-account AWS environment
AWS Control Tower automates the set-up of a baseline environment, or landing zone, that is a secure, well-architected multi-account AWS environment. The configuration of the landing zone is based on best practices that have been established by working with thousands of enterprise customers to create a secure environment that makes it easier to govern AWS workloads with rules for security, operations, and compliance.
As enterprises migrate to AWS, they typically have a large number of applications and distributed teams. They often want to create multiple accounts to allow their teams to work independently, while still maintaining a consistent level of security and compliance. In addition, they use AWS’s management and security services, like AWS Organizations, AWS Service Catalog and AWS Config, that provide very granular controls over their workloads. They want to maintain this control, but they also want a way to centrally govern and enforce the best use of AWS services across all the accounts in their environment.
Control Tower automates the set-up of their landing zone and configures AWS management and security services based on established best practices in a secure, compliant, multi-account environment. Distributed teams are able to provision new AWS accounts quickly, while central teams have the peace of mind knowing that new accounts are aligned with centrally established, company-wide compliance policies. This gives you control over your environment, without sacrificing the speed and agility AWS provides your development teams.
Quickly set-up and configure your AWS environment
Automate the set-up of your multi-account AWS environment with just a few clicks. You have access to blueprints, which are AWS best practices for configuring AWS security and management services to govern your environment. Blueprints are available to provide identity management and federate access, centralize logging, establish cross-account security audits, implement network design, and define workflows for provisioning accounts.
Get on-going policy enforcement
Control Tower provides mandatory and optional high-level rules to either enforce your policies using service controls or detect policy violations using Config Rules. These rules will always be in effect as you create new accounts or make changes to your existing accounts, and Control Tower provides a summary report of how each account is compliant with your policies.
Get visual summaries of your AWS environment
Control Tower provides you with an integrated dashboard so you can see a top-level summary of your AWS environment, giving you all the information about your accounts in one place. You can also view details on the number of accounts provisioned, the number of policies enabled across your accounts, and the compliance status of those accounts.