AWS Control Tower FAQs
General
AWS Control Tower offers the easiest way to manage and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on AWS best practices, and it enables governance using managed controls you can choose from a pre-packaged catalog for different use cases and requirements. The landing zone is a well-architected, multi-account environment that follows AWS best practices. Controls implement governance rules for security, compliance, and operations.
AWS Control Tower is designed for organizations managing multiple AWS accounts that need centralized governance and automated policy enforcement. Whether you're a growing business or an established enterprise, AWS Control Tower helps establish and maintain a well-architected, compliant AWS environment with minimal effort. Customers can choose between a guided route through the full enablement of a well-architected environment and enabling AWS managed controls directly in their existing Organization.
Distributed teams can provision new AWS accounts quickly, while cloud IT has the peace of mind of knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply prepackaged policies organization-wide or to specific groups of accounts.
AWS Control Tower offers a set of AWS-managed controls and enhanced Region deny capabilities to help you meet digital sovereignty requirements faster and with greater confidence. You can select from a group of digital sovereignty controls in the AWS Control Tower control library to implement controls that prevent actions, enforce configurations, and detect resource changes, covering data residency, granular access restriction, encryption, and resiliency. You can also customize AWS Control Tower’s Region deny control to apply regional restrictions that best fit your unique business needs. These capabilities are designed to make it easier for you to address requirements at scale.
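To make the Region deny idea concrete, here is an added example (not AWS's code and not the exact managed policy AWS Control Tower deploys) of a Region deny service control policy in the form such controls take, together with a small evaluator for the subset of SCP grammar it uses. The allowed Regions and the list of exempted global services and principals are constructed assumptions that a real deployment would tailor.

```python
from fnmatch import fnmatch

# Constructed Region deny SCP: deny every action outside the allowed Regions,
# except global services that must stay reachable and the Control Tower
# execution role. The exemption lists below are illustrative assumptions.
REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*", "route53:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]},
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/AWSControlTowerExecution"]},
        },
    }],
}


def _matches(patterns, value):
    """IAM-style wildcard match (* and ?) against a list of patterns."""
    return any(fnmatch(value, p) for p in patterns)


def scp_denies(policy, action, region, principal_arn):
    """Return True if a Deny statement in `policy` applies to the request.

    Models only the grammar used above (Deny + NotAction + StringNotEquals /
    ArnNotLike on the two condition keys); it is not a full IAM evaluator.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if "NotAction" in stmt and _matches(stmt["NotAction"], action):
            continue  # exempted global-service action: statement does not apply
        cond = stmt.get("Condition", {})
        allowed_regions = cond.get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        if allowed_regions and region in allowed_regions:
            continue  # request targets an allowed Region
        exempt_principals = cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if exempt_principals and _matches(exempt_principals, principal_arn):
            continue  # exempted principal, e.g. the Control Tower execution role
        return True
    return False
```

Running the evaluator against a few requests shows that a workload call in a non-allowed Region is denied while IAM calls and the exempted role are not, which is the behaviour to verify before attaching such a policy organization-wide.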
Availability
To see a current list of regions where AWS Control Tower is available, please visit the AWS Regional Table.
There is no additional charge to use AWS Control Tower. You only pay for AWS services enabled by AWS Control Tower, such as AWS Service Catalog and AWS CloudTrail. You also pay for the underlying services that deploy controls, such as AWS Config rules that are set up by AWS Control Tower to implement detective controls. See AWS Control Tower Pricing for more information.
AWS Control Tower sets up IAM Identity Center with a native default directory. After the landing zone setup, you can configure IAM Identity Center with a supported directory, such as AWS Managed Microsoft AD, or self-manage your access control.
Yes, to see a list of available APIs, refer to the AWS Control Tower API Reference documentation. For all other operations, use the AWS Control Tower console.
AWS solution and service comparisons
AWS Control Tower builds upon AWS Organizations, using it as the foundation for multi-account management while adding automated governance capabilities. AWS Control Tower creates a Landing Zone that sets up your Organizations structure with recommended organizational units (OUs), configures core security services like AWS Config and CloudTrail, and implements guardrails to enforce policies across accounts. Think of Organizations as the framework and AWS Control Tower as the automation and governance layer that makes it easier to implement and maintain AWS best practices at scale.
AWS Control Tower and AWS Security Hub CSPM are complementary services. AWS Security Hub CSPM is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. AWS Security Hub CSPM performs security best practice checks against the AWS Foundational Security Best Practices standard and other industry and regulatory standards, and it allows you to aggregate security findings from more than 80 partner products. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices. AWS Control Tower applies mandatory and optional high-level rules, called controls, that help enforce your policies. AWS Control Tower also helps ensure that your default account configurations are in alignment with the AWS Foundational Security Best Practices using the AWS Security Hub controls. You should use the AWS Control Tower preventive controls in combination with the AWS Security Hub security best practice detective controls, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state.
AWS Control Tower allows you to customize new and existing AWS accounts when you provision their resources from the AWS Control Tower console. After you set up account factory customization, AWS Control Tower automates this process for future provisioning. Your customized accounts are provisioned in account factory. Predefined blueprints, built and managed by AWS Partners, are also available. AWS Control Tower provides additional solutions, such as Customizations for AWS Control Tower (CfCT) and Account Factory for Terraform (AFT), to help you easily add customizations to your AWS Control Tower accounts using an AWS CloudFormation template, service control policies (SCPs), or Terraform. Accounts are created with all the standard AWS Control Tower governance benefits but allow you to add customizations to meet any additional standard procedures or guidelines that you require.
The Cloud Governance Decision Guide can help determine which AWS cloud governance services are the best fit for your organization.