AWS Control Tower FAQs

AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using controls you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Controls implement governance rules for security, compliance, and operations.

If you want to create or manage your existing multi-account AWS environment with best practices, use AWS Control Tower. It offers prescriptive guidance to govern your AWS environment at scale. It gives you control over your environment without sacrificing the speed and agility AWS provides for builders. You will benefit if you are building a new AWS environment, starting out on your journey on AWS, starting a new cloud initiative, are completely new to AWS, or if you have an existing multi-account AWS environment but prefer a solution with built-in blueprints and controls.

Distributed teams can provision new AWS accounts quickly, while cloud IT has the peace of mind of knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply prepackaged policies organization-wide or to specific groups of accounts.

AWS Control Tower automates the creation of a landing zone with best-practices blueprints that configure AWS Organizations for a multi-account structure, provide identity management using AWS IAM Identity Center, provide federated access using the IAM Identity Center console, create a central log archive using AWS CloudTrail and AWS Config, enable security audits across accounts using IAM Identity Center, implement network configurations using Amazon Virtual Private Cloud (Amazon VPC), and define workflows for provisioning accounts and associated AWS Control Tower solutions.

You can use AWS Control Tower’s Account Factory to automate the provisioning of AWS accounts that are preconfigured to meet your business, security, and compliance requirements. You can also extend AWS Control Tower governance to an individual, existing AWS account when you enroll it into an organization unit (OU) that is already governed by AWS Control Tower.  

AWS Control Tower offers controls for ongoing governance of your AWS environment. AWS Control Tower offers preventive, detective, and proactive controls that help you govern your resources and monitor compliance across groups of AWS accounts. Controls are prepackaged governance rules for security, operations, and compliance that you can select and apply enterprise-wide or to specific groups of AWS accounts. AWS Control Tower automatically implements controls using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, AWS Config rules to continuously detect nonconformance, and AWS CloudFormation Hooks to scan your resources before they are provisioned and make sure that the resources are compliant with that control.

AWS Control Tower offers a dashboard for continuous oversight of your multi-account environment. You get visibility into provisioned accounts across your organization. Dashboards provide reports on controls you have enabled on your accounts, and they give you the status of resources that don’t comply with policies you have enabled through controls.

AWS Control Tower offers a set of AWS- managed controls and enhanced Region deny capabilities to help you meet  digital sovereignty requirements faster and with greater confidence. You can select from a group of digital sovereignty controls in the AWS Control Tower control library to implement controls that prevent actions, enforce configurations, detect resource changes for data residency, granular access restriction, encryption, and resiliency capabilities. You can also customize AWS Control Tower’s Region deny control to apply regional restrictions that best fit your unique business needs. These capabilities are designed to make it easier for you to address requirements at scale. 

To see a current list of regions where AWS Control Tower is available, please visit the AWS Regional Table .

There is no additional charge to use AWS Control Tower. You only pay for AWS services enabled by AWS Control Tower, such as AWS Service Catalog and AWS CloudTrail. You also pay for the underlying services that deploy controls, such as AWS Config rules that are set up by AWS Control Tower to implement detective controls. See AWS Control Tower Pricing for more information. 

AWS Control Tower sets up IAM Identity Center with a native default directory. After the landing zone setup, you can configure IAM Identity Center with a supported directory, such as AWS Managed Microsoft AD, or self-manage your access control.

Yes, to see a list of available APIs, refer to AWS Control Tower API Reference documentation . For all other operations, use the AWS Control Tower console. 

AWS Control Tower helps you deploy a multi-account AWS environment based on best practices, but you are still responsible for day-to-day operations and checking compliance status. If you need help operating regulated infrastructure in the cloud, consider a certified MSP partner or AWS Managed Services (AMS). AMS is best suited for enterprises that want to move regulated workloads to the cloud quickly and do not have the required AWS skillsets for compliant operations, or those that want to keep AWS talent focused on application migration and modernization instead of the undifferentiated heavy lifting of infrastructure operations.

AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive controls using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts. 

You can also use your existing AWS Organizations management account with AWS Control Tower and set up a landing zone with new or existing organizational units (OUs) and accounts. New OUs and accounts created using AWS Control Tower become part of your existing Organizations structure and billing. For existing accounts currently managed in Organizations, you can enroll them in new OUs created using AWS Control Tower individually or through script.

AWS Control Tower and AWS Security Hub are complementary services. AWS Security Hub is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. AWS Security Hub performs security best practice checks against the AWS Foundational Security Best Practices standard and other industry and regulatory standards, and it allows you to aggregate security findings from more than 80 partner products. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices . AWS Control Tower applies mandatory and optional high-level rules, called controls, that help enforce your policies. AWS Control Tower also helps ensure that your default account configurations are in alignment with the AWS Foundational Security Best Practices using the AWS Security Hub controls. You should use the AWS Control Tower preventive controls in combination with the AWS Security Hub security best practice detective controls, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state.

AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory . While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level. AWS Service Catalog also lets you provision infrastructure and application stacks that have been preapproved by IT for use inside your accounts.

You can use AWS Control Tower to set up and govern your AWS environment, and then use AWS Systems Manager to handle its ongoing day to day operations. AWS Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources (such as Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances) by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.

AWS Control Tower allows you to customize new and existing AWS accounts when you provision their resources from the AWS Control Tower console. After you set up account factory customization, AWS Control Tower automates this process for future provisioning. Your customized accounts are provisioned in account factory . Predefined blueprints, built and managed by AWS Partners, are also available. AWS Control Tower provides additional solutions, such as Customizations for AWS Control Tower  (CfCT) and Account Factory for Terraform (AFT), to help you easily add customizations to your AWS Control Tower accounts using an AWS CloudFormation template, service control policies (SCPs), or Terraform. Accounts are created with all the standard AWS Control Tower governance benefits but allow you to add customizations to meet any additional standard procedures or guidelines that you require.