Automate the creation of an AWS Landing Zone with best practice blueprints
AWS Control Tower automates the setup of a well-architected multi-account environment based on best practices, and guides you through a step-by-step process to customize Control Tower to your organization. Here are a few examples of the blueprints you can enable:
- Configure AWS Organizations to create a multi-account environment
- Provide for identity management using AWS SSO Users and Groups
- Federate access using AWS Single Sign-On
- Centralize logging using AWS CloudTrail and AWS Config
- Enable cross-account security audits using AWS IAM
- Implement network design using Amazon VPC
- Define workflows for provisioning accounts using AWS Service Catalog
Enable curated Guardrails
- A guardrail is a high-level rule that provides ongoing governance for the overall AWS environment by preventing deployment of resources that don’t conform to policies.
- Mandatory guardrails are automatically enabled as part of your setup. Control Tower also has guardrails that are strongly recommended, and you can choose to enable them on groups of accounts or organizational units.
- Control Tower automatically translates guardrails into granular policies and implements them using AWS CloudFormation. Each guardrail either prevents configuration changes to the underlying services or detects such changes through AWS Config Rules, and summary findings from security and compliance services are reported to the Control Tower dashboard.
Dashboard for continuous visibility
The Control Tower dashboard gives you continuous visibility into your AWS environment. You can view the number of organizational units and accounts provisioned, the number of guardrails enabled, and the compliance status of your organizational units and accounts that have enabled guardrails.
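The two guardrail mechanisms described above (preventive policies that block an API action, and detective AWS Config rules whose findings roll up into a per-account dashboard status) can be modelled in a few dozen lines. The following is an added illustration, not AWS or Control Tower code: the preventive guardrail is written as a service control policy-style Deny document (Control Tower does implement preventive guardrails as SCPs, but the policy text here is constructed, not AWS's), the detective rules are modelled on AWS Config managed rules, and the resource snapshot is a simplified, constructed stand-in for what AWS Config records. The `is_denied` matcher handles only Deny statements with IAM-style `*` wildcards; it is not a full IAM policy evaluator.

```python
"""Illustrative model of Control Tower-style guardrails (added example, not AWS code)."""
import fnmatch
import json

# --- Preventive guardrail: SCP-style Deny statement (constructed policy text) ---
# Modelled on a guardrail that disallows changes to the CloudTrail configuration
# that Control Tower sets up; the exact AWS policy is not reproduced here.
PREVENTIVE_GUARDRAIL = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailChanges",
      "Effect": "Deny",
      "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:Update*"],
      "Resource": "*"
    }
  ]
}
""")


def is_denied(policy: dict, action: str) -> bool:
    """True if any Deny statement matches the action.

    IAM action matching is case-insensitive and supports the '*' wildcard;
    Allow statements are ignored because an SCP Deny always wins.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for pattern in actions:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False


# --- Detective guardrail: Config-rule-style evaluation over recorded configuration ---
# Constructed snapshot; the field names are simplified, not real AWS Config output.
RESOURCE_SNAPSHOT = [
    {"accountId": "111111111111", "resourceType": "AWS::S3::Bucket", "resourceId": "logs-bucket",
     "configuration": {"versioningEnabled": True}},
    {"accountId": "222222222222", "resourceType": "AWS::S3::Bucket", "resourceId": "scratch-bucket",
     "configuration": {"versioningEnabled": False}},
    {"accountId": "222222222222", "resourceType": "AWS::EC2::Volume", "resourceId": "vol-0abc",
     "configuration": {"encrypted": False}},
]


def rule_s3_versioning(item: dict) -> str:
    """Modelled on the managed rule s3-bucket-versioning-enabled."""
    return "COMPLIANT" if item["configuration"].get("versioningEnabled") else "NON_COMPLIANT"


def rule_ebs_encrypted(item: dict) -> str:
    """Modelled on the managed rule encrypted-volumes."""
    return "COMPLIANT" if item["configuration"].get("encrypted") else "NON_COMPLIANT"


# Which detective guardrails apply to which resource type (constructed mapping).
DETECTIVE_GUARDRAILS = {
    "AWS::S3::Bucket": [("s3-bucket-versioning-enabled", rule_s3_versioning)],
    "AWS::EC2::Volume": [("encrypted-volumes", rule_ebs_encrypted)],
}


def evaluate(snapshot: list) -> list:
    """Run every applicable detective rule over every recorded resource."""
    results = []
    for item in snapshot:
        for name, rule in DETECTIVE_GUARDRAILS.get(item["resourceType"], []):
            results.append({"accountId": item["accountId"], "rule": name,
                            "resourceId": item["resourceId"], "compliance": rule(item)})
    return results


def dashboard_summary(results: list) -> dict:
    """Per-account status as a dashboard would show it: one NON_COMPLIANT finding
    makes the whole account NON_COMPLIANT."""
    summary = {}
    for r in results:
        acct = r["accountId"]
        if r["compliance"] == "NON_COMPLIANT":
            summary[acct] = "NON_COMPLIANT"
        else:
            summary.setdefault(acct, "COMPLIANT")
    return summary


if __name__ == "__main__":
    for action in ("cloudtrail:StopLogging", "cloudtrail:UpdateTrail", "cloudtrail:DescribeTrails"):
        print(f"{action}: {'DENIED' if is_denied(PREVENTIVE_GUARDRAIL, action) else 'allowed'}")
    for r in evaluate(RESOURCE_SNAPSHOT):
        print(r)
    print(dashboard_summary(evaluate(RESOURCE_SNAPSHOT)))
```

Run as a script, the preventive check shows that a read-only call like `cloudtrail:DescribeTrails` passes while `cloudtrail:UpdateTrail` is caught by the `Update*` wildcard, and the detective evaluation marks account `222222222222` NON_COMPLIANT on two findings while `111111111111` stays COMPLIANT, which is the per-account roll-up the dashboard passage describes.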