A landing zone is a well-architected, multi-account AWS environment that's based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure. Some examples of blueprints that are automatically implemented in your landing zone include:
- Create a multi-account environment using AWS Organizations
- Provide identity management using AWS Single Sign-On (SSO) default directory
- Provide federated access to accounts using AWS SSO
- Centralize logging from AWS CloudTrail and AWS Config, stored in Amazon S3
- Enable cross-account security audits using AWS IAM and AWS SSO
The landing zone set up by AWS Control Tower is managed using a set of mandatory and strongly recommended guardrails, which you select through a self-service console experience to ensure that accounts and configurations comply with your policies.
The account factory automates provisioning of new accounts in your organization. As a configurable account template, it helps you standardize the provisioning of new accounts with pre-approved account configurations. You can configure your account factory with pre-approved network configuration and region selections. And you can enable self-service for your builders to configure and provision new accounts using AWS Service Catalog.
Preventive & Detective Guardrails
Guardrails are pre-packaged governance rules for security, operations, and compliance that customers can select and apply enterprise-wide or to specific groups of accounts. A guardrail is expressed in plain English and enforces a specific governance policy for your AWS environment; it is enabled on an AWS Organizations organizational unit (OU). Each guardrail has two dimensions: it is either preventive or detective, and it is either mandatory or optional. Preventive guardrails establish intent and prevent deployment of resources that don't conform to your policies (for example, enable AWS CloudTrail in all accounts). Detective guardrails (for example, disallow public read access to S3 buckets) continuously monitor deployed resources for nonconformance. Control Tower automatically translates guardrails into granular AWS policies by:
- Establishing a configuration baseline using AWS CloudFormation
- Preventing configuration changes of the underlying implementation using service control policies (for preventive guardrails)
- Continuously detecting configuration changes through AWS Config rules (for detective guardrails)
- Updating guardrail status on the Control Tower dashboard
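To make the preventive dimension concrete, the following added example (not Control Tower's own policy or code) models a service control policy in the style of the "enable CloudTrail in all accounts" guardrail and evaluates sample API requests against it. The SCP document, the exempt role name `ExampleExemptRole`, the account ID and the principal names are all constructed for this illustration; the evaluator is a deliberately simplified version of IAM's policy logic (explicit Deny wins, then Allow, otherwise implicit deny) that ignores resource ARNs and supports only the ArnLike/ArnNotLike condition operators the sample needs.

```python
import fnmatch

# Constructed example SCP (not Control Tower's own policy): an "allow everything"
# statement, as found at the root of most organizations, plus a Deny modeled on a
# preventive guardrail that keeps member accounts from disabling CloudTrail.
# The exempt role name is a hypothetical placeholder for the role that the
# landing-zone automation itself uses.
EXAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverythingElse", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyCloudTrailChanges",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/ExampleExemptRole"}
            },
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    # IAM action names are matched case-insensitively and may contain * wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _arn_matches(arn, patterns):
    # ARN patterns are case-sensitive; * and ? are the only wildcards used here.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Evaluate only the ArnLike / ArnNotLike operators needed by the sample policy."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            value = context.get(key, "")
            if operator == "ArnLike" and not _arn_matches(value, patterns):
                return False
            if operator == "ArnNotLike" and _arn_matches(value, patterns):
                return False
            if operator not in ("ArnLike", "ArnNotLike"):
                raise NotImplementedError(f"condition operator {operator} not supported")
    return True


def evaluate_scp(scp, action, principal_arn):
    """Simplified SCP decision: explicit Deny wins, then Allow, otherwise implicit deny.

    Resource ARNs and most condition operators are ignored; the point is only to show
    how a preventive guardrail blocks a request regardless of the caller's IAM permissions.
    """
    context = {"aws:PrincipalArn": principal_arn}
    allowed = False
    for statement in scp["Statement"]:
        if not _action_matches(action, statement["Action"]):
            continue
        if not _condition_holds(statement.get("Condition", {}), context):
            continue
        if statement["Effect"] == "Deny":
            return "DENY"
        allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


if __name__ == "__main__":
    # Constructed principals; 111122223333 is a placeholder account ID.
    developer = "arn:aws:iam::111122223333:role/Developer"
    automation = "arn:aws:iam::111122223333:role/ExampleExemptRole"
    for action, principal in [
        ("cloudtrail:StopLogging", developer),
        ("cloudtrail:StopLogging", automation),
        ("s3:GetObject", developer),
    ]:
        decision = evaluate_scp(EXAMPLE_SCP, action, principal)
        print(f"{principal.rsplit('/', 1)[1]:20} {action:28} -> {decision}")
```

The design point worth noticing is that the Deny statement applies to every principal in the account except the one matched by the `ArnNotLike` condition, so an administrator with `AdministratorAccess` in the member account is still refused `cloudtrail:StopLogging`; an SCP bounds what IAM can grant, it never grants anything itself.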
Mandatory & Optional Guardrails
AWS Control Tower offers a curated set of guardrails based on AWS best practices and common customer policies for governance. Mandatory guardrails are applied automatically as part of your landing zone setup. Some examples of mandatory guardrails include:
- Disallow changes to IAM roles set up for AWS Control Tower
- Disallow public read access to log archive
- Disallow policy changes to log archive
You can also choose to enable strongly recommended guardrails at any time on OUs. All accounts provisioned under enabled OUs will automatically inherit those guardrails. Some examples of strongly recommended guardrails include:
- Disallow public write access to Amazon Simple Storage Service (Amazon S3) buckets
- Disallow access as a root user without multi-factor authentication
- Enable encryption for Amazon Elastic Block Store (Amazon EBS) volumes attached to Amazon Elastic Compute Cloud (Amazon EC2) instances
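The strongly recommended guardrails listed above for S3 public write access and EBS encryption are detective, so Control Tower implements them as AWS Config rules. The following added example (not Control Tower's own rule code) shows what such a rule does: a handler in the shape of a Config custom-rule Lambda takes a configuration item, decides COMPLIANT or NON_COMPLIANT for the two resource types, and produces the evaluation record that would be sent to Config's PutEvaluations API. The bucket and volume configuration items are constructed and simplified, not real Config output, and the bucket names and volume ID are placeholders; the `put_evaluations` call itself is omitted so the example runs offline.

```python
import json

# Grantee URIs and permissions that make an S3 ACL publicly writable.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def evaluate_s3_public_write(cfg):
    """Return (compliant, reason). cfg is a constructed, simplified bucket configuration."""
    pab = cfg.get("publicAccessBlock", {})
    if pab.get("blockPublicAcls") and pab.get("ignorePublicAcls"):
        # Block Public Access neutralizes public ACL grants, so the bucket is compliant
        # even if a public WRITE grant is still present in the ACL.
        return True, "public ACLs are blocked and ignored by Block Public Access"
    for grant in cfg.get("acl", {}).get("grants", []):
        if grant.get("granteeUri") in PUBLIC_GRANTEE_URIS and grant.get("permission") in WRITE_PERMISSIONS:
            return False, f"ACL grants {grant['permission']} to {grant['granteeUri']}"
    return True, "no public write grant in bucket ACL"


def evaluate_ebs_encrypted(cfg):
    if cfg.get("encrypted") is True:
        return True, "volume is encrypted"
    return False, "volume is not encrypted"


# Dispatch table keyed by AWS Config resource type.
EVALUATORS = {
    "AWS::S3::Bucket": evaluate_s3_public_write,
    "AWS::EC2::Volume": evaluate_ebs_encrypted,
}


def evaluate_item(item):
    """Build one evaluation in the field layout used by Config's PutEvaluations API."""
    evaluator = EVALUATORS.get(item["resourceType"])
    if evaluator is None:
        compliance, reason = "NOT_APPLICABLE", "no evaluator for this resource type"
    else:
        ok, reason = evaluator(item.get("configuration", {}))
        compliance = "COMPLIANT" if ok else "NON_COMPLIANT"
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": reason,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None):
    """Entry point shaped like a Config custom-rule Lambda: the configuration item arrives
    JSON-encoded in event["invokingEvent"]. A real handler would pass the returned record to
    boto3's config.put_evaluations together with event["resultToken"]; that call is omitted here."""
    invoking_event = json.loads(event["invokingEvent"])
    return evaluate_item(invoking_event["configurationItem"])


# Constructed sample configuration items (simplified; names and IDs are placeholders).
SAMPLE_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-public-uploads",
     "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
     "configuration": {"publicAccessBlock": {"blockPublicAcls": False, "ignorePublicAcls": False},
                       "acl": {"grants": [{"granteeUri": "http://acs.amazonaws.com/groups/global/AllUsers",
                                           "permission": "WRITE"}]}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-log-archive",
     "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
     "configuration": {"publicAccessBlock": {"blockPublicAcls": True, "ignorePublicAcls": True},
                       "acl": {"grants": [{"granteeUri": "http://acs.amazonaws.com/groups/global/AllUsers",
                                           "permission": "WRITE"}]}}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example",
     "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
     "configuration": {"encrypted": False}},
]


def run_samples():
    return [evaluate_item(item) for item in SAMPLE_ITEMS]


if __name__ == "__main__":
    for result in run_samples():
        print(f"{result['ComplianceResourceId']:24} {result['ComplianceType']:14} {result['Annotation']}")
```

Note the difference from the preventive SCP: nothing here stops the public ACL from being set in the first place. The rule only observes the resource after the fact and reports it as noncompliant, which is exactly why the detective guardrails surface on the dashboard as a list of noncompliant resources rather than as refused API calls. The second sample bucket also shows why a check must consider Block Public Access before the ACL: the same WRITE grant is harmless when public ACLs are blocked and ignored.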
The Control Tower dashboard gives you continuous visibility into your AWS environment. You can view the number of OUs and accounts provisioned, the number of guardrails enabled, and the status of your OUs and accounts against those guardrails. You can also see a list of noncompliant resources with respect to enabled guardrails.