What is AWS Control Tower?
AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.
Who should use AWS Control Tower?
AWS Control Tower is for customers who want to create a new, multi-account AWS environment with best practices. It offers prescriptive guidance to govern your AWS environment at scale. It gives you control over your environment without sacrificing the speed and agility AWS provides for builders. You will benefit from Control Tower if you are building a new AWS environment, starting out on your journey on AWS, starting a new cloud initiative, or are completely new to AWS.
What are the benefits of AWS Control Tower?
With AWS Control Tower, distributed teams are able to provision new AWS accounts quickly, while cloud IT has the peace of mind knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply pre-packaged policies enterprise-wide or to specific groups of accounts.
What features does AWS Control Tower provide?
AWS Control Tower automates the creation of a landing zone with best-practices blueprints that configure AWS Organizations for a multi-account structure, provide identity management using AWS SSO Directory, provide federated access using AWS Single Sign-On (AWS SSO), create a central log archive using AWS CloudTrail and AWS Config, enable security audits across accounts using AWS SSO, implement network configurations using Amazon VPC, and define workflows for provisioning accounts using AWS Service Catalog.
Control Tower offers “guardrails” for ongoing governance of your AWS environment. Guardrails provide governance controls by preventing deployment of resources that don’t conform to selected policies or detecting non-conformance of provisioned resources. AWS Control Tower automatically implements guardrails using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config rules to continuously detect non-conformance.
AWS Control Tower offers a dashboard for continuous oversight of your multi-account environment. You get visibility into provisioned accounts across your enterprise. Control Tower dashboards provide reports on detective and preventive guardrails you have enabled on your accounts. And they give you status on any resources that don’t comply with policies you have enabled through guardrails.
Can I use Control Tower to meet industry compliance standards (such as HIPAA, PCI, SOC-1, SOC-2)?
Out-of-the-box guardrails offered by AWS Control Tower are not intended to meet regulatory compliance standards (such as HIPAA, PCI, SOC-1, SOC-2). Control Tower guardrails represent a set of AWS best-practices policies for governing your AWS environment through rules such as disallowing configuration changes to log archive, and requiring account activity to be logged using AWS CloudTrail. Over time, Control Tower will continue to offer additional functionality such as custom guardrails to enable AWS customers to implement policies that support their regulatory compliance, based on the AWS shared security model.
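The two guardrail mechanisms named above (SCPs to prevent, Config rules to detect) can be made concrete for the "require CloudTrail logging" rule. The following is an added illustration, not a Control Tower policy or AWS code: a constructed SCP that denies changes to the landing zone's trail for every principal except an assumed automation role (the role name is an assumption), together with a deliberately simplified evaluator that shows which calls the SCP would block.

```python
"""Illustrative preventive guardrail: an SCP denying CloudTrail changes,
plus a simplified check of which calls it blocks. Added example; not
Control Tower's own policy and not a full IAM policy evaluator."""
from fnmatch import fnmatchcase

# Constructed SCP in the style of a preventive guardrail. The exempted
# role name "AWSControlTowerExecution" is an assumption for illustration.
SCP_PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailChanges",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:DeleteTrail",
            "cloudtrail:PutEventSelectors",
            "cloudtrail:StopLogging",
            "cloudtrail:UpdateTrail",
        ],
        "Resource": "*",
        "Condition": {
            "ArnNotLike": {
                "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
            }
        },
    }],
}


def _matches(patterns, value):
    """Glob match against one pattern or a list of patterns (IAM-style '*')."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def scp_denies(scp, action, principal_arn):
    """Return True if a Deny statement matches the action and the caller
    is not exempted by an ArnNotLike condition on aws:PrincipalARN.
    Simplification: only Deny statements and this one condition key are
    handled; an SCP never grants access, it only restricts what identity
    policies in the member account can allow."""
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and _matches(exempt, principal_arn):
            continue  # the automation role is allowed through
        return True
    return False
```

A detective guardrail for the same rule would be an AWS Config rule that flags accounts where the trail is missing or stopped; the SCP above is what keeps a member-account principal from putting it in that state in the first place.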
In which AWS Regions is AWS Control Tower available?
AWS Control Tower is available in four AWS Regions: US East (N Virginia), US East (Ohio), US West (Oregon), and EU (Ireland).
How much does AWS Control Tower cost?
There is no additional charge to use AWS Control Tower. You only pay for AWS services enabled by AWS Control Tower, e.g., AWS Service Catalog and AWS CloudTrail. You also pay for AWS Config rules that are set up by AWS Control Tower to implement guardrails.
Does AWS Control Tower create a new AWS Organizations account structure?
Yes, AWS Control Tower creates a new organization that starts with your existing AWS account as the master account. You cannot deploy AWS Control Tower on accounts with an existing AWS Organizations master account. As a result, AWS Control Tower is intended to automate a brand new landing zone with a separate master payer account.
Can I deploy AWS Control Tower on my existing AWS Organizations accounts?
You cannot yet deploy AWS Control Tower on an existing account that is a member of AWS Organizations. AWS Control Tower requires a standalone account that is not a member of AWS Organizations for setup. In the near future, you will be able to deploy Control Tower to an existing AWS Organizations account structure.
Can I use my existing directory with AWS Control Tower?
AWS Control Tower sets up AWS SSO with a native default directory. After the landing zone setup, you can configure AWS SSO with a supported directory such as AWS Managed Microsoft AD.
Is there an API available for AWS Control Tower?
No. You can use AWS Control Tower through the management console to perform all necessary operations.
AWS Solution and Service Comparisons
How is AWS Control Tower different from the AWS Landing Zone solution?
Control Tower is an AWS native service providing a pre-defined set of blueprints and guardrails to help customers implement a landing zone for new AWS accounts. AWS Landing Zone is an AWS solution offered through AWS Solutions Architects, Professional Services, or AWS Partner Network (APN) Partners, providing a fully configurable, customer-managed landing zone implementation. Customers can use either the Landing Zone solution or AWS Control Tower to create a foundational AWS environment based on best-practice blueprints implemented through AWS Service Catalog. Control Tower is designed to provide an easy, self-service setup experience and an interactive user interface for ongoing governance with guardrails. While Control Tower automates creation of a new landing zone with pre-configured blueprints (e.g., AWS SSO for directory and access), the AWS Landing Zone solution provides a configurable setup of a landing zone with rich customization options through custom add-ons (e.g., Active Directory, Okta Directory) and ongoing modifications through a code deployment and configuration pipeline.
When should I use AWS Landing Zone and when should I use AWS Control Tower?
You should use Control Tower if you are looking for a self-service experience to set up a new AWS environment based on a landing zone with pre-configured blueprints and then interactively govern your accounts with pre-configured guardrails. You will benefit from Control Tower if you are building a new offering, have teams starting out on their journey to AWS, are starting a new cloud initiative, or are completely new to AWS. You should use the AWS Landing Zone solution if you are looking to set up a configurable landing zone with rich customization options through custom add-ons (e.g., Active Directory, Okta Directory) and change management through a code deployment and configuration pipeline.
Can AWS Control Tower help me operate my infrastructure?
Control Tower helps you deploy a multi-account AWS environment based on best practices; however, the customer is still responsible for day-to-day operations. Enterprises that need help operating regulated infrastructure in the cloud should consider a certified MSP partner or AWS Managed Services (AMS). AMS is best suited for enterprises that want to move regulated workloads to the cloud quickly and do not yet have the AWS skillsets needed for compliant operations, or that want to keep AWS talent focused on application migration and modernization instead of the undifferentiated heavy lifting of infrastructure operations.
Is there a migration path from AWS Landing Zone to AWS Control Tower?
Yes, in the near future, you will be able to migrate your existing accounts created with the AWS Landing Zone solution to AWS Control Tower. The migration path will occur in several phases to ensure compatibility between Control Tower and your AWS Landing Zone solution, starting with the ability to deploy Control Tower to an existing AWS Organizations structure, followed by enabling custom guardrails and custom blueprints for Control Tower.
How does AWS Control Tower interoperate with AWS Organizations?
AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive guardrails using Service Control Policies (SCPs). Using AWS Organizations, you can further create and attach granular SCPs that centrally control the use of AWS services and resources across multiple AWS accounts.
How is AWS Control Tower different from AWS Security Hub?
AWS Security Hub is the primary destination for security and compliance professionals. It provides a comprehensive and timely view of the overall security and compliance posture of their AWS environment so they can take necessary actions. AWS Control Tower is the primary destination for cloud administrators. While AWS Security Hub is primarily detective in nature (i.e., it assesses and reports on the security and compliance posture of an existing environment), AWS Control Tower is primarily preventive (i.e., it helps set up a new AWS landing zone and enforces controls to prevent provisioning of resources that do not conform to applied policies).
How does AWS Control Tower interoperate with AWS Service Catalog?
AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory. While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level. AWS Service Catalog also lets you provision infrastructure and application stacks that have been pre-approved by IT for use inside your accounts.
How does AWS Control Tower interoperate with AWS Systems Manager?
You can use AWS Control Tower to set up and govern your AWS environment, and then use AWS Systems Manager to handle the ongoing day-to-day operations of that environment. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.