Q: What is AWS Control Tower?
AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.
Q: Who should use AWS Control Tower?
If you want to create or manage your multi-account AWS environment with best practices, use AWS Control Tower. It offers prescriptive guidance to govern your AWS environment at scale. It gives you control over your environment without sacrificing the speed and agility AWS provides for builders. You will benefit if you are building a new AWS environment, starting out on your journey on AWS, starting a new cloud initiative, are completely new to AWS, or if you have an existing multi-account AWS environment but prefer a solution with built-in blueprints and guardrails.
Q: What are the benefits of AWS Control Tower?
Distributed teams can provision new AWS accounts quickly, while cloud IT has the peace of mind of knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply pre-packaged policies organization-wide or to specific groups of accounts.
Q: What features does AWS Control Tower provide?
AWS Control Tower automates the creation of a landing zone with best-practices blueprints that configure AWS Organizations for a multi-account structure, provide identity management using AWS SSO Directory, provide federated access using AWS Single Sign-On (AWS SSO), create a central log archive using AWS CloudTrail and AWS Config, enable security audits across accounts using AWS SSO, implement network configurations using Amazon Virtual Private Cloud (Amazon VPC), and define workflows for provisioning accounts using AWS Service Catalog and associated Control Tower solutions.
AWS Control Tower offers “guardrails” for ongoing governance of your AWS environment. Guardrails provide governance controls by preventing deployment of resources that don’t conform to selected policies or detecting non-conformance of provisioned resources. AWS Control Tower automatically implements guardrails using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config rules to continuously detect non-conformance.
AWS Control Tower offers a dashboard for continuous oversight of your multi-account environment. You get visibility into provisioned accounts across your organization. Dashboards provide reports on detective and preventive guardrails you have enabled on your accounts, and they give you the status of resources that don’t comply with policies you have enabled through guardrails.
Q: Can I use AWS Control Tower to meet industry compliance standards (such as HIPAA, PCI, SOC-1, SOC-2)?
Out-of-the-box guardrails offered by AWS Control Tower are not intended to meet regulatory compliance standards (such as HIPAA, PCI, SOC-1, or SOC-2). Control Tower guardrails represent a set of AWS best-practices policies for governing your AWS environment through rules such as disallowing configuration changes to log archive, and requiring account activity to be logged using AWS CloudTrail. Over time, Control Tower will continue to offer additional functionality such as custom guardrails to help you implement policies that support your regulatory compliance, based on the AWS shared security model.
Q: Can I use AWS Control Tower to meet my data residency requirements?
AWS Control Tower offers a set of preventive and detective guardrails to help with data residency. Data residency gives you control over where you host your customer content. It allows you to choose whether it’s hosted in multiple regions or held in place in a defined region.
If you work in a regulated industry like finance, government, or healthcare, data residency may be a necessity for operating in a cloud environment. More generally, it can also help you meet company data management requirements.
Q: Can I use my existing directory with AWS Control Tower?
AWS Control Tower sets up AWS SSO with a native default directory. After the landing zone setup, you can configure AWS SSO with a supported directory such as AWS Managed Microsoft AD.
Q: Is there an API available for AWS Control Tower?
No. You can use AWS Control Tower through the AWS Management Console to perform all necessary operations.
AWS solution and service comparisons
Q: How is AWS Control Tower different from the AWS Landing Zone solution?
AWS Control Tower is an AWS native service providing a pre-defined set of blueprints and guardrails to help you implement a landing zone for AWS accounts. AWS Landing Zone is an AWS solution offered through AWS Solution Architect, Professional Services, or AWS Partner Network (APN) Partners that provides a fully configurable, customer-managed landing zone implementation. You can use either AWS Control Tower or the Landing Zone solution to create a foundational AWS environment based on best-practices blueprints implemented through AWS Service Catalog. AWS Control Tower is designed to provide an easy, self-service setup experience and an interactive user interface for ongoing governance with guardrails. While AWS Control Tower automates creation of a new landing zone with predefined blueprints (e.g., AWS SSO for directory and access), the AWS Landing Zone solution provides a configurable setup of a landing zone with rich customization options through custom add-ons (such as Active Directory- or Okta Directory) and ongoing modifications through a code deployment and configuration pipeline.
Q: Can AWS Control Tower help me operate my infrastructure?
AWS Control Tower helps you deploy a multi-account AWS environment based on best practices, but you are still responsible for day-to-day operations and checking compliance status. If you need help operating regulated infrastructure in the cloud, consider a certified MSP partner or AWS Managed Services (AMS). AMS is best-suited for enterprises that want to move regulated workloads to the cloud quickly and do not have the required AWS skillsets for compliant operations, or those that want to keep AWS talent focused on application migration and modernization instead of the undifferentiated heavy lifting of infrastructure operations.
Q: How does AWS Control Tower interoperate with AWS Service Catalog?
AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory. While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level. AWS Service Catalog also lets you provision infrastructure and application stacks that have been pre-approved by IT for use inside your accounts.
Q: How does AWS Control Tower interoperate with AWS Systems Manager?
You can use AWS Control Tower to set up and govern your AWS environment, and then use AWS Systems Manager to handle its ongoing day to day operations. AWS Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources (such as Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances) by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.
Q: What AWS Control Tower solutions can help me customize my accounts?
AWS Control Tower provides additional solutions like Customizations for AWS Control Tower and Account Factory for Terraform to help you easily add customizations to your AWS Control Tower accounts using an AWS CloudFormation template and SCPs or Terraform. Accounts are created with all the standard AWS Control Tower governance benefits but allow you to add customizations to meet any additional standard procedures or guidelines that you require.