What is AWS Control Tower?
AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Guardrails implement governance rules for security, compliance, and operations.
Who should use AWS Control Tower?
AWS Control Tower is for customers who want to create or manage their multi-account AWS environment with best practices. It offers prescriptive guidance to govern your AWS environment at scale. It gives you control over your environment without sacrificing the speed and agility AWS provides for builders. You will benefit from AWS Control Tower if you are building a new AWS environment, starting out on your journey on AWS, starting a new cloud initiative, are completely new to AWS, or have an existing multi-account AWS environment.
What are the benefits of AWS Control Tower?
With AWS Control Tower, distributed teams are able to provision new AWS accounts quickly, while cloud IT has the peace of mind knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply pre-packaged policies enterprise-wide or to specific groups of accounts.
What features does AWS Control Tower provide?
AWS Control Tower automates the creation of a landing zone with best-practices blueprints that configure AWS Organizations for a multi-account structure, provide identity management using AWS SSO Directory, provide federated access using AWS Single Sign-On (AWS SSO), create a central log archive using AWS CloudTrail and AWS Config, enable security audits across accounts using AWS SSO, implement network configurations using Amazon VPC, and define workflows for provisioning accounts using AWS Service Catalog.
Control Tower offers “guardrails” for ongoing governance of your AWS environment. Guardrails provide governance controls by preventing deployment of resources that don’t conform to selected policies or detecting non-conformance of provisioned resources. AWS Control Tower automatically implements guardrails using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, and AWS Config rules to continuously detect non-conformance.
AWS Control Tower offers a dashboard for continuous oversight of your multi-account environment. You get visibility into provisioned accounts across your enterprise. Control Tower dashboards provide reports on detective and preventive guardrails you have enabled on your accounts. And they give you status on any resources that don’t comply with policies you have enabled through guardrails.
Can I use Control Tower to meet industry compliance standards (such as HIPAA, PCI, SOC-1, SOC-2)?
Out-of-the-box guardrails offered by AWS Control Tower are not intended to meet regulatory compliance standards (such as HIPAA, PCI, SOC-1, SOC-2). Control Tower guardrails represent a set of AWS best-practices policies for governing your AWS environment through rules such as disallowing configuration changes to log archive, and requiring account activity to be logged using AWS CloudTrail. Over time, Control Tower will continue to offer additional functionality such as custom guardrails to enable AWS customers to implement policies that support their regulatory compliance, based on the AWS shared security model.
Can I use my existing directory with AWS Control Tower?
AWS Control Tower sets up AWS SSO with a native default directory. After the landing zone setup, you can configure AWS SSO with a supported directory such as AWS Managed Microsoft AD.
Is there an API available for AWS Control Tower?
No. You can use AWS Control Tower through the management console to perform all necessary operations.
AWS Solution and Service Comparisons
How is AWS Control Tower different than the AWS Landing Zone solution?
Control Tower is an AWS native service providing a pre-defined set of blueprints and guardrails to help customers implement a landing zone for new AWS accounts. AWS Landing Zone is an AWS solution offered through AWS Solution Architect, Professional Services, or AWS Partner Network (APN) Partners providing a fully configurable, customer-managed landing zone implementation. Customers can use either the Landing Zone solution or AWS Control Tower to create a foundational AWS environment based on best practice blueprints implemented through AWS Service Catalog. Control Tower is designed to provide an easy, self-service setup experience and an interactive user interface for ongoing governance with guardrails. While Control Tower automates creation of a new landing zone with pre-configured blueprints (e.g., AWS SSO for directory and access), the AWS Landing Zone solution provides a configurable setup of a landing zone with rich customization options through custom add-ons (e.g., Active Directory, Okta Directory) and ongoing modifications through a code deployment and configuration pipeline.
When should I use AWS Landing Zone and when should I use AWS Control Tower?
You should use AWS Control Tower if you are looking for a self-service experience to set up a new AWS environment based on a landing zone with pre-configured blueprints and then interactively govern your accounts with pre-configured guardrails. You will benefit from AWS Control Tower if you are building a new offering, have teams starting out on their journey to AWS, are starting a new cloud initiative, are completely new to AWS, or have an existing multi-account AWS environment. You should use the AWS Landing Zone solution if you are looking to set up a configurable landing zone with rich customization options through custom add-ons (e.g., Active Directory, Okta Directory) and change management through a code deployment and configuration pipeline.
Can AWS Control Tower help me operate my infrastructure?
Control Tower helps you deploy a multi-account AWS environment based on best practices, however, the customer is still responsible for day-to-day operations. Enterprises that need help operating regulated infrastructure in the cloud should consider a certified MSP partner or AWS Managed Services (AMS). AMS is best-suited for enterprises that want to move regulated workloads to the cloud quickly and do not yet have the required AWS skillsets needed for compliant operations, or want to keep AWS talent focused on application migration and modernization instead of the undifferentiated heavy lifting of infrastructure operations.
Can AWS Landing Zone and AWS Control Tower operate in the same multi-account environment?
Customers using AWS Control Tower can use AWS Landing Zone features by adding Customizations for AWS Control Tower and deploying new resources to existing and new accounts within their organization. They can also apply custom service control policies (SCPs) to those accounts on top of those already provided by AWS Control Tower.
You can also use your existing AWS Organizations Master account with AWS Control Tower and set up a landing zone with new OUs and new accounts. New OUs and accounts created using AWS Control Tower become part of your existing Organizations structure and billing. For existing accounts currently managed in Organizations, you can enroll them into new OUs created using AWS Control Tower individually or via script.
How does AWS Control Tower interoperate with AWS Service Catalog?
AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory. While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level. AWS Service Catalog also lets you provision infrastructure and application stacks that have been pre-approved by IT for use inside your accounts.
How does AWS Control Tower interoperate with AWS Systems Manager?
You can use AWS Control Tower to set up and govern your AWS environment, and then use AWS Systems Manager to handle the ongoing day to day operations of that environment. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources, like Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances, by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.