A landing zone is a well-architected, multi-account AWS environment based on security and compliance best practices. AWS Control Tower automates the setup of a new landing zone using best-practices blueprints for identity, federated access, and account structure.
Examples of blueprints that are automatically implemented in your landing zone include the following:
Within your landing zone you can optionally configure log retention, AWS CloudTrail trails, AWS KMS Keys, and AWS account access. The landing zone set up by AWS Control Tower is managed using a set of mandatory and optional controls. Mandatory controls are always applied on your behalf by AWS Control Tower, while optional controls can be self-selected based on your unique needs to ensure accounts and configurations comply with your policies.
The account factory automates provisioning of new accounts in your organization. As a configurable account template, it helps you standardize provisioning of new accounts by using the AWS Control Tower predefined account blueprint with default resources, configurations, or VPC settings. You can also define and implement your own custom account resources and requirements in addition to the preapproved account configurations. By configuring your account factory with preapproved network configuration and AWS Region selections, you enable self-service for your builders to configure and provision new accounts. Additionally, you can take advantage of AWS Control Tower solutions, such as Account Factory for Terraform, to automate the provisioning and customization of an account managed by AWS Control Tower in Terraform that meets your business and security policies, before delivering it to end users.
Comprehensive controls management in AWS Control Tower helps you reduce the time it takes to define, map, and manage the controls required to meet your most common control objectives such as enforcing least privilege, restricting network access, and enforcing data encryption.
Controls are prepackaged governance rules for security, operations, and compliance that you can select and apply enterprise-wide or to specific groups of accounts. A control is expressed in plain English and enforces a specific governance policy for your AWS environment that can be enabled within an AWS Organizations organizational unit (OU). Controls can be detective, preventive, or proactive and can be either mandatory or optional.
Detective controls (for example, Detect whether public read access to Amazon S3 buckets is allowed) continuously monitor deployed resources for nonconformance. Preventive controls establish intent and prevent deployment of resources that don’t conform to your policies (for example, Enable AWS CloudTrail in all accounts). Proactive control capabilities use AWS CloudFormation Hooks to proactively identify and block the CloudFormation deployment of resources that are not compliant with the controls you have enabled. You can disallow actions that lead to policy violations and detect noncompliance of resources at scale. In addition, you get updated configurations and technical documentation so you can more quickly benefit from AWS services and features.
The AWS Control Tower dashboard gives you continuous visibility into your AWS environment. You can view the number of OUs and accounts provisioned and the number of controls enabled and check the status of your OUs and accounts against those controls. You can also see a list of noncompliant resources with respect to enabled controls.
AWS Marketplace now offers integrated third-party software solutions for AWS Control Tower. Built by independent software vendors, these solutions help solve infrastructure and operational use cases including security for a multi-account environment, centralized networking, operational intelligence, and Security and Information Event Management (SIEM).