Cloud Management & Governance with AWS Control Tower

Kubernetes Advocate
AVM Consulting Blog
3 min read · Jun 11, 2023

If you’re an organization with multiple AWS accounts and teams, cloud setup and governance can be complex and time-consuming, slowing down the very innovation you’re trying to speed up.

AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.

With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your company-wide policies.

Benefits

Quickly set up and configure a new AWS environment

Automate the setup of your multi-account AWS environment with just a few clicks. The setup employs blueprints, which capture AWS best practices for configuring AWS security and management services to govern your environment.

Blueprints are available to provide identity management, federate access to accounts, centralize logging, establish cross-account security audits, define workflows for provisioning accounts, and implement account baselines with network configurations.

Automate ongoing policy management

Control Tower provides mandatory and strongly recommended high-level rules, called guardrails (labelled controls in the current console), that enforce your policies preventively through service control policies (SCPs) or detect policy violations through AWS Config rules. Mandatory guardrails are always on for every OU Control Tower governs; strongly recommended ones are enabled per OU.

These rules remain in effect as you create new accounts or make changes to your existing accounts, and Control Tower provides a summary report of how each account conforms to your enabled policies.

View policy-level summaries of your AWS environment

Control Tower provides you with an integrated dashboard so you can see a top-level summary of policies applied to your AWS environment.

You can view details on the accounts provisioned, the guardrails enabled across your accounts, and account level status for compliance with your guardrails.

How does it work?

AWS Control Tower builds on AWS Organizations, which lets you create and manage multiple AWS accounts under one organization, to construct a landing zone. With a single click in the AWS Management Console, an administrator can create the new multi-account environment. Organizational units (OUs) group accounts for governance, and Control Tower applies guardrails at the OU level: preventive controls (SCPs) restrict what the accounts in an OU are able to do, and detective controls (AWS Config rules) monitor those accounts for compliance. Each guardrail enforces a single rule, and a guardrail enabled on an OU applies to every account in it.

Control Tower creates the following three accounts by default when the landing zone is set up.

  • A management account (formerly called the master account) that owns the organization and is billed for its member accounts. It hosts Account Factory provisioning, organizational unit management, and the configuration of guardrails. SCPs never restrict the management account, so access to it should be limited to a small number of administrators.
  • A Log Archive account that holds a central Amazon S3 bucket storing the CloudTrail API activity logs and AWS Config resource configuration history from all accounts in the landing zone.
  • An Audit account, a restricted account that gives security and compliance teams read and write access to all accounts in the landing zone, with programmatic access provided through cross-account roles.
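To make the guardrail mechanics above concrete, here is a small Python model of how an SCP-based preventive guardrail attached to an OU is inherited and evaluated for the accounts in the landing zone. It is an added illustration, not code from AWS, Control Tower or AVM Consulting: the OU tree, account IDs and principal ARNs are constructed, and the guardrail document is only modeled on Control Tower's mandatory CloudTrail guardrail rather than copied from it.

```python
"""Toy evaluator for how an SCP-based preventive guardrail is inherited
through Organizations OUs and applied to a member account.
Added illustration for this post; not code from AWS or AVM Consulting.
Every OU name, account ID and principal ARN below is constructed, and the
guardrail SCP is only modeled on Control Tower's mandatory CloudTrail
guardrail, not copied from it."""
from fnmatch import fnmatchcase

# Organizations attaches this policy to the root and every OU by default.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed SCP modeled on the mandatory "disallow changes to CloudTrail"
# guardrail: deny trail mutations to everyone except the role Control Tower
# itself assumes in member accounts.
CLOUDTRAIL_GUARDRAIL = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GRCLOUDTRAILENABLED",
    "Effect": "Deny",
    "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
               "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {
        "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}},
}]}

# Constructed landing zone: node -> (parent, SCPs attached at that node).
# Control Tower attaches its mandatory guardrails to every OU it governs;
# an OU created outside Control Tower ("Unregistered") carries none.
OUS = {
    "Root":         (None,   [FULL_AWS_ACCESS]),
    "Security":     ("Root", [FULL_AWS_ACCESS, CLOUDTRAIL_GUARDRAIL]),
    "Sandbox":      ("Root", [FULL_AWS_ACCESS, CLOUDTRAIL_GUARDRAIL]),
    "Unregistered": ("Root", [FULL_AWS_ACCESS]),
}
ACCOUNTS = {  # constructed account IDs -> (name, OU)
    "111111111111": ("management", "Root"),
    "222222222222": ("log-archive", "Security"),
    "333333333333": ("audit", "Security"),
    "444444444444": ("sandbox-dev", "Sandbox"),
    "555555555555": ("legacy-app", "Unregistered"),
}
MANAGEMENT_ACCOUNT = "111111111111"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, principal_arn):
    # Only the ArnLike / ArnNotLike operators on aws:PrincipalARN are modeled.
    for operator, keys in condition.items():
        patterns = _as_list(keys.get("aws:PrincipalARN", []))
        matched = any(fnmatchcase(principal_arn, p) for p in patterns)
        if operator == "ArnLike" and not matched:
            return False
        if operator == "ArnNotLike" and matched:
            return False
    return True


def _statement_applies(stmt, action, principal_arn):
    # Action names are case-insensitive; "*" and "cloudtrail:*" are patterns.
    # Resource matching is skipped because every policy here uses "*".
    actions = [a.lower() for a in _as_list(stmt["Action"])]
    if not any(fnmatchcase(action.lower(), a) for a in actions):
        return False
    return _condition_holds(stmt.get("Condition", {}), principal_arn)


def policy_decision(policy, action, principal_arn):
    """'Deny' if any statement explicitly denies, 'Allow' if one allows,
    None if no statement matches (an implicit deny for that policy)."""
    decision = None
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, principal_arn):
            if stmt["Effect"] == "Deny":
                return "Deny"       # an explicit deny always wins
            decision = "Allow"
    return decision


def evaluate(account_id, action, principal_arn):
    """Walk from the account's OU up to the root. SCPs form a boundary, so the
    action must be allowed, and not explicitly denied, at every level.
    Returns (decision, reason)."""
    if account_id == MANAGEMENT_ACCOUNT:
        return "Allow", "management account is not subject to SCPs"
    node = ACCOUNTS[account_id][1]
    while node is not None:
        parent, policies = OUS[node]
        decisions = [policy_decision(p, action, principal_arn) for p in policies]
        if "Deny" in decisions:
            return "Deny", f"explicit deny at {node}"
        if "Allow" not in decisions:
            return "Deny", f"no SCP at {node} allows it"
        node = parent
    return "Allow", "allowed at every level"


if __name__ == "__main__":
    dev = "arn:aws:iam::222222222222:role/Developer"
    ct = "arn:aws:iam::222222222222:role/AWSControlTowerExecution"
    for acct, action, who in [
        ("222222222222", "cloudtrail:StopLogging", dev),
        ("222222222222", "cloudtrail:StopLogging", ct),
        ("222222222222", "s3:GetObject", dev),
        ("555555555555", "cloudtrail:StopLogging", dev),
        ("111111111111", "cloudtrail:StopLogging", dev),
    ]:
        print(acct, action, who.rsplit("/", 1)[1], "->", evaluate(acct, action, who))
```

Running the block prints one decision per case: a Developer role in the Log Archive account is denied cloudtrail:StopLogging by the guardrail on the Security OU, the AWSControlTowerExecution role is exempted by the ArnNotLike condition, the same action in an account under an OU that was never registered with Control Tower is allowed because nothing attaches the guardrail there, and the management account is allowed regardless because SCPs never apply to it. The model deliberately stops at SCPs: an action that passes every OU still needs an IAM identity policy that allows it.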

https://avmconsulting.net/

Published in AVM Consulting Blog

AVM Consulting — Clear strategy for your cloud

Written by Kubernetes Advocate

Vineet Sharma, Founder and CEO of Kubernetes Advocate. Tech author, cloud-native architect, and startup advisor. https://in.linkedin.com/in/vineet-sharma-0164