AWS Control Tower: the easiest way to set up and govern an AWS environment

Marco Pini
Growens Innovation Blog
5 min read, Oct 6, 2021

In this article we take a deep dive into AWS Control Tower, a service that offers the easiest way to set up and govern a secure, multi-account AWS environment, called a landing zone. AWS Control Tower builds your landing zone on top of AWS Organizations and brings ongoing account management and governance together with deployment best practices.

The need for multiple AWS accounts stems from the need to separate business units (BUs) at a logical level and to isolate their resources: an account is a natural boundary for security, access and billing.

Here are some of the benefits:

  • Rapid innovation with varying requirements: Accounts can be assigned to BUs, workloads or products. Separate accounts provide customized environments and meet the different security needs of each team.
  • Simplified billing: Using multiple accounts simplifies AWS cost allocation. You can use them to identify which projects or services are responsible for AWS expenses.
  • Flexible security controls: You can group accounts (for example into organizational units) to ensure that certain accounts meet compliance requirements such as HIPAA or PCI DSS.
  • Easily adapt to business processes: Using multiple accounts allows you to set up your IT infrastructure in a way that reflects the needs of your business processes or requirements.

AWS Services

The introduction of Control Tower brings with it several other AWS services; the main ones are described below.

AWS Organizations gives you the ability to centrally manage your environment across multiple accounts. You can create and organize accounts into organizational units (OUs), consolidate billing, and enforce policies on those accounts. Combined with other AWS services, it lets you secure your environment, create and share resources, and centrally manage permissions.

You can use the AWS Organizations console, SDK, or AWS CLI to create an organization, and then add accounts, enable features, and enable trusted access for other AWS services so they can operate across your organization. There is no charge for AWS Organizations itself. The cost of the integrated services varies, but is similar to activating those services individually in separate accounts. With AWS Organizations you have the flexibility to build your environment and adopt services step by step.

AWS Control Tower automates many of the steps needed to build your environment. It gives you a pre-built multi-account structure so you can be up and running with just a few clicks. Control Tower abstracts other AWS services to set up and govern your multi-account environment. For example, it automatically creates new accounts (including the shared Log Archive and Audit accounts), gives you a default OU structure, and provisions resources in those accounts to help you manage your environment. It also applies managed guardrails, rules that govern your environment: preventive guardrails are implemented as service control policies in AWS Organizations, detective guardrails as AWS Config rules, and account provisioning goes through AWS Service Catalog. In addition, you get visibility into your AWS environment from a single dashboard. There is no additional charge for Control Tower itself, but you pay for the AWS services (such as AWS Service Catalog, AWS CloudTrail, and AWS Config) that it uses to manage your environment.

Permission Sets

AWS Single Sign-On (AWS SSO, since renamed AWS IAM Identity Center) is the easiest way to grant custom permissions in the accounts created in AWS Organizations. AWS SSO is a cloud-based service that simplifies account and application access management. After you create your organization, you can enable AWS SSO from the console while logged in to the management account. You then choose an identity source so that AWS SSO can recognize the existing users and groups that need access. By default AWS SSO gives you a cloud-native identity store in which you manage users and groups, but you can connect an external identity source such as G Suite (now Google Workspace). Once the identity source is connected, you set up access by assigning permission sets to users or groups for each account. A permission set is a collection of IAM policies that AWS SSO provisions as an IAM role in every account it is assigned to, so the same "Developer" or "ReadOnly" definition is applied consistently across the organization.

Service control policies (SCPs) let you set highly customizable, programmatic boundaries on the service actions that can be taken in accounts. For example, if you are only required to operate in specific AWS regions, you can write an SCP that ensures resources are deployed only to approved regions. To protect sensitive data from external sharing, you can set bucket policies and Block Public Access on your S3 buckets centrally, then apply an SCP that denies any change to those bucket policies. You can attach policies to an individual account, to an OU (which applies the policy to every account in that OU and its child OUs), or to the organization root, which applies it to the whole organization. Two caveats: an SCP never grants permissions, it only bounds what IAM identity policies can grant, and SCPs have no effect on the management account.
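The two SCPs this paragraph describes (region restriction and a freeze on bucket policies), with a small evaluator that applies SCP semantics to them: a matching Deny wins, otherwise some Allow must match, and an SCP on its own never grants anything. This is an added example and not the author's or AWS's code; the approved regions, the list of exempted global services and the request contexts are assumptions, and the evaluator models only the policy features these two documents use.

```python
"""SCPs built from the article's two examples, plus a small evaluator that
applies SCP semantics to them.  Added example, not AWS code and not the
original post's; regions, exempted services and request contexts are
assumptions.  Only Allow/Deny with Action or NotAction, Resource "*" and
StringEquals/StringNotEquals conditions are modelled."""
import fnmatch
import json

APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]  # assumption

# SCP 1: deny any action requested outside the approved regions.  Global
# services go in NotAction: their API calls report aws:RequestedRegion =
# us-east-1, so a bare region deny would lock you out of IAM, Organizations, STS.
DENY_OUTSIDE_APPROVED_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                      "cloudfront:*", "route53:*", "budgets:*", "health:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
    }],
}

# SCP 2: bucket policies and Block Public Access are set once by the central
# team; member accounts may not change them afterwards.
DENY_BUCKET_POLICY_CHANGES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyBucketPolicyChanges",
        "Effect": "Deny",
        "Action": ["s3:PutBucketPolicy", "s3:DeleteBucketPolicy", "s3:PutBucketAcl",
                   "s3:PutBucketPublicAccessBlock", "s3:PutAccountPublicAccessBlock"],
        "Resource": "*",
    }],
}

# FullAWSAccess is attached to every target by default once SCPs are enabled;
# with no Allow statement in scope an SCP set permits nothing at all.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

ORG_SCPS = [FULL_AWS_ACCESS, DENY_OUTSIDE_APPROVED_REGIONS, DENY_BUCKET_POLICY_CHANGES]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_applies(stmt, action, context):
    """True if the statement covers this action under the request context."""
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            hit = key in context and context[key] in _as_list(values)
            if operator == "StringEquals" and not hit:
                return False
            if operator == "StringNotEquals" and hit:  # absent key counts as true
                return False
    return True


def scp_allows(action, context, policies):
    """SCP decision for one target: a matching Deny always wins, otherwise
    at least one Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_decision(identity_allows, action, context, policies):
    """An SCP is a boundary, not a grant: the principal still needs an IAM
    identity policy that allows the action."""
    return identity_allows and scp_allows(action, context, policies)


if __name__ == "__main__":
    # Constructed request contexts; us-east-1 is what global services report.
    for action, region in [("ec2:RunInstances", "eu-west-1"), ("ec2:RunInstances", "us-west-1"),
                           ("iam:CreateRole", "us-east-1"), ("s3:PutBucketPolicy", "eu-west-1")]:
        ctx = {"aws:RequestedRegion": region}
        print(f"{action:20} {region:12} {'allowed' if scp_allows(action, ctx, ORG_SCPS) else 'DENIED'}")
    print(json.dumps(DENY_OUTSIDE_APPROVED_REGIONS, indent=2))  # paste into create-policy
```

Running the script prints a verdict for each constructed request and the JSON of the region policy, which can be saved to a file and loaded with `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content file://policy.json` and then `aws organizations attach-policy` against an OU or account. Two things the evaluator makes visible: without the `NotAction` exemptions the `iam:CreateRole` call would be denied, because global services report `us-east-1` as `aws:RequestedRegion`; and attaching only the Deny policies, without `FullAWSAccess` or another Allow in scope, permits nothing at all. Keep each document under the 5120-character SCP size limit.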

Security

Creating a multi-account environment provides many security benefits. Accounts act as containers for resources used for a common purpose. In the event of a security incident or a misconfigured resource, the blast radius is contained to a single account. AWS provides the capabilities for a central team to define security standards and apply them consistently across all accounts.

Recap

In conclusion, Control Tower is the tool we need for the centralized management of AWS governance in a scenario made of different BUs with different needs and different infrastructures.

Control Tower lets business and development teams take on more autonomy and control while policy management stays centralized.

The set of services and security measures that Control Tower puts in place brings with it the best practices needed to pass AWS reviews and join AWS partner programs.

For example:

  • Well-Architected Review, which enables distribution of the application solution through the AWS Marketplace.
  • Foundational Technical Review (FTR): an approved FTR lets you earn the "Reviewed by AWS" solutions badge, unlock funding benefits, and become eligible to participate in various AWS Partner Programs.

These requirements were already fulfilled last month together with the Bee BU, which has been the forerunner for the other BUs that will soon see the benefits of tools such as Control Tower and the CCoE (Cloud Center of Excellence).
