What is AWS Control Tower?
AWS Control Tower is a service that provides for cloud governance for a multi-account AWS environment. (Cloud Governance is the process of defining and creating policies to control costs, minimize security risks, and improve efficiency.) It does this by orchestrating several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center (successor to AWS Single Sign-On). Control Tower accomplishes this primarily through the use of CloudFormation to provision resources into new or existing accounts. This account creation process is called account factory.
AWS Control Tower uses AWS Service Control Policies (SCPs) to provide preventive guardrails and AWS Config to provide detective guardrails. The management account keeps track of all subsidiary account’s compliance. A landing zone contains all of the subsidiary accounts. The landing zone is the enterprise wide object that contains all of your accounts, users, organizational units (OUs), and other resources.
Both new accounts and existing accounts can be brought under control of the management account. It is a bit more complicated to add an existing account to Control Tower than it is to create a new account. In our experience, a common use case for adding existing accounts to the management account is because a company is acquired that has their own AWS account(s) or initial Control Tower setup.
One of the primary benefits of using AWS Control Tower is that a central team can monitor and manage compliance and logging. The primary tool for central management is a dashboard, which offers continuous oversight of your landing zone.
What AWS Control Tower Actually Does
AWS takes many actions on your behalf when setting up Control Tower. We will briefly describe the components that are created and what each does.
A landing zone consists of the following:
AWS Organizations Organizational Units – Root, Security and Sandbox. The Root OU contains all other OUs in your landing zone. The Security OU contains the Log Archive and Audit AWS accounts. The Sandbox OU contains AWS accounts that users will use to do their work.
IAM Identity Center directory – This is the directory contains your users. Each user’s permissions are defined here.
IAM Identity Center users – These are the identities that your users can assume to do their work with with a control tower managed AWS account.
Mandatory Preventive Guardrails – All accounts, with the exception of the management account, have AWS SCPs for all mandatory policies deployed.
Mandatory Detective Guardrails – All accounts, with the exception of the management account, have AWS Config rules for all mandatory policies deployed.
Managing Resources Safely
Control Tower creates many resources on your behalf. In order to manage those resources properly, resources should only be deleted using the supported methods within Control Tower. Deleting or modifying resources outside of these supported methods will put your landing zone into an unknown state.
There are three accounts that AWS Control Tower manages when you first set it up. The management account is the account that you create when setting up Control Tower. Control tower creates a log archive and an audit account to help centrally manage the enterprise accounts within.
This is the AWS account that you created for your landing zone. It is the central billing account for the entire landing zone. It is used to create new accounts using the account factory and manage OUs and preventive and detective guardrails.
Log Archive Account
This AWS account acts as a central repository for all API activities and resource configurations for all accounts within the landing zone.
This AWS account is a restricted account designed to give your security and compliance team(s) both read and write access to all accounts within your landing zone. This account only has programmatic access to other accounts through a Lambda role. The account users do not have the ability to login to other accounts.
A guardrail is a high level rule that enforces a policy for your AWS environment. Guardrails are either preventive or detective. A preventive guardrail prevents an action from occurring. A detective guardrail detects when an action has occurred. Guardrails are applied to every account in your OU.
Guardrails come in three levels of guidance. Mandatory guardrails are always enforced. Strongly recommended guardrails enforce some common best practices. Elective guardrails address some common restrictions in an enterprise environment.
The root user and IAM administrators in the management account can perform work that would otherwise be denied by guardrails. This prevents the management account from entering an unusable state. All actions are still monitored and logged to the log archive account.
Key Orchestrated Services
As we have already covered, AWS Control Tower is a service that orchestrates other AWS services.
AWS Organizations is an account management service that allows you to consolidate multiple AWS accounts into a centrally manged and billed unit. You can organize member accounts into groups, called organizational units or OUs. Organizations allows you to attach policy-based controls to member accounts.
AWS CloudFormation is a service that uses templates to deploy infrastructure in a consistent, repeated, and automated manner. Control Tower uses CloudFormation StackSets to deploy guardrails to member accounts.
AWS Service Catalog
AWS Service Catalog allows administrators to create, manage, and distribute groups of approved products to end users. End users access Service Catalog through a personalized portal with the products they have access to. Account Factory in Control Tower is built using Service Catalog. Other products are also available to the Control Tower accounts through Service Catalog.
AWS CloudTrail keeps an audit trail of API actions taking within your AWS accounts. With Control Tower, CloudTrail is used to maintain a central audit log for all member accounts.
AWS Identity and Access Management (IAM) is a services that allows you to securely control access to AWS services. IAM lets you centrally manage users and security credentials. Control Tower creates groups in AWS IAM Identity Center (successor to AWS Single Sign-On). These groups have predefined IAM permission sets applied. Also users can use IAM to define users and permissions in member accounts.
AWS Simple Notification Service (SNS) allows applications and users to send notifications instantly. Control tower uses SNS to send programmatic alerts to the email addresses associated with the management and audit accounts.
AWS Lambda is a compute service that allows you to run units of code. The service is scalable and can be triggered from other AWS services or called directly. Control Tower uses Lambda roles to review other member accounts from the audit account. Control Tower Lifecycle events can trigger Lambda functions.
AWS introduced Control Tower on June 24, 2019. At Tribloom, we have done many implementations since then. If you think that Control Tower might provide your organization benefits and don’t know how to get started, please contact us and we can help.