For large enterprises and SMBs with multiple AWS accounts, monitoring and managing those accounts is a major challenge: they are owned by many different teams and, in some organizations, run into a few hundred accounts.
AWS Control Tower helps organizations set up, manage, monitor, and govern a secure multi-account environment using AWS best practices.
Benefits of AWS Control Tower:
- Automate the setup of a multi-account AWS environment in a few clicks, following AWS best practices
- Enforce governance and compliance using guardrails
- Centralized logging and policy management
- Simplified workflows for standardized account provisioning
- Perform security audits across accounts using AWS Identity and Access Management (IAM)
Features of AWS Control Tower:
a) AWS Control Tower automates the setup of a new landing zone, which includes:
- Creating a multi-account environment using AWS Organizations
- Identity management using the AWS Single Sign-On (SSO) default directory
- Federated access to accounts using AWS SSO
- Centralized logging from AWS CloudTrail and AWS Config, stored in Amazon S3 in a dedicated log archive account
- Cross-account security audits using AWS IAM and AWS SSO
b) Account Factory
- Automates the provisioning of new accounts in the organization.
- A configurable account template that standardizes the provisioning of new accounts with pre-approved account configurations, so every account starts from the same baseline.
c) Guardrails
- Pre-bundled governance rules for security, operations, and compliance, applied to Organizational Units (OUs) and therefore to every account within an OU.
- Preventive guardrails: prevent policy violations by enforcement. Implemented as Service Control Policies (SCPs) attached to the OU, so a denied API call fails regardless of the caller's IAM permissions in the member account.
- Detective guardrails: detect policy violations after the fact and flag them in the dashboard. Implemented using AWS Config rules, so they report noncompliant resources but do not block their creation.
d) Three types of guidance (applied to guardrails)
- Mandatory guardrails: always enforced. Enabled by default on landing zone creation and cannot be disabled.
- Strongly recommended guardrails: enforce best practices for well-architected, multi-account environments. Not enabled by default on landing zone creation.
- Elective guardrails: track or lock down actions that are commonly restricted in enterprise environments. Not enabled by default on landing zone creation.
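The difference between a preventive and a detective guardrail is easiest to see in code. The block below is an added example, not code from the original page, from Relevance Lab or from AWS Control Tower. `PREVENTIVE_SCP` is modelled on the intent of the mandatory guardrail that disallows changes to CloudTrail (the `Sid` and the exact action list are assumptions; Control Tower's real SCP exempts its own `AWSControlTowerExecution` role in the same way). `scp_denies()` is a deliberately reduced model of IAM evaluation: only explicit `Deny` statements are considered, actions match case-insensitively with `*` wildcards, and a single `ArnNotLike` condition on `aws:PrincipalArn` is honoured. `public_read_noncompliant()` mirrors the logic of an S3 public-read Config rule. All requests and bucket records are constructed inline.

```python
"""Preventive vs. detective guardrails with constructed data (added example)."""
import fnmatch

# Preventive guardrail: an SCP attached to an OU. Modelled on the mandatory
# "disallow changes to CloudTrail" guardrail; Sid and action list are assumed.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailChanges",  # assumed Sid
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            },
        }
    ],
}


def _matches(patterns, value):
    """Case-insensitive IAM-style wildcard match ('*' and '?')."""
    if isinstance(patterns, str):
        patterns = [patterns]
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def scp_denies(policy, action, principal_arn):
    """True if an explicit Deny in the SCP applies to this request.

    An SCP Deny wins even if the principal's own IAM policy allows the
    action; that is what makes the guardrail preventive rather than advisory.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt["Action"], action):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn")
        if exempt and _matches(exempt, principal_arn):
            continue  # ArnNotLike is false for the exempted principal: no Deny
        return True
    return False


# Constructed S3 bucket records, shaped like what a Config rule evaluates.
SAMPLE_BUCKETS = [
    {"name": "aws-controltower-logs-111122223333",
     "block_public_access": True, "public_acl": False, "public_policy": False},
    {"name": "website-assets",
     "block_public_access": False, "public_acl": True, "public_policy": False},
    {"name": "shared-downloads",
     "block_public_access": False, "public_acl": False, "public_policy": True},
    {"name": "team-scratch",
     "block_public_access": False, "public_acl": False, "public_policy": False},
]


def public_read_noncompliant(buckets):
    """Detective guardrail logic: names of buckets that allow public read.

    Bucket-level Block Public Access overrides ACLs and bucket policies, so a
    bucket with it enabled is compliant whatever the other two flags say.
    Unlike the SCP above this only reports; the bucket already exists.
    """
    return sorted(
        b["name"] for b in buckets
        if not b["block_public_access"] and (b["public_acl"] or b["public_policy"])
    )


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:user/developer"
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    for action, who in [("cloudtrail:StopLogging", dev),
                        ("cloudtrail:StopLogging", ct),
                        ("cloudtrail:DescribeTrails", dev)]:
        verdict = "DENIED by SCP" if scp_denies(PREVENTIVE_SCP, action, who) else "not blocked by SCP"
        print(f"{action:28} {who.rsplit('/', 1)[1]:26} {verdict}")
    print("Noncompliant buckets:", public_read_noncompliant(SAMPLE_BUCKETS))
```

Two things worth noticing when you run it: the developer's `StopLogging` call is denied even though no IAM policy was consulted, while the Control Tower execution role passes the `ArnNotLike` exemption; and the two public buckets are only listed, which is exactly why Control Tower pairs detective guardrails with a dashboard rather than relying on them to stop anything.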
e) Dashboard
- Gives complete visibility of the AWS environment
- Shows the number of OUs (Organizational Units) and accounts provisioned
- Shows the guardrails enabled
- Lists the noncompliant resources according to the guardrails enabled.
Steps to set up AWS Control Tower:
Setting up Control Tower in a new account is relatively simpler than setting it up in an existing account, because an existing account usually has AWS Organizations, CloudTrail or AWS Config settings that must first be brought in line with Control Tower's prerequisites. Once Control Tower is set up, the landing zone has the following:
- 2 Organizational Units
- 3 accounts: the management (master) account, plus isolated accounts for log archive and security audit
- 20 preventive guardrails that enforce policies
- 2 detective guardrails that detect configuration violations
The next step is to create a new Organizational Unit, then create a new account using Account Factory and map it to that OU. Once this is done, you can start deploying resources; any noncompliance appears in the Noncompliant resources dashboard, as does any deviation from the AWS best practices that the enabled guardrails encode.
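The account-provisioning step above is normally done in the console, but teams that provision accounts regularly script it against the Service Catalog product that Account Factory is built on. The block below is an added example; it is not code from the original page, from Relevance Lab or from AWS. It assumes the Service Catalog product created by Control Tower is still named `AWS Control Tower Account Factory` (the default), that the caller's SSO user has the Account Factory portfolio shared with it, that the target OU sits directly under the organization root, and that the six parameter keys match what `describe-provisioning-parameters` reports for your product version. The account name, e-mail addresses and OU name are placeholders. `boto3` is imported inside the functions that call AWS, so the parameter builder runs offline.

```python
"""Provision an account through Account Factory and verify its OU (added example)."""
import re
import time

ACCOUNT_FACTORY_PRODUCT = "AWS Control Tower Account Factory"  # assumed default name
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def account_factory_params(account_name, account_email, sso_email,
                           sso_first, sso_last, ou_name):
    """Build the ProvisioningParameters list for the Account Factory product.

    Validate up front: a malformed root e-mail only fails after Service
    Catalog has been running for several minutes, and every account root
    e-mail must be unique across AWS, so addresses cannot be reused.
    """
    for label, addr in (("AccountEmail", account_email), ("SSOUserEmail", sso_email)):
        if not _EMAIL.match(addr):
            raise ValueError(f"{label} is not a valid e-mail address: {addr!r}")
    if not ou_name:
        raise ValueError("ManagedOrganizationalUnit must be set")
    return [
        {"Key": "AccountName", "Value": account_name},
        {"Key": "AccountEmail", "Value": account_email},
        {"Key": "SSOUserEmail", "Value": sso_email},
        {"Key": "SSOUserFirstName", "Value": sso_first},
        {"Key": "SSOUserLastName", "Value": sso_last},
        {"Key": "ManagedOrganizationalUnit", "Value": ou_name},
    ]


def provision_account(params, provisioned_name, region="us-east-1", poll=30):
    """Launch the Account Factory product and wait for a terminal record status."""
    import boto3  # deferred so the module imports without boto3 installed
    sc = boto3.client("servicecatalog", region_name=region)
    products = sc.search_products(
        Filters={"FullTextSearch": [ACCOUNT_FACTORY_PRODUCT]})["ProductViewSummaries"]
    product_id = next(p["ProductId"] for p in products
                      if p["Name"] == ACCOUNT_FACTORY_PRODUCT)
    artifact_id = next(a["Id"] for a in sc.list_provisioning_artifacts(
        ProductId=product_id)["ProvisioningArtifactDetails"] if a["Active"])
    record_id = sc.provision_product(
        ProductId=product_id, ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=provisioned_name,
        ProvisioningParameters=params)["RecordDetail"]["RecordId"]
    while True:
        detail = sc.describe_record(Id=record_id)["RecordDetail"]
        if detail["Status"] in ("SUCCEEDED", "FAILED"):
            return detail
        time.sleep(poll)


def account_in_ou(account_email, ou_name, region="us-east-1"):
    """Return the account ID if it landed in the intended OU, else None.

    Runs from the management account, which is where the Organizations
    read APIs are allowed by default.
    """
    import boto3
    org = boto3.client("organizations", region_name=region)
    root_id = org.list_roots()["Roots"][0]["Id"]
    ous = org.list_organizational_units_for_parent(ParentId=root_id)["OrganizationalUnits"]
    ou_id = next(ou["Id"] for ou in ous if ou["Name"] == ou_name)
    pages = org.get_paginator("list_accounts_for_parent").paginate(ParentId=ou_id)
    for page in pages:
        for acct in page["Accounts"]:
            if acct["Email"].lower() == account_email.lower():
                return acct["Id"]
    return None


if __name__ == "__main__":
    params = account_factory_params(
        "payments-dev", "aws-payments-dev@example.com",
        "jane.doe@example.com", "Jane", "Doe", "Workloads")
    result = provision_account(params, "payments-dev")
    print(result["Status"], result.get("RecordErrors", []))
    print("Account in OU:", account_in_ou("aws-payments-dev@example.com", "Workloads"))
```

The verification step matters more than it looks: the `ManagedOrganizationalUnit` parameter is what determines which guardrails the new account inherits, so confirming the OU placement is confirming which SCPs and Config rules now apply to it.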
With many organizations adopting AWS cloud services, AWS Control Tower's centralized management offers the simplest way to set up and govern multiple AWS accounts securely through these features and established best practices. Provisioning a new AWS account is as simple as clicking a few buttons while conforming to the organization's requirements and policies. Relevance Lab can help your organization build AWS Control Tower and migrate your existing accounts to Control Tower. For more details please reach out to firstname.lastname@example.org