Are you planning your journey to AWS and want a well-architected design that AWS recommends? Or do you already have multiple AWS accounts and are having nightmares managing a complex environment?

Xerris recommends that its customers deploy AWS Control Tower. It simplifies the management and governance of multiple AWS accounts by leveraging services such as AWS Organizations, AWS Service Catalog and AWS Single Sign-On (SSO), and it establishes a centralized landing zone for the organization based on security and compliance best practices.

Some terminology to be familiar with:

  • Guardrail: A pre-packaged SCP or AWS Config rule created by Control Tower that focuses on security, compliance and cost management. Guardrails can be preventive, blocking actions that would lead to a policy violation, or detective, raising alerts on non-compliant resources.
  • Landing Zone: The starting point of the AWS Control Tower multi-account environment. It includes the default accounts, structures, security and network layouts that Control Tower sets up for you, and it can be used to deploy workloads. A landing zone also controls access to resources by creating roles for the audit, logging and master accounts.
  • Blueprints: Best-practice and well-architected design patterns used to set up a Landing Zone.
  • AWS Account: An AWS account contains resources and isolates them from resources in other accounts. It can be associated with billing and payments and is different from an IAM user. The Account Factory creates AWS accounts.
  • IAM User: An IAM user provides a way for a person, application or service to authenticate to AWS and has more limited access than the root user created in an AWS account.

Now, let’s have a look at some of the underlying services that work with AWS Control Tower to create a landing zone:

AWS Organizations centralizes and groups the management of multiple accounts into Organizational Units (OU) based on operational needs or compliance requirements and attaches access policies called service control policies (SCPs) to them. SCPs define the maximum permissions in an OU member account and control the services available to the users in those accounts.
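To make concrete how an SCP is a permission ceiling rather than a grant (the "maximum permissions" above, and the preventive guardrails described earlier), here is an added Python example that is not code from AWS or Xerris. The SCP and IAM policy documents are constructed samples (the SCP is modelled on a preventive guardrail but is not one of Control Tower's published guardrails), and the evaluation is deliberately simplified: it matches only the Action element and ignores Resource and Condition.

```python
import fnmatch

# Constructed sample SCP, modelled on a preventive guardrail: it permits every
# action except disabling CloudTrail or leaving the organization. Illustrative
# only, not one of Control Tower's published guardrails.
SAMPLE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": "organizations:LeaveOrganization"},
    ],
}

# Constructed IAM identity policy for a user inside a member account.
SAMPLE_IAM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudtrail:*", "s3:GetObject"]},
    ],
}

def _evaluate(policy, action):
    """Return (explicit_deny, allowed) for one document. Action matching is
    case-insensitive with '*' wildcards, as in IAM; Resource and Condition are ignored."""
    denied = allowed = False
    for stmt in policy["Statement"]:
        acts = stmt.get("Action", [])
        acts = acts if isinstance(acts, list) else [acts]
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
            if stmt["Effect"] == "Deny":
                denied = True
            elif stmt["Effect"] == "Allow":
                allowed = True
    return denied, allowed

def is_action_permitted(action, scps, iam_policy):
    """Every SCP on the path root -> OU -> account must allow the action and
    none may explicitly deny it; only then is the IAM policy consulted. An
    SCP never grants access by itself: it caps what IAM policies can grant."""
    for scp in scps:
        denied, allowed = _evaluate(scp, action)
        if denied or not allowed:
            return False
    denied, allowed = _evaluate(iam_policy, action)
    return allowed and not denied
```

Pass several SCPs to `is_action_permitted` to model inheritance from the root through nested OUs down to the account: an action is only possible when every policy on that path allows it.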

AWS Control Tower automatically sets up AWS Service Catalog and publishes Account Factory as a product in the catalog. Service Catalog provides a standardized and centralized way to provision and manage which services, resources and versions (called products) are available, how each is configured and who can access it. Products are grouped into collections called portfolios. New Control Tower managed accounts are provisioned through the Account Factory, which is sometimes referred to as an account "vending machine."

AWS SSO creates user identities and manages access and permissions to AWS accounts and applications for individual users or groups. AWS SSO creates new users and groups or connects existing users and groups through services like Active Directory or Azure. AWS SSO stores the permission sets that determine the level of access a user or group has to AWS services in the specified account.

Control Tower also builds on AWS services such as AWS Config, AWS CloudTrail and Identity and Access Management (IAM) for logging and security purposes, codifies AWS best practices through CloudFormation templates, and unifies everything in a centralized dashboard where compliance information can be viewed in real time.

For more details, see the official AWS Control Tower page.

Control Tower - How It Works