You may have heard of AWS Control Tower, AWS Organizations and AWS Service Catalog – but what are these services and how do they integrate with one another? What are the benefits of using Control Tower and the services underneath it? If you’re interested in learning more, read on and we’ll answer these questions and more below.
What is AWS Control Tower?
AWS Control Tower automates the ‘at scale’ build-out of a multi-account structure on AWS. For large companies migrating to AWS, a multi-account architecture makes sense: different business functions have different access requirements, compliance requirements and so on, and an AWS account is the strongest isolation boundary AWS offers, so these functions can be segregated cleanly between accounts and the blast radius of a compromised credential or misconfiguration is contained to one account. With AWS Control Tower, administrators can set up a new multi-account environment with a single click in the AWS Management Console.
AWS Control Tower creates an orchestration layer over other AWS services, including AWS Organizations, AWS Service Catalog and AWS Single Sign-On (since renamed AWS IAM Identity Center). This orchestration layer makes life easier for administrators who manage more than a handful of AWS accounts.
AWS Organizations – AWS Organizations allows AWS customers to centrally manage and govern their AWS environment. Organizations enables the automated creation of new AWS accounts and groups them into organizational units (OUs). Additionally, AWS Organizations allows AWS admins to programmatically allocate resources, apply policies (such as service control policies, or SCPs) to individual accounts or whole OUs, and consolidate billing.
AWS Single Sign-On (SSO) – AWS SSO allows users to sign in and be authenticated once, with multi-factor authentication (MFA), and then gain access to all permitted accounts within the Organization, rather than having separate IAM users and logins in each account.
AWS Service Catalog – AWS Service Catalog allows AWS customers to create and manage catalogs of IT services that the customer has pre-approved for use by their users on AWS. A catalog may contain anything from server images and software to complete multi-tier application architectures, each of which can be deployed with a single click.
AWS Control Tower Features
AWS Control Tower has 4 main features:
Landing Zone – a ‘well-architected’ multi-account AWS environment configured in accordance with security and compliance best-practice blueprints. The ‘Landing Zone’ is your entire business-wide AWS deployment, containing all of your organisational units, accounts, users and other resources.
Guardrails – Guardrails (now called ‘controls’ in the AWS console and documentation) are clearly defined, high-level rules that provide governance for your AWS environment, curated by AWS and based on AWS best practices. Guardrails can be either Preventive – stopping actions from occurring, implemented as service control policies (SCPs) attached through AWS Organizations – or Detective – detecting non-compliant resources as they appear, implemented as AWS Config rules. Preventive guardrails stop the deployment of resources that don’t conform to policy; detective guardrails only report them, so they need someone watching the dashboard or an automated response. Each guardrail enforces a single rule and is expressed in plain English. Some examples of guardrails include:
- Disallow access as a root user without multi-factor authentication
- Disallow public write access to Amazon Simple Storage Service (Amazon S3) buckets
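To make the preventive/detective distinction concrete, here is an added example (not Control Tower’s own code, and not the exact artefacts Control Tower deploys) showing the two AWS primitives guardrails map to: a preventive guardrail is a service control policy (SCP) that denies any action taken as an account’s root user, following the AWS-documented pattern of matching `aws:PrincipalArn` against `arn:aws:iam::*:root`; a detective guardrail is an AWS Config managed rule, here `S3_BUCKET_PUBLIC_WRITE_PROHIBITED`, which is a real managed rule identifier. The statement `Sid`, the Config rule name, the OU id and the sample ARNs are assumptions. The small `scp_denies` evaluator covers only the subset of SCP semantics these documents use, so you can check the policy’s effect offline before attaching it to a real OU.

```python
"""Preventive vs detective guardrails as the AWS primitives they map to.

Illustrative example, not Control Tower's own code. A preventive guardrail is
an SCP attached via AWS Organizations; a detective guardrail is an AWS Config
rule. The evaluator implements a deliberately small subset of SCP semantics
(explicit Deny with a StringLike condition on aws:PrincipalArn).
"""
import fnmatch
import json

# Preventive guardrail: deny every action taken as the root user of a member
# account. The aws:PrincipalArn pattern follows the AWS-documented approach;
# the Sid is our own.
DENY_ROOT_ACTIONS_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyActionsAsRootUser",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}

# Detective guardrail: AWS Config managed rule that flags S3 buckets allowing
# public write. SourceIdentifier is a real managed rule id; the rule name is
# an assumption.
S3_PUBLIC_WRITE_CONFIG_RULE = {
    "ConfigRuleName": "s3-bucket-public-write-prohibited",
    "Source": {"Owner": "AWS", "SourceIdentifier": "S3_BUCKET_PUBLIC_WRITE_PROHIBITED"},
    "Scope": {"ComplianceResourceTypes": ["AWS::S3::Bucket"]},
}


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' only, case-sensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(policy, principal_arn, action):
    """True if an explicit Deny statement in `policy` matches the call.

    Only Action wildcards and a StringLike condition on aws:PrincipalArn are
    handled. Real SCP evaluation also covers NotAction, Resource, other
    condition operators and the implicit deny when no Allow matches.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt.get("Action", []), action):
            continue
        arn_patterns = stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn")
        # No principal condition means the Deny applies to every principal.
        if arn_patterns is None or _matches(arn_patterns, principal_arn):
            return True
    return False


def attach_guardrails(org_unit_id, region_name="us-east-1"):
    """Push both guardrails with boto3 (needs AWS credentials; not run offline).

    `org_unit_id` is a hypothetical OU id such as 'ou-abcd-12345678'.
    """
    import boto3  # imported lazily so the module loads without boto3 installed

    org = boto3.client("organizations")
    resp = org.create_policy(
        Content=json.dumps(DENY_ROOT_ACTIONS_SCP),
        Description="Preventive guardrail: deny actions as root user",
        Name="DenyActionsAsRootUser",
        Type="SERVICE_CONTROL_POLICY",
    )
    org.attach_policy(PolicyId=resp["Policy"]["PolicySummary"]["Id"], TargetId=org_unit_id)
    # Config rules are regional and per account; Control Tower fans them out to
    # every enrolled account with StackSets. This covers one account and region.
    boto3.client("config", region_name=region_name).put_config_rule(
        ConfigRule=S3_PUBLIC_WRITE_CONFIG_RULE
    )


if __name__ == "__main__":
    # Constructed sample principals: the account root and an ordinary IAM role.
    for arn in ("arn:aws:iam::111122223333:root", "arn:aws:iam::111122223333:role/DeployRole"):
        denied = scp_denies(DENY_ROOT_ACTIONS_SCP, arn, "s3:CreateBucket")
        print(arn, "-> denied by SCP" if denied else "-> not denied by SCP")
```

The asymmetry to remember from this: the SCP refuses the root user’s `s3:CreateBucket` call outright, while the Config rule only records a bucket as NON_COMPLIANT after it already exists, so detective guardrails need a remediation or alerting path to be useful.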
It should be noted that, out of the box, guardrails do not automatically make you compliant with standards such as ISO 27001, SOC 1 and 2, HIPAA and so on; it remains the customer’s responsibility to ensure that their specific compliance requirements are met. This is of course something an AWS Managed Services Provider can also assist with.
Account Factory – The AWS Account Factory enables admins and SSO end users to provision AWS accounts in your Landing Zone. Account Factory provides account templates that enable standardized, automated provisioning of new AWS accounts with approved configurations. The Account Factory also automatically applies Guardrails to newly created accounts.
Dashboard – administrator visibility into your AWS Landing Zone: you can view provisioned accounts, the Guardrails enabled and any non-compliant resources.
AWS Control Tower is built on top of AWS Organizations, an AWS service which allows a management account to enrol any number of member accounts and apply policies across all of them from a single location.
A multi account AWS environment enables:
- Rapid innovation – different teams can be allocated their own AWS accounts, enabling them to innovate quickly within their own security and compliance frameworks
- Simplified billing – allocating costs by account is much simpler than other cost-allocation methods
- Flexible security and compliance – the account boundary can be used to isolate workloads with differing security and compliance requirements, so a breach or misconfiguration in one account does not automatically expose the others
- Adapt easily to business processes – AWS accounts can be organized in alignment with your business processes, which may have differing operational, regulatory and budgeting requirements
AWS Control Tower Pricing
AWS Control Tower is free to use, but the services it deploys are not. When you start to use AWS Control Tower, AWS will bill you for the services that comprise your Landing Zone and Guardrails. Some of these services are free of charge, such as AWS Single Sign-On and AWS Organizations, but you will be charged for others, including CloudTrail, AWS Config, CloudWatch, S3 storage, Simple Notification Service (SNS) and Virtual Private Cloud (VPC). All of these services have usage-based charges, so you only pay for what you actually use; in practice AWS Config recording and the CloudTrail logs that Control Tower centralises into the log archive account are usually the largest line items. You can find pricing examples on the AWS website here: https://aws.amazon.com/controltower/pricing/
So, there you have it: you should now understand more about AWS Control Tower and the benefits it offers. If you are going to be building out AWS at scale in a large and complex organization, then Control Tower is a great place to start, so that you start as you mean to go on. As Stephen R. Covey wrote, ‘Begin with the end in mind’ – it costs nothing to lay the appropriate foundations on which to scale, and doing so will likely prevent future headaches from sprawling complexity!