You may have heard of AWS Control Tower, AWS Organizations and AWS Service Catalog, but what are these services and how do they integrate with one another? What are the benefits of using Control Tower and the services underneath it? If you’re interested in learning more, read on: we answer these questions and more below.
What is AWS Control Tower?
AWS Control Tower automates the build-out of a multi-account structure on AWS at scale. For large companies migrating to AWS, a multi-account architecture makes sense: different business functions have different access and compliance requirements, and an AWS account is the strongest isolation boundary available for keeping those functions apart. Administrators can set up a new multi-account environment from the AWS Management Console with very little manual configuration.
There are also customizations available for AWS Control Tower architecture, such as an AWS CloudFormation template that launches the components required to build the workflows, which in turn enable you to customize your landing zone (more on landing zones further down).
AWS Control Tower is an orchestration layer over other AWS services, including AWS Organizations, AWS Service Catalog and AWS Single Sign-On (since renamed AWS IAM Identity Center). This orchestration layer makes life easier for administrators who manage more than a handful of AWS accounts.
AWS Organizations allows AWS customers to centrally manage and govern their AWS environment. Organizations enables the automated creation of new AWS accounts, and lets administrators programmatically allocate resources, apply policies to individual accounts or to groups of accounts (organizational units), and consolidate billing.
With all of these features, why the need for AWS Control Tower? Let’s take a quick look at AWS Control Tower vs Organizations to unpack that. Simply put, it comes down to automation. While AWS Organizations provide a central location from which to manage multiple accounts, AWS Control Tower saves you time and effort by automating and simplifying a large portion of the work involved in building and governing your environment at scale.
AWS Single Sign-On (SSO)
AWS SSO allows users to sign in once, with multi-factor authentication (MFA) enforced if the administrator configures it, and then access every account and role they have been assigned within the Organization, rather than maintaining a separate Identity and Access Management (IAM) user and set of credentials in each account.
AWS Service Catalog
AWS Service Catalog allows AWS customers to create and manage catalogs of IT services that the customer has pre-approved for use by its own users on AWS. A catalog may contain anything from server images and software to complete multi-tier application architectures, which can be deployed with a single click.
AWS Control Tower Features
AWS Control Tower has four main features, which are outlined below.
Landing Zone
The landing zone is your entire business-wide AWS deployment: a ‘well-architected’ multi-account environment, configured according to AWS security and compliance best-practice blueprints, that contains all of your organizational units, accounts, users and other resources.
Since ‘AWS Landing Zone’ and ‘AWS Control Tower’ are easily confused, let’s address that here. The landing zone described above is created and managed by AWS Control Tower. Separately, there is also the AWS Landing Zone solution, an older, CloudFormation-based solution that predates Control Tower.
With AWS Control Tower, a new landing zone is created automatically from predefined blueprints. The AWS Landing Zone solution instead provides a configurable landing zone setup with numerous customization options; it is now in long-term support only, and AWS points new environments toward Control Tower.
Guardrails
Curated by AWS and based on AWS best practices, guardrails (renamed ‘controls’ in the Control Tower console in 2022) are clearly defined, high-level rules that provide governance for your AWS environment. Guardrails can be either preventive (stopping actions from occurring) or detective (detecting non-compliant events and resources after the fact). Preventive guardrails are implemented as service control policies (SCPs) in AWS Organizations, so a denied API call fails regardless of the caller’s IAM permissions; detective guardrails are implemented as AWS Config rules, which flag non-compliant resources but do not block them. Each guardrail enforces a single rule and is expressed in plain English. Some examples of guardrails include:
- Disallow access as a root user without multi-factor authentication (detective)
- Disallow public write access to Amazon Simple Storage Service (Amazon S3) buckets (detective)
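To make the preventive/detective distinction concrete, here is an added example (written for this page, not Control Tower’s own policy text or rule code). It models a preventive guardrail as an SCP that denies CloudTrail tampering, with a minimal evaluator showing how such a policy decides an API call, and a detective guardrail as an approximation of the check behind “Disallow public write access to Amazon S3 buckets”, run over constructed bucket policies and ACL grants. The policy text, the function names and the sample buckets are all hypothetical; a real SCP and Config rule evaluate conditions, resources and NotAction, which this simplification does not.

```python
"""Hypothetical models of the two guardrail types: a preventive guardrail
(an SCP) and a detective guardrail (an AWS Config-style evaluation).
Written as an illustration; not Control Tower's own policy text or rule code.
"""
import fnmatch
import json

# Preventive guardrail, modelled as an SCP that denies tampering with
# CloudTrail (hypothetical policy; the real guardrail text may differ).
# An SCP never grants access; it only bounds what IAM in the account can allow.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailChanges",
        "Effect": "Deny",
        "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def scp_denies(scp: dict, action: str) -> bool:
    """True if a Deny statement in the SCP matches the IAM action.

    Simplification: only Effect and Action are evaluated (no Condition,
    NotAction or Resource scoping). IAM action matching is case-insensitive.
    """
    action = action.lower()
    for stmt in scp.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        if any(fnmatch.fnmatchcase(action, p) for p in patterns):
            return True
    return False


# Detective guardrail: an approximation of the check behind
# "Disallow public write access to Amazon S3 buckets".
_WRITE_OPS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl")
_PUBLIC_ACL_URIS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)


def _principal_is_public(principal) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _grants_write(actions) -> bool:
    # A policy action such as "s3:*" or "s3:Put*" is a pattern; check whether
    # it matches any concrete write operation.
    patterns = [a.lower() for a in _as_list(actions)]
    return any(fnmatch.fnmatchcase(op, p) for op in _WRITE_OPS for p in patterns)


def bucket_allows_public_write(policy_json: str, acl_grants: list) -> bool:
    """Flag a bucket whose policy or ACL lets anyone write to it.

    Conditions on policy statements are ignored, so a statement scoped by
    e.g. aws:SourceVpce is still flagged; the check errs toward noise.
    """
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") == "Allow"
                and _principal_is_public(stmt.get("Principal"))
                and _grants_write(stmt.get("Action"))):
            return True
    for grant in acl_grants:
        if (grant.get("Grantee", {}).get("URI") in _PUBLIC_ACL_URIS
                and grant.get("Permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL")):
            return True
    return False


# Constructed sample inputs (not real buckets or policies).
PUBLIC_READ_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-static-site/*"}]})
PUBLIC_WRITE_POLICY = json.dumps({"Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:Put*"],
    "Resource": "arn:aws:s3:::example-uploads/*"}]})
PUBLIC_WRITE_ACL = [{"Grantee": {"URI": _PUBLIC_ACL_URIS[0]}, "Permission": "WRITE"}]

if __name__ == "__main__":
    print("StopLogging denied:", scp_denies(PREVENTIVE_SCP, "cloudtrail:StopLogging"))
    print("LookupEvents denied:", scp_denies(PREVENTIVE_SCP, "cloudtrail:LookupEvents"))
    print("read-only policy flagged:", bucket_allows_public_write(PUBLIC_READ_POLICY, []))
    print("write policy flagged:", bucket_allows_public_write(PUBLIC_WRITE_POLICY, []))
    print("write ACL flagged:", bucket_allows_public_write("", PUBLIC_WRITE_ACL))
```

The asymmetry is the point: the SCP makes `cloudtrail:StopLogging` fail at the API regardless of what IAM policies in the member account say, whereas the S3 check only reports that a bucket is already public-writable. If you need the S3 case blocked rather than reported, that is a job for an SCP (or the account-level S3 Block Public Access setting), not a detective guardrail.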
It should be noted that, out of the box, guardrails do not automatically make you compliant with standards such as ISO 27001, SOC 1 and SOC 2, or HIPAA. It remains the customer’s responsibility to ensure that their specific compliance requirements are met, something an AWS managed services provider can also assist with.
Account Factory
The AWS Account Factory enables administrators and SSO end users to provision AWS accounts in your landing zone. Account Factory provides account templates for standardized, automated provisioning of new AWS accounts with approved configurations, and applies the relevant guardrails to each newly created account automatically.
Dashboard
The dashboard gives administrators visibility into the AWS landing zone: provisioned accounts, the guardrails enabled on each organizational unit, and any non-compliant resources. AWS Control Tower is built on top of AWS Organizations, the AWS service that allows a management account to enroll any number of member accounts and apply policies across all of them from a single location.
A multi-account AWS environment enables:
- Rapid innovation: different teams can be allocated their own AWS accounts, enabling them to move quickly within the security and compliance boundaries set for them
- Simplified billing: allocating costs by account is much simpler than other cost allocation methods
- Flexible security and compliance: the account construct can be used to easily isolate workloads with differing security and compliance requirements.
- Adapt easily to business processes: AWS accounts can be organized in alignment with your business processes, which may have differing operational, regulatory and budgeting requirements.
AWS Control Tower Pricing
There is no charge for AWS Control Tower itself, but the services it deploys are not free. Once you start using AWS Control Tower, AWS bills you for the services that make up your landing zone and guardrails. Some of these, such as AWS Single Sign-On and AWS Organizations, are free of charge, but you will be charged for others, including CloudTrail, AWS Config, CloudWatch, S3 storage, Simple Notification Service (SNS) and Virtual Private Cloud (VPC). All of these are usage-based, so you only pay for what you actually use; AWS Config rule evaluations in particular scale with the number of accounts and resources under management. You can find pricing examples on the AWS website.
So, there you have it. You should now understand more about AWS Control Tower and the benefits it offers. If you are going to be building out AWS at scale in a large and complex organization, then Control Tower is a great place to start, to ensure that you start as you mean to go on. As Stephen R. Covey wrote: Begin with the end in mind—it costs nothing to lay the appropriate foundations on which to scale, and doing so will likely prevent future headaches from sprawling complexity!
If you’re new to Amazon Web Services, or even if you’ve been using it for a while, you might find our AWS glossary useful.