Control Tower is a newer AWS service that makes it easier to set up and govern a secure multi-account AWS environment. It brings together a number of governance best practices into an automated, extensible toolkit that can be deployed in new or existing AWS environments.
It leverages AWS Organizations to deploy a predefined organisational unit (OU) structure that provisions some initial accounts to help with centralising identity management, logging and auditing.
New accounts provisioned using its Account Factory have a consistent set of policies deployed to them, specifically:
- Guardrails, which limit what can be performed in each account and monitor for non-compliant resource changes
- Audit logging with CloudTrail, which is configured to log all actions within the account and forward those logs to an audit account for centralised audit log monitoring
Control Tower is part of AWS’s well-architected set of services to ensure best practice governance, and can be used to implement and validate your compliance with various governance standards.
The configuration of each new account can be customised to add organisation-specific resources to the provisioning of new accounts, e.g. to add common backup policies with AWS Backup or add blueprints for VPC configuration that is bridged to your corporate LAN.
Lastly, it provides a centralised dashboard, giving you visibility over your entire organisation structure, the current compliance of each account, creation of new accounts, and the ability to manage the landing zone by applying new versions from AWS, or configuring guardrails.
There are a whole suite of AWS services which help with these requirements:
- AWS Organizations for provisioning accounts and deploying multi-account policies for limiting access or centralising backups with Service Control Policies (SCPs)
- AWS Config for resource tracking and resource configuration compliance monitoring
- CloudTrail for audit logging in each account, which is configured to log to an S3 bucket and is replicated into a central audit account for easy auditing across multiple accounts
- AWS Service Catalog, which is used to provision accounts with Account Factory
- Identity and Access Management (IAM) for the deployment of cross-account roles and implementation of guardrails with SCPs
- AWS SSO is provisioned with a user directory to permit federated access across accounts and with extra roles associated with Control Tower usage, such as provisioning new accounts, security audit of logs and a power-user role for development
Additionally, AWS CloudFormation, CloudWatch, Amazon SNS, Step Functions, and S3 are used by its various components to deploy configuration and provide monitoring of its activities.
- An initial account architecture which contains a logs and audit account with automatically centralised CloudTrail logs
- Guardrails, which are a combination of AWS Config rules for resource tracking and compliance notification, and Service Control Policies for limiting the scope of changes in an account
- Account Factory, which uses Service Catalog to deploy all of the above configuration and can be customised to add your own configuration and deployments to a new account’s landing zone
AWS doesn’t charge any extra for using Control Tower, but you will pay for the underlying services such as CloudTrail and AWS Config which implement audit logging and resource tracking (respectively).
One thing to note is that if you have an environment with a lot of activity, which is common in large applications with a lot of KMS key usage, your CloudTrail costs will be higher if you enable more than one trail per account.
Similarly, if you have an environment with lots of ephemeral resources, i.e. lots of resource creation, updates and destruction (e.g. you create a new stack for every branch you work on and delete it afterwards), the AWS Config charges can add up quickly.
This issue arises because AWS Config charges per resource change it records, as well as for any custom rules you deploy. This can particularly be a problem in modern development environments, such as those using serverless, because although the cost of the resources themselves is virtually zero (in most cases), the resource tracking costs are quite high.
- AWS Single Sign-On (SSO) - you can configure AWS SSO before AWS Control Tower to use an external identity provider, or rely on Control Tower to provision and manage the SSO directory for you
- AWS Backup - not specifically related to AWS Control Tower, but can be configured to enable a multi-account dashboard for monitoring backups, and a stack-set used to deploy a backup policy to accounts
- AWS Security Hub - similar to AWS Backup, it can be enabled to provide a multi-account view of security alerts, with Control Tower events used to automate its configuration in new and updated accounts
- CloudFormation StackSets - provides easy integration with AWS Organizations for deploying a template to multiple AWS accounts
- New account provisioning: see this AWS solution for deploying customisations when new accounts are created
- Synchronising policy templates on new and updated accounts: using Control Tower lifecycle events published to the event bus in your root account, you can deploy additional CloudFormation templates (using StackSets) or Service Catalog products in response, to synchronise the desired account configuration
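As an added example (not code from the original article or from AWS), the following handler shows the lifecycle-event pattern described above: it parses a Control Tower `CreateManagedAccount`/`UpdateManagedAccount` event from the root account's event bus and, only when provisioning succeeded, adds the new account as a StackSet instance. The StackSet name, target regions and the sample event are constructed assumptions, and the CloudFormation client is passed in so the logic can be exercised without AWS credentials.

```python
"""Added example (not from the original article): react to an AWS Control
Tower lifecycle event by deploying a StackSet into the new account.
The event shape follows the documented CloudTrail-style format; the
StackSet name, regions and sample event are constructed assumptions."""
STACKSET_NAME = "baseline-security-config"  # assumed existing StackSet
TARGET_REGIONS = ["eu-west-1"]               # assumed target regions

# Constructed sample event (not a real capture), in the lifecycle event shape
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "state": "SUCCEEDED",
                "account": {"accountId": "111122223333", "accountName": "dev-sandbox"},
                "organizationalUnit": {"organizationalUnitName": "Sandbox"},
            }
        },
    },
}

def parse_lifecycle_event(event):
    """Return (account_id, ou_name) for a SUCCEEDED Create/UpdateManagedAccount
    event, or None when the event should be ignored."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    name = detail.get("eventName")
    if name not in ("CreateManagedAccount", "UpdateManagedAccount"):
        return None
    key = name[0].lower() + name[1:] + "Status"  # createManagedAccountStatus
    status = detail.get("serviceEventDetails", {}).get(key, {})
    if status.get("state") != "SUCCEEDED":
        return None  # never deploy into an account whose provisioning failed
    return (status["account"]["accountId"],
            status["organizationalUnit"]["organizationalUnitName"])

def sync_stackset(event, cfn_client):
    """Deploy STACKSET_NAME into the account named in the event.
    cfn_client is a boto3 CloudFormation client or a test stand-in."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return None
    account_id, ou_name = parsed
    resp = cfn_client.create_stack_instances(
        StackSetName=STACKSET_NAME, Accounts=[account_id], Regions=TARGET_REGIONS)
    return {"account": account_id, "ou": ou_name, "operation": resp["OperationId"]}
```

Inside a Lambda function subscribed to an EventBridge rule on `source: aws.controltower`, the handler would simply call `sync_stackset(event, boto3.client("cloudformation"))`.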
- Multi-account setup with Control Tower
- Setting up your landing zone
- Control Tower Product Page (there’s a list of excellent blog articles and related multi-account management resources at the bottom of this page)
- Customising account configuration with AWS Control Tower lifecycle events