
Control Tower

Basics

  • Control Tower is used for quick and easy setup of multi account environments
  • Control Tower provides:
      • Landing Zone - provides SSO/ID federation and centralized logging & auditing
      • Guard Rails - detect or mandate rules and standards across all accounts
      • Account Factory - automation and standardization of account creation
      • Dashboard - single-page view of the entire environment
  • When Control Tower is set up it creates 2 OUs: a Foundation OU called Security and a Custom OU called Sandbox
  • Inside the Security OU it creates 2 AWS accounts by default, an Audit Account & Log Archive Account
  • The Account Factory uses CloudFormation to create accounts.
  • The Account Factory can also be made available through Service Catalog.
  • Landing Zone uses AWS SSO to give access to multiple AWS accounts.
  • Guard Rails are rules for account governance. They are of 3 types: Mandatory, Strongly Recommended & Elective
  • Guard Rails can be preventive, i.e. they stop you from doing certain things. These are implemented using SCPs
  • Or Guard Rails can be detective, i.e. they perform compliance checks using AWS Config rules
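The following Python is an added illustration, not part of these notes and not Control Tower's own policy text: it contrasts the two guardrail types by evaluating an SCP-style explicit Deny against a requested API call (preventive) and running a Config-rule-style compliance check over a trail's recorded settings (detective). The policy, trail name pattern and account ID are constructed for the example.

```python
import fnmatch

# Constructed example of a preventive guardrail: an SCP denying API calls that
# could disable or tamper with the organization's CloudTrail trail.
# (Illustrative policy text, not the SCP that Control Tower manages.)
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging",
                   "cloudtrail:DeleteTrail",
                   "cloudtrail:UpdateTrail"],
        "Resource": "arn:aws:cloudtrail:*:*:trail/aws-controltower-*",
    }],
}

def _matches(pattern, value, case_insensitive=False):
    # IAM-style matching: '*' and '?' wildcards. Action names are matched
    # case-insensitively; resource ARNs are matched case-sensitively.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _as_list(v):
    return v if isinstance(v, list) else [v]

def scp_denies(policy, action, resource_arn):
    """True if an explicit Deny statement in the SCP matches the call.
    Only Deny statements are evaluated: an SCP never grants permissions,
    it only carves them away from every account it is attached to."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource_arn) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False

# Constructed example of a detective guardrail: the kind of compliance check an
# AWS Config rule expresses, evaluated here against a trail's configuration dict.
def trail_compliant(trail):
    """NON_COMPLIANT when the trail is not logging, is single-region, or lacks
    log file validation; this mirrors what a Config rule would report."""
    required = ("IsLogging", "IsMultiRegionTrail", "LogFileValidationEnabled")
    return "COMPLIANT" if all(trail.get(k) is True for k in required) else "NON_COMPLIANT"
```

The preventive check answers "can this call happen at all?", while the detective check only reports drift after the fact, which is why the two are complementary rather than interchangeable.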