Multi-Account Environments with AWS Control Tower

Nowadays many organizations are running multiple AWS accounts for their different teams, needs and projects. This may be challenging when it comes to securing your environments, tracking governance, applying standards and following best practices across all of your AWS accounts and entire environment.

In this blog post, we will explain briefly how AWS Control Tower helps you in setting up and orchestrating your multi-account AWS environment without pain while ensuring security and best practices are in place across all of your current and future AWS accounts.

Concept

Diagram Source: AWS

AWS Control Tower lets you easily set up an automated landing zone that applies best practices such as,

• Building a multi-account organizational structure with AWS Organizations.
• Managing users and federated access with AWS Single Sign-on.
• Enabling account provisioning through AWS Service Catalog.
• Creating a centralized log archive using AWS CloudTrail and AWS Config.

AWS Control Tower’s dashboard provides a top level centralized view for your multi-account AWS environment including accounts provisioned, guardrails enabled, and the compliance status.

Setting up the AWS Control Tower

AWS Control Tower requires two email addresses to set up AWS accounts, one for log archiving and another for auditing automatically for you. Log archive account is used as a repository of immutable logs of API activities and resource configurations from all of your accounts. The audit account is a restricted account for your security and compliance teams to gain read and write access to all accounts for auditing purposes.

After completing the setup of your landing zone, you will see enrolled accounts and registered organization units on your AWS Control Tower dashboard.

Features

Let’s go over Control Tower’s features briefly.

Landing Zone

A landing zone is an auto-built, well-architected, multi-account AWS environment that's based on security and compliance best practices. Basically, AWS Control Tower is automating the setup of a new landing zone using best-practices for IAM and the account structure. Here are some examples of blueprints that are implemented automatically in your landing zone:

• Create a multi-account environment with AWS Organizations.
• Provide IAM using AWS Single Sign-On (SSO).
• Provide federated access to accounts using AWS SSO.
• Centralize logging from AWS CloudTrail, and AWS Config stored in Amazon S3.
• Enable cross-account security audits using AWS IAM and AWS SSO.

The landing zone set up by AWS Control Tower is configured with a set of mandatory and strongly recommended guardrails, which you choose from a console to ensure your accounts and configurations comply with your desired policies.

Using Account Factory

Using the account factory, you can standardize your sub-account configurations from one place and provision new accounts easily with pre-flight configurations. You can define your network configuration standards and restrict regions that the account can use.

Guardrails

Guardrails are pre-packaged governance rules for security, operations and compliance that customers can select and apply enterprise-wide or to specific groups of accounts. AWS Control Tower provides you a set of guardrails based on AWS best practices and common policies to gain governance on your accounts. There are two types of guardrails that you can leverage, mandatory and optional guardrails.

Mandatory guardrails are automatically enabled on your landing zone to protect your logs’ integrity and AWS Control Tower setup by default.

For optional guardrails, you can choose the rules that you want to enable any time on OUs. All accounts provisioned under enabled OUs will automatically inherit those guardrails.

On dimensional perspective you will see there are also two types, preventive and detective. Preventive rules restrict actions on accounts, for example you can use strongly recommended preventive rules to disallow creation of access keys for the root user on all of your accounts. On the other side, detective rules check the account configuration and setup using AWS Config and assess changes continuously with respect to your detective guardrails rules. Guardrail checking whether MFA is enabled or not on the root account is an example of detective rules.

You can easily start by using strongly recommended rules that you will see after landing zone setup.Access full list of recommended guardrails and their details from here.

After setting up guardrails you can see a list of compliant and noncompliant resources over your AWS accounts on your AWS Control Tower dashboard.

Diagram Source: AWS

Supported regions

As we posted this blog entry, AWS Control Tower is available in the following regions.

• Europe (Ireland)
• Asia Pacific (Sydney)
• US East (N. Virginia)
• US East (Ohio)
• US West (Oregon)

For an up to date information please check AWS Regional Services List here.

Pricing

AWS Control Tower comes with no additional charge but you will be charged for AWS services configured to set up your landing zone and mandatory guardrails. While some AWS services like AWS Organizations and AWS Single Sign-On (SSO) come at no additional charge, you will pay for services such as S3, VPC, SNS, Cloudwatch, etc. based on your preferences of these services. You will only pay for what you provision and use.

If you are looking for professional help to build up a multi-account environment on AWS, you can book an appointment now. Our AWS experts are always glad to help you!