AWS Control Tower Cheat Sheet

• A service for configuring and managing a multi-account AWS environment.

AWS Control Tower Concepts

• Landing zone
  • A multi-account environment that is well-architected and adheres to security and compliance best practices.
  • Each organization can have one landing zone. 
  • A container that holds the following:
    • Organizational Units (OUs)
    • Accounts
    • Users
    • Other Resources
  • Structure of a landing zone:
    • Root – parent that contains all OUs.
    • Security OU – contains the shared accounts.
    • Sandbox OU – contain the registered accounts used by your users to carry out their AWS workloads.
    • IAM Identity Center directory – scope of permissions of each user.
    • IAM Identity Center users – identities that your users can use to perform AWS workloads.

• Guardrails
  • A high-level rule or policy that governs your AWS environment.
  • Applies to both OU and AWS accounts within the OU.
  • Guardrails are classified based on their behavior and guidance.
  • Behavior
    • Preventive 
      • Prohibits actions that result in policy violations.
      • Implemented using AWS Organizations SCPs.
      • Status is either enforced or not enabled.
    • Detective  
      • Detects noncompliance resources and provides alerts through the dashboard.
      • Implemented using AWS Config rules.
      • Status is either clear, in violation, or not enabled.
    • Proactive
      • Scan resources pre-provisioning.
      • Implemented with AWS CloudFormation hooks.
      • Status: ‘PASS,’ ‘FAIL,’ or ‘SKIP.’
  • Guidance
    • Mandatory – always enforced.
    • Strongly recommended – enforce best practices.
    • Elective – track actions that are commonly restricted.
  • By default, mandatory guardrails are applied to top-level OUs.
  • The exception for guardrails is only for root or management accounts. 
• Account Factory
  • Automates provisioning of new accounts.
  • It also helps you standardize the provisioning of new accounts by using pre-approved account configurations.
  • Shared accounts:
    • Management account – used for billing, provisioning of accounts, and managing OUs and guardrails.
    • Log Archive account – a repository for logs of API activities and resource configurations.
    • Audit account – a restricted account for security and compliance teams.
  • Member accounts are the accounts used by your users to perform AWS workloads. 
  • You can also provision accounts using AWS Control Tower Account Factory for Terraform.
• Dashboard
  • Offers continuous oversight to the following:
    • Accounts across your enterprise.
    • Guardrails enabled for policy enforcement.
    • Guardrails enabled for continuous detection of policy non-conformance.
    • Non-compliant resources organized by accounts and OUs.

AWS Control Tower Networking Features

• AWS automatically creates an AWS-default VPC in every Region, even those not governed by AWS Control Tower, as part of the account creation process. 
• The default VPC is not the same as the VPC created by AWS Control Tower for a provisioned account. 
• You also have the option to remove AWS default VPCs in non-governed Regions.
• Each AWS Control Tower VPC has three Availability Zones.
• By default, an AZ has one public and two private subnets.
• Supports VPC-to-VPC peering for multiple VPCs.
• Region deny guardrail
  • Applies to a landing zone.
  • Blocks API calls to services in non-governed Regions.
  • IAM users can still connect to an AWS default VPC in a Region where AWS Control Tower is not supported. 
  • If a guardrail is enabled, you will be unable to deploy resources in the denied Regions. 

• Proactive controls general availability
  
  Proactive guardrails are now generally available and can block noncompliant resources before they are created using AWS CloudFormation hooks.
• Custom guardrails support
  
  You can define custom preventive and detective guardrails using SCPs and AWS Config rules and manage them through Control Tower.
• AWS Control Tower integrations with AWS Organizations enhancements
  
  Improved support for registering existing AWS accounts and OUs into a Control Tower landing zone.
• Account Factory Customizations (AFC)
  
  Enables customization of account provisioning using CI/CD pipelines, AWS CodePipeline, and Terraform.
• Improved drift detection and landing zone updates
  
  Control Tower can detect configuration drift and provides guided updates for landing zone versions.
• Extended Region support and governance
  
  Supports governance across more AWS Regions with improved Region deny and Region allow guardrails.
• Service-managed StackSets
  
  Control Tower now uses service-managed StackSets for more reliable deployment and lifecycle management of resources.

AWS Control Tower Monitoring

• A log archive account is dedicated to collecting all logs centrally.
• You can use AWS CloudTrail to capture the actions or events of AWS Control Tower.
• With CloudWatch Logs and CloudWatch Logs Insights, you can view and query AWS Control Tower lifecycle events.
• A lifecycle event is only recorded after a series of actions has been completed.
• The event log for each lifecycle event indicates whether the originating Control Tower action was successful or unsuccessful. 
• Each lifecycle event is automatically recorded as a non-API AWS service event by AWS CloudTrail.
• Each lifecycle event is sent to Amazon EventBridge. 

AWS Control Tower Pricing

• You are charged for AWS services that are configured to set up your landing zone and mandatory guardrails.
• You are charged by AWS Config for running ephemeral workloads as it records configuration changes related to the creation and deletion of temporary resources. 

Related Articles:

Customizing Your AWS Control Tower Landing Zone

Managing AWS Organizations and Accounts with AWS Control Tower

References:
https://aws.amazon.com/controltower/
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html