Last updated on April 17, 2024
AWS Control Tower Cheat Sheet
-
A service for configuring and managing a multi-account AWS environment.
AWS Control Tower Concepts
-
Landing zone
-
A multi-account environment that is well-architected and adheres to security and compliance best practices.
-
Each organization can have one landing zone.
-
A container that holds the following:
-
Organizational Units (OUs)
-
Accounts
-
Users
-
Other Resources
-
-
Structure of a landing zone:
-
Root – parent that contains all OUs.
-
Security OU – contains the shared accounts.
-
Sandbox OU – contain the registered accounts used by your users to carry out their AWS workloads.
-
IAM Identity Center directory – scope of permissions of each user.
-
IAM Identity Center users – identities that your users can use to perform AWS workloads.
-
-
-
Guardrails
-
A high-level rule or policy that governs your AWS environment.
-
Applies to both OU and AWS accounts within the OU.
-
Guardrails are classified based on their behavior and guidance.
-
Behavior
-
Preventive
-
Prohibits actions that result in policy violations.
-
Implemented using AWS Organizations SCPs.
-
Status is either enforced or not enabled.
-
-
Detective
-
Detects noncompliance resources and provides alerts through the dashboard.
-
Implemented using AWS Config rules.
-
Status is either clear, in violation, or not enabled.
-
- Proactive
- Scan resources pre-provisioning.
- Implemented with AWS CloudFormation hooks.
- Status: ‘PASS,’ ‘FAIL,’ or ‘SKIP.’
-
-
Guidance
-
Mandatory – always enforced.
-
Strongly recommended – enforce best practices.
-
Elective – track actions that are commonly restricted.
-
-
By default, mandatory guardrails are applied to top-level OUs.
-
The exception for guardrails is only for root or management accounts.
-
-
Account Factory
-
Automates provisioning of new accounts.
-
It also helps you standardize the provisioning of new accounts by using pre-approved account configurations.
-
Shared accounts:
-
Management account – used for billing, provisioning of accounts, and managing OUs and guardrails.
-
Log Archive account – a repository for logs of API activities and resource configurations.
-
Audit account – a restricted account for security and compliance teams.
-
-
Member accounts are the accounts used by your users to perform AWS workloads.
-
You can also provision accounts using AWS Control Tower Account Factory for Terraform.
-
-
Dashboard
-
Offers continuous oversight to the following:
-
Accounts across your enterprise.
-
Guardrails enabled for policy enforcement.
-
Guardrails enabled for continuous detection of policy non-conformance.
-
Non-compliant resources organized by accounts and OUs.
-
-
AWS Control Tower Networking Features
-
AWS automatically creates an AWS-default VPC in every Region, even those not governed by AWS Control Tower, as part of the account creation process.
-
The default VPC is not the same as the VPC created by AWS Control Tower for a provisioned account.
-
You also have the option to remove AWS default VPCs in non-governed Regions.
-
Each AWS Control Tower VPC has three Availability Zones.
-
By default, an AZ has one public and two private subnets.
-
Supports VPC-to-VPC peering for multiple VPCs.
-
Region deny guardrail
-
Applies to a landing zone.
-
Blocks API calls to services in non-governed Regions.
-
IAM users can still connect to an AWS default VPC in a Region where AWS Control Tower is not supported.
-
If a guardrail is enabled, you will be unable to deploy resources in the denied Regions.
-
AWS Control Tower Monitoring
-
A log archive account is dedicated to collecting all logs centrally.
-
You can use AWS CloudTrail to capture the actions or events of AWS Control Tower.
-
With CloudWatch Logs and CloudWatch Logs Insights, you can view and query AWS Control Tower lifecycle events.
-
A lifecycle event is only recorded after a series of actions has been completed.
-
The event log for each lifecycle event indicates whether the originating Control Tower action was successful or unsuccessful.
-
Each lifecycle event is automatically recorded as a non-API AWS service event by AWS CloudTrail.
-
Each lifecycle event is sent to Amazon EventBridge.
AWS Control Tower Pricing
-
You are charged for AWS services that are configured to set up your landing zone and mandatory guardrails.
-
You are charged by AWS Config for running ephemeral workloads as it records configuration changes related to the creation and deletion of temporary resources.
Related Articles:
Customizing Your AWS Control Tower Landing Zone
Managing AWS Organizations and Accounts with AWS Control Tower
References:
https://aws.amazon.com/controltower/
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html