AWS Control Tower Cheat Sheet

• A service for configuring and managing a multi-account AWS environment.

AWS Control Tower Concepts

• Landing zone

  • A multi-account environment that is well-architected and adheres to security and compliance best practices.

  • Each organization can have one landing zone. 

  • A container that holds the following:

    • Organizational Units (OUs)

    • Accounts

    • Users

    • Other Resources

  • Structure of a landing zone:

    • Root – parent that contains all OUs.

    • Security OU – contains the shared accounts.

    • Sandbox OU – contain the registered accounts used by your users to carry out their AWS workloads.

    • IAM Identity Center directory – scope of permissions of each user.

    • IAM Identity Center users – identities that your users can use to perform AWS workloads.

• Guardrails

  • A high-level rule or policy that governs your AWS environment.

  • Applies to both OU and AWS accounts within the OU.

  • Guardrails are classified based on their behavior and guidance.

  • Behavior

    • Preventive 

      • Prohibits actions that result in policy violations.

      • Implemented using AWS Organizations SCPs.

      • Status is either enforced or not enabled.

    • Detective  

      • Detects noncompliance resources and provides alerts through the dashboard.

      • Implemented using AWS Config rules.

      • Status is either clear, in violation, or not enabled.

    • Proactive
      • Scan resources pre-provisioning.
      • Implemented with AWS CloudFormation hooks.
      • Status: ‘PASS,’ ‘FAIL,’ or ‘SKIP.’

  • Guidance

    • Mandatory – always enforced.

    • Strongly recommended – enforce best practices.

    • Elective – track actions that are commonly restricted.

  • By default, mandatory guardrails are applied to top-level OUs.

  • The exception for guardrails is only for root or management accounts. 



• Account Factory

  • Automates provisioning of new accounts.

  • It also helps you standardize the provisioning of new accounts by using pre-approved account configurations.

  • Shared accounts:

    • Management account – used for billing, provisioning of accounts, and managing OUs and guardrails.

    • Log Archive account – a repository for logs of API activities and resource configurations.

    • Audit account – a restricted account for security and compliance teams.

  • Member accounts are the accounts used by your users to perform AWS workloads. 

  • You can also provision accounts using AWS Control Tower Account Factory for Terraform.

• Dashboard

  • Offers continuous oversight to the following:

    • Accounts across your enterprise.

    • Guardrails enabled for policy enforcement.

    • Guardrails enabled for continuous detection of policy non-conformance.

    • Non-compliant resources organized by accounts and OUs.

  •  

AWS Control Tower Networking Features

• AWS automatically creates an AWS-default VPC in every Region, even those not governed by AWS Control Tower, as part of the account creation process. 

• The default VPC is not the same as the VPC created by AWS Control Tower for a provisioned account. 

• You also have the option to remove AWS default VPCs in non-governed Regions.

• Each AWS Control Tower VPC has three Availability Zones.

• By default, an AZ has one public and two private subnets.

• Supports VPC-to-VPC peering for multiple VPCs.

• Region deny guardrail

  • Applies to a landing zone.

  • Blocks API calls to services in non-governed Regions.

  • IAM users can still connect to an AWS default VPC in a Region where AWS Control Tower is not supported. 

  • If a guardrail is enabled, you will be unable to deploy resources in the denied Regions. 

AWS Control Tower Monitoring

• A log archive account is dedicated to collecting all logs centrally.

• You can use AWS CloudTrail to capture the actions or events of AWS Control Tower.

• With CloudWatch Logs and CloudWatch Logs Insights, you can view and query AWS Control Tower lifecycle events.

• A lifecycle event is only recorded after a series of actions has been completed.

• The event log for each lifecycle event indicates whether the originating Control Tower action was successful or unsuccessful. 

• Each lifecycle event is automatically recorded as a non-API AWS service event by AWS CloudTrail.

• Each lifecycle event is sent to Amazon EventBridge. 

AWS Control Tower Pricing

• You are charged for AWS services that are configured to set up your landing zone and mandatory guardrails.

• You are charged by AWS Config for running ephemeral workloads as it records configuration changes related to the creation and deletion of temporary resources. 

Related Articles:

Customizing Your AWS Control Tower Landing Zone

Managing AWS Organizations and Accounts with AWS Control Tower

References:
https://aws.amazon.com/controltower/
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html