AWS Control Tower

What is AWS Control Tower?

  • A service for configuring and managing a multi-account AWS environment.


AWS Control Tower Concepts

  • Landing zone

    • A multi-account environment that is well-architected and adheres to security and compliance best practices.

    • Each organization can have one landing zone.

    • A container that holds the following:

      • Organizational Units (OUs)

      • Accounts

      • Users

      • Other Resources

    • Structure of a landing zone:

      • Root – parent that contains all OUs.

      • Security OU – contains the shared accounts.

      • Sandbox OU – contains the registered accounts used by your users to carry out their AWS workloads.

      • IAM Identity Center directory – scope of permissions of each user.

      • IAM Identity Center users – identities that your users can use to perform AWS workloads.

  • Guardrails

    • A high-level rule or policy that governs your AWS environment.

    • Applies to an OU and to the AWS accounts within that OU.

    • Guardrails are classified based on their behavior and guidance.

    • Behavior

      • Preventive

        • Prohibits actions that result in policy violations.

        • Implemented using AWS Organizations SCPs.

        • Status is either enforced or not enabled.

      • Detective

        • Detects noncompliant resources and provides alerts through the dashboard.

        • Implemented using AWS Config rules.

        • Status is either clear, in violation, or not enabled.

    • Guidance

      • Mandatory – always enforced.

      • Strongly recommended – enforce best practices.

      • Elective – track actions that are commonly restricted.

    • By default, mandatory guardrails are applied to top-level OUs.

    • The only exceptions are the root and the management account, to which guardrails are not applied.

  • Account Factory

    • Automates provisioning of new accounts.

    • It also helps you standardize the provisioning of new accounts by using pre-approved account configurations.

    • Shared accounts:

      • Management account – used for billing, provisioning of accounts, and managing OUs and guardrails.

      • Log Archive account – a repository for logs of API activities and resource configurations.

      • Audit account – a restricted account for security and compliance teams.

    • Member accounts are the accounts used by your users to perform AWS workloads.

    • You can also provision accounts using AWS Control Tower Account Factory for Terraform.

  • Dashboard

    • Offers continuous oversight to the following:

      • Accounts across your enterprise.

      • Guardrails enabled for policy enforcement.

      • Guardrails enabled for continuous detection of policy non-conformance.

      • Non-compliant resources organized by accounts and OUs.

AWS Control Tower Networking Features

  • AWS automatically creates an AWS-default VPC in every Region, even those not governed by AWS Control Tower, as part of the account creation process.

  • The default VPC is not the same as the VPC created by AWS Control Tower for a provisioned account.

  • You also have the option to remove AWS default VPCs in non-governed Regions.

  • Each AWS Control Tower VPC has three Availability Zones.

  • By default, an AZ has one public and two private subnets.

  • Supports VPC-to-VPC peering for multiple VPCs.

  • Region deny guardrail

    • Applies to a landing zone.

    • Blocks API calls to services in non-governed Regions.

    • IAM users can still connect to an AWS default VPC in a Region where AWS Control Tower is not supported.

    • If this guardrail is enabled, you will be unable to deploy resources in the denied Regions.
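To make the preventive-guardrail mechanism above concrete (SCP-based guardrails in general, and the Region deny guardrail in particular), here is an added Python example that is not AWS Control Tower's own policy or code. It builds an SCP document in the shape a Region deny policy typically takes (a Deny statement with NotAction for global services and a StringNotEquals condition on aws:RequestedRegion) and evaluates a few constructed requests against it. The governed Region list, the exempt global-service actions and the sample requests are all assumptions made for this example.

```python
"""
Illustrative preventive guardrail: a Region deny SCP plus a tiny evaluator.

Added example, not Control Tower's own policy. The governed Regions,
the exempt global-service actions and the sample requests are constructed.
"""
import json

# Assumption: the landing zone governs these two Regions.
GOVERNED_REGIONS = ["us-east-1", "eu-west-1"]

# Global services whose API calls are not Region-scoped and are therefore
# exempted from the deny (illustrative subset; a real policy lists more).
GLOBAL_SERVICE_ACTIONS = [
    "iam:*",
    "organizations:*",
    "sts:*",
    "route53:*",
    "cloudfront:*",
    "support:*",
]


def build_region_deny_scp(governed_regions, exempt_actions):
    """Return an SCP document denying any non-exempt action outside the governed Regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyOutsideGovernedRegions",
                "Effect": "Deny",
                "NotAction": list(exempt_actions),
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(governed_regions)}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    """Match an IAM action against a 'service:*' or exact pattern (case-insensitive)."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith(":*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def scp_denies(scp, action, requested_region):
    """Evaluate one request against the SCP. True means the SCP would deny it.

    Only the policy-language subset used above is handled: Effect=Deny,
    NotAction, and StringNotEquals on aws:RequestedRegion.
    """
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_action_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempt global-service action: statement does not apply
        allowed_regions = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if requested_region not in allowed_regions:
            return True
    return False


def evaluate_requests(scp, requests):
    """Map each (action, region) pair to 'DENY' or 'NOT DENIED'.

    'NOT DENIED' rather than 'ALLOW': an SCP never grants permissions, it only
    caps what an identity-based policy in the account may allow.
    """
    return {(a, r): ("DENY" if scp_denies(scp, a, r) else "NOT DENIED") for a, r in requests}


REGION_DENY_SCP = build_region_deny_scp(GOVERNED_REGIONS, GLOBAL_SERVICE_ACTIONS)

if __name__ == "__main__":
    print(json.dumps(REGION_DENY_SCP, indent=2))
    samples = [  # constructed sample requests
        ("ec2:RunInstances", "us-east-1"),
        ("ec2:RunInstances", "ap-southeast-1"),
        ("iam:CreateUser", "ap-southeast-1"),
        ("s3:CreateBucket", "eu-west-1"),
    ]
    for (action, region), verdict in evaluate_requests(REGION_DENY_SCP, samples).items():
        print(f"{verdict:10} {action} in {region}")
```

The evaluator only covers the condition operators this one policy uses; it is a teaching aid for reading the guardrail, not a replacement for the IAM policy simulator. Note that the SCP does not block the existence of the AWS default VPC in a non-governed Region, which is why the page recommends removing those VPCs separately.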

AWS Control Tower Monitoring

  • A log archive account is dedicated to collecting all logs centrally.

  • You can use AWS CloudTrail to capture the actions or events of AWS Control Tower.

  • With CloudWatch Logs and CloudWatch Logs Insights, you can view and query AWS Control Tower lifecycle events.

  • A lifecycle event is only recorded after a series of actions has been completed.

  • The event log for each lifecycle event indicates whether the originating Control Tower action was successful or unsuccessful.

  • Each lifecycle event is automatically recorded as a non-API AWS service event by AWS CloudTrail.

  • Each lifecycle event is sent to Amazon EventBridge.
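The monitoring bullets above describe lifecycle events as non-API service events in CloudTrail that carry a success or failure status and are also delivered to EventBridge. The following added Python example (not Control Tower's own code) parses two constructed CloudTrail-style lifecycle event records, extracts the originating action and its state, and filters out the failed ones that an operations team would want alerted on. The record shape (eventSource controltower.amazonaws.com, eventName naming the lifecycle action, a serviceEventDetails block whose status object has a state of SUCCEEDED or FAILED) follows the documented lifecycle event format; the account IDs, OU IDs, guardrail ID and timestamps are placeholders, and the EventBridge pattern and Logs Insights query are illustrative.

```python
"""
Parsing AWS Control Tower lifecycle events from CloudTrail-style records.

Added example, not Control Tower's own code. The two records below are
constructed; identifiers in them are placeholders.
"""
import json

# Lifecycle event names Control Tower records as non-API service events.
LIFECYCLE_EVENT_NAMES = {
    "CreateManagedAccount", "UpdateManagedAccount",
    "EnableGuardrail", "DisableGuardrail",
    "SetupLandingZone", "UpdateLandingZone",
    "RegisterOrganizationalUnit", "DeregisterOrganizationalUnit",
}

SAMPLE_RECORDS = [  # constructed sample records
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T10:22:31Z",
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "eventType": "AwsServiceEvent",
        "awsRegion": "us-east-1",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                       "organizationalUnitId": "ou-xxxx-placeholder"},
                "account": {"accountName": "dev-team-a", "accountId": "111111111111"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
                "requestedTimestamp": "2024-01-15T10:05:02Z",
                "completedTimestamp": "2024-01-15T10:22:31Z",
            }
        },
    },
    {
        "eventVersion": "1.08",
        "eventTime": "2024-01-15T11:02:10Z",
        "eventSource": "controltower.amazonaws.com",
        "eventName": "EnableGuardrail",
        "eventType": "AwsServiceEvent",
        "awsRegion": "us-east-1",
        "serviceEventDetails": {
            "enableGuardrailStatus": {
                "organizationalUnits": [{"organizationalUnitName": "Sandbox",
                                         "organizationalUnitId": "ou-xxxx-placeholder"}],
                "guardrails": [{"guardrailId": "AWS-GR_PLACEHOLDER_GUARDRAIL",
                                "guardrailBehavior": "DETECTIVE"}],
                "state": "FAILED",
                "message": "AWS Control Tower failed to enable the guardrail.",
                "requestedTimestamp": "2024-01-15T11:00:00Z",
                "completedTimestamp": "2024-01-15T11:02:10Z",
            }
        },
    },
]


def summarize_lifecycle_event(record):
    """Return (eventName, state, message) for a lifecycle event, or None for other records."""
    if record.get("eventSource") != "controltower.amazonaws.com":
        return None
    if record.get("eventName") not in LIFECYCLE_EVENT_NAMES:
        return None
    details = record.get("serviceEventDetails", {})
    # The status object is keyed by the action name plus 'Status', e.g. createManagedAccountStatus.
    status = next((v for k, v in details.items() if k.endswith("Status")), {})
    return record["eventName"], status.get("state", "UNKNOWN"), status.get("message", "")


def failed_lifecycle_events(records):
    """Keep only lifecycle events whose originating action did not succeed."""
    failed = []
    for record in records:
        summary = summarize_lifecycle_event(record)
        if summary and summary[1] != "SUCCEEDED":
            failed.append(summary)
    return failed


# Illustrative EventBridge event pattern that would match the same events
# (assumption: lifecycle events arrive with source aws.controltower and the
# CloudTrail service-event detail-type).
EVENTBRIDGE_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": sorted(LIFECYCLE_EVENT_NAMES)},
}

# Illustrative CloudWatch Logs Insights query for a CloudTrail log group.
LOGS_INSIGHTS_QUERY = (
    'fields @timestamp, eventName, serviceEventDetails '
    '| filter eventSource = "controltower.amazonaws.com" '
    '| sort @timestamp desc'
)

if __name__ == "__main__":
    for summary in map(summarize_lifecycle_event, SAMPLE_RECORDS):
        print(summary)
    print("needs attention:", failed_lifecycle_events(SAMPLE_RECORDS))
    print(json.dumps(EVENTBRIDGE_PATTERN, indent=2))
```

In practice the records come from the Log Archive account's CloudTrail trail (or from EventBridge, wrapped in a `detail` field), so the parser above would be pointed at that stream rather than at the embedded samples.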


AWS Control Tower Pricing

  • You are charged for AWS services that are configured to set up your landing zone and mandatory guardrails.

  • You are charged by AWS Config for running ephemeral workloads as it records configuration changes related to the creation and deletion of temporary resources.

