Ends in
00
days
00
hrs
00
mins
00
secs
ENROLL NOW

🎁 $1.99 AIF-C01 eBook and 20% OFF on All Practice Exams, Video Courses, and eBooks!

Managing AWS Organizations and Accounts with AWS Control Tower

Last updated on August 10, 2023

Introduction

As organizations embrace the power of the cloud and scale their operations on Amazon Web Services (AWS), managing multiple AWS accounts can become a complex and daunting task. Challenges such as decentralized governance, inconsistent security controls, and manual provisioning processes can hinder an organization’s ability to harness the full potential of AWS.

To address these issues, AWS Control Tower steps in as a comprehensive solution that streamlines multi-account management and governance within AWS Organizations. AWS Control Tower provides a centralized, secure, and automated approach to managing AWS accounts, enabling organizations to maintain control and compliance across their entire AWS environment.

Benefits of Leveraging AWS Control Tower

By integrating AWS Control Tower into an existing AWS Organization, organizations can reap a wide range of benefits:

Centralized Governance: AWS Control Tower provides a centralized dashboard, allowing organizations to monitor and manage all accounts from a single location. This ensures consistent policies and compliance across the entire AWS environment.

Enhanced Security and Compliance: With predefined guardrails and policies, AWS Control Tower helps ensure that all accounts adhere to security standards and compliance requirements. This reduces the risk of misconfigurations and potential security breaches.

Efficient Account Management: AWS Control Tower’s automation streamlines creating and configuring new accounts, reducing manual overhead and accelerating deployment.

Consistency and Standardization: Organizations can ensure consistency across accounts and enforce the latest AWS security standards.

Multi-Account Structure

AWS Control Tower creates a landing zone. A landing zone is a preconfigured, secure, scalable multi-account AWS environment based on best practice blueprints. After set up, the landing zone will contain two OUs.

Security OU – An OU that consists of two default accounts created from AWS Control Tower.

  • Log Archive
  • Audit Account

Sandbox OU – This is the default destination for all accounts vended from AWS Control Tower. In this OU, you can build and scale your environment based on your needs.

Managing AWS Organizations and accounts with AWS Control Tower

AWS Control Tower allows you to create, register, and manage additional OUs to expand the initial environment to implement the guidance. You can create OUs 5 levels from the Root OU.

Tutorials dojo strip

Managing AWS Organizations and accounts with AWS Control Tower

AWS Control Tower Integration with Existing AWS Organizations

AWS Control Tower integrates with several AWS Services, including AWS Organizations. AWS Control Tower will set up a landing zone with AWS Organizations. However, utilizing the benefits is not limited to setting up the environment from scratch, and you can even extend the AWS Control Tower governance to existing organizations. This will also extend the benefits of the AWS Control Tower to your organization but will not delete the existing configurations. Setting up a landing zone in an existing organization follows the same steps as the usual setup from a single account.

The AWS Control Tower will use the same management account as your organization. There is no need to set up a management account for AWS Control Tower. You can already set up the landing zone from the AWS Control Tower console in the organization management account once the pre-checks of your management account are good.

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: This will create two OUs, Security and Sandbox. These names can be changed later on.

In configuring Shared Accounts. The Control Tower will use the same management as the existing organization. No new management account is needed.

Managing AWS Organizations and accounts with AWS Control Tower

The Control Tower will create two accounts for you. These accounts will be under Security OU.

The Log Archive account acts as a centralized storage repository, preserving immutable logs of API activities and resource configurations from all AWS accounts.

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: This must be a unique name throughout your organization. Although you can change the name of the account during this initial setup, you cannot change this name later on.

The Audit account allows the security and compliance team to access all accounts within the organization.

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: This must be a unique name throughout your organization. Although you can change the name of the account during this initial setup, you cannot change this name later on.

The organization will be under AWS Control Tower once the landing zone is complete. However, not all the existing organizational units are registered. The organizational units created outside AWS Control Tower are unregistered. This is also the same with the existing accounts created outside the AWS Control Tower. To extend the governance of the AWS Control Tower, you must register the existing OUs or enroll the existing accounts from the dashboard.

Registering OUs to AWS Control Tower

Use the dashboard to extend AWS Control Tower controls to an existing organizational unit. In the Organization page, select the OU to register, then choose Register organizational unit from the Actions dropdown.Managing AWS Organizations and accounts with AWS Control Tower

NOTE: This may take at least 10 minutes to process and additional 2 minutes for each account.

All the accounts under the OU are automatically enrolled. The AWS Control Tower extends controls to all individual accounts enforcing guardrails. The centralized logging and auditing accounts will start to receive the accounts’ information and activities.

Creating OU from the AWS Control Tower

Creating OU from the AWS Control Tower will automatically register the OU under the Control Tower. In the Organizations page, click Create Resources and select Create organizational unit.

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: Input the OU name and the parent OU. You can create nested OUs up to level 5.

Upon creation, it will automatically register the OU.

Managing AWS Organizations and accounts with AWS Control Tower

 

Updating OU from AWS Control Tower

When you update the landing zone, you must also update the OUs to reflect the changes to all accounts. You must update each OU individually. Re-register each OU to update and reflect the changes.

Managing AWS Organizations and accounts with AWS Control Tower

Deleting OU from AWS Control Tower

You can delete OU or accounts from the AWS Control Tower without the need to update. The Account Factory automatically updates the accounts list. On the same page, you can delete a registered OU by selecting Delete from the Actions dropdown.Managing AWS Organizations and accounts with AWS Control Tower

Managing AWS Organizations and accounts with AWS Control Tower

Management of Organizations using AWS Control Tower

Once an OU is registered or created under AWS Control Tower, it will be under the control of the AWS Control Tower.

Controls

You can implement controls to multiple OUs from the Control Tower Dashboard. A control, also known as a guardrail, is a top-level regulation that ensures continuous governance across your entire AWS environment. These controls are expressed in easily understandable language. There are three types of controls: preventive, detective, and proactive. Additionally, controls fall under three categories of guidance: mandatory, strongly recommended, or elective.

Managing AWS Organizations and accounts with AWS Control Tower

To implement the controls to OUs, from the All Controls page, select the control you want to implement.

Managing AWS Organizations and accounts with AWS Control Tower

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: Select which organization you want to implement the control. Then click enable control on OU.

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: If this is the first control that you will enable, it will enable the Security Hub and the Service-Managed Standard: AWS Control Tower to all OUs, including all the enrolled accounts.

Account Factory

Free AWS Courses

One of the main features of the AWS Control Tower is the Account Factory. Account Factory will allow you to provision new accounts and enroll existing accounts while setting up a baseline configuration.

To provision a new account using Account Factory, navigate to the Account Factory page and create an account.

Managing AWS Organizations and accounts with AWS Control Tower

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: Make sure that you are not using your root credentials when provisioning a new account.

Managing AWS Organizations and accounts with AWS Control Tower

NOTE: You can optionally configure Account Factory Customization (AFC). AFC will allow you to deploy customizations to the newly vended accounts. These customizations are CloudFormation templates configured as products in Service Catalog. These templates are used as blueprints in AFC.

 

Related Article:

Customizing Your AWS Control Tower Landing Zone

 

References:

https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/appendix-e-establish-multi-account.html#example-workloads-flat-structure

Get 20% Off – Christmas Big Sale on All Practice Exams, Video Courses, and eBooks!

Tutorials Dojo portal

Learn AWS with our PlayCloud Hands-On Labs

Tutorials Dojo Exam Study Guide eBooks

tutorials dojo study guide eBook

FREE AWS Exam Readiness Digital Courses

FREE AWS, Azure, GCP Practice Test Samplers

Subscribe to our YouTube Channel

Tutorials Dojo YouTube Channel

Follow Us On Linkedin

Recent Posts

 

Written by: Bill Junidez Liad

Bill works as a Cloud and DevOps Engineer and is situated in the Philippines. He is actively engaged in furthering his knowledge of the cloud and has significant experience with Web Application Development and Amazon Web Services (AWS). He presently has three AWS Associate certifications. He enjoys biking outside of tech.

AWS, Azure, and GCP Certifications are consistently among the top-paying IT certifications in the world, considering that most companies have now shifted to the cloud. Earn over $150,000 per year with an AWS, Azure, or GCP certification!

Follow us on LinkedIn, YouTube, Facebook, or join our Slack study group. More importantly, answer as many practice exams as you can to help increase your chances of passing your certification exams on your first try!

View Our AWS, Azure, and GCP Exam Reviewers Check out our FREE courses

Our Community

~98%
passing rate
Around 95-98% of our students pass the AWS Certification exams after training with our courses.
200k+
students
Over 200k enrollees choose Tutorials Dojo in preparing for their AWS Certification exams.
~4.8
ratings
Our courses are highly rated by our enrollees from all over the world.

What our students say about us?