AWS Control Tower: Governance, Security, and Automation Made Easy


Thank you to all our attendees for joining us today. In this session, we aim to dive into the world of AWS Control Tower, a governance and compliance tool designed to manage multiple AWS accounts. Whether you’re a small business or a large enterprise, Control Tower can help you maintain security, streamline operations, and improve efficiency.

AWS Control Tower is an exceptional service that allows organizations to establish guardrails for their AWS accounts and govern their policies on a go-forward basis. Panelists from PTP, AWS and Ingram Micro came together in a panel discussion to share their experiences implementing AWS Control Tower, its value and considerations, along with some examples. This Panel Discussion Highlight video condenses the 60-minute conversation into less than 12 minutes of relevant commentary from AWS experts!

Panelists: Chris Lyth – AWS; Babu Srinivasan – AWS; Aaron Jeskey – PTP; Micah Frederick – PTP; Harold Bhatkoti – Ingram Micro

Moderator: Gary Derheim – PTP

What Is AWS Control Tower?

AWS Control Tower is a framework designed to provide governance and compliance across your AWS accounts. It uses several AWS native tools to orchestrate the management of your organization’s sub-accounts, granting you a centralized location to control user access and define security measures.

Control Tower is an extension of AWS Organizations, taking multi-account management to the next level. While AWS Organizations was a step toward a multi-account strategy, Control Tower offers more comprehensive governance, allowing customers to manage sub-accounts, user access, and service control policies with ease.

Why Use AWS Control Tower?

Control Tower offers out-of-the-box solutions that can be beneficial to both small and large organizations. If you’re a small shop with limited capacity, Control Tower provides defaults that work with minimal setup, saving you time and effort. Larger enterprises can use Control Tower to manage role-based access and maintain compliance across multiple applications and business units.

Key Features of AWS Control Tower

Guardrails

Control Tower uses two types of guardrails: preventative and detective. Preventative guardrails block specific actions before they happen, such as creating publicly accessible S3 buckets, while detective guardrails allow the action but flag it and send alerts when resources violate the rule.

Centralized Logging and Audit

Control Tower sets up CloudTrail logs and AWS Config in all regions and sub-accounts. It creates a central location for all log files, allowing for easier governance and compliance monitoring. This ensures a robust audit trail and reduces the need to access each account separately.

Service Control Policies (SCPs)

Control Tower allows you to apply Service Control Policies across your organization to maintain security and compliance. You can create policies that prevent certain behavior, like launching specific instance types, and apply them to entire organizational units.
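As an added illustration (not from the panel, AWS documentation, or Control Tower's own managed guardrails), here is a single SCP covering both preventative examples above: it denies launching instance types outside an approved list, and denies changes to S3 Block Public Access settings by any principal other than an administrative role. The approved instance families and the role name PLACEHOLDER-OrgAdminRole are assumptions to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonApprovedInstanceTypes",
      "Effect": "Deny",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotLike": {
          "ec2:InstanceType": ["t3.*", "m5.*"]
        }
      }
    },
    {
      "Sid": "ProtectS3BlockPublicAccess",
      "Effect": "Deny",
      "Action": [
        "s3:PutAccountPublicAccessBlock",
        "s3:PutBucketPublicAccessBlock"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/PLACEHOLDER-OrgAdminRole"
        }
      }
    }
  ]
}
```

Attach the policy to an organizational unit rather than to individual accounts so new accounts inherit it; note that SCPs never restrict the management account itself, which is why production workloads belong in member accounts.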

Control Tower vs. Landing Zones

Control Tower is a managed implementation of landing zones provided by AWS. Landing zones are open-source solutions designed for highly regulated environments, while Control Tower is an AWS-managed service offering a templated approach to governance. If you’re looking for quick setup and compliance, Control Tower is a great option, especially for smaller organizations. Larger enterprises with complex requirements might prefer custom landing zones for more flexibility.

Integration with AWS Security Hub

Combining AWS Security Hub with Control Tower simplifies compliance monitoring and reduces operational burdens. This integration can be especially useful for achieving operational excellence, a key aspect of the AWS Well-Architected Framework. By using Control Tower’s Account Factory, you can integrate AWS Security Hub to monitor compliance across your entire organization.

Control Tower and AWS Service Catalog

Service Catalog is a central feature of Control Tower, allowing you to create and deploy templated solutions across your organization. This feature can be especially useful for managing shared services and standardizing infrastructure deployment. By creating a Service Catalog, you can offer predefined solutions to your organization, reducing the need for manual setup and customization.

Conclusion

AWS Control Tower is a powerful tool for managing governance, compliance, and security across your AWS accounts. Whether you’re a small business looking for a simple solution or a large enterprise seeking to streamline operations, Control Tower provides the flexibility and features you need.

Thank you to everyone who joined this session, and a special thanks to our partners and panelists for sharing their insights on AWS Control Tower. If you’re interested in learning more, reach out to us to discuss how Control Tower can benefit your organization.