By HSI | April 4, 2023
AWS Control Tower is a service that helps you set up and govern a secure, multi-account AWS environment. It provides pre-packaged best practices, a baseline environment, and automation to help you set up and manage your AWS accounts.
Structure of an AWS Control Tower Landing Zone
The structure of a landing zone in AWS Control Tower is as follows:
Root
The parent that contains all other OUs in your landing zone.
Core OU
This OU (called the Security OU in newer landing zone versions) contains the log archive and audit member accounts. These accounts are often referred to as shared accounts, because every other account in the landing zone sends its logs and findings to them.
Custom OU
The custom OU (called the Sandbox OU in newer versions) is created when you launch your landing zone. This and any other member OUs you add contain the member accounts that your users work in to run their AWS workloads.
AWS SSO directory
This directory houses your AWS SSO users and groups (AWS SSO has since been renamed IAM Identity Center). The permission sets assigned to those users and groups define the scope of what each one can do in each account.
AWS SSO users
These are the identities that your users can assume to perform their AWS workloads in your landing zone.
Figure: Structure of an AWS Control Tower landing zone
AWS Control Tower builds and updates these pieces with CloudFormation stacks and StackSets deployed into every enrolled account. Have a look at the architecture diagram below to see how the parts fit together.
One of the key features of AWS Control Tower is automation. With Control Tower, you can automate the process of setting up new accounts, creating and configuring AWS resources, and enforcing security policies across your organization. In this blog, we’ll explore some of the ways you can automate AWS Control Tower.
1. Customizations
AWS Control Tower provides pre-packaged guardrails (now called controls): predefined rules that enforce security and compliance requirements. The managed guardrails themselves are not editable, but you can add your own alongside them. For example, you can write custom AWS Config rules that check that resources are configured correctly or that they follow your naming conventions, and deploy them, together with your own service control policies and CloudFormation templates, to selected OUs with Customizations for AWS Control Tower (CfCT).
2. Landing Zone
AWS Control Tower provides a landing zone: a pre-configured multi-account environment that encodes best practices for security and compliance. You can use it to set up a secure and compliant AWS environment quickly. The landing zone wires together AWS Organizations, AWS Identity and Access Management (IAM), AWS Single Sign-On (SSO), AWS Service Catalog, and an organization-wide CloudTrail trail and AWS Config recorders that feed the log archive and audit accounts.
3. Account Factory
AWS Control Tower includes Account Factory, an automated process (delivered as an AWS Service Catalog product) for creating and configuring new AWS accounts. With Account Factory you create accounts with pre-configured settings: the OU in AWS Organizations they land in, the AWS SSO user who gets access, and the baseline resources and guardrails that apply to that OU are all applied automatically. This lets you create new accounts quickly and consistently without manual configuration.
4. Guardrail Automation
AWS Control Tower enforces guardrails across your accounts automatically. Preventive guardrails are service control policies that block non-compliant API calls outright; detective guardrails are AWS Config rules that flag resources that violate a policy. Detection alone does not fix anything, so for rules where you want automatic correction, attach an AWS Config remediation action (a Systems Manager Automation document) that, for example, stops or terminates an EC2 instance that violates a security rule. Together these let you enforce security and compliance policies across your AWS environment without a human in the loop for every finding.
5. AWS Service Catalog
AWS Control Tower includes AWS Service Catalog, which is a service that lets you create and manage catalogues of IT services that are approved for use on AWS. You can use AWS Service Catalog to automate the deployment of approved resources and services. This helps you ensure that your AWS environment is standardized and compliant.
6. Workload Templates
Workload templates are pre-configured CloudFormation templates, published through AWS Service Catalog, that include all the resources needed to deploy a specific workload. Because users launch them from the catalogue rather than building resources by hand, the workload arrives already configured to pass the landing zone's guardrails.
7. Config Rules
AWS Config rules are how Control Tower automates compliance checks across your accounts: every detective guardrail is implemented as a managed Config rule that Control Tower deploys to each governed region of each enrolled account. You can add your own rules, managed or custom (Lambda-backed), to cover requirements the pre-packaged guardrails do not.
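The custom rule mentioned under "Customizations" and "Config Rules" looks like this in practice. The block below is an added example, not code from the original post or from AWS: a Lambda-backed AWS Config rule that checks a Name tag against a naming convention and reports the result back to Config with PutEvaluations. The tag key, the regular expression and the set of in-scope resource types are assumptions for the example; the event shape matches what AWS Config sends for a configuration-change rule, and the Config client is injectable so the handler can be run offline against a stub.

```python
"""Custom AWS Config rule: require a Name tag that follows <env>-<app>-<purpose>.

Added example, not the blog's or AWS's code. AWS Config invokes lambda_handler
with a configuration-change event; the handler evaluates the resource and
reports COMPLIANT / NON_COMPLIANT / NOT_APPLICABLE via PutEvaluations.
"""
import json
import re

# Assumed naming convention, e.g. prod-payments-api (lowercase, three parts).
NAME_PATTERN = re.compile(r"^(prod|stage|dev)-[a-z0-9]+-[a-z0-9]+$")
# Assumed scope; the rule definition in AWS Config should list the same types.
IN_SCOPE_TYPES = {"AWS::EC2::Instance", "AWS::S3::Bucket", "AWS::RDS::DBInstance"}


def evaluate_resource(config_item):
    """Return (compliance_type, annotation) for one configuration item."""
    rtype = config_item.get("resourceType")
    if rtype not in IN_SCOPE_TYPES:
        return "NOT_APPLICABLE", f"{rtype} is not governed by this rule"
    if config_item.get("configurationItemStatus") in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        return "NOT_APPLICABLE", "resource was deleted"
    name = (config_item.get("tags") or {}).get("Name")
    if not name:
        return "NON_COMPLIANT", "missing Name tag"
    if not NAME_PATTERN.fullmatch(name):
        return "NON_COMPLIANT", f"Name tag '{name}' does not match <env>-<app>-<purpose>"
    return "COMPLIANT", "Name tag follows the convention"


def lambda_handler(event, context, config_client=None):
    """Entry point AWS Config invokes for a configuration-change rule.

    config_client defaults to boto3's 'config' client; passing one in lets the
    handler be exercised offline with a stub (as the sample run below does).
    """
    invoking_event = json.loads(event["invokingEvent"])
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_resource(item)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # Config limits annotations to 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # imported lazily so the module loads without boto3 installed
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


class RecordingConfigClient:
    """Stand-in for the boto3 Config client so the example runs offline."""

    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def make_event(resource_type, resource_id, tags):
    """Build a constructed Config invocation event (same shape Config sends)."""
    item = {
        "resourceType": resource_type,
        "resourceId": resource_id,
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2023-04-04T10:00:00.000Z",
        "tags": tags,
    }
    return {"invokingEvent": json.dumps({"configurationItem": item}),
            "resultToken": "constructed-token"}


if __name__ == "__main__":
    client = RecordingConfigClient()
    samples = [("i-0aaa", {"Name": "prod-payments-api"}),   # compliant
               ("i-0bbb", {"Name": "Payments Server"}),     # wrong format
               ("i-0ccc", {})]                              # no Name tag
    for rid, tags in samples:
        result = lambda_handler(make_event("AWS::EC2::Instance", rid, tags), None, client)
        print(rid, result["ComplianceType"], "-", result["Annotation"])
```

Deploy it as a Lambda function whose execution role allows config:PutEvaluations, then reference its ARN from a custom Config rule scoped to the same resource types; with CfCT the rule and the function ship as one CloudFormation template targeted at the OUs that should enforce the convention.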
CONTROL TOWER SETUP FOR NEW ACCOUNT
PREREQUISITE
1. Sign in to the management (payer) account as a principal with administrator permissions. Protect that user with MFA and retire it once the landing zone is up; day-to-day access should go through AWS SSO, not this user.
2. Decide on the home region in which you want to create the landing zone. Choose it carefully: the home region cannot be changed afterwards.
3. Control Tower needs an e-mail address for each of the three accounts that make up the landing zone:
Management account (the account you run the setup from; its address already exists)
Log archive account
Audit account
Note: the addresses for the log archive and audit accounts must never have been used for an AWS account before, because Control Tower creates those accounts for you. Use distribution lists rather than personal mailboxes so ownership survives staff changes.
Steps To Be Followed: -
1. Open the AWS Management Console for the payer (management) account.
2. Search for Control Tower in the search bar.
3. Click Set up landing zone.
4. Select the AWS home region for the landing zone.
5. Decide on the region deny setting. This preventive guardrail is an SCP that blocks API calls to regions you do not govern, with global services such as IAM and STS exempted. In this walkthrough it is left disabled. The setting can be changed later by updating the landing zone, so if you leave it disabled, revisit it once you know which regions your workloads need: until it is enabled, users can create resources in any non-governed region, outside the reach of the landing zone's detective guardrails.
6. If you want to govern additional regions, select them and add them here. Guardrails and baselines are deployed only to governed regions.
7. After setting up the regions, click Next.
8. Configure the organizational units (OUs), then click Next.
9. Now configure the shared accounts.
10. The management account is the account you are signed into; its e-mail address is shown here for reference.
11. Configure the log archive account. Choose New to let Control Tower create it with one of the unused addresses from the prerequisites, or Existing if you already have an account for this role. In our scenario we are using New.
12. Configure the audit account the same way. In our scenario we are using New.
13. Configure CloudTrail. Control Tower creates an organization trail that aggregates API activity from every account in the organization and delivers it to an S3 bucket in the log archive account.
14. Configure KMS encryption if you want Control Tower's CloudTrail logs and Config data encrypted with a customer-managed key instead of AWS-owned keys.
15. Configure the S3 buckets for logs. You can define the retention period for the standard logs and for the access logs (the defaults are 1 year and 10 years respectively).
16. Review all the configuration, tick the acknowledgement checkbox and click Set up landing zone.
17. The landing zone setup takes around 60 minutes to complete.
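Before you flip the region deny setting from step 5 to enabled, it is worth knowing what the policy would have blocked in the recent past. The block below is an added example, not code from the original post or from AWS: a small policy document modeled on the shape of Control Tower's region deny SCP (a Deny with NotAction for global services and an aws:RequestedRegion condition), a simplified evaluator for it, and a function that runs CloudTrail-style events through it to preview the impact. The governed regions, the abbreviated list of exempt global services, the principal exemption and the sample events are all assumptions constructed for this example, and the evaluator models only this policy's logic, not the full IAM evaluation engine.

```python
"""Preview what a Control Tower-style region deny SCP would block.

Added example, not the blog's or AWS's code. The SCP below follows the
shape of the region deny control; its contents are assumptions chosen here.
"""
import fnmatch

GOVERNED_REGIONS = ["us-east-1", "eu-west-1"]  # assumed home region plus one governed region

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RegionDeny",
            "Effect": "Deny",
            # Global services that must keep working from any region (abbreviated, assumed list).
            "NotAction": [
                "iam:*", "sts:*", "organizations:*", "cloudfront:*", "route53:*",
                "support:*", "budgets:*", "access-analyzer:*", "account:*",
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS},
                # Assumed exemption so Control Tower's own execution role is never blocked.
                "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/AWSControlTowerExecution"]},
            },
        }
    ],
}


def _matches_any(value, patterns):
    """Case-insensitive glob match, the way IAM matches action names."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_denied(policy, action, region, principal_arn):
    """True if any Deny statement in the SCP applies to this request."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        # NotAction: the Deny applies only to actions NOT in the list.
        if _matches_any(action, stmt.get("NotAction", [])):
            continue
        cond = stmt.get("Condition", {})
        if region in cond.get("StringNotEquals", {}).get("aws:RequestedRegion", []):
            continue
        if _matches_any(principal_arn, cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])):
            continue
        return True
    return False


def preview_impact(policy, events):
    """Run CloudTrail-style events through the SCP and return those it would deny.

    Each event needs eventSource, eventName, awsRegion and userIdentity.arn,
    which is what `aws cloudtrail lookup-events` returns. Run this over recent
    history so you learn what breaks before your users do.
    """
    denied = []
    for ev in events:
        action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]
        if is_denied(policy, action, ev["awsRegion"], ev["userIdentity"]["arn"]):
            denied.append(ev)
    return denied


# Constructed sample events, not real CloudTrail output.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "ap-southeast-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Developer"}},      # ungoverned region: denied
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Developer"}},      # governed region: allowed
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/Developer"}},      # global service: allowed
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "awsRegion": "ap-northeast-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/AWSControlTowerExecution"}},  # exempt role
]

if __name__ == "__main__":
    for ev in preview_impact(REGION_DENY_SCP, SAMPLE_EVENTS):
        print("would be denied:", ev["awsRegion"], ev["eventSource"], ev["eventName"],
              ev["userIdentity"]["arn"])
```

Feed preview_impact the output of `aws cloudtrail lookup-events` for each account (or a query against the organization trail in the log archive bucket) rather than the constructed sample; anything it lists is a workload you need to move into a governed region, or a service you need to add to the exemption list, before enabling the control.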
Conclusion
AWS Control Tower provides several automation features that help you set up and manage a secure, multi-account AWS environment. With Control Tower, you can automate the creation and configuration of AWS resources, enforce security policies, and standardize your environment. By using Control Tower automation, you can save time, reduce errors, and improve the security and compliance of your AWS environment.