Voiced by Amazon Polly |
Introduction
For any organization using AWS and dealing with multiple workloads across user accounts, AWS multi-account strategy is the common architectural blueprint to provide secure and isolated resources and billing for your different workloads. AWS Control Tower does not just simplify the process and quickly set up and provision. It also gives you a dashboard for manageability. A mandatory and recommended set of guardrails can manage Control Tower.
Customized Cloud Solutions to Drive your Business Success
- Cloud Migration
- Devops
- AIML & IoT
What is a Control Tower?
AWS Control Tower is an account management service used for multi-account setup. It allows us to create, manage and monitor AWS accounts. It helps us to centrally manage billing, and security, control access and compliance, and share resources across your AWS accounts.
Why Control Tower and not AWS Organization?
AWS Control Tower uses many AWS services, including AWS Organization. It provides a simplified way with custom automation to set up a multi-account structure. Control tower’s other services, along with Organization, are service catalog for landing zone, IAM Identity center for authentication, CloudTrail for logging purposes, and config for automation.
Few common terms in Control tower
Master Account
- It is the main account used to create the AWS organization.
- There can only be one root/master account within an organization.
- By using this account, new AWS accounts can be created, or you can invite an existing AWS account to the organization or remove an existing account.
Member Account
- Every other account except the master account is a member account.
- A new account can be created directly as a member account, or we can also add an existing AWS account.
Organization Unit (OU)
- It is a group of member accounts within an organization. It can also contain another OU within an OU of up to 5 levels.
Service Control Policy (SCP)
- The policy describes the permissions attached to the organization, OU, or individual accounts.
Landing Zone
- It is a well-architected multi-account setup that is secure and scalable. It helps set up multiple accounts with a baseline for security, access management, account structure, networking, etc.
Steps to set up the Control Tower
Prerequisite:
- AWS account.
- Email IDs to create a new AWS account or add an existing one.
Search the control tower, go to the dashboard, and click on set up a landing zone to get started.
Step 1: Setting up the region
Under Step 1, select the appropriate options
- For the home region, select the region. This will be the default region where the resources of your shared accounts will be provisioned
- Under the region deny setting, choose enabled if you want to deny access to other regions, accept home region, or any additional region you may select manually.
- Under additional AWS regions for governance, select any additional region apart from your home region where you plan to run your workloads.
- Click next
Step 2: Configuring Organizational Units
2 Organizational Units will be created. Give an appropriate name or leave it by default which will be “Security” for Foundational OU and “Sandbox” for Additional OU and click next.
Step 3: Configuring member accounts
Under step 3, we will be creating two new accounts. Enter the email address with which you want your AWS accounts to be created, and the account name by default is “Log Archive” and “Audit”.
There is also an option for using an existing account. To use an existing AWS account, we must first create an organization and add an existing one within our organization by sending in the invitation. Once it is accepted, we can use it in landing zone creation.
Step 4: Configuring CloudTrail and Encryption
Select enable under AWS CloudTrail configuration, as it will continuously log actions on AWS accounts and store them on the S3 bucket. You can also give the retention period for storing the logs. Click next.
Step 5: Review the setup
Review all the configurations, acknowledge, and click on set up a landing zone.
Setting up the whole landing zone will take approximately 30-60 minutes.
Once the landing zone is created, we can see the dashboard with all the details, such as OU, shared accounts, controls, etc.
Benefits of AWS Control Tower
- AWS Control Tower automates creating the landing zone, which takes around an hour to create.
- Guardrails can be applied to all accounts with the help of AWS Control Tower, and mandatory guardrails are enabled by default.
- It supports monitoring resources, logging, IAM, SCP, and alerts across all the accounts within the organization.
- Provisioning a new AWS account can be done very quickly.
- The control tower provides you with a dashboard where you can see the high-level summary.
Conclusion
AWS Control Tower is a valuable service for large enterprises to set up and manage secure multi-account AWS environments. It simplifies the building of multi-account and makes the management and governance of multi-account very easy.
If you plan to launch an AWS Control Tower-based environment, we encourage you to consult with an expert. Using an approved AWS Control Tower partner like CloudThat can significantly speed up the training, design, and build process. It also ensures a safe, cost-effective solution.
Get your new hires billable within 1-60 days. Experience our Capability Development Framework today.
- Cloud Training
- Customized Training
- Experiential Learning
About CloudThat
CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding Amazon Control Tower and I will get back to you quickly.
To get started, go through our Consultancy page and Managed Services Package that is CloudThat’s offerings.
FAQs
1. What is the pricing of the Control Tower?
ANS: – AWS Control Tower does not charge anything. You only pay for the services enabled by Control Tower.
2. Can I use AWS Control Tower through API?
ANS: – No, you can only use AWS Control Tower from AWS Management Console.
3. Can I change my management account?
ANS: – No, once configured, you cannot change which account will be the management account. Therefore, you should choose the management account carefully.
WRITTEN BY Aniket Kumar Ambasta
Aniket Kumar Ambasta works as a Research associate- TC - Infra, Security, and Migration at CloudThat. He is AWS Solutions Architect- Associate certified and has completed his Bachelor's in Computer Applications. He has good experience in Cloud technologies. Apart from professional interests, he loves exploring and learning new technologies.
Click to Comment