AWS Control Tower aims to simplify multi-account management

Many organizations struggle to manage their sprawling collections of AWS accounts, and Control Tower could help. The service automates the creation and governance of AWS accounts.

Organizations often segregate AWS accounts to accommodate the varying needs of teams and workloads, based on the level of permissions each needs to accomplish a specific task. But each account requires configuration and monitoring, and missteps can hamper workload performance, compromise security or create compliance issues.

Without centralized account management, IT administrators need to establish and configure new accounts manually. An organization could define a common configuration, but that would rely on users to follow the workflow or run scripts by hand, and account creation and management would still be difficult to oversee and enforce uniformly.

AWS Control Tower is a service that looks to tackle these account management issues that can bog down multi-account environments. Let's take a look at the service and consider its potential effects on public cloud users.

The role of AWS Control Tower

AWS developed Control Tower as a centralized management service that automates the creation of a baseline environment for each new account based on best practices for security, compliance and operations. As a result, developers or lines of business can maintain their independence on the platform, while Control Tower ensures that each AWS account meets the organization's established policies.

AWS Control Tower relies on the concepts of landing zones and blueprints. Blueprints are composed of AWS security, management and configuration best practices; an administrator uses them to automate the creation of landing zones, which are the baseline multi-account environments.

For example, administrators can use blueprints for common tasks, such as building the multi-account structure with AWS Organizations; identity management and federated access with AWS Single Sign-On (SSO); centralized logging with native services, such as AWS CloudTrail and AWS Config; cross-account security audits with AWS Identity and Access Management (IAM); network implementations with Amazon Virtual Private Cloud (VPC); and defining workflows for provisioning accounts with AWS Service Catalog.

AWS Control Tower applies rules, known as guardrails, that enforce the established policies and report any policy violations for examination and remediation. Preventive guardrails are implemented as AWS Organizations service control policies (SCPs) and reject nonconforming API calls outright, even when they come from a member account's root user; detective guardrails are implemented as AWS Config rules and flag resources that drift out of compliance after deployment. The Control Tower dashboard provides a high-level summary of the AWS environment and all of its accounts.
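To make the preventive side concrete, here is an added example (not Control Tower's own code) that models a guardrail as an SCP and runs a minimal SCP evaluator over constructed requests. The policy mirrors the shape of a "disallow changes to CloudTrail" guardrail, but the statement ID, the exempt role name `AWSControlTowerExecution`, the trail ARN and the account ID `111122223333` are assumptions chosen for illustration, and the evaluator supports only the `Action`/`Resource` elements and the two ARN condition operators the policy uses.

```python
import fnmatch
import json


# Constructed SCP for this example. It has the shape of a Control Tower
# preventive guardrail (explicit Deny with an exemption for the management
# role), but the Sid, exempt role name and action list are assumptions.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
""")

# AWS attaches FullAWSAccess to every root, OU and account by default; without
# some Allow, SCP evaluation ends in an implicit deny.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value, case_insensitive=False):
    """IAM-style wildcard match ('*' and '?'). Action names are matched
    case-insensitively; ARNs and resource strings are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, ctx):
    """Only ArnLike/ArnNotLike are modelled. An unknown operator raises rather
    than silently passing, so the evaluator cannot fail open."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            actual = ctx.get(key)
            hit = actual is not None and any(
                _matches(p, actual) for p in _as_list(patterns))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:  # missing key => condition true
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    if "NotAction" in stmt or "NotResource" in stmt:
        raise NotImplementedError("NotAction/NotResource are not modelled here")
    if not any(_matches(a, action, case_insensitive=True)
               for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate_scps(policies, action, resource, ctx):
    """Evaluate the SCPs attached at one level of the organization:
    an explicit Deny anywhere wins, otherwise an explicit Allow is required."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"
            allowed = True
    return "ALLOW" if allowed else "DENY"


# Constructed target: the baseline trail in a member account (assumed ARN).
TRAIL_ARN = ("arn:aws:cloudtrail:us-east-1:111122223333:"
             "trail/aws-controltower-BaselineCloudTrail")


def check(principal_arn, action):
    """Decision for `principal_arn` attempting `action` on the baseline trail
    with FullAWSAccess plus the guardrail attached."""
    return evaluate_scps([FULL_AWS_ACCESS, GUARDRAIL_SCP], action, TRAIL_ARN,
                         {"aws:PrincipalArn": principal_arn})


if __name__ == "__main__":
    for who, act in [
        ("arn:aws:iam::111122223333:role/Developer", "cloudtrail:StopLogging"),
        ("arn:aws:iam::111122223333:root", "cloudtrail:DeleteTrail"),
        ("arn:aws:iam::111122223333:role/Developer", "cloudtrail:DescribeTrails"),
        ("arn:aws:iam::111122223333:role/AWSControlTowerExecution",
         "cloudtrail:StopLogging"),
    ]:
        print(f"{act:30} by {who.rsplit(':', 1)[1]:30} -> {check(who, act)}")
```

The evaluator returns `DENY` for the developer role and for the member account's root user, because SCPs bind every principal in the account and an explicit Deny cannot be overridden by any IAM policy inside it; only the exempted management role gets `ALLOW`. Read-only calls such as `cloudtrail:DescribeTrails` still pass, which is the intended scope of a guardrail like this one.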

How AWS Control Tower depends on AWS Landing Zone

AWS Control Tower makes extensive use of AWS Landing Zone to help users set up secure multi-account environments. AWS Control Tower provides the automation and guidelines -- the blueprints and guardrails -- that form the basis for automating AWS Landing Zone behaviors.

The AWS Landing Zone service consists of four principal accounts: Organizations, Shared Services, Log Archive and Security. Each account contains specific AWS services and configurations that interrelate to underpin the member accounts that Control Tower supports.

The AWS Organizations account holds the AWS Landing Zone configuration and helps create and manage all of the member accounts under the direction of the Landing Zone. This account hosts constituent services, such as Amazon S3, AWS CodePipeline, account configuration StackSets, AWS Organizations service control policies, AWS Service Catalog and the AWS SSO configuration. In effect, it is the backbone of the service that drives the authorization and creation of new member accounts.

The Shared Services account is responsible for the support, creation and management of shared services within the AWS infrastructure, such as the virtual network baseline configuration. The Shared Services account will include components such as AWS Managed Microsoft Active Directory (AD) for AWS SSO and Amazon VPC. These services are automatically made available to new accounts created in AWS Landing Zone; the shared services VPC, for example, is peered with each new account's VPC.

The Log Archive account is responsible for the retention of all log file content generated by services such as AWS CloudTrail and AWS Config, in a dedicated S3 bucket that sits outside the accounts producing the logs, so that a compromised member account cannot alter or delete its own audit trail.

Finally, the Security account establishes cross-account audit and administrator roles linked to all AWS Landing Zone accounts and enables IT or business leaders to address security incidents or audit activities to ensure ongoing compliance.

AWS Landing Zone functions with extensive automation based on rules meant to speed the creation of new, compliant AWS accounts. Amazon built the Account Vending Machine (AVM), a product within AWS Service Catalog, for this purpose. Users launch the AVM to create new accounts on demand, without waiting on administrator approvals, and each new account arrives preconfigured with the security and networking baseline established in the Landing Zone.

How AWS Landing Zone establishes security

AWS Landing Zone enables different single sign-on options to handle users and groups. The default configuration deploys AWS SSO with the AWS SSO default directory. This option enables user and group management with a single set of credentials that federate user access across AWS accounts.

The second option is to use AWS Managed Microsoft AD. This option deploys AWS Managed Microsoft AD and AD Connector to connect AWS SSO to the AD environment and enables more granular control over users and groups.

Control Tower strengthens account security through baseline safeguards drawn from the many native services that integrate with it. For example, AWS Landing Zone applies security baselines to constituent services, such as AWS CloudTrail, AWS Config, AWS Config Rules, AWS IAM, Amazon VPC and others. The default baselines can be adjusted to accommodate the specific needs of the organization.

Notifications and alerts are a key defense mechanism for timely incident detection and remediation. AWS Landing Zone can configure Amazon CloudWatch alarms and events to send notifications on important incidents to Amazon Simple Notification Service (SNS) topics. For example, Amazon CloudWatch can raise alerts when someone signs in as the root user, when console sign-in failures occur, when API calls are rejected for lack of authorization, when VPC peering connections are created, when changes take place within an account and on other events.
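The alarms above are CloudWatch Logs metric filters over CloudTrail events delivered to a log group. As an added example, not the Landing Zone's own alarm definitions, the code below encodes four of those detections as Python predicates that follow the CIS AWS Foundations Benchmark metric-filter patterns and runs them over a handful of constructed CloudTrail records (the account ID, user names, IP addresses and timestamps are made up). The fifth record shows the edge case the root-usage filter's `invokedBy NOT EXISTS` clause exists for: a root identity acting through an AWS service should not page anyone.

```python
import json

# Constructed CloudTrail records, trimmed to the fields the rules inspect.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"eventTime":"2019-01-14T08:01:12Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Success"},"sourceIPAddress":"203.0.113.7"}
{"eventTime":"2019-01-14T08:03:40Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","eventType":"AwsConsoleSignIn","userIdentity":{"type":"IAMUser","userName":"alice","accountId":"111122223333"},"responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication","sourceIPAddress":"198.51.100.9"}
{"eventTime":"2019-01-14T08:05:02Z","eventSource":"ec2.amazonaws.com","eventName":"CreateVpcPeeringConnection","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Developer/bob","accountId":"111122223333"},"sourceIPAddress":"10.0.4.21"}
{"eventTime":"2019-01-14T08:06:55Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Developer/bob","accountId":"111122223333"},"errorCode":"AccessDenied","errorMessage":"Access Denied","sourceIPAddress":"10.0.4.21"}
{"eventTime":"2019-01-14T08:07:10Z","eventSource":"iam.amazonaws.com","eventName":"CreateServiceLinkedRole","eventType":"AwsApiCall","userIdentity":{"type":"Root","invokedBy":"ec2.amazonaws.com","accountId":"111122223333"},"sourceIPAddress":"ec2.amazonaws.com"}
{"eventTime":"2019-01-14T08:09:31Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Developer/bob","accountId":"111122223333"},"sourceIPAddress":"10.0.4.21"}
'''.strip().splitlines()]


def is_root_usage(ev):
    """Metric filter: { $.userIdentity.type = "Root" && $.userIdentity.invokedBy
    NOT EXISTS && $.eventType != "AwsServiceEvent" }. The two exclusions keep
    service-initiated actions on root's behalf from firing the alarm."""
    ident = ev.get("userIdentity", {})
    return (ident.get("type") == "Root"
            and "invokedBy" not in ident
            and ev.get("eventType") != "AwsServiceEvent")


def is_console_signin_failure(ev):
    """Metric filter: { ($.eventName = ConsoleLogin) &&
    ($.errorMessage = "Failed authentication") }."""
    return (ev.get("eventName") == "ConsoleLogin"
            and ev.get("errorMessage") == "Failed authentication")


def is_unauthorized_api_call(ev):
    """Metric filter: { ($.errorCode = "*UnauthorizedOperation") ||
    ($.errorCode = "AccessDenied*") }."""
    code = ev.get("errorCode", "")
    return code.endswith("UnauthorizedOperation") or code.startswith("AccessDenied")


VPC_PEERING_EVENTS = {
    "CreateVpcPeeringConnection", "AcceptVpcPeeringConnection",
    "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection",
}


def is_vpc_peering_change(ev):
    """Any peering lifecycle call; an unexpected peer is a data-exfiltration path."""
    return (ev.get("eventSource") == "ec2.amazonaws.com"
            and ev.get("eventName") in VPC_PEERING_EVENTS)


RULES = {
    "RootAccountUsage": is_root_usage,
    "ConsoleSignInFailure": is_console_signin_failure,
    "UnauthorizedAPICall": is_unauthorized_api_call,
    "VpcPeeringChange": is_vpc_peering_change,
}


def _actor(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def detect(events, rules=RULES):
    """One finding per (rule, event) hit, the way a metric filter increments its
    metric; in the real pipeline the CloudWatch alarm on that metric publishes
    to the SNS topic."""
    findings = []
    for ev in events:
        for name, predicate in rules.items():
            if predicate(ev):
                findings.append({
                    "rule": name,
                    "time": ev["eventTime"],
                    "actor": _actor(ev),
                    "event": ev["eventName"],
                    "source_ip": ev.get("sourceIPAddress"),
                })
    return findings


def count_by_rule(findings):
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['rule']:22} {f['event']:28} {f['actor']}  {f['source_ip']}")
    print(count_by_rule(detect(SAMPLE_EVENTS)))
```

Run against the constructed records, the rules produce exactly four findings (root console login, failed console sign-in, peering connection created, access-denied API call), while the service-linked-role creation attributed to root and the routine `DescribeInstances` call stay quiet. When wiring this into a Landing Zone-style deployment, the same predicates translate one-for-one into metric filter patterns on the CloudTrail log group, with one alarm and one SNS subscription per rule.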

AWS Control Tower pricing and availability

AWS Control Tower is free, but users will incur standard charges for AWS products used in conjunction with the service.

Those charges vary with the region, the number of accounts, hours of use and other variables. As of January 2019, AWS Control Tower is still in beta and only available for limited testing and previews.
