

AWS Control Tower aims to simplify multi-account management

Many organizations struggle to manage their vast collection of AWS accounts, but Control Tower can help. The service automates the creation and governance of user accounts.

Organizations often segregate AWS accounts to accommodate the various needs of their employees, based on the level of permissions an employee needs to accomplish a specific task. But each account requires configuration and monitoring, and missteps can hamper workload performance, compromise security or create compliance issues.

Without centralized account management, IT administrators need to manually establish and configure new accounts. An organization could establish a common configuration. However, that would rely on users to implement workflows or scripts manually, and account creation and management would still be difficult to oversee and enforce uniformly.

AWS Control Tower is a service that aims to tackle these account management issues that can bog down multi-account environments while enhancing governance. Let's look at the service and consider its potential effects on public cloud users, as well as how it depends on AWS Organizations and AWS Landing Zone.

The role of AWS Control Tower

AWS developed Control Tower as a centralized management service that automates the creation of a baseline environment for each new account, based on best practices for security, compliance and operations. As a result, developers or lines of business can maintain their independence on the platform, while Control Tower ensures that each AWS account meets the organization's established policies.

AWS Control Tower relies on the concepts of landing zones, blueprints and account factories. An administrator has access to the blueprints feature, which is composed of AWS security, management and configuration best practices. The administrator can then use those blueprints to automate the creation of landing zones, which are the baseline environments. For example, administrators can use blueprints for the following common tasks:

  • identity management with AWS Organizations;
  • federated access with AWS Single Sign-On (SSO);
  • centralized logging with native services, such as AWS CloudTrail and AWS Config;
  • cross-account security audits with AWS Identity and Access Management (IAM);
  • network implementations with Amazon Virtual Private Cloud (VPC); and
  • defining workflows for provisioning accounts with AWS Service Catalog.


AWS Control Tower applies rules that are known as guardrails. These rules enforce the established policies and report any policy violations for examination and remediation. Additionally, guardrails detect and control nonconforming resource deployments and policies. The Control Tower dashboard provides a high-level summary of the AWS environment and all its accounts. Guardrails can be characterized along multiple dimensions, including the following:

  • Preventive. Preventive guardrails set restrictions and limits on the deployment of services or resources that do not conform to policies.
  • Detective. Detective guardrails monitor services and resources for nonconforming use or change attempts.
  • Mandatory. Mandatory guardrails are always invoked as part of the Landing Zone setup.
  • Optional. Optional guardrails can be enabled as desired. All accounts within the organizational unit will inherit the optional guardrails.

Guardrails in AWS Control Tower rely on several constituent building blocks, including AWS CloudFormation to establish the required rules baseline, AWS Organizations service control policies (SCPs) to prevent undesired configuration changes, and AWS Config rules to detect and report potential conformance violations or unauthorized change attempts.
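How a preventive guardrail written as an SCP reaches accounts through OU inheritance, as an added Python example (not AWS's or Control Tower's own code). The OU names, account IDs and the policy are constructed, and the evaluation assumes only explicit Deny statements and their Action element matter, leaving Resource and Condition out.

```python
import fnmatch

# Constructed organization: OU tree and account placement (hypothetical names and IDs).
OU_PARENT = {"Root": None, "Core": "Root", "Workloads": "Root", "Prod": "Workloads"}
ACCOUNT_OU = {"111111111111": "Core", "222222222222": "Prod", "333333333333": "Root"}

# Constructed preventive guardrail in SCP syntax: accounts may not stop or
# delete CloudTrail trails.
PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
        "Resource": "*",
    }],
}
# SCPs attached per OU; here the guardrail is enabled on Workloads only.
OU_POLICIES = {"Workloads": [PROTECT_CLOUDTRAIL]}


def ou_chain(account_id):
    """Return the account's OU followed by every ancestor up to the root."""
    chain, ou = [], ACCOUNT_OU[account_id]
    while ou is not None:
        chain.append(ou)
        ou = OU_PARENT[ou]
    return chain


def _as_list(value):
    return value if isinstance(value, list) else [value]


def denied_by(account_id, action):
    """Return (ou, sid) of the first inherited Deny matching the action, else None."""
    for ou in ou_chain(account_id):
        for policy in OU_POLICIES.get(ou, []):
            for stmt in _as_list(policy["Statement"]):
                if stmt["Effect"] != "Deny":
                    continue
                # Assumption: Resource and Condition are ignored here.
                # IAM action names are case-insensitive and allow * wildcards.
                patterns = _as_list(stmt["Action"])
                if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
                    return ou, stmt.get("Sid")
    return None
```

An account in Prod is blocked by the policy attached to its parent OU, while an account in Core is not, which is the gap to look for when a guardrail is enabled on only part of the tree.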

Account Factory

Additionally, the Account Factory feature brings automation to new account provisioning. It provides a configurable account template that offers approved account configurations, such as network configurations, region selections and an array of user-enabled features through AWS Service Catalog. A user only needs to request a new account, and Account Factory will automatically produce an account with approved parameters. This is another means of enhancing speed and governance through AWS Control Tower.

AWS Control Tower pricing

AWS Control Tower is free -- along with other related services, including AWS Organizations and AWS SSO -- but users incur standard charges for AWS products they use in conjunction with the landing zone and mandatory guardrails. For example, AWS Control Tower may precipitate charges for other services, including AWS Service Catalog, AWS CloudTrail, AWS Config, Amazon CloudWatch, SNS, S3 and VPC.

AWS provides a pricing calculator that can assist users in estimating the cost impact of AWS services and resources. However, fees also vary based on the region, number of accounts, hours used and other variables.

How AWS Control Tower depends on AWS Organizations

AWS Organizations is an AWS service designed to organize accounts and implement rules based on both default and custom policies that control the use of AWS services and resources across multiple AWS accounts. Consequently, AWS Control Tower makes extensive use of AWS Organizations as an underlying service.

Admins can create accounts and add them to AWS Organizations. They can also group accounts into organizational units (OUs) through various perspectives, such as workflow or use case. Rules and policies can be applied to an OU, which will then be applied to all accounts within the OU.

New OUs created through AWS Control Tower will automatically be added to the AWS Organizations environment. Admins can add existing accounts in AWS Organizations to OUs through AWS Control Tower.

How AWS Control Tower depends on AWS Landing Zone

AWS Control Tower makes extensive use of AWS Landing Zone to help users set up secure multi-account environments. AWS Control Tower provides the automation and guidelines -- the blueprints and guardrails -- that form the basis for automating AWS Landing Zone behaviors.

AWS Landing Zone functions with extensive automation based on rules meant to speed the creation of new, compliant AWS accounts. Amazon constructed Account Vending Machine (AVM) -- an offering within AWS Service Catalog -- for this. AWS Landing Zone calls the AVM to enable the creation of new, on-demand accounts without administrator approvals. But the new accounts come preconfigured with the prerequisite security and networking rules established in Landing Zone.

The AWS Landing Zone service is composed of four principal accounts. Each account contains specific AWS services and configurations that interrelate to underpin the multiuser accounts that Control Tower supports.

AWS Organizations

The AWS Organizations account holds the AWS Landing Zone configuration and helps create and manage all the member accounts under Landing Zone's direction. This account involves constituent services, such as Amazon S3, AWS CodePipeline, account configuration StackSets, AWS Organizations SCPs, AWS Service Catalog and the AWS SSO configuration. This is the backbone of the service that drives the authorization and creation of new member accounts.

Shared Services

The Shared Services account is responsible for the support, creation and management of shared services within the AWS infrastructure, such as the virtual network baseline configuration. The Shared Services account includes components such as AWS Managed Microsoft Active Directory (AD) for AWS SSO and Amazon VPC. These services automatically combine with new accounts created in AWS Landing Zone.

Log Archive

The Log Archive account is responsible for the retention of all log file content generated by services such as AWS CloudTrail and AWS Config in a separate S3 bucket.


Security

Finally, the Security account establishes audit and administrator roles linked to all AWS Landing Zone accounts and enables IT or business leaders to address security incidents or audit activities to ensure ongoing compliance.

How AWS Landing Zone establishes security

AWS Landing Zone enables different single sign-on options to handle users and groups. The default configuration deploys AWS SSO with the AWS SSO directory. This option enables user and group management with a single set of credentials that federate user access across AWS accounts.

The second option is to use AWS Managed Microsoft AD. This option deploys AD and Directory Connector to connect AWS SSO to the AD environment and enables more granular control over users and groups.

Control Tower strengthens account security through baseline safeguards that stem from the multitude of native services that integrate with it. For example, AWS Landing Zone applies security baselines to the following constituent services:

  • AWS CloudTrail
  • AWS Config
  • AWS Config Rules
  • Amazon VPC

However, default baselines can be adjusted to accommodate the specific needs of the organization.

Notifications and alerts are a key defense mechanism for timely incident detection and remediation. AWS Landing Zone can configure Amazon CloudWatch alarms and events to send notifications on important incidents to Amazon Simple Notification Service (SNS). For example, Amazon CloudWatch can send alerts when someone logs in to the root account, sign-in failures occur, API authentication fails, network peering takes place, changes take place within an account and other events.
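The alert conditions listed above, expressed as detection logic over CloudTrail records, as an added Python example (not the filter patterns AWS Landing Zone itself deploys). The sample records are constructed and trimmed to the fields the rules read, and the alert names are hypothetical.

```python
# Constructed CloudTrail records (trimmed to the fields the rules read).
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "Root"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventName": "RunInstances", "userIdentity": {"type": "AssumedRole"},
     "errorCode": "Client.UnauthorizedOperation"},
    {"eventName": "CreateVpcPeeringConnection", "userIdentity": {"type": "AssumedRole"}},
    {"eventName": "DescribeInstances", "userIdentity": {"type": "AssumedRole"}},
]

PEERING_EVENTS = {"CreateVpcPeeringConnection", "AcceptVpcPeeringConnection",
                  "DeleteVpcPeeringConnection", "RejectVpcPeeringConnection"}


def classify(event):
    """Return the alert names (hypothetical labels) that one record raises."""
    alerts = []
    name = event.get("eventName")
    identity = event.get("userIdentity") or {}
    response = event.get("responseElements") or {}  # null on many records
    error = event.get("errorCode", "")
    if name == "ConsoleLogin" and identity.get("type") == "Root":
        alerts.append("root-login")
    if name == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
        alerts.append("signin-failure")
    if error.startswith("AccessDenied") or error.endswith("UnauthorizedOperation"):
        alerts.append("api-auth-failure")
    if name in PEERING_EVENTS:
        alerts.append("vpc-peering-change")
    return alerts


def alert_counts(events):
    """Count alerts per name, the value an alarm threshold would be compared to."""
    counts = {}
    for event in events:
        for alert in classify(event):
            counts[alert] = counts.get(alert, 0) + 1
    return counts
```

A failed root sign-in raises both `root-login` and `signin-failure`, so the two alerts should be routed and triaged independently.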
