Establish secure cloud foundations in AWS using Control Tower

Before we discuss Control Tower, there are few other topics to discuss. You may have heard about Multi Account strategy. This is one of the best practices accepted in the industry for various reasons. In any organization, typically you have many departments, teams, products, environments etc. Segregating and placing resources in multiple accounts logically(by department/team/product/environment) which can be handy when it comes to billing.
However, if you have a large number of accounts to manage, you may encounter different problems.

How can we ensure that all accounts meet security and compliance requirements?
How can we make the account creation process more safe and precise?
Can we reduce repetitive tasks when setting up accounts?
How can we monitor these accounts?
How do we get to know if something goes wrong or if something unusual occurs in a multi-account environment?

This is where landing zone and Control Tower comes into picture.

What is a Landing Zone?

It is a preconfigured, secure, scalable multi-account environment based on best practice blueprints.

Blueprints are Well-architected design patterns that are used to set up the Landing Zone

Why do we need AWS Control Tower?

AWS Control Tower helps to automate the landing zone to set up baseline environment. In other words, this will help to build a secure environment for teams to provision development and production accounts in alignment with AWS recommendations and best practices.

What are the main AWS services used by AWS Control Tower?

AWS Organizations
AWS Cloudformation
AWS Service Catalog
AWS SSO
AWS IAM
AWS Config
AWS CloudTrail

What are guardrails and why they needed?

Guardrails are high-level rules that provides ongoing governance for your overall AWS environment which does preventive and detective controls. Typically Control Tower creates and enables some guardrails(mandatory guardrails) during the initial setup. Under the hood these are made from SCPs or AWS config rules. There 3 guardrail types called mandatory, strongly recommended and elective. This can be enabled per OU.

eg:- if you enable the detective guardrail Detect Whether Public Read Access to Amazon S3 Buckets is Allowed on an OU - you can determine whether a user would be permitted to have read access to any S3 buckets for any accounts under that OU.

You can find the details of available guardrails here: guardrails reference

What is Account Factory in Control Tower?

It is a set of pre-approved account configurations which helps to standardize the provisioning of new accounts. It includes baseline network configurations(VPC configuration options).Account factory is publish to AWS Service catalog automatically as a product.

What kind of AWS account require to setup Control Tower?

a fresh AWS master account that is both Master Payer(which pays the charges for all member accounts) and Organization Master.

What accounts Control Tower creates by default?

Log archiving account
Audit account

why? According to Well-Architected multi account environment, Any organization should have separate account for logging and for auditing. Idea of creating separate accounts is for isolation.

How long the Control Tower initial setup process will take?

Around 1 hour

What are the recommended action after the initial setup of the Control Tower?

Adding OUs to organize accounts and projects
Configure the Account factory
Enable more Guardrails - Not all guardrails are enabled by default, so you may need enable as you need. You can enable those guardrails from AWS Control Tower page.
Review the user identity store and SSO for your users across accounts
Review the settings of the shared accounts that AWS Control Tower setup for you.

How can you ensure your accounts are compliant with respect to the enabled guardrails?

When you click accounts or Organizational units, you will see list of accounts and OUs. Then check the compliance Status field under each OU or Account. It will show as shown below mentioning its compliant in green color.