Control Tower

Set up and govern a secure, compliant multi-account environment


Overview

  • Set up and govern your AWS multi-account environment based on best practices.

  • Orchestrates the capabilities of several services:

Benefits

  • Set up automatically with a well-architected blueprint

  • Policy management and detection of policy violations

  • Dashboard for monitoring compliance.

Features

Guardrails

  • Preventive Guardrail (using SCPs): restrict Regions across all your accounts

  • Detective Guardrail (using AWS Config): identify untagged resources.
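
The kind of SCP a preventive guardrail relies on to restrict Regions, shown as an added example rather than Control Tower's own managed policy. The approved Regions and the global services exempted in NotAction are assumptions to adapt to your organization.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "organizations:*",
        "sts:*",
        "route53:*",
        "cloudfront:*",
        "support:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-west-1",
            "eu-central-1"
          ]
        }
      }
    }
  ]
}
```

An SCP grants nothing by itself: it only caps what IAM policies in member accounts can allow, so this statement blocks requests outside the listed Regions before they run. SCPs do not apply to the organization's management account.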

Landing zone

Multi-account environment

Controls

Account Factory

Dashboard

Trivia

  • Requires organization-level CloudTrail to be enabled

Concepts

  • Landing Zone: the overall multi-account environment that Control Tower sets up.

  • Organizational Unit (OU): an entity created within your organization to group multiple accounts.

  • Guardrails: pre-packaged SCP and AWS Config governance rules for security, operations, and compliance that customers can select and apply enterprise-wide or to specific groups of accounts.
