Amazon Releases the Multi-Account Management Service AWS Control Tower to General Availability

Recently, Amazon announced the general availability of AWS Control Tower, a service that automates the process of setting up a new baseline multi-account AWS environment that is secure and well-architected. With AWS Control Tower, cloud administrators can consistently set up security and compliance for multi-account AWS environments.

During the AWS re:Inforce event in Boston last month, Amazon unveiled both AWS Control Tower and Security Hub as new tooling for organizations to streamline their process of configuring and locking down AWS environments and accounts. Moreover, Amazon has incorporated into the service the knowledge it gained from thousands of successful customer engagements, along with the recommendations found in its whitepapers, documentation, the Well-Architected Framework, and training.

Rich Mogull, CEO of Securosis, said in a duo.com security news article:

Control Tower is basically a template for an entire enterprise deployment and management of a full, multi-account environment with all key security controls pre-configured.

With Control Tower, a cloud administrator is provided with a tool that automates various tasks involving the initial setup of a new AWS environment, such as identity and access management, centralized logging, and security audits across accounts. Furthermore, the service consists of several components, including:

  • Landing Zone - the multi-account AWS environment the tool sets up
  • Blueprints - design patterns used to establish the Landing Zone
  • A set of default policy controls known as Guardrails
  • The Environment – an AWS account with all of the attendant resources set up to run an application.


Source: https://aws.amazon.com/controltower/

Companies running larger AWS environments with lots of moving parts can especially benefit from Control Tower – for instance, it only takes one unprotected administrator account or misconfigured storage repository for data to be exposed. 

Dave McCann, VP of Marketplace and Migration, AWS, said in a BusinessWire article:

Not only does AWS Control Tower make deploying a multi-account environment and establishing governance controls as easy as selecting items from a menu, but it also gives customers a roadmap for how to get it right based upon AWS’s experience helping thousands of enterprise customers create secure and compliant cloud environments.

AWS Control Tower is currently available in the US East (Virginia), US East (Ohio), US West (Oregon), and EU (Ireland) regions, with additional regions coming soon. Customers can use AWS Control Tower free of charge, and they only pay for AWS services set up by it – pricing examples are available on the pricing page.

Community comments

  • Clarification

    by Michael Holzer,

    Hi,
    I'm confused by the claim 'the Environment – an AWS account with all of the attendant resources set up to run an application.', specifically the part 'all of the attendant resources set up to run an application'. In Amazon's docs I didn't find any references for this statement. Could the author please clarify?
    Thanks
    Michael

  • Re: Clarification

    by Steef-Jan Wiggers,

    Hi,

    What it means is an AWS account and the resources within it, configured to run an application. Users make requests (via Service Catalog) for new environments and Control Tower uses automated workflows to provision them - see also the blog: aws.amazon.com/blogs/aws/aws-control-tower-set-...

    Steef-Jan
