DEV Community

Asanka Boteju
Asanka Boteju

Posted on • Edited on

Orchestrate your Organization around Best Practices, Security, Audit & Account Management using AWS Control Tower

Image description

AWS Control Tower

Is your organization considering a large-scale AWS deployment where you will need to manage, administer, and govern multiple account structures to match the different needs of your business units and groups within your organization?

Then, you can leverage free AWS native tools such as AWS Organizations and Control Tower (a.k.a. Landing Zone) to help you centrally orchestrate security, auditing, billing, regulatory, and compliance across your AWS accounts with the help of numerous other AWS services such as AWS SSO, AWS Identity Centre, AWS Service Catalog.

You can enforce guard rails, both detection only and preventive to protect your organizations and accounts against malicious security threats while staying compliant. and to support compliance and governance AWS Control Tower service will automatically provision its own accounts such as "Log Archive Account" and "Audit Account" and services like Cloud Watch, Cloud Trail, and Log Aggregation services within your AWS Management Accounts control boundary when you enable the Control Tower feature.

Apart from the above-mentioned automatically provisioned services, any AWS resource/service you need as an AWS Customer can be created in the Custom OU area and you AWS Admin users can help you define your own OUs (Organizational Units) depending on your Businesses / Organization’s needs.

For example, you can define your AWS resources used in Dev/Test/Research/Production purposes into its own OU for better visibility and management. Hence, planning the OU and AWS Account structure to suit your organization is something you should definitely consider before bringing the structure into place in AWS.

Once the OUs are defined by your admins, then they can define and apply SCPs (Service Control Policies, Tag Policies, etc) to control what the users within the OUs you define are allowed to do and not allowed to do.

For instance, if you want to control the users of a particular OU only to be able to create EC2 instances of a specific size “t2. micro” you can define a policy and apply that to the respective OU. Then any user who wants to create an EC2 instance will be able to create an EC2 instance of the “t2. micro” type only.

In Summary, AWS Control Tower orchestration extends the capabilities of AWS Organizations and provides preventive and detective guardrails to help keep your organizations and accounts from divergence from best practices.

Below are some of the key features the AWS Control Tower provides you;

  • Audit accounts based on a Well-Architected Framework created automatically from Best Practices Blueprints.

  • Dealing with Federated Identity and Dealing with Multi-Account scenarios for Security Compliance and Governance.

  • Helps to audit and deal with security drifts within your organizations.

  • Provide SSO Integration for users, groups, and permissions.

  • Guardrails to help you keep your user roles attached to Control Tower for compliance with your organization's security and regulatory needs.

  • Continual oversight of your Accounts and AWS Organization for security. Govern policies, users, roles, and resources. Implement security Detection / Prevention controls.

  • Further, you can plug in your own Active Directory into AWS SSO and configure it to work directly with your system regardless of whether it's Cloud Managed Active Directory or On-Prem managed Active Directory Service.

Useful Tips when Setting up Your Control Tower / Landing Zone;

  • Set up a Landing Zone in your home region where most of your workloads operate.

  • When deploying new Accounts, deploy from the Landing Zone region.

  • Avoid moving your Audit and other shared resources from your home region.

  • Be extra careful when deleting IAM Roles related to Control Tower management and governance purposes to prevent any accidental failures that will bring your Control Tower to an inconsistent / not functioning state.

  • Do not disallow any regions with SCP (Service Control Policies) or STS (Simple Token Service).

  • Make sure to Activate STS in the Management Account to avoid any issues when these compliance policies are being evaluated on the resources, services, and entities.

"Thank you for spending a moment to read this blog post."

_      Happy Cloud Computing with AWS!_
Enter fullscreen mode Exit fullscreen mode

Top comments (0)