In this AWS tutorial, you'll learn about AWS Control Tower and how you can use it to manage and govern many AWS accounts. You'll also have an opportunity to follow along as we show you how to create a Landing Zone using AWS Control Tower.
👉 Control Tower creates a well-architected, multi-account baseline based on AWS best practices
👉 And that's known as a landing zone
👉 Guardrails are used for governance and compliance:
-
Preventive guardrails: Those are based on service control policies (SCPs), and they're there to disallow API actions
-
Detective guardrails: Those are implemented using AWS Config rules and Lambda functions,
and they're there to monitor and govern compliance within the landing zone.
👉 The root user in the management account can perform actions that guardrails
would disallow. This is the same concept as with AWS Organizations, where the SCPs cannot
affect the root user in the management account.
In this tutorial, I'm going to show you the process Setting up a Landing Zone using AWS Control Tower for setting up a landing zone using AWS Control Tower.
- Navigate to your console, search for "AWS Control Tower" then click on "Set up Landing Zone"
NOTE: when we create our configuration in Control Tower, it's known as a landing zone, and that's the number of accounts and configurations that are applied. Essentially, Control Tower is going to have the ability to govern your resources across accounts and organizational units, but it's not going to take control of everything by default.
- Review Pricing and Select Regoin
A. We need to define our "Home region". I'll leave mine on 'US East (North Virginia)
B. The region deny setting can prohibit access to services based on your configuration. So, if you enable that, then you can define which regions you want to actually control and the preventive guardrails you want to use. I'm going to leave that one as not enabled. You can also select additional regions now for governance. So, initially, it's just going to be 'US East (North Virginia)'. Let's click on 'Next'
- Configure Organizational unit Structure
A. we can define the organizational unit structure. The foundational OU, which is called 'Security' in this example, is where we're actually going to have two shared accounts that will be the log archive account and the security audit account.
B. Then, you can also create an additional OU if you wish to. This one's called 'Sandbox', and you can create an account in there after setup, which you can then use for any kind of dev/test workloads. Let's just leave the defaults, and I'm going to click on 'Next'
- Configure the Shared Accounts and Encryption Settings
A. We can configure the shared accounts and Configure the Shared Accounts and Encryption Settings encryption settings. Now, we don't have anything to change for the management account. That will be this account that I'm logged in with.
B. The log archive account is a repository for logs of api activities and resource configurations from all accounts in the landing zone.
C. The audit account is a restricted account that gives your security and compliance teams read and write access to all accounts in your landing zone
Let's provide email addresses for the log archive and audit accounts
D. Next, give aws control tower permissionto administer aws resources and enforce rules on your behalf and then finish setting up the landing zone.
NOTE: Once your Control Tower configuration, your landing zone, has been created, you'll see this message confirming what's happened, you can see the control tower dashboard:
- 2 organizational units have been created,
- 3 shared accounts, a native cloud directory with pre-configured groups, and single sign-on access
- 20 preventive guardrails to enforce policies and two detective guardrails to detect configuration violations
👉 On the organizational units screen you can see the new OUs and your existing organizational units which remain unchanged from before control tower was set up because they are not managed by aws control tower
👉 Let's look at the account factory:
The account factory enables you to create standardized baselines and network configurations for accounts in your organization let's see how you can use it to quickly enroll a new account in your organization.
A. To enroll a new account in your organization, choose "account factory" then click on "Create account"
B. As a best practice for a well-architected multi-account environment aws control tower will set up accounts that offer isolated environments for specialized roles in your organization
-
Let's provide the basic information for the account including the account email address and display name
-
Next we'll designate the sso email and username next provide the first and last name intended for creating an aws sso user
-
Let's retain sandbox as the organizational unit and enroll the account you can monitor the creation of the account from aws service catalog
After a few minutes you can refresh the view to ensure the account is ready to use here you can see the newly enrolled account.
That's it for this tutorial. We've set up a landing zone, and I've shown you around some of the basic configuration settings of your landing zone. And if you have set up in your account, then it's a good opportunity to play around a bit further and really understand how it all works.
All services used are eligible for the AWS Free Tier. However, charges will incur at some point so it's recommended that you shut down resources after completing this tutorial.