As organizations grow, handling their cloud infrastructure becomes more complex and there’s a bigger need to keep things safe and organized. Using multiple AWS accounts is like having separate boxes for different things. For example:
Production Account: This box holds important stuff and makes sure only authorized people can access it.
Testing Account: Here, developers can play around without affecting the important stuff in the production box.
Backup Account: This one is like a replication of critical data in case something goes wrong with the other boxes.
Using different accounts like this helps keep things safe and makes it easier to manage everything. In our blog, we’ll look at AWS Control Tower, a tool that helps manage these boxes. We’ll see how to set it up and use it to make sure each box is doing its job well. It’s like having a smart helper to keep things organized and secure in the cloud.
Why Use AWS Control Tower?
In our organization, we handle various AWS accounts, and handling them all separately can be tough and take up a lot of time. Having many accounts also means we need more people to manage them and more time to do things like controlling who can use them and keeping them secure.
Tasks like managing who can use the accounts, making sure they’re secure, sharing resources, and keeping track of costs need to be done for each account separately. This can make things complicated and need a lot of time and effort.
To make things simpler, we have AWS Control Tower. It’s like having a helper that makes sure all our accounts are organized well. It helps create and manage accounts, groups them together, handles the bills, and makes sure everything is running smoothly. With AWS Control Tower, we can manage all our AWS accounts in one place and save time and effort.
Set up AWS Control Tower
Let’s go through the process step by step. Here’s how you can do it:
Open the AWS Management Console using the AWS account where you want to set up AWS Control Tower. This account is known as the Management account.
Once you’re logged in, you’ll find AWS Control Tower in the console. Set up AWS Control Tower by configuring and launching your landing zone from the Management account.

Step 1: Review Pricing and select Regions
This page lists the AWS services that AWS Control Tower uses on your behalf; you pay for your usage of those services rather than for Control Tower itself.

Next, in the “Home Region” section, choose your designated home region.
This region is where resources for your shared accounts are created by default. In the region deny setting, choose “Enabled” to block access to regions that Control Tower does not govern. Choosing “Not Enabled” leaves this guardrail off for registered Organizational Units (OUs), so resources can be deployed in regions outside the ones AWS Control Tower governs.
The default setting for this control is “Not Enabled.”
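The region deny control is enforced as a service control policy (SCP) attached to the registered OUs. The block below is an added example, not the policy AWS Control Tower actually deploys: it models a simplified SCP of that shape (a Deny on every action except a list of global services, conditioned on `aws:RequestedRegion` and exempting the `AWSControlTowerExecution` role) and a small evaluator so you can see which requests the guardrail would block. The governed regions, the exempt service list and the test principals are constructed assumptions.

```python
"""Simplified model of a region-deny guardrail expressed as an SCP (illustrative only;
the real AWS Control Tower policy is longer and its exemption lists differ)."""
import json
from fnmatch import fnmatchcase

# Constructed assumption: home region plus one additional governed region.
GOVERNED_REGIONS = ["us-east-1", "us-west-2"]

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRREGIONDENY",
            "Effect": "Deny",
            # Global services have no meaningful region, so they are exempted via NotAction.
            # This list is an illustrative subset, not the complete set used by Control Tower.
            "NotAction": [
                "iam:*", "sts:*", "organizations:*", "cloudfront:*",
                "route53:*", "support:*", "budgets:*", "health:*",
            ],
            "Resource": "*",
            "Condition": {
                # Deny when the request targets a region outside the governed list ...
                "StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS},
                # ... unless the caller is the role Control Tower uses in member accounts.
                "ArnNotLike": {
                    "aws:PrincipalARN": ["arn:aws:iam::*:role/AWSControlTowerExecution"]
                },
            },
        }
    ],
}


def _matches_any(value, patterns):
    """IAM-style wildcard match ('*' and '?') against a list of patterns."""
    return any(fnmatchcase(value, p) for p in patterns)


def is_denied_by_region_guardrail(action, region, principal_arn, policy=REGION_DENY_SCP):
    """Return True if the modelled SCP explicitly denies `action` in `region` for `principal_arn`.

    Only the Deny / NotAction / Condition shape used above is evaluated. A real SCP
    evaluation also needs an Allow statement somewhere in the OU path; that part is
    out of scope here because the guardrail under discussion is purely a Deny.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if _matches_any(action, stmt.get("NotAction", [])):
            continue  # exempt global-service action
        cond = stmt.get("Condition", {})
        allowed_regions = cond.get("StringNotEquals", {}).get("aws:RequestedRegion", [])
        if region in allowed_regions:
            continue  # request is inside a governed region
        exempt_arns = cond.get("ArnNotLike", {}).get("aws:PrincipalARN", [])
        if _matches_any(principal_arn, exempt_arns):
            continue  # exempt principal
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(REGION_DENY_SCP, indent=2))
    dev = "arn:aws:iam::111122223333:role/Developer"  # constructed principal
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    for action, region, who in [
        ("ec2:RunInstances", "eu-west-1", dev),
        ("ec2:RunInstances", "us-east-1", dev),
        ("iam:CreateUser", "eu-west-1", dev),
        ("ec2:RunInstances", "eu-west-1", ct),
    ]:
        verdict = "DENIED" if is_denied_by_region_guardrail(action, region, who) else "not denied"
        print(f"{action:18} {region:15} {who.rsplit('/', 1)[-1]:26} -> {verdict}")
```

The evaluator makes the two subtleties of the control visible: global services such as IAM are never blocked even though every request to them is attributed to a region, and the control does not grant access on its own, it only subtracts from whatever the account’s IAM policies and other SCPs allow.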

Step 2: Configure Organizational Units
During this stage, the Foundational Organizational Unit (OU) is shown, labeled as the Security OU. You can rename it or keep the default name.
Under Additional Organizational Unit (OU), you can create a new OU intended for development workloads. If you already have a suitable OU in AWS Organizations, you may skip creating an Additional OU in AWS Control Tower.

Step 3: Configure Shared accounts
Now provide two AWS accounts, one for log archiving and the other for audit purposes. You can either create new accounts or use existing ones. If you choose to create new shared accounts, make sure the email addresses have not previously been associated with other AWS accounts.

Step 4: Additional Configuration
In this phase, you are presented with the option to determine how AWS Control Tower establishes access to AWS accounts. You can either let AWS Control Tower manage this through AWS Identity and Access Management (IAM), or you can choose to independently oversee account access using AWS IAM Identity Center users, roles, and permissions that you can customize.
By default, AWS Control Tower configures AWS IAM Identity Center for your landing zone.
For AWS CloudTrail Configuration, you can toggle between “Enabled” and “Not Enabled.” The default setting is “Enabled.”
You can customize the Amazon S3 log retention policy in the Log Configuration section. By default, the retention period is one year for standard account logging and 10 years for access logging.
You can also enable and customize encryption settings under KMS Encryption by selecting a checkbox. By default, this option is unchecked.


Step 5: Review and setup the Landing Zone
After reviewing all your configurations, confirm your choices and proceed by clicking on “Set up a landing zone.” Please note that the setup process will require approximately 30 minutes to establish all the necessary resources in your landing zone.
Once the landing zone setup is complete, you’ll gain access to a comprehensive dashboard. This dashboard will provide you with a detailed overview of various elements, including Organizational Units (OUs), shared accounts, and control mechanisms.
Account Management with AWS Control Tower
After successfully setting up AWS Control Tower, you gain the ability to perform various actions on member accounts using the account factory. This includes creating, updating, unmanaging, closing, and relocating accounts across organizational units (OUs). The account factory facilitates the provision of new AWS accounts that automatically inherit policies from the management account.
Grouping Accounts for Organization
With AWS Control Tower, you can group accounts into organizational units (OUs) based on your organization’s structure or needs. OUs act as containers for AWS accounts, enabling distinct policies and guardrails to be applied to specific account groups. You can establish, remove, and register OUs within the AWS Control Tower’s organization panel. For existing organizations, registering existing OUs and their associated accounts is also possible.
Implementing Guardrails
AWS Control Tower offers a predefined set of guardrails that enforce compliance and best practices across member accounts. By default, 20 preventive controls and 3 detective controls are applied to ensure adherence to best practices. Guardrails consist of predefined rules that ensure governance and compliance. You also have the flexibility to tailor these guardrails according to your organization’s unique needs.
Centralized Billing and Cost Management
The option to set up consolidated billing for all AWS accounts allows you to monitor spending collectively, simplifying cost tracking and management across various workloads. Centralized billing enables comprehensive auditing of expenses from a single dashboard.
Logging and Monitoring
When your landing zone is set up, a dedicated shared log archive account is created to capture logs from the member accounts and the management account. These logs let you review actions and events. Management account actions and events are accessible via the Activities page, while member account actions and events are viewable in the log archive files.
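The log archive files are CloudTrail log objects (gzipped JSON with a `Records` list). What a practitioner does with them is run checks over the records. The block below is an added example, not part of the original post or of AWS Control Tower: it parses a constructed CloudTrail log and flags three things a multi-account review usually cares about, root-user activity, console logins without MFA, and API calls aimed at regions outside the governed set (including calls the region deny guardrail already refused, which are still worth a look). The account ID, IP addresses, principals and governed regions are constructed sample values.

```python
"""Review CloudTrail records from a log-archive file for a few high-signal conditions.
Added example; the sample log is constructed and uses documentation placeholder values."""
import json

# Constructed assumption: the landing zone's home region plus one governed region.
GOVERNED_REGIONS = {"us-east-1", "us-west-2"}

# Constructed sample log in the shape CloudTrail writes to the log archive bucket
# (real files are gzipped; gunzip first, then parse the JSON object).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"}},
    {"eventTime": "2024-01-10T09:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root",
                      "accountId": "111122223333"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T09:07:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-01-10T09:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "ap-southeast-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Developer/alice"},
     "errorCode": "AccessDenied",
     "errorMessage": "explicit deny in a service control policy"},
]})


def parse_cloudtrail_log(text):
    """Return the list of records from the JSON body of one CloudTrail log file."""
    return json.loads(text)["Records"]


def review_records(records, governed_regions=GOVERNED_REGIONS):
    """Return (rule, detail, principal) findings for each record that trips a check."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("arn", ident.get("accountId", "unknown"))
        event = rec.get("eventName", "?")
        # Root should be untouched in a Control Tower member account; any use is reviewable.
        if ident.get("type") == "Root":
            findings.append(("root-activity", event, who))
        # Console sign-ins record whether MFA was used; anything but "Yes" is a finding.
        if event == "ConsoleLogin" and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            findings.append(("console-login-without-mfa", event, who))
        # Requests to non-governed regions: the preventive guardrail should have denied them,
        # but the attempt itself (denied or not) tells you someone or something is misconfigured.
        if rec.get("awsRegion") not in governed_regions:
            outcome = "denied" if rec.get("errorCode") else "succeeded"
            findings.append(("non-governed-region", f"{event} ({outcome})", who))
    return findings


if __name__ == "__main__":
    for rule, detail, who in review_records(parse_cloudtrail_log(SAMPLE_LOG)):
        print(f"{rule:26} {detail:24} {who}")
```

The first record (a developer launching an instance in the home region with MFA-backed credentials) produces nothing, which is the point of such a check: the noise stays out and the three conditions above are what reach a reviewer. A succeeded event in a non-governed region would indicate the preventive control is not attached to that account’s OU.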
Robust Monitoring and Management
AWS Control Tower offers various tools, including Amazon CloudWatch and AWS CloudTrail, for monitoring resources and activities within your landing zone. Control status and account health are visible in the AWS Control Tower console. Additionally, the environment summary dashboard shows vital information such as the controls summary, non-compliant resources, organizational units, and AWS accounts.
In Conclusion
AWS Control Tower serves as an invaluable solution, providing a comprehensive toolkit and best practices for secure management of multi-account AWS environments. It streamlines the creation and management of AWS accounts, promoting consistent governance, heightened security through security-related guardrails, simplified resource oversight, and improved cost efficiency across your AWS accounts.