AWS Announces General Availability of AWS Control Tower
June 2019 by Marc Jacob
Amazon Web Services Inc., an Amazon.com company, announced the general availability of AWS Control Tower, a service that makes it easy for customers to set up and continuously govern secure, compliant multi-account AWS environments. AWS Control Tower gives customers an automated landing zone – a pre-configured environment built according to AWS best practices – as well as a pre-packaged set of guardrails – clearly defined rules for security, operations, and compliance – that provide ongoing governance. Customers can use AWS Control Tower to deploy their new multi-account environment with just a few clicks in the AWS Management Console. There are no additional charges or upfront commitments required to use AWS Control Tower, and customers pay only for AWS services enabled in order to set up their landing zone and operate their guardrails.
Organizations migrating to AWS often need to manage a large number of accounts across distributed teams. AWS’s existing management and governance services, such as AWS Organizations and AWS Config, give customers granular control over their environments, but many organizations also want more prescriptive guidance and help setting up a secure environment spanning many accounts. Customers also want to ensure that they’re using all the right tools and that they understand how those tools can create and enforce central policies for their teams to deploy workloads in a secure and compliant way. And of course they want to do all of this without sacrificing the speed, agility, and fine-grained control that AWS provides.
AWS Control Tower addresses these challenges by enabling central cloud teams to automatically deploy a single landing zone where their teams can provision accounts and workloads according to industry and AWS standards for identity, federated access, and account structure. The landing zone employs best-practices blueprints, such as configuring a multi-account structure using AWS Organizations, managing user identities and federated access with AWS Single Sign-On, provisioning accounts using an account factory through AWS Service Catalog, centralizing a log archive using AWS CloudTrail and AWS Config, and much more. AWS Control Tower offers a curated set of guardrails which are based on AWS best practices and common customer policies for governance. Guardrails establish a configuration baseline, prevent the deployment of resources that don’t conform to these policies, and continuously monitor deployed resources for non-conformance. The landing zone features a standard set of default guardrails, and customers can enforce more granular governance by applying recommended guardrails to groups of accounts at any time. Guardrails for an organization remain in effect as new accounts are created or existing accounts change. All of this can be easily managed and monitored through the AWS Control Tower dashboard, providing customers with centralized visibility into their AWS environment, including information about accounts provisioned, guardrails enabled, and the guardrail compliance status of accounts.