Control Tower

Leverage AWS ControlTower to create a set of Core AWS accounts and setup additional accounts for shared services such as build tools and individual environments for your workload. If you currently only have one account, create a new AWS account for your Control Tower management account and invite your existing account to join as a legacy AWS account. You can then migrate your workload to new accounts over time.

Control Tower applies a number of Service Control Policies to all accounts in your AWS Organization. This will prevent modification of AWS CloudTrail trails and AWS Config rule sets in addition to a number of actions on resources matching the pattern ‘*aws-controltower* or ‘*AWSControlTower*’. If you are enabling Control Tower in an existing account you can use an AWS Config conformance pack to evaluate how your accounts may be affected by some AWS Control Tower guardrails. See AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack.

Walk through

1. Understand best practices for your AWS environment and plan your landing zone. If you are building your own landing zone you should mirror the landing zone structure. This structure has a root account, specific accounts for logging and auditing, and allows for you to create an account per workload environment. If you are currently operating in a single account it is best practice to sign up for a new management account to enable Control Tower in and invite the existing account to join as a legacy account. This will allow you to continue to use your existing account as is but still apply baseline security controls and logging to it. If you are currently leveraging AWS Organizations it is best practice to sign up for a new management account if your current management account is used for purposes other than enabling Organizations and sharing identity. The only resources in your management account are those for enabling Control Tower, other guard rails and identity.

2. (If required) Sign up for a new management account

3. Enable Control Tower on the management account for your organization

   • If you have an existing organization refer to the documentation on applying Control Tower to existing organizations
   • If you are not leveraging Control Tower, create an AWS Organization in the root account

4. Invite any existing AWS accounts by enrolling an existing account in Control Tower. If you are not using Control Tower then invite an existing account to join your organization

5. For each additional AWS account required use the account factory to create a new account. Consider applying best practices as a baseline such as lock away your AWS account root user access keys and using multi-factor authentication. If you are not leveraging Control Tower then

   • Create a new account in organizations. Make note of the organizations account access role.
   • Create a new IAM role in the root account that has permission to assume that role to access the new AWS account *. Setup a logging account, secure Amazon S3 bucket and turn on your AWS Organization CloudTrail