AWS Control Tower features
Landing Zone
A landing zone is a well-architected, multi-account AWS environment based on security and compliance best practices. AWS Control Tower automates the setup of a landing zone using best-practice integrations for identity, federated access, central data backup, and account structure. This can be deployed on a new or existing AWS Organization.
Examples of pre-defined integrations include:
- AWS Organizations: Use AWS Control Tower best practice organization structure to create recommended organizational units and shared accounts in accordance with the AWS multi-account strategy.
- IAM Identity Center: Configure access to governed AWS accounts with the IAM Identity Center groups and permission sets that AWS Control Tower creates automatically, or choose to self-manage access.
- AWS Config: AWS Config records the configuration of resources in the accounts of the organizational units you specify and powers detective controls.
- AWS Backup: Applying the AWS Backup plan through AWS Control Tower keeps backups consistent across all accounts, in line with best-practice recommendations from AWS Backup.
- AWS CloudTrail: AWS CloudTrail provides centralized logging that tracks actions and API activity across your organization's AWS accounts, storing the log files in an Amazon S3 bucket where you can review them.
Within your landing zone you can optionally configure log retention, AWS CloudTrail trails, AWS KMS Keys, and AWS account access. The landing zone set up by AWS Control Tower is managed using a set of mandatory and optional controls. Mandatory controls are always applied on your behalf by AWS Control Tower, while optional controls can be self-selected based on your unique needs to ensure accounts and configurations comply with your policies.
Account Factory
The account factory automates provisioning of new accounts in your organization. As a configurable account template, it helps you standardize provisioning of new accounts by starting from the AWS Control Tower predefined account with its default resources, configurations, and VPC settings. You can also define and implement your own custom account resources and requirements in addition to the pre-approved account configurations. By configuring your account factory with pre-approved network configuration and AWS Region selections, you enable self-service for your builders to configure and provision new accounts. Additionally, you can take advantage of AWS Control Tower solutions, such as Account Factory for Terraform, to automate in Terraform the provisioning and customization of an account managed by AWS Control Tower so that it meets your business and security policies before it is delivered to end users.
Comprehensive Controls Management
Comprehensive controls management in AWS Control Tower helps you reduce the time it takes to define, map, and manage the controls required to meet your most common control objectives such as enforcing least privilege, restricting network access, and enforcing data encryption.
Controls are prepackaged governance rules for security, operations, and compliance that you can select and apply enterprise-wide or to specific groups of accounts. A control is expressed in plain English and enforces a specific governance policy for your AWS environment that can be enabled within an AWS Organizations organizational unit (OU). Controls can be detective, preventive, or proactive and can be either mandatory or optional.
Detective controls (for example, Detect whether public read access to Amazon S3 buckets is allowed) continuously monitor deployed resources for nonconformance. Preventive controls establish intent and prevent deployment of resources that don’t conform to your policies (for example, Enable AWS CloudTrail in all accounts). Proactive control capabilities use AWS CloudFormation Hooks to proactively identify and block the CloudFormation deployment of resources that are not compliant with the controls you have enabled. You can disallow actions that lead to policy violations and detect noncompliance of resources at scale. In addition, you get updated configurations and technical documentation so you can more quickly benefit from AWS services and features.
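To make the distinction between detective and proactive evaluation concrete, here is an added illustration; it is not AWS Control Tower's own code. It applies one "no public read on S3 buckets" rule at two points in time: over a CloudFormation template before deployment, the way a CloudFormation Hook-backed proactive control would block a non-conforming resource, and over the recorded state of already-deployed buckets, the way a detective control reports nonconformance. The template layout is standard CloudFormation; the rule logic, the bucket-state records, the bucket names and the `SAMPLE_*` data are constructed for this example, and the rule is deliberately conservative (a bucket without a full PublicAccessBlock configuration is flagged even though account-level settings might still shield it).

```python
"""Constructed example: one S3 public-read rule evaluated proactively
(over a CloudFormation template) and detectively (over deployed state).
Not AWS code; shapes and sample data are assumptions for illustration."""
from typing import Any

# Canned ACLs that grant read to everyone.
PUBLIC_READ_ACLS = {"PublicRead", "PublicReadWrite"}
# All four flags must be true for the bucket to be considered shielded.
PAB_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
             "IgnorePublicAcls", "RestrictPublicBuckets")


def bucket_allows_public_read(props: dict[str, Any]) -> list[str]:
    """Return the reasons a bucket definition permits public read.
    An empty list means the bucket passes the rule."""
    reasons = []
    acl = props.get("AccessControl")
    if acl in PUBLIC_READ_ACLS:
        reasons.append(f"canned ACL {acl} grants public read")
    pab = props.get("PublicAccessBlockConfiguration") or {}
    missing = [f for f in PAB_FLAGS if pab.get(f) is not True]
    if missing:
        reasons.append("PublicAccessBlock not fully enabled: " + ", ".join(missing))
    return reasons


def proactive_check(template: dict[str, Any]) -> dict[str, list[str]]:
    """Evaluate every AWS::S3::Bucket in a CloudFormation template before
    deployment. A non-empty result means the deployment would be blocked."""
    findings = {}
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::S3::Bucket":
            continue  # the rule only concerns buckets
        reasons = bucket_allows_public_read(res.get("Properties", {}))
        if reasons:
            findings[logical_id] = reasons
    return findings


def detective_check(deployed: list[dict[str, Any]]) -> dict[str, list[str]]:
    """Evaluate recorded state of already-deployed buckets (constructed
    records, keyed by bucket name) and report nonconforming ones."""
    findings = {}
    for item in deployed:
        reasons = bucket_allows_public_read(item["configuration"])
        if reasons:
            findings[item["bucketName"]] = reasons
    return findings


# Constructed template: one compliant bucket, one public bucket, one
# unrelated resource that the rule must ignore.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogsBucket": {
            "Type": "AWS::S3::Bucket",
            "Properties": {
                "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS},
            },
        },
        "WebAssets": {
            "Type": "AWS::S3::Bucket",
            "Properties": {"AccessControl": "PublicRead"},
        },
        "Queue": {"Type": "AWS::SQS::Queue", "Properties": {}},
    }
}

# Constructed bucket-state records, as a detective control would see
# them after deployment (one flag was switched off post-deployment).
SAMPLE_DEPLOYED = [
    {"bucketName": "logs-prod", "configuration": {
        "PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}},
    {"bucketName": "assets-prod", "configuration": {
        "AccessControl": "PublicRead",
        "PublicAccessBlockConfiguration": {
            f: True for f in PAB_FLAGS if f != "IgnorePublicAcls"}}},
]

if __name__ == "__main__":
    for name, result in proactive_check(SAMPLE_TEMPLATE).items():
        print(f"BLOCK {name}: {'; '.join(result)}")
    for name, result in detective_check(SAMPLE_DEPLOYED).items():
        print(f"NONCOMPLIANT {name}: {'; '.join(result)}")
```

The point of sharing `bucket_allows_public_read` between the two paths is that the control objective is the same; what differs is when it is evaluated. The proactive path stops `WebAssets` from ever being created, while the detective path can only report `assets-prod` after its configuration drifted, which is why a mature landing zone enables both kinds for the same objective.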
Dashboard
Solutions for AWS Control Tower in AWS Marketplace
AWS Marketplace offers integrated third-party software solutions for AWS Control Tower. Built by independent software vendors, these solutions help solve infrastructure and operational use cases including security for a multi-account environment, centralized networking, operational intelligence, and Security Information and Event Management (SIEM).