Mastering Governance & Compliance: An Introduction to AWS Control Tower
by James Crowley, Senior Enterprise Architect, SourceFuse
The article below gives a brief introduction to Control Tower and the most popular open-source options for automating landing zones in AWS.
What is AWS Control Tower?
AWS Control Tower is a managed AWS service that orchestrates the setup and ongoing governance of a multi-account AWS environment through a landing zone. A landing zone is a well-architected multi-account baseline: the organization structure, the shared security and logging accounts, identity, networking, and the controls that every account inherits. Control Tower implements little of this itself; it orchestrates other AWS services on your behalf to build and maintain the landing zone. A typical landing zone implementation uses a combination of the services below:
- AWS IAM Identity Center
- AWS Organizations
- AWS Service Catalog
- AWS CloudFormation
- CloudTrail
- CloudWatch
- AWS Config
- IAM
- KMS
- Lambda
- S3
- Security Hub
- SNS
- Step Functions
What are the benefits of using Control Tower?
- Centralized governance and standardized security — Control Tower lets you apply controls (formerly called guardrails) consistently across every account in the organization: preventive controls implemented as Service Control Policies (SCPs), which block an action before it happens, and detective controls implemented as AWS Config rules, which flag resources that fall out of compliance. For organizations that treat security as a top priority, standardization is what makes compliance and breach prevention tractable at scale: a control that is enabled in one account and forgotten in another is not a control. Control Tower gives you a centralized view of findings via Security Hub, which can enable the following standards out of the box:
  - AWS Foundational Security Best Practices v1.0.0
  - PCI DSS v3.2.1
  - CIS AWS Foundations Benchmark v1.4.0
  - NIST Special Publication 800-53 Revision 5
- Automated account provisioning and baselining — new workload accounts are created through Account Factory and enrolled with the baseline controls automatically. Control Tower also detects drift (changes made outside Control Tower to the organization, its OUs, accounts, or controls) and reports it in the dashboard; repairing drift is a deliberate step, typically re-registering the affected OU or re-enabling the control.
- Cost visibility — because every account lives in one organization with consolidated billing, AWS Cost Explorer and AWS Budgets in the management account give you a single pane of glass for spend across the landing zone.
- Enhanced collaboration — shared resources and services (a central network or log-archive account, for example) are simple to implement, which makes economies of scale easier to achieve.
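Control Tower's preventive controls are ordinary SCPs, and the most useful thing to understand about them is how they are evaluated: an explicit Deny whose action, resource and condition all match blocks the call for every principal in a member account, root included, and Control Tower exempts only its own execution role through an ArnNotLike condition. The block below is an added example written for this article, not code from the page, from AWS or from SourceFuse. The policy is a constructed document modelled on the mandatory "Disallow changes to CloudTrail" control (the trail-name prefix and role name are assumptions), and the evaluator is a deliberately simplified SCP check that handles only Deny statements and the ArnLike/ArnNotLike operators.

```python
"""Simplified evaluation of a deny-only SCP against a single API call.

Added example, not Control Tower's own code. The policy below is modelled on
the Control Tower CloudTrail guardrail (assumption: the real policy may differ
in detail); the evaluator implements IAM-style wildcard matching and only the
ArnLike/ArnNotLike condition operators.
"""
import re

# Constructed policy document; trail prefix and role name are assumptions.
CLOUDTRAIL_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GRCLOUDTRAILENABLED",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:DeleteTrail",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:StopLogging",
                "cloudtrail:UpdateTrail",
            ],
            "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
                }
            },
        }
    ],
}


def _matches(pattern, value, case_sensitive=True):
    """IAM-style glob: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.match(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Condition keys are case-insensitive; only Arn(Not)Like is implemented."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            value = context.get(key.lower(), "")
            hit = any(_matches(p, value) for p in _as_list(patterns))
            if operator == "ArnLike" and not hit:
                return False
            if operator == "ArnNotLike" and hit:
                return False
    return True


def scp_denies(policy, action, resource, principal_arn):
    """Return the Sid of the Deny statement that blocks the call, else None.

    An SCP never grants access on its own, so only explicit Deny statements are
    evaluated; the caller still needs an Allow in its identity policy. Actions
    match case-insensitively, resources case-sensitively, as in IAM.
    """
    context = {"aws:principalarn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not any(_matches(a, action, case_sensitive=False) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return stmt.get("Sid")
    return None


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/aws-controltower-BaselineCloudTrail"
    dev = "arn:aws:iam::111122223333:role/Developer"
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    print(scp_denies(CLOUDTRAIL_GUARDRAIL, "cloudtrail:StopLogging", trail, dev))  # GRCLOUDTRAILENABLED
    print(scp_denies(CLOUDTRAIL_GUARDRAIL, "cloudtrail:StopLogging", trail, ct))   # None
```

Two practitioner caveats follow directly from the evaluation logic. The exemption keys on the AWSControlTowerExecution role, so anyone who can assume that role can stop the baseline trail; protect it, and alert on sts:AssumeRole into it, as carefully as the management account itself. And SCPs do not apply to the management account at all, which is one reason workloads should never run there.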
What are my options for Infrastructure as Code and Control Tower?
Customizations for AWS Control Tower (CfCT) — CloudFormation-based solution.
Control Tower Account Factory for Terraform (AFT) — Terraform-based solution.
Landing Zone Accelerator (LZA) — AWS CDK-based solution.
We typically prefer the LZA and AFT over the CfCT, but we are proficient in all three. For more information, visit our implementation guides for the AFT and LZA:
1. AFT
2. Landing Zone Accelerator
3. GitHub — sourcefuse/arc-lza-config: Bootstrap config files for AWS LZA
Why the LZA vs CfCT/AFT?
The CfCT and AFT solve the same problem: vending accounts through Account Factory and applying per-account customizations (CloudFormation templates for the CfCT, Terraform for the AFT). Neither ships an opinionated security baseline, so building a holistic solution on them requires additional effort to author the logging, networking, and policy layers yourself. Both work very well for lightweight or smaller AWS implementations.
The LZA, on the other hand, ships with a set of sample configurations that enable enterprises with complex governance and security compliance requirements to implement their landing zones at scale. Note the accelerator in the name: the LZA helps you reach compliance, but it does not make you compliant. Review the sample configurations against your organization's security standards before deploying them.
The LZA sample configurations are listed below.
- AWS Best Practices — the foundational configuration that serves as the baseline for all the others, and the one most easily extended to the specifics of your workloads. The baseline cost for the best-practices LZA is ~$450/mo; expect it to scale with the number of accounts and enabled Regions, since most of the underlying services bill per account per Region. The dimensions for the cost calculation are documented in the LZA implementation guide. The configuration provides:
  - Centralized logging and auditing
  - Security Hub enabled with the following standards:
    - AWS Foundational Security Best Practices v1.0.0
    - PCI DSS v3.2.1
    - CIS AWS Foundations Benchmark v1.4.0
    - NIST Special Publication 800-53 Revision 5
  - Transit Gateway and VPC endpoints for enhanced network security
  - Several OUs for workload, security, and auditing segregation across accounts
  - Canned policies for:
    - IAM
    - SCPs
    - Firewall rules
    - Backup
  - SSM Documents for:
    - S3 encryption
    - ALB logging
- Canadian Centre for Cyber Security (CCCS) Cloud Medium — Opinionated architecture that was collaboratively designed with CCCS and the Government of Canada’s Treasury Board Secretariat.
- AWS Best Practices for China
- Education Landing Zone Accelerator — Industry-specific LZA implementation intended for education organizations.
- LZA on AWS for Election — Reference architecture intended for use in elections by customers such as Committees and Campaigns, Federal, State, and Local election agencies, and Independent Software Vendors (ISVs) who produce solutions for election customers.
- LZA on AWS for Finance (Tax) — Reference architecture to secure Federal Tax Information (FTI) data. Since FTI data is typically also used in Finance, the reference architecture can be utilized by those customers as well.
- LZA on AWS for United States (US) Federal and Department of Defense (DoD) — GovCloud reference architecture that follows Federal Risk and Authorization Management Program (FedRAMP), National Institute of Standards and Technology (NIST) 800-53(3), NIST 800-171 Rev. 2, and Cybersecurity Maturity Model Certification (CMMC) Level 3 compliance framework control requirements.
- AWS Best Practices Healthcare — Industry-specific reference architecture that implements controls for HIPAA, NCSC, ENS High, C5, and Fascicolo Sanitario Elettronico.
- Trusted Secure Enclaves Sensitive Edition (TSE-SE) — Reference architecture for national security, defense, and law enforcement organizations that handle sensitive data and implement compliant environments for medium security level profiles.
- LZA on AWS for State and Local Government Central IT — Reference architecture for state and local governments.
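The AWS Best Practices configuration enables the same four Security Hub standards that the benefits section lists. Standards are enabled per Region and can sit in a PENDING or FAILED state, so a landing zone can look compliant in the LZA configuration while the audit account reports something else. The check below is an added example, not code from the page or from the LZA: it compares the StandardsSubscriptions list that securityhub:GetEnabledStandards returns against the expected set for a Region and reports what is missing, not READY, or enabled beyond the baseline. The expected ARN layout and the sample response are constructed here, and the live helper assumes boto3 credentials for the Security Hub administrator (audit) account.

```python
"""Verify that the Security Hub standards a landing zone promises are enabled.

Added example, not LZA or AWS code. Standards ARNs are Region-scoped and carry
no account id; the expected set is the four standards named in the article.
"""
from typing import Dict, Iterable, List

# Standards ARN suffix -> display name, as listed in the article.
EXPECTED_STANDARDS = {
    "aws-foundational-security-best-practices/v/1.0.0": "AWS Foundational Security Best Practices v1.0.0",
    "pci-dss/v/3.2.1": "PCI DSS v3.2.1",
    "cis-aws-foundations-benchmark/v/1.4.0": "CIS AWS Foundations Benchmark v1.4.0",
    "nist-800-53/v/5.0.0": "NIST SP 800-53 Rev. 5",
}


def standards_arn(region: str, suffix: str) -> str:
    """Region-scoped Security Hub standards ARN (the account field is empty)."""
    return f"arn:aws:securityhub:{region}::standards/{suffix}"


def audit_standards(region: str, subscriptions: Iterable[Dict]) -> Dict[str, List[str]]:
    """Compare a GetEnabledStandards response with the expected set for `region`.

    `subscriptions` is the StandardsSubscriptions list from the API. Returns
    the standards that are missing, enabled but not READY, and enabled beyond
    the expected baseline (so reviewers can decide whether they belong).
    """
    expected = {standards_arn(region, s): name for s, name in EXPECTED_STANDARDS.items()}
    seen = {sub["StandardsArn"]: sub.get("StandardsStatus", "UNKNOWN") for sub in subscriptions}
    missing = [name for arn, name in expected.items() if arn not in seen]
    not_ready = [expected[arn] for arn, status in seen.items() if arn in expected and status != "READY"]
    extra = [arn for arn in seen if arn not in expected]
    return {"missing": sorted(missing), "not_ready": sorted(not_ready), "extra": sorted(extra)}


def fetch_subscriptions(region: str) -> List[Dict]:
    """Live variant: run with credentials for the Security Hub administrator account."""
    import boto3  # imported here so the pure check runs without boto3 installed

    client = boto3.client("securityhub", region_name=region)
    subs: List[Dict] = []
    for page in client.get_paginator("get_enabled_standards").paginate():
        subs.extend(page["StandardsSubscriptions"])
    return subs


# Constructed sample response: PCI DSS is absent, CIS 1.4.0 is still enabling,
# and the older global CIS 1.2.0 ruleset was left switched on.
SAMPLE_SUBSCRIPTIONS = [
    {"StandardsArn": standards_arn("us-east-1", "aws-foundational-security-best-practices/v/1.0.0"), "StandardsStatus": "READY"},
    {"StandardsArn": standards_arn("us-east-1", "cis-aws-foundations-benchmark/v/1.4.0"), "StandardsStatus": "PENDING"},
    {"StandardsArn": standards_arn("us-east-1", "nist-800-53/v/5.0.0"), "StandardsStatus": "READY"},
    {"StandardsArn": "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0", "StandardsStatus": "READY"},
]

if __name__ == "__main__":
    print(audit_standards("us-east-1", SAMPLE_SUBSCRIPTIONS))
```

Run the check in every Region the landing zone enables, not just the home Region: because the ARNs are Region-scoped, a standard enabled in us-east-1 contributes nothing in eu-west-1, and the function reports all four as missing there.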