Mastering Governance & Compliance: An Introduction to AWS Control Tower

SourceFuse
4 min readJul 11, 2023

by James Crowley, Senior Enterprise Architect, SourceFuse

The article below contains a brief introduction to Control Tower and the most popular open-source methods for automation related to landing zones in AWS.

What is AWS Control Tower?

AWS Control Tower is a service provided by AWS that enables organizations to quickly and seamlessly orchestrate multi-account AWS environments via a landing zone. A landing zone can be thought of as a template for an AWS account that provides baseline security, networking, and core infrastructure. Control Tower itself orchestrates several other services on your behalf to create the landing zone. A typical landing zone implementation may utilize a combination of the services below

  • AWS Identity Center
  • AWS Organizations
  • AWS Service Catalog
  • AWS CloudFormation
  • CloudTrail
  • CloudWatch
  • AWS Config
  • IAM
  • KMS
  • Lambda
  • S3
  • Security Hub
  • SNS
  • Step Functions

What are the benefits of using Control Tower?

  • Centralized governance and standardized security — Control Tower enables you to apply various Guardrails, Service Control Policies (SCPs), and Detective recommendations in a consistent manner across your entire AWS ecosystem. For organizations that value security as a top priority (most organizations these days), standardization is key for compliance and protection from data breaches. Control Tower provides a centralized view of security controls via Security Hub and ships with compliance checks for the following frameworks out of the box.
  • AWS Foundational Security Best Practices v1.0.0
  • PCI DSS v3.2.1
  • CIS AWS Foundations Benchmark v1.4.0
  • NIST Special Publication 800-53 Revision 5
  • Complete automation of AWS accounts and account baselines — creating new workload accounts is done via an Account Factory and managing drift between accounts is completely automated.
  • Cost optimization — Control Tower allows you to centralize cost optimization with AWS Cost Explorer and AWS budgets, providing you with a single pane of glass for all cost-related concerns.
  • Enhanced collaboration — shared resources and services are simple to implement and allow you to easily achieve economies of scale.

What are my options for Infrastructure as Code and Control Tower?

Customizations for AWS Control Tower (CfCT) — CloudFormation-based solution.

Control Tower Account Factory for Terraform (AFT) — Terraform-based solution.

Landing Zone Accelerator (LZA) — AWS CDK-based solution.

We typically prefer the LZA and AFT over the CfCT, but we are proficient in all three. For more information, visit our implementation guides for the AFT and LZA.

AFT

1. Control Tower AFT Setup — ARC

2. GitHub — sourcefuse/terraform-aws-refarch-control-tower-aft: Terraform Module repo for managing the parent AFT configuration responsible for deploying AFT resources into accounts.

3. AWS Account Baseline — ARC

Landing Zone Accelerator

1. Control Tower LZA Setup

2. GitHub — awslabs/landing-zone-accelerator-on-aws: Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.

3. GitHub — sourcefuse/arc-lza-config: Bootstrap config files for AWS LZA

Why the LZA vs CfCT/AFT?

The CfCT and AFT solutions provide the same capabilities, however, they will require additional effort to implement a holistic solution. The CfCT and AFT work very well for lightweight or smaller AWS implementations.

The LZA, on the other hand, ships with a set of sample configurations that enable enterprises with complex governance and security compliance requirements to implement their landing zones at scale. It is important to note the accelerator part of the name. The LZA enables organizations to achieve compliance, but it does not necessarily make you compliant. Please review the solutions provided to make sure they are in compliance with your organization’s security standards.

AWS Best Practices — this is the foundational set of configurations that serve as the baseline for all other configurations. These configurations are easily extended to accommodate the specifics of your workload. The baseline cost for the best practices LZA is ~$450/mo. The dimensions for the cost calculation can be found here.

  1. Centralized logging and auditing

2. Security Hub enabled with the following frameworks

  • AWS Foundational Security Best Practices v1.0.0
  • PCI DSS v3.2.1
  • CIS AWS Foundations Benchmark v1.4.0
  • NIST Special Publication 800-53 Revision 5
  • Transit Gateway and VPC endpoints for enhanced network security
  • Several OUs for workload, security, and auditing segregation across accounts

3. Canned policies for

  • IAM
  • SCPs
  • Firewall Rules
  • Backup

4. SSM Documents for

--

--

SourceFuse

Strategic digital transformation helping businesses evolve through cloud-native technologies