AWS Control Tower

Overview

  • AWS Control Tower provides a simplified way to set up, govern, and secure a multi-account AWS environment.
  • Built on top of AWS Organizations; automates account provisioning and applies governance at scale.
  • Ideal for enterprises and teams that want to follow AWS best practices without building their own governance framework from scratch.

Key Benefits

  • Automated Setup
    • Creates a landing zone with multiple accounts, organizational units (OUs), and network configurations.
    • Applies security, compliance, and operational best practices automatically.
  • Policy Management with Guardrails
    • Guardrails are predefined governance rules applied to accounts and OUs.
    • Can be preventive (block unwanted actions) or detective (monitor and report violations).
  • Continuous Compliance
    • Detects policy violations automatically.
    • Can trigger remediation workflows.
  • Compliance Monitoring
    • Centralized interactive dashboard to view compliance status across all managed accounts.

Guardrails

Purpose

  • Provide ongoing governance for environments managed by AWS Control Tower.
  • Ensure that security, compliance, and operational rules are consistently applied across all accounts.

Types of Guardrails

  1. Preventive Guardrails
      • Enforced with Service Control Policies (SCPs).
      • Block disallowed actions before they can be performed.
      • Example: Restrict creation of resources in specific AWS Regions.
  2. Detective Guardrails
      • Enforced with AWS Config rules.
      • Continuously monitor resource configurations and detect violations.
      • Example: Detect resources that lack required tags.

Example – Detective Guardrail Remediation Flow

  1. AWS Config detects a non-compliant resource (e.g., missing required tags).
  2. Amazon SNS publishes a notification.
  3. AWS Lambda function is triggered.
  4. Lambda function either:
      • Notifies the admin, or
      • Automatically remediates the issue (e.g., applies missing tags).

This allows for automated detection, notification, and remediation of non-compliance.
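The remediation step of this flow as an added example (not code from AWS or from these notes): a Lambda-style handler that unwraps the AWS Config compliance-change message delivered through SNS, works out which required tags are missing, and either notifies an admin or applies placeholder tags. The required tag keys, the sample event, and the `get_tags` / `tag_resource` / `notify` callables are assumptions standing in for the boto3 and SNS calls a deployed function would make.

```python
import json

# Constructed policy for this example (assumption): every resource must carry these keys.
REQUIRED_TAG_KEYS = ("Owner", "CostCenter")
PLACEHOLDER = "UNASSIGNED-needs-review"

# Constructed sample: an SNS-wrapped Config notification for an untagged EC2 instance.
SAMPLE_EVENT = {"Records": [{"Sns": {"Message": json.dumps({
    "messageType": "ComplianceChangeNotification",
    "configRuleName": "required-tags",
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0123456789abcdef0",
    "awsRegion": "us-east-1",
    "newEvaluationResult": {"complianceType": "NON_COMPLIANT"},
})}}]}


def parse_compliance_notification(sns_event):
    """Unwrap the Config message carried in an SNS event.
    Returns (resource_type, resource_id, compliance_type), or None if the
    message is not a ComplianceChangeNotification (e.g. a snapshot delivery)."""
    msg = json.loads(sns_event["Records"][0]["Sns"]["Message"])
    if msg.get("messageType") != "ComplianceChangeNotification":
        return None
    compliance = msg["newEvaluationResult"]["complianceType"]
    return msg["resourceType"], msg["resourceId"], compliance


def missing_tags(current_tags, required=REQUIRED_TAG_KEYS):
    """Return the required tag keys absent from the resource's current tags."""
    return [key for key in required if key not in current_tags]


def remediate(sns_event, get_tags, tag_resource, notify, auto_remediate=True):
    """Handler body. get_tags(resource_id) -> dict, tag_resource(resource_id, dict)
    and notify(text) are injected stand-ins (assumption) for the AWS API calls.
    Returns a dict describing the action taken, so the outcome can be logged."""
    parsed = parse_compliance_notification(sns_event)
    if parsed is None:
        return {"action": "ignored"}
    resource_type, resource_id, compliance = parsed
    # Only act on NON_COMPLIANT; a stale notification may already be fixed.
    missing = missing_tags(get_tags(resource_id)) if compliance == "NON_COMPLIANT" else []
    if not missing:
        return {"action": "none", "resource": resource_id}
    if not auto_remediate:
        notify(f"{resource_type} {resource_id} is missing tags {missing}")
        return {"action": "notified", "resource": resource_id, "missing": missing}
    tags = {key: PLACEHOLDER for key in missing}
    tag_resource(resource_id, tags)  # placeholder values keep the violation visible for review
    notify(f"Applied placeholder tags {sorted(tags)} to {resource_type} {resource_id}")
    return {"action": "tagged", "resource": resource_id, "tags": tags}
```

Placeholder values rather than guessed real ones are deliberate: the resource becomes compliant with the rule while the notification still tells an admin which tags need a genuine value.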