
Control Tower: Then vs Now

Control Tower today is not the same Control Tower that you may have been introduced to in the past.
Matt Skillman | Dec 18 2023

AWS Control Tower, formally released in 2019, should have been one of the most impactful AWS service announcements since S3. Almost any meaningful use of AWS quickly entails many AWS accounts, so it becomes necessary to use AWS Organizations to govern those accounts sensibly. AWS Organizations on its own offers tremendous benefits but, ironically, ships without built-in mechanisms for taking full advantage of the service: some other solution has to be combined with it to truly benefit from logical groupings of your AWS accounts. With this in mind, the next logical step was for AWS to create a layer atop AWS Organizations that consolidates and integrates the orchestration of services such as Identity Center, Service Catalog, and AWS Organizations itself. In theory, this layer should have been a “killer app” at launch, enabling enterprises to vend AWS accounts reproducibly, apply ready-to-use collections of organizational controls, and view all necessary compliance information through a single pane in the AWS Console. In reality, AWS Control Tower was a moderately controversial service, with a sizable crowd criticizing it publicly.

The first and most obvious complaint about AWS Control Tower at launch was its lack of any mechanism to specify configuration as code. It is almost baffling that, despite the universal understanding of how important it is to define both infrastructure and configuration via code, AWS Control Tower launched without any IaC support. AWS seemed to think that ClickOps could be a viable approach to Control Tower management. While this issue is somewhat subjective, there were, unfortunately, a variety of launch issues that fell more into the “objectively bad” category.

The first “objectively bad” problem with Control Tower was the inability to perform more than one action at a time. In other words, if you wanted to both provision an account as well as enable some new guardrail/control on an OU, you were forced to do those two things sequentially. To make matters even worse, these actions typically took an hour to complete. The second problem with Control Tower was a variety of either missing or broken features:

  • CloudTrail retention period not customizable
  • Issues surrounding the inability for drift to be resolved/repaired
  • Inability to import existing accounts or organizations into Control Tower
  • Control Tower cannot enforce infrastructure standards across the Organization
  • Control Tower does not support AWS CloudTrail Organization logging

These issues, as you might expect, led many in the AWS ecosystem to regard Control Tower as a half-baked and ultimately not very useful service.

Today, however, Control Tower is gaining favor among AWS cloud architects. The most painful issue has now been partially alleviated: Control Tower supports up to five concurrent account-related operations. Moreover, every one of the previously mentioned “missing or broken features” has since been addressed by AWS:

  • CloudTrail retention period is now customizable
  • Drift can now be detected and resolved/repaired
  • Existing accounts and organizations can now be imported into Control Tower
  • Control Tower can now enforce infrastructure standards across the Organization
  • Control Tower now supports AWS CloudTrail Organization logging

Even more importantly, with the release of AWS Control Tower Account Factory for Terraform (AFT), you are now able to manage the most important aspect of Control Tower, account provisioning and customization, in a code-defined manner. AFT integrates with Control Tower and brings some degree of GitOps capability to an otherwise ClickOps-centric service.

Control Tower continues to evolve and improve in nearly every regard. For example, the recent release of APIs for managing Control Tower landing zone configurations is a welcome addition that we are very excited about. We might expect Terraform support for managing landing zone configurations, such as log retention settings or CloudTrail trails, to follow soon, at which point it should be possible to fully manage Control Tower’s most important configurations via IaC.

The Control Tower API includes not only the newly added support for landing zone configurations but also support for managing Control Tower controls. Terraform already supports this configuration, which provides a vastly more manageable way to administer controls than previous “ClickOps” approaches. I fully expect Control Tower to keep improving with respect to both its feature set and its scalability. Improved API support brings the service closer every day to being fully manageable via IaC, which makes it even better when used at scale to manage hundreds of AWS accounts.

The 2023 Release Notes for Control Tower demonstrate that AWS is certainly continuing to maintain this service and will continue to do so for the foreseeable future. As the service matures over time, we are happy to keep track of this progress and engage with the service as it is today, rather than mislabel it as the same service that was launched four years ago. Control Tower today is not the same Control Tower that you may have been introduced to in the past.
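As an added illustration of the Terraform support for controls mentioned above (example configuration written for this post, not code from AWS or from the original article), the AWS provider's `aws_controltower_control` resource can enable a set of controls on an OU. The OU name `Sandbox`, the three control names, and the use of the provider's region as the Control Tower home region are assumptions.

```hcl
# Added example: enable several Control Tower controls on one OU with the
# AWS provider's aws_controltower_control resource. The OU name and the
# control names are assumed values; control names must match the
# identifiers shown in the Control Tower console or ListEnabledControls.

data "aws_partition" "current" {}
data "aws_region" "current" {}       # assumed to be the Control Tower home region
data "aws_organizations_organization" "this" {}

# Top-level OUs directly under the organization root
data "aws_organizations_organizational_units" "top_level" {
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

locals {
  target_ou_name = "Sandbox" # assumed OU name

  # Assumed baseline of guardrails for the OU (names from the Control Tower catalog)
  controls = toset([
    "AWS-GR_ENCRYPTED_VOLUMES",
    "AWS-GR_RESTRICT_ROOT_USER",
    "AWS-GR_S3_BUCKET_PUBLIC_READ_PROHIBITED",
  ])

  # Resolve the OU ARN by name; one() fails the plan if the OU is missing
  # or the name is ambiguous, instead of silently targeting nothing.
  target_ou_arn = one([
    for ou in data.aws_organizations_organizational_units.top_level.children :
    ou.arn if ou.name == local.target_ou_name
  ])
}

resource "aws_controltower_control" "guardrails" {
  for_each = local.controls

  control_identifier = "arn:${data.aws_partition.current.partition}:controltower:${data.aws_region.current.name}::control/${each.key}"
  target_identifier  = local.target_ou_arn
}
```

Each control enablement is an asynchronous Control Tower operation, so if several resources in one apply collide you may need to lower Terraform's parallelism until the operations complete.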
