AWS Control Tower gives users the ability to set up and govern a secure multi-account AWS environment. This is achieved through several key features of AWS Control Tower.
First and foremost, AWS Control Tower automates the setup of a baseline environment in your AWS organization, known as a Landing Zone: a well-architected, multi-account AWS environment. Acting as an account factory, AWS Control Tower can significantly speed up the process of setting up new accounts while keeping them consistent. Users in your organization can create new AWS accounts as needed, based on blueprints that adhere to AWS best practices, including configurations for AWS IAM, logging with AWS CloudTrail, resource auditing with AWS Config, and more.
AWS Control Tower also applies guardrails to a user’s AWS accounts. Guardrails are prepackaged governance rules for security, compliance, and operations, and can be applied across accounts. They come in two flavors, preventive and detective, and behave exactly as they sound: a preventive guardrail denies certain actions outright, while a detective guardrail flags non-compliant actions, making it easier to ensure all accounts adhere to the intended policies. Furthermore, AWS Control Tower offers the user a dashboard with a high-level view of their AWS environment, including the status of guardrails, accounts, organizational units, and more.
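To make the two flavors concrete, here is an added example (not Control Tower's own code) that models a preventive guardrail as a deny-style service control policy evaluated before an API call, and a detective guardrail as an after-the-fact compliance check over account snapshots. It assumes Control Tower implements preventive guardrails as AWS Organizations SCPs and detective guardrails as AWS Config rules; the policy document, account records, and function names are constructed for illustration.

```python
import fnmatch

# Added example (not Control Tower's own code). Assumption: Control Tower applies
# preventive guardrails as AWS Organizations SCPs and detective guardrails as
# AWS Config rules; the policy, account records and names below are constructed.

# Constructed SCP in the spirit of a preventive guardrail that protects the
# landing zone's CloudTrail trail from being altered or switched off.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                   "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
        "Resource": "*",
    }],
}

def scp_allows(policy: dict, action: str) -> bool:
    """Preventive flavor: an explicit Deny in the SCP blocks the API call
    regardless of what the caller's own IAM policies grant."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # IAM action names are case-insensitive and use '*' / '?' wildcards
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return False
    return True

# Constructed per-account snapshots, as a detective rule would evaluate them
# after the fact (nothing is blocked here; drift is only reported).
ACCOUNTS = [
    {"id": "111111111111", "cloudtrail_logging": True, "s3_public_access_blocked": True},
    {"id": "222222222222", "cloudtrail_logging": False, "s3_public_access_blocked": True},
    {"id": "333333333333", "cloudtrail_logging": True, "s3_public_access_blocked": False},
]
REQUIRED = ("cloudtrail_logging", "s3_public_access_blocked")

def detective_findings(accounts: list) -> dict:
    """Detective flavor: map each non-compliant account id to the checks it fails."""
    return {a["id"]: [k for k in REQUIRED if not a[k]]
            for a in accounts if not all(a[k] for k in REQUIRED)}
if __name__ == "__main__":
    print(scp_allows(PREVENTIVE_SCP, "cloudtrail:StopLogging"))   # False: denied
    print(scp_allows(PREVENTIVE_SCP, "cloudtrail:LookupEvents"))  # True: allowed
    print(detective_findings(ACCOUNTS))
```

The preventive check returns a decision before anything happens, whereas the detective check only produces findings, which is why the two are complementary rather than interchangeable.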
AWS Control Tower uses AWS Organizations behind the scenes. When a new landing zone is set up with AWS Control Tower, the service integrates closely with AWS Organizations to set up and manage accounts in groups called Organizational Units (OUs). An OU groups similar accounts together so that the same set of guardrails applies to every account within it.
AWS Control Tower is aimed at organizations that need to manage multiple AWS accounts efficiently and effectively. It helps ensure security, compliance, and operational best practices. The service enables users to set up a well-architected, multi-account environment in under 30 minutes by automating the creation of these accounts.
There is no additional charge for AWS Control Tower itself. You pay only for the AWS services enabled within your Landing Zone and in each account it creates and manages, for example AWS Config Rules, AWS CloudTrail, Amazon S3, and others.