2022-10-03

What is AWS Control Tower


As businesses continue to migrate to the cloud, managing the security, compliance, and governance of multiple AWS accounts becomes increasingly complex. To help organizations maintain control over their AWS environments while ensuring scalability and agility, Amazon Web Services introduced AWS Control Tower.

AWS Control Tower is a fully managed, multi-account management service that streamlines the process of setting up, configuring, and maintaining an AWS environment. It is built on top of services you may already use, chiefly AWS Organizations, AWS Config, AWS CloudTrail and AWS IAM Identity Center (formerly AWS SSO), and it provides a centralized dashboard and a set of pre-configured governance rules, called guardrails, to help businesses enforce consistent policies across their AWS accounts. Preventive guardrails are implemented as service control policies and detective guardrails as AWS Config rules.

Architecture

(Figure: What is AWS Control Tower? Architecture diagram)

Core Concepts and Terminology

In this chapter, I will discuss the core concepts and terminology used in AWS Control Tower.

Organizational Units (OUs)

Organizational Units (OUs) are groups of AWS accounts that share common characteristics, such as function, department, or project. OUs help you manage your accounts more effectively because SCPs and guardrails are attached to the OU and inherited by every account in it, including accounts in nested child OUs. You can create a hierarchy of OUs to reflect your organization's structure; a typical split is by environment (production, non-production, sandbox) rather than by team, because that is where policies differ most.

Accounts

AWS Control Tower manages individual AWS accounts, which are the containers for AWS resources and the strongest isolation boundary between workloads. Each account belongs to exactly one OU and inherits the SCPs and guardrails applied to that OU and its parents. Users do not live inside the accounts; they are given access through AWS IAM Identity Center (formerly AWS SSO) permission sets, which Control Tower configures by default. Control Tower provides a streamlined process for creating and enrolling accounts, so that every account in your environment starts out baselined with the same policies and guardrails.

Service Control Policies (SCPs)

Service Control Policies (SCPs) are JSON policy documents, attached to the organization root, an OU, or an individual account, that set the maximum permissions available to any principal in the accounts they cover. Two properties matter in practice. First, an SCP never grants access: a request succeeds only if, at every level from the root down through each OU to the account, the attached SCPs allow the action (the default FullAWSAccess SCP does) and none of them denies it, and an IAM identity or resource policy in the account allows it as well. A Deny anywhere in that chain wins. Second, SCPs do not apply to the management account, so its users and roles, including the root user, are never restricted by them; keep workloads and day-to-day work out of that account. Control Tower's preventive guardrails are SCPs that it attaches and manages for you.
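The evaluation rules above are easy to state and easy to get wrong, so here is a small model of them in Python. This is an added example, not AWS code and not part of the original post: it models only the documented chain logic (every level must allow, any Deny wins, SCPs grant nothing, the management account is exempt) and supports a subset of policy syntax (Action with wildcards, StringEquals/StringLike conditions on aws:PrincipalArn; no NotAction, Resource matching or other operators). The SCP is modelled on the mandatory guardrail that disallows access keys for the root user, but the Sid, account ID, user name and OU layout are constructed for the example.

```python
from fnmatch import fnmatchcase

FULL_AWS_ACCESS = {  # modelled on the default SCP attached to every root, OU and account
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Modelled on the mandatory guardrail that disallows root access keys:
# a Deny for iam:CreateAccessKey that only matches when the caller is root.
DENY_ROOT_ACCESS_KEYS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootAccessKeys",  # Sid chosen for this example
        "Effect": "Deny",
        "Action": "iam:CreateAccessKey",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

IAM_ADMIN = {  # hypothetical identity policy of an account administrator (no EC2 rights)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["iam:*", "s3:*"], "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, ctx):
    """Subset of IAM conditions: StringEquals / StringLike on request-context keys."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                return False  # a missing context key never satisfies a String* condition
            if operator == "StringEquals":
                ok = actual in _as_list(expected)
            elif operator == "StringLike":
                ok = _matches(expected, actual)
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def policy_decision(policy, action, ctx):
    """Evaluate one policy document: 'Deny' beats 'Allow'; None is an implicit deny."""
    decision = None
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def level_allows(policies, action, ctx):
    """All SCPs attached at one level (root, an OU, or the account) are evaluated together."""
    decisions = [policy_decision(p, action, ctx) for p in policies]
    return "Deny" not in decisions and "Allow" in decisions


def is_allowed(action, principal_arn, scp_levels, identity_policy, management_account=False):
    """Final decision for a request.

    scp_levels: SCPs attached at each level from the organization root down to the
    account, e.g. [[root SCPs], [OU SCPs], [account SCPs]]. Every level must allow.
    The management account is never restricted by SCPs.
    """
    ctx = {"aws:PrincipalArn": principal_arn}
    if not management_account:
        for policies in scp_levels:
            if not level_allows(policies, action, ctx):
                return False
    # SCPs never grant anything: the identity policy must still allow the action
    return policy_decision(identity_policy, action, ctx) == "Allow"


# Constructed organization: FullAWSAccess everywhere, deny-root-keys SCP on the Workloads OU
WORKLOADS_ACCOUNT_SCPS = [[FULL_AWS_ACCESS], [FULL_AWS_ACCESS, DENY_ROOT_ACCESS_KEYS], [FULL_AWS_ACCESS]]
ROOT_ARN = "arn:aws:iam::111122223333:root"
ADMIN_ARN = "arn:aws:iam::111122223333:user/alice"


def demo():
    """Four requests that show the four rules; the root user has every IAM permission."""
    return {
        "root_creates_key_in_member": is_allowed("iam:CreateAccessKey", ROOT_ARN, WORKLOADS_ACCOUNT_SCPS, FULL_AWS_ACCESS),
        "admin_creates_key_in_member": is_allowed("iam:CreateAccessKey", ADMIN_ARN, WORKLOADS_ACCOUNT_SCPS, IAM_ADMIN),
        "root_creates_key_in_mgmt": is_allowed("iam:CreateAccessKey", ROOT_ARN, WORKLOADS_ACCOUNT_SCPS, FULL_AWS_ACCESS, management_account=True),
        "admin_runs_instance": is_allowed("ec2:RunInstances", ADMIN_ARN, WORKLOADS_ACCOUNT_SCPS, IAM_ADMIN),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:30s} {'ALLOW' if allowed else 'DENY'}")
```

The fourth case is the one people trip over: the SCPs permit ec2:RunInstances, yet the request is denied because nothing in the account grants it. The converse gotcha is a level that carries only a deny-list SCP and no FullAWSAccess: that level allows nothing at all, which is why detaching FullAWSAccess from an OU locks every account in it out.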

Guardrails

Guardrails are pre-configured rules that help you enforce governance and compliance policies across your AWS accounts. Each guardrail is either preventive (an SCP that blocks the disallowed action outright) or detective (an AWS Config rule that reports resources as non-compliant on the Control Tower dashboard but does not stop anything). Guardrails are applied to OUs, not to individual accounts, so enabling one affects every account in the OU. Control Tower offers three types of guardrails:

  • Mandatory Guardrails
    These are always enabled and cannot be disabled. They provide essential security and governance features.

  • Strongly Recommended Guardrails
    These guardrails provide additional security and compliance benefits and are recommended by AWS, but can be disabled if needed.

  • Elective Guardrails
    These guardrails allow you to customize your policies according to your organization's requirements and can be enabled or disabled as needed.

Blueprints

Blueprints are pre-packaged AWS infrastructure configurations that simplify account provisioning and help you maintain consistency across your AWS environment. AWS Control Tower offers two:

  • Account Factory
    Account Factory, delivered as an AWS Service Catalog product, automates account creation. Every new account is created in the OU you choose, baselined with that OU's guardrails, and receives the standard logging and network configuration you defined, so a new account cannot start out weaker than the rest of the environment.

  • Landing Zone
    The landing zone is the secure, multi-account baseline that Control Tower deploys, aligned with AWS best practices. It consists of the management account plus a Security OU containing two shared accounts: the Log Archive account, which receives the organization-wide CloudTrail and AWS Config logs in a central S3 bucket, and the Audit account, which is given cross-account read access so security and compliance teams can inspect every account. Keep workloads out of all three.

Setting Up and Configuring AWS Control Tower

In this chapter, I will walk you through the process of setting up and configuring AWS Control Tower to manage your AWS environment effectively.

Prerequisites

Before you begin, ensure that you meet the following prerequisites:

  • You need an AWS account to act as the management account, and you must sign in to it as an IAM user or role with administrator permissions. The root user is not required for set-up and should not be used for it.

  • If that account already belongs to an AWS Organization, it must be the management account of that organization; a member account cannot host Control Tower. There must be no existing Control Tower landing zone in the organization.

  • AWS Config must not already have a configuration recorder or delivery channel in the management account in the regions Control Tower will govern, because Control Tower creates and manages these itself. Remove or reconfigure them first, or set-up fails its pre-checks.

Deploying AWS Control Tower

To deploy AWS Control Tower, follow these steps:

  1. Sign in to the AWS Management Console of the management account as an IAM user or role with administrator permissions.
  2. Navigate to the AWS Control Tower console at https://console.aws.amazon.com/controltower/ and select the home region. The landing zone's core resources are created there, and the home region cannot be changed after set-up.
  3. On the AWS Control Tower home page, click Set up landing zone.
  4. AWS Control Tower will check for prerequisites and display the status. Resolve any failures before continuing.
  5. Choose the additional regions to govern, keep or rename the foundational OUs (Security and Sandbox), and provide a unique email address for each of the Log Archive and Audit accounts. Use mailboxes owned by the security team rather than an individual, because these addresses receive password-reset and notification mail for the core accounts.
  6. Review the settings, and click Set up landing zone to begin deployment.

AWS Control Tower will start deploying resources, and the process may take up to an hour to complete.

Once the deployment is finished, AWS Control Tower will display a confirmation message, and you can start using the service.

Configuring AWS Control Tower

After deploying AWS Control Tower, you can configure the service according to your organizational requirements. This section covers the primary configuration tasks.

Creating Organizational Units (OUs)

Organizational Units (OUs) help you manage your AWS accounts by grouping them based on specific criteria, such as business units, departments, or projects. To create an OU:

  1. Navigate to the AWS Control Tower console.
  2. In the left-hand menu, click Organizational Units.
  3. Click Create Organizational Unit.
  4. Provide a name and an optional description for the OU, choose its parent OU, and click Create Organizational Unit.

An OU created this way is registered with Control Tower automatically, so the mandatory guardrails (and any guardrails enabled on the parent OU) apply to every account placed in it.

Adding and Managing AWS Accounts

There are two paths: creating a new account through Account Factory, or enrolling an existing AWS account so that Control Tower governs it.

  1. Navigate to the AWS Control Tower console.
  2. In the left-hand menu, click Account Factory to create a new account, or Accounts to work with existing ones.
  3. Click Create account to provision a new account, or select an existing account and click Enroll account to bring it under Control Tower governance. Existing OUs from AWS Organizations are brought in separately with Register OU.
  4. Fill in the account name, a unique email address, and the IAM Identity Center user who will administer it, and choose the OU for the account.
  5. Confirm to start provisioning. Control Tower creates or baselines the account with the guardrails of its OU, which takes a few minutes.

Before enrolling an existing account, make sure it belongs to the same organization and contains the AWSControlTowerExecution IAM role trusting the management account; without that role, enrollment fails because Control Tower cannot deploy its baseline into the account.

Configuring Guardrails

Guardrails help you enforce policies and maintain compliance across your AWS accounts. Mandatory guardrails are applied to every OU automatically and cannot be turned off; the strongly recommended and elective ones are enabled per OU. To enable one:

  1. Navigate to the AWS Control Tower console.
  2. In the left-hand menu, click Guardrails.
  3. Select the guardrail you want to apply and click Enable guardrail on OU.
  4. Choose the target OU and confirm. The guardrail now applies to every account in that OU and its child OUs. To remove it later, open the guardrail and click Disable guardrail on OU.

A preventive guardrail can break workloads that depend on the action it denies, so enable elective guardrails on a non-production OU first. After enabling a detective guardrail, check the Control Tower dashboard for the resources it reports as non-compliant; the guardrail itself does not remediate them.

Implementing Governance and Compliance with Guardrails

Guardrails are a central feature of AWS Control Tower, designed to help organizations enforce consistent policies and maintain compliance across their AWS accounts. Guardrails come in three categories:

  • Mandatory Guardrails
  • Strongly Recommended Guardrails
  • Elective Guardrails

Mandatory Guardrails

Mandatory Guardrails are always enabled in AWS Control Tower and cannot be disabled. They provide essential security and governance features to help ensure a secure and compliant environment. Some examples of Mandatory Guardrails include:

  • Disallow creation of access keys for the root user
  • Enable AWS Config in all regions
  • Enable AWS CloudTrail log file validation

By enforcing these fundamental security measures, Mandatory Guardrails help protect your AWS environment and reduce the risk of unauthorized access or misconfiguration. Keep in mind that the preventive ones are SCPs, and SCPs never apply to the management account: the root user there must still be protected by hand (hardware MFA, no access keys, credentials in a safe), because no guardrail stops it.
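A preventive guardrail leaves a trace when it fires: the CloudTrail record for the blocked call carries errorCode AccessDenied and an errorMessage that mentions an explicit deny in a service control policy. In a Control Tower landing zone those records land in the Log Archive account, and reading them is how you confirm that a guardrail actually protected something. The scanner below is an added example, not code from the original post or from AWS: it flags root-user activity and SCP-denied calls over a handful of constructed CloudTrail records (account IDs, user names and the trail name are made up), and it assumes the records have been flattened to one JSON object per line, which is not how CloudTrail writes its .json.gz objects (those hold a Records array).

```python
import json

# Marker AWS includes in the error message when an SCP, rather than an IAM policy, denied the call
SCP_DENY_MARKER = "explicit deny in a service control policy"

# Constructed CloudTrail records, trimmed to the fields the scanner reads. Account IDs,
# principal names and the trail name are made up for this example.
SAMPLE_EVENTS = [
    {   # root user signs in to the console: not blocked, but always worth a ticket
        "eventTime": "2022-10-03T09:12:41Z", "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # root tries to create an access key: the mandatory guardrail's SCP denies it
        "eventTime": "2022-10-03T09:14:05Z", "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey", "awsRegion": "us-east-1",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:iam::111122223333:root is not authorized to perform: "
                         "iam:CreateAccessKey on resource: user root with an explicit deny "
                         "in a service control policy"),
    },
    {   # ordinary IAM user activity: ignored
        "eventTime": "2022-10-03T10:02:17Z", "eventSource": "s3.amazonaws.com",
        "eventName": "PutObject", "awsRegion": "eu-west-1",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
    },
    {   # an IAM user tries to stop the organization trail and is denied by an SCP
        "eventTime": "2022-10-03T10:40:59Z", "eventSource": "cloudtrail.amazonaws.com",
        "eventName": "StopLogging", "awsRegion": "us-east-1",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:user/alice", "userName": "alice"},
        "errorCode": "AccessDenied",
        "errorMessage": ("User: arn:aws:iam::111122223333:user/alice is not authorized to "
                         "perform: cloudtrail:StopLogging on resource: arn:aws:cloudtrail:"
                         "us-east-1:111122223333:trail/org-trail with an explicit deny in a "
                         "service control policy"),
    },
]


def sample_lines():
    """The records as newline-delimited JSON, with one malformed line mixed in."""
    lines = [json.dumps(e) for e in SAMPLE_EVENTS]
    return lines[:2] + ["{this line is not JSON"] + lines[2:]


def classify(event):
    """Return a finding for an event that needs attention, or None."""
    ident = event.get("userIdentity", {})
    reasons = []
    if ident.get("type") == "Root":
        reasons.append("root_activity")
    if event.get("errorCode") == "AccessDenied" and SCP_DENY_MARKER in event.get("errorMessage", ""):
        reasons.append("scp_denied")  # a preventive guardrail (or another SCP) fired
    if not reasons:
        return None
    service = event["eventSource"].split(".")[0]
    return {
        "time": event["eventTime"],
        "account": ident.get("accountId"),
        "principal": ident.get("arn"),
        "action": f"{service}:{event['eventName']}",
        "region": event.get("awsRegion"),
        "reasons": reasons,
    }


def scan(lines):
    """Scan NDJSON CloudTrail records; malformed or empty lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings per reason, e.g. {'root_activity': 2, 'scp_denied': 2}."""
    counts = {}
    for finding in findings:
        for reason in finding["reasons"]:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(sample_lines())
    for f in results:
        print(f"{f['time']} {f['account']} {f['action']:24s} {','.join(f['reasons'])}  {f['principal']}")
    print(summarize(results))
```

The second record is the interesting one: root activity and an SCP denial on the same event is exactly the signature of the root access key guardrail doing its job, and it should be investigated as a root credential in use rather than filed as a successful block. The fourth record shows the same signal for a non-root principal trying to disable logging, which is worth an alert on its own.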

Strongly Recommended Guardrails

Strongly Recommended Guardrails provide additional security and compliance benefits beyond the Mandatory Guardrails. While they can be disabled, AWS strongly recommends keeping them enabled to optimize your environment's security posture. Some examples of Strongly Recommended Guardrails include:

  • Disallow public read access to Amazon S3 buckets
  • Disallow public write access to Amazon S3 buckets
  • Disallow actions as a root user

The two S3 guardrails are detective: they report buckets that allow public access on the dashboard rather than blocking the change, so someone still has to fix the bucket. The root-user guardrail is preventive and, being an SCP, applies only to member accounts. Together they reduce the two most common sources of incidents in a multi-account environment, accidental data exposure and privileged root activity.

Elective Guardrails

Elective Guardrails allow you to customize your policies according to your organization's specific requirements. They can be enabled or disabled as needed. Some examples of Elective Guardrails include:

  • Disallow internet access for Amazon RDS instances
  • Require MFA for AWS Management Console access
  • Require encryption for Amazon S3 objects

Elective Guardrails give you the flexibility to adapt your governance and compliance policies to your organization's unique needs, while still maintaining a secure and compliant environment. Many elective guardrails are detective, so enabling one does not change or remediate anything by itself; treat the non-compliant resources it reports as work items for the account owners, and prefer the preventive form of a guardrail where one exists and your workloads can tolerate it.


Ryusei Kakujo
