Control Tower Security Features
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Mastering AWS Control Tower Security Features
Introduction: The Necessity of Multi-Account Governance
In the early days of cloud adoption, many organizations operated with a single AWS account. As workloads grew and team structures became more complex, this approach quickly became a bottleneck. Security teams struggled to maintain visibility, manage permissions, and ensure compliance across disparate departments. The industry responded by moving toward a multi-account strategy, where each team or application environment resides in its own isolated AWS account. While this solves the problem of resource isolation, it creates a new challenge: how do you maintain a consistent security posture across dozens, or even hundreds, of accounts?
AWS Control Tower was designed specifically to answer this question. It acts as an orchestration layer that automates the setup of a multi-account environment based on best practices. Instead of manually configuring security policies in every single account, Control Tower allows you to define "Guardrails" that propagate automatically throughout your organization. This lesson explores the security features of Control Tower in depth, explaining how to use these tools to build a secure, scalable, and compliant cloud foundation.
Understanding Control Tower is not just about learning a service; it is about adopting a philosophy of "Security by Design." By centralizing your governance, you reduce the risk of human error, eliminate configuration drift, and gain the ability to audit your entire environment from a single pane of glass. Whether you are a security engineer, a cloud architect, or a lead developer, mastering these features is essential for managing enterprise-scale cloud operations effectively.
The Architecture of Control Tower Security
To understand how Control Tower secures your environment, you must first understand the concept of an "AWS Landing Zone." A landing zone is a well-architected, multi-account environment that serves as the starting point for your cloud journey. Control Tower automates the creation of this landing zone using AWS Organizations, which provides the underlying structure for managing accounts at scale.
Control Tower organizes your accounts into Organizational Units (OUs). Think of an OU as a container that groups accounts with similar security or functional requirements. For example, you might have a "Production" OU, a "Sandbox" OU, and a "Security" OU. By applying security controls to an OU, you ensure that every account placed inside that container automatically inherits those controls. This hierarchical approach is the bedrock of multi-account security.
Callout: The Hub-and-Spoke Security Model Control Tower encourages a hub-and-spoke security model. In this setup, security logs and audit data are centralized in a "Log Archive" and "Audit" account (the hub), while individual workload accounts (the spokes) stream their diagnostic information to these locations. This prevents attackers from deleting logs in a compromised workload account, as they lack the permissions to access the centralized hub.
Guardrails: The Heart of Control Tower Security
Guardrails are high-level rules that provide ongoing governance for your overall AWS environment. They are categorized into two types: Preventive and Detective. These rules are implemented behind the scenes using Service Control Policies (SCPs) and AWS Config rules.
Preventive Guardrails
Preventive guardrails stop non-compliant actions before they happen. They are implemented using Service Control Policies (SCPs) applied at the OU level. Because SCPs are based on the same policy language as IAM policies, they act as a "deny-by-default" filter that sits above all users and roles in your accounts. Even if an account administrator has full IAM privileges, they cannot override an SCP that denies a specific action.
For example, you can enforce a preventive guardrail that denies the ability to turn off AWS CloudTrail. If a user attempts to stop logging, the API call will fail with an "Access Denied" error, regardless of their IAM permissions. This is a powerful tool for ensuring that your audit trails remain intact at all times.
Detective Guardrails
Detective guardrails identify non-compliant resources after they have been created. These are implemented using AWS Config rules. When a resource is created or modified, AWS Config evaluates the resource against your defined rules. If the resource fails the check, the guardrail marks the account as "Non-compliant" in the Control Tower dashboard and can trigger automated notifications via Amazon SNS.
Unlike preventive guardrails, detective guardrails do not stop the action. Instead, they provide visibility and allow for remediation. This is useful for scenarios where you want to allow flexibility but need to be alerted when a team deviates from your security standards.
Note: Always prioritize Preventive Guardrails for security-critical operations (like blocking public S3 buckets or disabling security services) and use Detective Guardrails for operational or compliance standards that require more nuance.
Implementing and Managing Guardrails
Setting up guardrails in Control Tower is a straightforward process, but it requires careful planning to avoid breaking legitimate workflows. You should never apply a restrictive guardrail to an entire organization without first testing it in a sandbox OU.
Step-by-Step: Enabling a Guardrail
- Log in to the Control Tower management console using your management account.
- Navigate to the "Guardrails" section in the left-hand navigation pane.
- Browse the library of available guardrails. You can filter by category, such as "Security," "Compliance," or "Cost."
- Select the guardrail you wish to enable. You will see a description of what the guardrail does and which service it impacts.
- Click "Enable guardrail" and select the OU or specific accounts to which you want to apply it.
- Monitor the "Compliance status" of your OUs to ensure the guardrail is functioning as expected.
Customizing Guardrails
While the library provides many pre-built guardrails, you may eventually need custom rules. You can create custom SCPs in AWS Organizations and attach them to your OUs. However, ensure that you follow the principle of least privilege. When writing custom SCPs, always test the policy in a limited environment first, as an overly broad Deny statement can inadvertently lock you out of your own accounts.
// Example of a custom SCP to block the creation of resources in non-approved regions
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "RestrictRegion",
"Effect": "Deny",
"NotAction": [
"iam:*",
"route53:*",
"support:*"
],
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2"
]
}
}
}
]
}
In the example above, the policy denies any action that is not related to IAM, Route53, or Support if the request is made in any region other than us-east-1 or us-west-2. This is a classic example of a "Region Lockdown" policy, which helps keep data sovereignty and costs under control.
Identity and Access Management (IAM) Integration
Control Tower integrates with AWS IAM Identity Center (formerly known as AWS SSO) to provide a centralized identity management experience. Instead of managing local IAM users in every account—a practice that is highly discouraged due to the administrative overhead—you manage users in one place and assign them access to specific accounts.
The Power of Permission Sets
Permission Sets are the primary method for defining what a user can do within an account. A Permission Set is essentially a collection of IAM policies that you define once and then assign to users or groups across multiple accounts. When you update a Permission Set, the changes propagate to all accounts where that set is assigned.
- AdministratorAccess: Full access to all services.
- ReadOnlyAccess: Standard access for auditing and monitoring.
- PowerUserAccess: Full access to services but restricted from managing users and groups.
Best Practices for IAM
- Avoid local IAM users: Use IAM Identity Center to federate your existing identity provider (like Active Directory or Okta).
- Use Groups for Assignment: Do not assign permissions directly to individual users. Instead, create groups (e.g., "Developers," "SecurityAuditors") and assign permission sets to those groups.
- Regularly Review Access: Use the IAM Identity Center dashboard to audit who has access to which accounts and remove unnecessary permissions.
Warning: Never use the root user account for daily tasks. In a multi-account environment, the root credentials should be stored in a secure vault and used only for emergency recovery or specific administrative tasks that cannot be performed via other means.
Centralized Logging and Audit
Security is only as good as your ability to detect and investigate incidents. Control Tower automates the setup of a centralized logging account, which stores logs from CloudTrail and AWS Config for all accounts in your organization. This provides a tamper-proof audit trail that is critical for incident response and compliance reporting.
How Centralized Logging Works
When you enroll an account in Control Tower, it automatically configures CloudTrail to deliver logs to an S3 bucket in the dedicated Log Archive account. Because these logs are stored in a separate account from where the workloads reside, a developer or an attacker who compromises a workload account cannot delete or modify the logs to cover their tracks.
The Audit Account
The Audit account is intended for your security team. It is granted read-only access to all accounts in the organization, allowing your security operations center (SOC) to perform cross-account monitoring without needing to manage credentials for every single workload account. This separation of duties is a fundamental requirement for most compliance frameworks, such as SOC2, HIPAA, and PCI-DSS.
Monitoring and Compliance Dashboards
Control Tower provides a dashboard that gives you an immediate view of your environment's health. You can see which accounts are compliant, which guardrails are in place, and if there are any outstanding issues. This dashboard is the starting point for your daily security operations.
Key Metrics to Monitor
- Compliance Status: The percentage of accounts that are currently meeting all enabled guardrails.
- Guardrail Failures: A list of specific resources that are violating a detective guardrail.
- Account Enrollment Status: Ensure that all accounts have been properly "enrolled" in Control Tower; unenrolled accounts will not have the required guardrails applied.
Tip: Use Amazon EventBridge to trigger automated workflows when a guardrail failure occurs. For example, you can set up a Lambda function that automatically tags a non-compliant resource or sends an alert to a Slack channel.
Common Pitfalls and How to Avoid Them
Even with a tool as powerful as Control Tower, there are common mistakes that organizations make. Being aware of these can save you significant time and effort.
1. Over-restricting the Environment
It is tempting to enable every single guardrail available. However, many guardrails are restrictive and can break legitimate automation or third-party tools. Always start with a core set of security guardrails and introduce others incrementally.
2. Ignoring Account Enrollment
Control Tower only manages accounts that have been explicitly enrolled. If you create an account through AWS Organizations but do not enroll it in Control Tower, it will be "invisible" to your governance rules. Always verify that new accounts appear in the Control Tower dashboard shortly after creation.
3. Mismanaging the Management Account
The management account should be used strictly for governance and billing. Never deploy production workloads or sensitive data into the management account. If the management account is compromised, your entire organization is at risk.
4. Relying Solely on Automated Tools
Control Tower is an excellent foundation, but it is not a "set it and forget it" solution. You still need to perform regular security assessments, penetration testing, and architectural reviews. Automation handles the baseline, but human oversight is required for complex security challenges.
Comparison Table: Preventive vs. Detective Guardrails
| Feature | Preventive Guardrails | Detective Guardrails |
|---|---|---|
| Mechanism | Service Control Policies (SCPs) | AWS Config Rules |
| Action | Blocks the API call | Flags the resource |
| Timing | Real-time (at request time) | Near real-time (after change) |
| Use Case | Preventing unauthorized access/config | Monitoring compliance/drift |
| Impact | High (can stop workflows) | Low (no disruption) |
Advanced Security Governance: Beyond Control Tower
While Control Tower provides the framework, you should augment it with other AWS security services to create a comprehensive defense-in-depth strategy.
Amazon GuardDuty
GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior. By enabling GuardDuty at the organization level, you can aggregate findings from all accounts into your Audit account. This allows your security team to see a global view of threats, such as unusual API calls, compromised EC2 instances, or attempts to access data from known malicious IP addresses.
AWS Security Hub
Security Hub acts as the central aggregator for all your security alerts. It pulls data from GuardDuty, Inspector, IAM Access Analyzer, and other services, and presents them in a single interface. It also maps these findings to compliance frameworks like the CIS AWS Foundations Benchmark. If you are using Control Tower, you should definitely enable Security Hub to consolidate your security posture.
AWS IAM Access Analyzer
Access Analyzer helps you identify resources that are shared with external entities. It continuously monitors your resource policies (like S3 bucket policies) and flags any that grant access to accounts outside of your organization. This is a critical control for preventing accidental data exposure in a multi-account environment.
Step-by-Step: Setting Up a Secure New Account
When you need to add a new account to your environment, follow this rigorous process to ensure it is secure from day one:
- Create via Control Tower: Always use the "Create account" feature within the Control Tower console. This ensures the account is automatically enrolled and inherits the necessary organizational guardrails.
- Assign to the Correct OU: Do not put the account in the root OU. Place it in a functional OU (e.g., "Development") that already has the appropriate guardrails applied.
- Configure SSO Access: Immediately assign the relevant permission sets to the team members who need access. Avoid creating any IAM users within the new account.
- Verify Logging: Confirm that the new account is successfully sending logs to the Log Archive account by checking the CloudTrail dashboard.
- Tagging: Apply mandatory resource tags (e.g.,
Owner,Environment,CostCenter) to ensure the account is visible in your cost and security reporting tools.
The Role of Compliance in Multi-Account Environments
For organizations in regulated industries (finance, healthcare, government), Control Tower is a game-changer. It allows you to demonstrate compliance at scale. Instead of gathering evidence for every single account, you can point to the Control Tower guardrails as evidence that a specific control is enforced globally.
For instance, if your auditor asks how you ensure that all S3 buckets are encrypted, you can show them the "Enable S3 Bucket Encryption" guardrail enabled in Control Tower. This provides a clear, documented, and automated proof of compliance that is far more reliable than manual checks.
Callout: Compliance as Code By using Control Tower, you are essentially practicing "Compliance as Code." Your security posture is defined in configuration files and policies, which can be version-controlled, audited, and peer-reviewed. This shifts the focus from "checking boxes" to building a system that is inherently compliant.
Troubleshooting Common Issues
Even the best-laid plans can encounter obstacles. Here are some common troubleshooting steps for Control Tower:
- Guardrail Not Applying: If a guardrail does not seem to be working, check the compliance status in the dashboard. It may take some time for the policy to propagate to all accounts. If it has been a long time, ensure the account is properly enrolled.
- Permission Denied Errors: If your developers are experiencing unexpected "Access Denied" errors, use the "CloudTrail Event History" in the account where the error occurred. Look for the
errorCode: AccessDeniedand check therequestParametersto see if the action was blocked by an SCP. - Account Enrollment Failure: If an account fails to enroll, check the "Account Factory" logs. This is often caused by service quotas being reached or issues with the underlying AWS Organizations structure.
Building a Security Culture
Control Tower provides the tools, but your team provides the culture. It is important to foster an environment where security is considered a shared responsibility. When a developer triggers a guardrail, treat it as a learning opportunity rather than a punishment. Use the incident to explain why the guardrail exists and how they can achieve their goals while remaining compliant.
Regularly hold "Security Office Hours" where team members can ask questions about how to use the platform securely. Encourage developers to suggest new guardrails or improvements to existing ones. When the team feels like they are part of the security process, they are much more likely to follow the rules and help identify potential vulnerabilities.
Key Takeaways
- Centralization is Key: Control Tower transforms a complex, fragmented multi-account environment into a unified, governed structure. By centralizing management, logging, and identity, you significantly reduce the surface area for potential attacks.
- Guardrails are Your First Line of Defense: Leverage both Preventive (SCPs) and Detective (AWS Config) guardrails to enforce security policies. Preventive rules should be used for critical security boundaries, while detective rules provide visibility into operational compliance.
- Identity Management Matters: Never manage local IAM users in individual accounts. Use IAM Identity Center to federate your identity provider and assign permissions using standardized Permission Sets.
- Auditability is Non-negotiable: The Log Archive and Audit accounts are the most critical components of your landing zone. They ensure that your audit trails are immutable and that your security team has the visibility they need without needing administrative access to every account.
- Automation, but with Oversight: While Control Tower automates the foundation, security is an ongoing process. Supplement your automated guardrails with proactive monitoring (GuardDuty), centralized alerting (Security Hub), and regular human-led security reviews.
- Avoid the "Management Account Trap": Treat your management account as the "keys to the kingdom." Keep it empty of workloads, secure it with multi-factor authentication, and limit access to only a handful of highly trusted individuals.
- Culture Drives Security: Technology is only half the battle. Use the visibility provided by Control Tower to educate your team and build a culture where security is a collaborative effort rather than an obstacle to development.
By following these principles and deeply integrating Control Tower into your operations, you can build a cloud environment that is both highly flexible and incredibly secure. Remember that security is not a destination but a journey of continuous improvement, and Control Tower is the best vehicle for that journey.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons