Control Tower Governance
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Security Foundations and Governance: Mastering Control Tower
Introduction: The Necessity of Multi-Account Governance
In the early days of cloud adoption, many organizations began their journey with a single account. This approach worked well for small projects or proof-of-concept environments. However, as organizations grow, the need for isolation—both for security and billing purposes—becomes paramount. Managing dozens or hundreds of individual cloud accounts manually leads to "configuration drift," where security settings vary wildly between accounts, creating massive blind spots for security teams.
Control Tower serves as the foundational service for managing a multi-account environment. It acts as an orchestrator, automating the setup of a landing zone that adheres to industry-standard security and compliance best practices. Without a centralized governance tool, you would be forced to manually apply policies across every account, a process that is prone to human error and scaling failures.
Understanding Control Tower is not just about learning a specific tool; it is about adopting a philosophy of "Governance as Code." By centralizing your identity management, logging, and security guardrails, you ensure that every new account added to your organization starts from a position of strength. This lesson will guide you through the architectural principles, configuration steps, and operational best practices required to secure a multi-account environment effectively.
1. The Architecture of a Landing Zone
Before diving into the mechanics of Control Tower, we must define the "Landing Zone." A landing zone is a well-architected, multi-account environment that serves as the starting point for your cloud deployments. It provides the necessary plumbing—networking, identity, and security logging—that every application team needs to operate safely.
Control Tower creates this environment by leveraging several core cloud services, including Organizations, Service Control Policies (SCPs), and CloudTrail. When you launch a landing zone, Control Tower automatically organizes your accounts into a hierarchical structure using Organizational Units (OUs).
The Organizational Structure
The hierarchy is the backbone of your governance strategy. By grouping accounts into OUs, you can apply policies to entire segments of your business simultaneously.
- Core OU: This contains your shared services accounts. It typically houses your logging account (for audit trails) and your security account (for central monitoring).
- Sandbox OU: This is for experimentation. Developers can have full access here, but you can apply strict policies to prevent them from accessing production data or exceeding specific budget limits.
- Workload OU: This contains the production, staging, and development accounts for your actual applications.
Callout: The "Logging" and "Security" Distinction A common point of confusion is why you need separate accounts for logging and security. The Logging Account serves as an immutable repository for audit logs. The Security Account is where you run your security analysis tools, such as threat detection engines. Keeping these separate ensures that if one account is compromised, the audit trail remains intact and untouched.
2. Implementing Guardrails: The Engine of Governance
Guardrails are the high-level rules that Control Tower applies to your environment. They act as automated safety nets, preventing users from performing actions that would violate your security policies. Guardrails are categorized into two types: Preventive and Detective.
Preventive Guardrails
Preventive guardrails use Service Control Policies (SCPs) to stop an action before it happens. For example, you might create a guardrail that prevents anyone from disabling CloudTrail in any account. Because this is applied at the OU level, even an administrator of a member account cannot override this restriction.
Detective Guardrails
Detective guardrails use managed rules to monitor your accounts for non-compliance. If someone performs an action that violates a policy—such as creating an unencrypted S3 bucket—the detective guardrail will trigger an alert. This allows security teams to respond to issues in real-time without necessarily blocking the developer's workflow.
How to Apply a Guardrail
- Navigate to the Control Tower dashboard.
- Select "Guardrails" from the left-hand navigation pane.
- Browse the library of pre-packaged policies.
- Select the desired guardrail and click "Enable."
- Choose the Organizational Unit (OU) where you want the guardrail to be active.
Tip: Start with "Detective" guardrails for new environments to avoid breaking existing workflows. Once you have a clear understanding of what your teams need to do, transition to "Preventive" guardrails to enforce strict compliance.
3. Account Factory: Scaling Onboarding
One of the most difficult challenges in a multi-account environment is ensuring that every new account is created with the same security baseline. The "Account Factory" feature in Control Tower solves this by providing a standardized blueprint for account creation.
When you use the Account Factory, you are not just creating an empty shell. You are provisioning an account that is already joined to your directory service, has logging enabled, and is subject to the guardrails you defined for its OU.
Step-by-Step: Provisioning an Account
- Select the Account Factory: In the Control Tower console, select "Account Factory."
- Define Account Details: Enter the account name, email address (must be unique), and the AWS SSO user email.
- Choose the OU: Select the Organizational Unit where the account should reside.
- Provision: Click "Create Account." Control Tower will now trigger the automation to build the account, join it to the organization, and apply the baseline configurations.
Note: The email address used for the account must be unique and not currently associated with another cloud account. Many teams use email aliases (e.g.,
[email protected]) to manage this efficiently.
4. Identity and Access Management (IAM) Integration
Control Tower integrates natively with your identity provider to manage how users log in. By centralizing identity, you ensure that you can revoke access for an employee across the entire organization with a single action.
The Role of AWS IAM Identity Center
Control Tower automatically sets up the IAM Identity Center (formerly known as SSO). This allows you to manage users and groups in one place and assign them permissions across multiple accounts. Instead of creating local IAM users in every account—which is a security nightmare—you assign a user to a "Permission Set."
A Permission Set is essentially a collection of policies that defines what a user can do. For example, you might have a "ReadOnly" set and a "PowerUser" set. When you assign a user to the "PowerUser" set in the "Production" account, they get those permissions instantly.
Best Practices for Permission Sets
- Principle of Least Privilege: Always start with the most restrictive policy possible.
- Avoid AdministratorAccess: Even for developers, rarely should they have full
AdministratorAccessin production. Use managed policies that limit access to specific services. - Regular Audits: Periodically review which users have access to which accounts and remove any permissions that are no longer needed.
5. Security Logging and Monitoring
A multi-account environment generates a massive volume of logs. If these logs are scattered across individual accounts, they are useless for security analysis. Control Tower mandates that all logs be centralized.
Centralized Logging Architecture
When you set up Control Tower, it creates a dedicated "Log Archive" account. Every CloudTrail and Config log from every account in your organization is automatically forwarded to an S3 bucket in this account. This bucket is locked down with strict policies, ensuring that even if an attacker gains control of a member account, they cannot delete the audit logs.
Analyzing the Data
While storing the logs is the first step, analyzing them is where the actual security work happens. You should integrate your log archive with a security information and event management (SIEM) tool or a native analysis service. By querying these logs, you can identify patterns such as:
- Failed login attempts across multiple accounts.
- Unauthorized attempts to modify security groups.
- Data exfiltration attempts from S3 buckets.
6. Common Pitfalls and How to Avoid Them
Even with a tool as powerful as Control Tower, there are common mistakes that can undermine your security posture. Avoiding these requires a proactive approach to governance.
Pitfall 1: "Shadow" Accounts
Users often create accounts outside of the Control Tower managed organization to avoid restrictions.
- The Fix: Use SCPs to restrict the ability of users to create new accounts or join existing accounts to other organizations. Regularly scan for rogue accounts using the organization's API.
Pitfall 2: Over-reliance on "Administrator" Permissions
It is easy to assign AdministratorAccess to everyone to avoid "permission denied" errors.
- The Fix: Invest the time to build custom IAM policies that match the actual job functions of your teams. If a developer only needs to manage Lambda functions, do not give them access to the entire network stack.
Pitfall 3: Ignoring "Detective" Guardrail Alerts
If your dashboard is full of "Non-compliant" statuses, teams will eventually stop paying attention to them.
- The Fix: Treat security alerts like application bugs. If a guardrail is triggering, fix the underlying configuration or update the guardrail to be more permissive if it is not actually serving a security purpose.
Pitfall 4: Manual "Hotfixes"
When a production issue occurs, it is tempting to go into the console and manually change a security group or an IAM role. This creates configuration drift.
- The Fix: All changes should be made through your infrastructure-as-code (IaC) pipeline. If you fix it manually, it will be overwritten or forgotten, and your documentation will no longer match reality.
7. Operationalizing Governance: The Workflow
To make Control Tower effective, you need a defined process for how your organization interacts with it. This is not just a "set it and forget it" tool; it requires ongoing participation from your cloud engineering and security teams.
The Lifecycle of a Workload
- Request: A project team requests a new account.
- Provision: The platform team uses the Account Factory to create the account in the appropriate OU.
- Baseline: The account inherits the guardrails of the OU.
- Deployment: The team deploys their application using an automated CI/CD pipeline.
- Audit: The security team reviews the logs in the Log Archive account to ensure the application is behaving as expected.
- Decommission: When the project ends, the account is closed, and all resources are purged, ensuring no orphaned infrastructure remains.
Comparison: Manual vs. Control Tower Governance
| Feature | Manual Management | Control Tower |
|---|---|---|
| Account Creation | Manual, inconsistent | Automated, standardized |
| Policy Application | Per-account, error-prone | OU-based, centralized |
| Logging | Scattered, hard to audit | Centralized, immutable |
| Drift Detection | None | Automated monitoring |
| Scalability | Low | High |
8. Advanced Configuration: Customizing Guardrails
While the built-in guardrails cover many common scenarios, your organization may have unique regulatory requirements that aren't addressed out of the box. Control Tower allows you to create custom guardrails using AWS Config.
Creating a Custom Guardrail
- Define the Rule: Write an AWS Config rule (using Python or specific policy languages) that defines what "non-compliant" looks like.
- Deploy the Rule: Deploy the rule to the relevant OUs.
- Monitor: Use the Control Tower dashboard to track compliance across your organization.
Example: Custom Guardrail for Tagging
If your organization requires every resource to have an Owner tag, you can write a custom Config rule.
# Simplified logic for a custom Config rule
def evaluate_compliance(resource):
tags = resource.get('tags', {})
if 'Owner' in tags:
return 'COMPLIANT'
return 'NON_COMPLIANT'
This code would be wrapped in a Lambda function that Config triggers every time a resource is created or modified. If the Owner tag is missing, the resource is marked as non-compliant, and you can even set up an automated remediation action to delete the resource or tag it with a default value.
9. Best Practices for Long-Term Success
Governance is a journey, not a destination. To ensure your Control Tower implementation remains effective over time, follow these industry-standard best practices:
- Treat the Landing Zone as Infrastructure: Store all your Control Tower configurations in a version-controlled repository. This allows you to track changes, perform peer reviews on policy updates, and roll back if a change causes unintended outages.
- Automate Everything: If you find yourself doing a task more than twice, automate it. This applies to account provisioning, user access requests, and even responding to common security alerts.
- Communication is Key: Governance should not be a "black box." Ensure that developers understand why certain guardrails exist. If they understand that a guardrail is there to protect them from a data breach, they are more likely to support it than if they see it as an arbitrary roadblock.
- Regular Compliance Reviews: Schedule quarterly reviews of your OUs and guardrails. As your business changes, your security needs will change. Old guardrails may become obsolete, and new threats may require new policies.
- Focus on Visibility: The dashboard in Control Tower is your primary view into the health of your organization. Make it a habit to check it daily. If you see an increase in non-compliance, address it immediately rather than waiting for a monthly audit.
10. Frequently Asked Questions
Q: Can I move an existing account into Control Tower? A: Yes, you can "enroll" existing accounts into your landing zone. However, be careful: enrolling an account will apply the OU's guardrails immediately. This can cause existing resources to suddenly become "non-compliant" or even break them if you have strict preventive guardrails. Always test this in a non-production OU first.
Q: What happens if I hit a guardrail? A: If you trigger a preventive guardrail, the cloud platform will deny your request with an "Access Denied" error. If you trigger a detective guardrail, your action will succeed, but a non-compliance event will be logged in the dashboard.
Q: How do I handle emergency access? A: You should avoid "break-glass" accounts if possible. Instead, use a temporary "Elevated Access" request process where a user can request higher permissions for a limited time, which is then automatically revoked.
Q: Does Control Tower cost extra? A: Control Tower itself is a free orchestrator. However, you will pay for the underlying services it creates, such as CloudTrail logs, Config rules, and the resources within the accounts you provision.
Key Takeaways
- Centralization is Mandatory: In a multi-account environment, you cannot manage security on a per-account basis. Control Tower provides the centralized control plane necessary to maintain consistent security policies.
- Governance as Code: Use the organizational structure and guardrails to codify your security requirements. This reduces human error and ensures that every account, regardless of when it was created, adheres to the same standards.
- The Power of OUs: Use Organizational Units to segment your business logic. By applying policies at the OU level, you can tailor the security posture to the needs of the workload (e.g., stricter for production, more flexible for sandboxes).
- Logging is Non-Negotiable: A secure environment is useless if you cannot audit it. The centralized log archive is the most important component of your disaster recovery and incident response strategy.
- Automation of Onboarding: The Account Factory is your best tool for scaling. By standardizing the way new accounts are created, you eliminate "configuration drift" before it even starts.
- Iterative Improvement: Governance is not a static setup. You must continuously monitor your guardrails, review your logs, and adjust your policies as your organization evolves and new threats emerge.
- Culture Matters: Security is a shared responsibility. Ensure that your developers understand the "why" behind the guardrails to build a culture of security rather than a culture of compliance.
By mastering Control Tower, you move from a reactive security posture—where you are constantly chasing down misconfigurations—to a proactive one, where your infrastructure is designed to be secure by default. This transition is the hallmark of a mature cloud organization.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons