code for article pfeilbr/aws-control-tower-playground
learn AWS Control Tower
AWS Control Tower provides the easiest way to set up and govern a secure, compliant, multi-account AWS environment based on best practices established by working with thousands of enterprises. With AWS Control Tower, end users on your distributed teams can provision new AWS accounts quickly. Meanwhile your central cloud administrators will know that all accounts are aligned with centrally established, company-wide compliance policies.
Notes
Control Tower is a composition of several existing AWS services:
- AWS SSO - integrates with Microsoft AD, both on-premises and in the cloud (Azure)
- Organizations
- Service Control Policies - central control over the maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control guidelines
- Guardrails - two kinds of guardrails exist: preventive (block the action outright) and detective (notify after the fact when a resource is found to be non-compliant)
  - detective guardrails are implemented as AWS Config rules that monitor resources for compliance
- Service Catalog - self-service provisioning of cloud products
- AWS landing zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices.
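To make the two guardrail kinds above concrete, here is an added example (not code from the pfeilbr/aws-control-tower-playground repository or from AWS) written in plain Python so it runs offline. The first half models the preventive side: a constructed Service Control Policy in the common "deny everything outside approved regions" pattern, plus a small evaluator showing that an SCP only caps what an account's IAM policies could grant and never grants access by itself. The second half models the detective side: the core of an AWS Config rule as a pure function over bucket configuration items, reporting COMPLIANT or NON_COMPLIANT the way a Config evaluation does. The SCP, the region list and the bucket items are constructed samples, and the evaluator only implements the subset of policy semantics (Action/NotAction, StringEquals/StringNotEquals on aws:RequestedRegion) that the sample policy uses.

```python
"""Preventive vs. detective guardrails, illustrated without AWS credentials.

Preventive guardrails are Service Control Policies (SCPs): an SCP never grants
access, it only caps the permissions an account's IAM policies could grant.
Detective guardrails are AWS Config rules that evaluate resources after the
fact and report COMPLIANT / NON_COMPLIANT.
Everything below (policy, regions, bucket items) is a constructed sample.
"""
import fnmatch
import json

# Constructed SCP: FullAWSAccess plus an explicit Deny outside two approved
# regions, with a few global services exempted via NotAction.
REGION_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "FullAWSAccess", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
      "Resource": "*",
      "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "eu-west-1"]}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(action, patterns):
    # IAM action wildcards ("ec2:*", "*") map directly onto fnmatch globs.
    return any(fnmatch.fnmatchcase(action, p) for p in _as_list(patterns))


def _statement_applies(stmt, action, request_region):
    """True when the statement's Action/NotAction and Condition cover the request.
    Only StringEquals / StringNotEquals on aws:RequestedRegion are modelled."""
    if "Action" in stmt and not _action_matches(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _action_matches(action, stmt["NotAction"]):
        return False
    for op, kv in stmt.get("Condition", {}).items():
        regions = _as_list(kv.get("aws:RequestedRegion", []))
        if op == "StringEquals" and request_region not in regions:
            return False
        if op == "StringNotEquals" and request_region in regions:
            return False
    return True


def scp_permits(policy, action, request_region):
    """SCP evaluation: an applicable explicit Deny wins; otherwise an Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, request_region):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def effective_access(policy, iam_allows, action, request_region):
    """The action is effective only when the account's IAM policy allows it AND
    the SCP permits it: the SCP defines the maximum, it grants nothing itself."""
    return iam_allows and scp_permits(policy, action, request_region)


# Detective guardrail: constructed configuration items shaped like Config's
# S3 bucket items, carrying the Block Public Access settings.
PAB_FLAGS = ("blockPublicAcls", "ignorePublicAcls", "blockPublicPolicy", "restrictPublicBuckets")
SAMPLE_CONFIG_ITEMS = [
    {"resourceType": "AWS::S3::Bucket", "resourceId": "app-logs-bucket",
     "supplementaryConfiguration": {"PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "marketing-assets",
     "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
         "blockPublicAcls": True, "ignorePublicAcls": False,
         "blockPublicPolicy": False, "restrictPublicBuckets": False}}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "legacy-bucket",
     "supplementaryConfiguration": {}},  # no Block Public Access configured at all
]


def evaluate_public_access_block(item):
    """Config-style evaluation: COMPLIANT only when all four Block Public Access
    settings are enabled; buckets with none configured are NON_COMPLIANT too."""
    result = {"ComplianceResourceType": item["resourceType"],
              "ComplianceResourceId": item["resourceId"]}
    if item["resourceType"] != "AWS::S3::Bucket":
        return {**result, "ComplianceType": "NOT_APPLICABLE"}
    pab = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration", {})
    missing = [f for f in PAB_FLAGS if not pab.get(f, False)]
    result["ComplianceType"] = "COMPLIANT" if not missing else "NON_COMPLIANT"
    result["Annotation"] = "" if not missing else "disabled: " + ", ".join(missing)
    return result


def non_compliant_buckets(items):
    """Resource ids a detective guardrail would raise a notification for."""
    return [e["ComplianceResourceId"] for e in map(evaluate_public_access_block, items)
            if e["ComplianceType"] == "NON_COMPLIANT"]


if __name__ == "__main__":
    print("ec2 in us-east-1:", scp_permits(REGION_SCP, "ec2:RunInstances", "us-east-1"))
    print("ec2 in ap-south-1:", scp_permits(REGION_SCP, "ec2:RunInstances", "ap-south-1"))
    print("SCP allows but IAM does not:", effective_access(REGION_SCP, False, "ec2:RunInstances", "us-east-1"))
    print("non-compliant buckets:", non_compliant_buckets(SAMPLE_CONFIG_ITEMS))
```

The point worth keeping in mind from the first half is the `effective_access` check: a permissive SCP combined with an empty IAM policy still yields no access, which is why SCPs are described as controlling the maximum available permissions rather than granting any. The second half shows why detective guardrails are "after the fact": the rule can only classify a bucket that already exists and leave a finding, not stop its creation.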
Resources
- AWS Control Tower Documentation
- AWS re:Inforce 2019: Using AWS Control Tower to Govern Multi-Account AWS Environments (GRC313-R) (video)
- Using AWS Control Tower to govern multi-account AWS environments at scale - GRC313-R - AWS re:Inforce 2019 (slides)
- AWS Control Tower is now generally available