Operations Management

Building a Multi-Account Environment with AWS Control Tower - Landing Zone and Guardrails

Automatically build a best-practice multi-account environment and maintain continuous compliance with over 400 guardrails. Learn extension techniques using Account Factory and Customizations for Control Tower.

約 3 分で読めます

Overview of Control Tower

Control Tower is a service that automates the setup and governance of multi-account environments. It manages accounts with Organizations, enforces security policies with guardrails, and standardizes account provisioning with Account Factory. Building a landing zone automatically sets up a best-practice multi-account configuration that includes a log archive account and an audit account.

Guardrails and Account Factory

Preventive guardrails use SCPs (Service Control Policies) to enforce prohibited actions. Examples include "prevent disabling CloudTrail" and "prevent public access to S3 buckets." Detective guardrails use Config rules to detect non-compliant resources and display them on the dashboard. Account Factory is a Service Catalog-based account creation workflow that provisions accounts with VPC settings, IAM roles, and guardrails automatically applied in minutes. Customizations (CfCT) apply additional CloudFormation templates during account creation, automating tasks like security tool installation and log configuration.

Customizations and AFT

Account Factory Customization (AFC) automatically applies custom templates (CloudFormation, Terraform) during account creation, standardizing security baselines, network configurations, and IAM roles. Account Factory for Terraform (AFT) is a Terraform-based account provisioning pipeline that manages account configurations through a GitOps workflow. Control Tower's landing zone is periodically updated with new guardrails and region support. Custom guardrails can be defined using SCPs or CloudFormation Guard rules to enforce organization-specific policies. For a comprehensive study of multi-account management, refer to technical books (Amazon).

Control Tower Pricing

Control Tower itself incurs no additional charges. Costs depend on the underlying services (Organizations, CloudTrail, Config, S3). Config rule evaluations from guardrails are billed as Config charges. Since CloudTrail trails and Config recording are enabled for each managed account, these costs accumulate as the number of accounts grows. Manage costs by disabling unnecessary guardrails and limiting Config recording to only the resource types you need.

Summary

Control Tower automates multi-account environment governance through landing zones and guardrails. Account Factory standardizes account provisioning, and AFT enables Terraform-based GitOps workflows. Preventive guardrails (SCPs) and detective guardrails (Config rules) enforce security policies across the entire organization.

Related Services

AWS Control TowerA service that automates multi-account environment setup and governanceAWS OrganizationsA service for centrally managing multiple AWS accountsAWS IAM Identity CenterA service that provides single sign-on to multiple AWS accounts and SaaS applications

Related Articles

Multi-Account Management with AWS Organizations - OU Design and Governance with SCPsEstablish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.Centralized Security Posture Management with AWS Security Hub - Aggregating Findings and Automated ResponseAggregate findings from GuardDuty, Inspector, and Macie using ASFF, quantify your security score through automated security standard evaluations, and set up automated remediation via EventBridge.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.

More on This Topic

How AWS Keeps Time Internally - Amazon Time Sync Service and Leap Second Smearing DesignLearn how Amazon Time Sync Service works, how GPS and atomic clocks provide high-precision time sources, the design decision to absorb leap seconds through smearing, and why time synchronization matters in distributed systems.Centralizing SaaS Audit Logs with AWS AppFabric - OCSF Standardization and Security Lake IntegrationLearn how AppFabric collects audit logs from SaaS applications, standardizes them to OCSF format, and builds analysis pipelines.Implementing Feature Flags with AWS AppConfig - Safe Configuration Deployment and RollbackRoll out configuration changes independently from code deployments using Linear and Exponential strategies. Ensure safety with automatic rollback triggered by CloudWatch alarms.Architecture Review - Systematically Evaluate Workloads with the AWS Well-Architected ToolLearn about architecture reviews using the AWS Well-Architected Tool. Covers evaluation based on the six pillars, improvement planning, and custom lens usage.Audit Log Design and Operations - Complete API Activity Recording with CloudTrailLearn how to design audit logs using AWS CloudTrail, including recording API activity, long-term storage in S3, and compliance automation through integration with AWS Config.Lessons from AWS Incident Reports (COE) - How Past Major Outages Shaped Design PrinciplesAnalyze the root causes of past major incidents including the S3 outage, us-east-1 DNS failure, and Kinesis outage from AWS's published Correction of Errors (COE) and incident reports, and explain how they changed AWS's design principles.Tag Design Determines Operations - Trivia and Practical Naming Conventions for AWS Resource Tagging StrategyWe explain why AWS resource tags are not just labels but the foundation for cost allocation, access control, and automation, covering tag key naming conventions, how to use the 50-tag limit, and governance through tag policies.Why AWS Service Quotas Exist - Multi-Tenant Design That Protects Shared InfrastructureExplain how AWS service quotas (formerly service limits) are not mere restrictions but a design to protect other customers in a multi-tenant environment, covering the noisy neighbor problem, soft vs hard limits, and what happens behind quota increase requests.

Similar Articles and Services

Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.AWS Control TowerA service that automates the setup and governance of multi-account AWS environments, centrally managing security and compliance baselinesAWS Multi-Account Governance - Organizational Control with Organizations, Control Tower, and SCPsThis article examines the multi-account governance mechanisms centered on AWS Organizations, Control Tower, and SCPs (Service Control Policies), comparing them with Azure Management Groups to explain the differences in enterprise governance design capabilities.Multi-Account Strategy and AWS Organizations - The Optimal Approach to Cloud GovernanceEstablish security boundaries and optimize cost allocation through OU hierarchy design and SCP governance controls in Organizations. This article covers the full picture of multi-account operations, including Control Tower guardrails and consolidated billing.