Building a Multi-Account Environment with AWS Control Tower - Landing Zone and Guardrails

Establish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.

The Role of Control Tower

Control Tower is a service that automatically builds and manages AWS multi-account environments. It creates accounts with Organizations, applies policies with SCPs, monitors compliance with Config, and aggregates logs with CloudTrail, all automatically set up as a landing zone. A multi-account best-practice configuration that would take days to build manually can be completed in just a few hours with Control Tower. The landing zone establishes a baseline of three accounts - a management account, a log archive account, and an audit account - along with auto-created Security and Sandbox OUs. The log archive account aggregates CloudTrail logs and Config logs from all accounts into centralized S3 buckets, while the audit account hosts a Config Aggregator and SNS notifications.

Designing Guardrails

Over 400 guardrails are provided across three tiers: mandatory, strongly recommended, and elective. Preventive guardrails are implemented as SCPs and proactively block prohibited actions. Examples include "prevent changes to CloudTrail settings in the log archive account" and "restrict regions (block operations in unauthorized regions)." Detective guardrails are implemented as Config rules and detect non-compliant configurations with notifications. Examples include "EBS volumes are not encrypted" and "S3 buckets are publicly accessible." Proactive guardrails are implemented as CloudFormation hooks and block the creation of non-compliant resources before they are provisioned. For organization-specific policies, custom guardrails can be defined using SCPs or CloudFormation Guard rules and applied at the OU level just like managed guardrails. Guardrails are applied at the OU level, enabling graduated control - strict preventive guardrails for production OUs, and detective-only guardrails for development OUs.

Account Factory and Customization

Account Factory is an account creation feature integrated with Service Catalog. When developers request an account through self-service, a new account with standardized settings (VPC, subnets, security groups, IAM roles) is automatically provisioned in minutes. Using Customizations for Control Tower (CfCT), you can automatically apply custom CloudFormation templates during account creation. This automates tasks like installing security tools, configuring monitoring agents, and creating standard IAM roles, ensuring a consistent configuration across all accounts. Account Factory Customization (AFC) supports both CloudFormation and Terraform custom templates for standardizing security baselines and network settings. Account Factory for Terraform (AFT) enables managing account creation and customization through Terraform workflows with IaC, achieving GitOps-driven account provisioning. To deepen your operational knowledge of Control Tower, specialized books (Amazon) are a great resource.

Design Best Practices and Pitfalls

For OU design in Control Tower, a layered structure based on workload type (production, staging, development) and security boundaries (networking, shared services, security) is recommended. A typical configuration consists of three layers: Security OU (log archive and audit), Infrastructure OU (networking and shared services), and Workloads OU (production and non-production). A common pitfall is that the landing zone home region cannot be changed after initial setup - the region selection during setup requires careful consideration. Additionally, when guardrail drift detection flags non-compliance, repair operations from the Control Tower dashboard are required; directly editing SCPs manually causes state inconsistencies. Avoid directly modifying Organizations SCPs on accounts under Control Tower-managed OUs - always manage them through the Control Tower console or APIs.

Control Tower Pricing

Control Tower itself incurs no additional charges. Costs come from the AWS services that Control Tower uses internally (Organizations, Config, CloudTrail, S3, SNS). Detective guardrails are implemented as Config rules, so Config evaluation charges (approximately $0.003 per evaluation) apply. Config costs increase with the number of guardrails and accounts, so selectively enable only the guardrails you need rather than enabling all of them uniformly. The VPC and subnet configurations created by Account Factory also affect costs, so minimizing unnecessary automatic resource creation is recommended. For large organizations (100+ accounts), Config evaluation costs can reach several hundred dollars per month, making it important to optimize guardrail scope per OU.

Comparison with Organizations-Only Setup

While it is possible to build a multi-account environment using Organizations and SCPs directly, Control Tower significantly simplifies the process. With Organizations alone, you must manually configure CloudTrail multi-account log aggregation, Config Aggregator setup, log bucket access policies, and baseline application during account creation. Control Tower automates all of this and continuously monitors governance consistency through drift detection. However, Control Tower does have constraints: limited combinations of supported regions, restrictions on nested OU hierarchies, and potential downtime during landing zone updates. If your organization already has a custom governance framework managing SCPs and Config rules entirely through Terraform or CDK, direct Organizations management without Control Tower may provide greater flexibility.

Summary

Control Tower automates the setup and governance of multi-account environments. It automatically builds a best-practice configuration with a landing zone, enforces security policies with guardrails, and standardizes account creation with Account Factory. By combining layered OU design with graduated guardrail application, you can balance security with developer agility. It is an essential foundation as your organization's AWS usage grows.