AWS Control Tower のアイコン

AWS Control Tower Popular2019年〜

A service that automates multi-account environment setup and governance

About 3 min read

What It Does

AWS Control Tower is a service that sets up a multi-account AWS environment following best practices and continuously applies governance. It automatically builds a landing zone (a secure, standardized multi-account environment) and controls operations in each account using guardrails (preventive and detective policies). Pre-defined policies are automatically applied when new accounts are created.

Use Cases

Control Tower is used when organizations expand their AWS usage and need to safely create and manage separate accounts for each department. For example, it is used to create dedicated accounts for development teams, production environments, and security teams, and to apply common security policies (such as restricting usage to specific regions or requiring MFA for root users) across all accounts at once.

Everyday Analogy

Think of it like a franchise headquarters. Each store (AWS account) operates independently, but the headquarters (Control Tower) sets unified standards for store setup procedures, interior design, and hygiene rules. When a new store opens, it is automatically set up according to the headquarters' manual, and any operations that violate the rules are detected and corrected.

What Is Control Tower?

AWS Control Tower is a service for securely and efficiently managing multiple AWS accounts. AWS best practices recommend separating AWS accounts by workload or environment. However, as the number of accounts grows, maintaining unified security policies and compliance becomes challenging. Control Tower solves this problem by automating governance for multi-account environments.

Landing Zone

A landing zone is the foundation of the multi-account environment that Control Tower builds. During setup, it automatically configures an organizational structure with AWS Organizations, a log archive account, an audit account, and single sign-on through IAM Identity Center. You then add accounts for departments or projects on top of this foundation.

Guardrails

Guardrails are policies applied to each account. Preventive guardrails block prohibited operations from being executed in the first place (e.g., preventing resource creation in regions other than those specified). Detective guardrails detect states that violate policies and send notifications (e.g., when public access is enabled on an S3 bucket). They are offered in three tiers - mandatory, strongly recommended, and elective - so you can select guardrails that match your organization's requirements. For practical know-how on guardrails, related books on Amazon are also a great resource.

Getting Started

To get started with Control Tower, run "Set up landing zone" in the Control Tower console. Select a home region and configure the log archive and audit account settings, and the landing zone will be built in approximately 60 minutes. After that, creating new accounts through Account Factory automatically provisions them with guardrails already applied.

Things to Watch Out For

  • Control Tower setup takes approximately 60 minutes, during which you should not perform other operations. Interrupting the setup may leave the environment in an inconsistent state
  • Control Tower internally uses multiple services including Config, CloudTrail, and Organizations, so charges for those services will apply
  • When introducing Control Tower to an existing AWS Organizations environment, verify compatibility with your existing account structure beforehand
共有するXB!

Related Services

AWS Organizations iconAWS OrganizationsA service for centrally managing multiple AWS accountsAWS Config iconAWS ConfigA service that records and evaluates AWS resource configuration changes and continuously monitors complianceAWS CloudTrail iconAWS CloudTrailA service that records and monitors API activity in your AWS accountAWS IAM Identity Center iconAWS IAM Identity CenterA service that provides single sign-on to multiple AWS accounts and SaaS applications

Related Articles

Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsAutomatically build a best-practice multi-account environment and maintain continuous compliance with over 400 guardrails. Learn extension techniques using Account Factory and Customizations for Control Tower.Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.Multi-Account Management - Organization-Wide Governance with AWS Organizations and RAMLearn how to deploy CloudTrail, Config, GuardDuty, and Security Hub across all accounts using the Organizations delegated administrator model, achieving unified security and compliance management.Multi-Account Management with AWS Organizations - OU Design and Governance with SCPsEstablish governance for multi-account environments through OU hierarchy design and SCP-based access control. Also covers cost management with consolidated billing.

More in This Category

AWS AppFabric iconAWS AppFabric NewA service that standardizes and aggregates audit logs from SaaS applicationsAWS AppConfig iconAWS AppConfig SpecializedA service for safely deploying and managing application configurationAWS Chatbot iconAWS Chatbot SpecializedAn interactive agent that delivers AWS notifications and enables resource operations through Slack and Microsoft TeamsAWS CloudFormation iconAWS CloudFormation EssentialAn IaC service that defines and provisions AWS resources as code using templatesAWS CloudTrail iconAWS CloudTrail EssentialA service that records and monitors API activity in your AWS accountAmazon CloudWatch iconAmazon CloudWatch EssentialA service that provides monitoring, log management, and alarms for AWS resources and applicationsAWS Config iconAWS Config PopularA service that records and evaluates AWS resource configuration changes and continuously monitors complianceAmazon CloudWatch RUM iconAmazon CloudWatch RUM NewA real user monitoring service that collects client-side performance and error data from web applications

Similar Articles and Services

Building a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsEstablish governance for your multi-account environment with automated landing zone construction and guardrail-based policy enforcement. Also covers automated account creation with Account Factory.AWS Control TowerA service that automates the setup and governance of multi-account AWS environments, centrally managing security and compliance baselinesBuilding a Multi-Account Environment with AWS Control Tower - Landing Zone and GuardrailsAutomatically build a best-practice multi-account environment and maintain continuous compliance with over 400 guardrails. Learn extension techniques using Account Factory and Customizations for Control Tower.AWS Multi-Account Governance - Organizational Control with Organizations, Control Tower, and SCPsThis article examines the multi-account governance mechanisms centered on AWS Organizations, Control Tower, and SCPs (Service Control Policies), comparing them with Azure Management Groups to explain the differences in enterprise governance design capabilities.Multi-Account Strategy and AWS Organizations - The Optimal Approach to Cloud GovernanceEstablish security boundaries and optimize cost allocation through OU hierarchy design and SCP governance controls in Organizations. This article covers the full picture of multi-account operations, including Control Tower guardrails and consolidated billing.