AWS Control Tower: easy multi-account environment setup by orchestrating other AWS services (Organizations, IAM Identity Center, CloudFormation, Config, etc.)
- Landing Zone: multi-account environment
- Account Factory: standardizes new account creation process & automation
- Terraform: Account Factory for Terraform
Creates 2 default OUs
- Sandbox OU: for accounts with less rigid rules and security
- Security OU with 2 default accounts
- Audit Account
- CloudWatch
- SNS
- … any third party tool for auditing
- Log Archive: read-only logging archive account
- AWS Config
- CloudTrail
- Audit Account
- … create Custom OUs
- Account Factory uses CloudFormation & Config to provision new accounts from templates
Home Region: region where Control Tower is initially enabled
Guardrails: governance rules with 3 different levels of recommendation
- Mandatory
- Strongly Recommended
- Elective
Types of guardrail rules
- Preventive: prevent certain actions (AWS Service Control Policy)
- Detective: compliance/best practices (AWS Config rules)
- e.g. Is CloudTrail enabled?
- e.g. Does an EC2 instance have a public IP?
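Added example (not from the original notes): the two guardrail types side by side in Python. The preventive half is a constructed SCP document that denies stopping or deleting CloudTrail trails, with a small matcher that models how a Deny statement blocks an action; the detective half evaluates a constructed EC2 instance list the way the "no public IP" Config rule would, after the fact. The policy text, the instance records and the IP addresses are all made up for illustration; the matcher ignores Resource and Condition, so it is a simplified model of SCP evaluation, not the real engine.

```python
"""Preventive vs detective guardrails, illustrated with constructed data."""
import fnmatch
import json

# --- Preventive guardrail: an SCP attached to an OU (constructed example) ---
# Denies turning off, deleting or altering CloudTrail trails in every member account.
SCP_PROTECT_CLOUDTRAIL = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDisablingCloudTrail",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
            ],
            "Resource": "*",
        }
    ],
}


def scp_denies(policy: dict, action: str) -> bool:
    """Return True if any Deny statement in the SCP matches the IAM action.

    Simplified model: only Effect=Deny statements are considered, Action may be
    a string or list and may use IAM-style wildcards (e.g. "cloudtrail:*");
    Resource and Condition keys are ignored. IAM action names are matched
    case-insensitively, as IAM does.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat in actions):
            return True
    return False


# --- Detective guardrail: a Config-style rule evaluated after the fact ---
# Constructed sample shaped like EC2 DescribeInstances output; IPs are from
# documentation ranges and do not belong to any real host.
SAMPLE_INSTANCES = [
    {"InstanceId": "i-0aaa111", "PublicIpAddress": "203.0.113.10", "PrivateIpAddress": "10.0.1.5"},
    {"InstanceId": "i-0bbb222", "PrivateIpAddress": "10.0.1.6"},
    {"InstanceId": "i-0ccc333", "PublicIpAddress": "198.51.100.7", "PrivateIpAddress": "10.0.2.9"},
]


def evaluate_no_public_ip(instances):
    """Mimic the detective rule: mark each instance COMPLIANT or NON_COMPLIANT."""
    return {
        inst["InstanceId"]: "NON_COMPLIANT" if inst.get("PublicIpAddress") else "COMPLIANT"
        for inst in instances
    }


def noncompliant_instances(instances):
    """Sorted list of instance ids a detective guardrail would flag for remediation."""
    return sorted(
        iid for iid, status in evaluate_no_public_ip(instances).items()
        if status == "NON_COMPLIANT"
    )


if __name__ == "__main__":
    print(json.dumps(SCP_PROTECT_CLOUDTRAIL, indent=2))
    for action in ("cloudtrail:StopLogging", "cloudtrail:LookupEvents"):
        verdict = "denied" if scp_denies(SCP_PROTECT_CLOUDTRAIL, action) else "allowed"
        print(f"{action}: {verdict}")
    print(evaluate_no_public_ip(SAMPLE_INSTANCES))
```

The contrast the notes draw is visible in the two halves: the SCP stops the action before it happens and applies to every account under the OU regardless of the caller's IAM permissions, while the Config-style rule only observes the resulting state and reports drift for someone to remediate.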
Account Factory: automated account provisioning
- requires either admins or users with proper permissions
- Guardrails are automatically applied to new accounts
- Can configure network
- Can close/repurpose accounts
- Enables integration with SDLC