You are looking to get into AWS for the first time, you may know a bit about platform architecture such as Regions, Availability Zones, EC2, S3, VPN's etc but you may not know that there is a whole other space around procurement, billing, and AWS account, organization and OU structure that needs to be considered as part of any enterprise-grade service, especially at scale.
Here are some useful resources to get you started down that path.
Both Control Tower and Landing Zone help set up and manage secure multi-account AWS environments. Which one should customers use? Let's take a closer look and figure out together.
AWS Landing Zone and AWS Control Tower help set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Both consist of core accounts and resources which will implement an initial security baseline. The following table compares the managed service (AWS Control Tower) with the solution (AWS Landing Zone).
This article also includes some great references
Landing zones have traditionally been how enterprises would address this concern, as they use a best practice security approach to help ensure the safe setup of AWS accounts. Yet, with the introduction of AWS Control Tower, enterprises may consider migrating from AWS Landing Zone to AWS Control Tower. Today we’ll walk you through why you might want to migrate, but first, we’ll start with a little background.
Amazon knows that when you have multiple AWS accounts, it can be hard to manage, control and secure all of them in one go. Enter AWS Control Tower. It combines power and simplicity, making it easy to set up, govern and secure your multiple accounts using built-in services from AWS like AWS Organizations, AWS Service Catalog, AWS Single Sign-on, AWS IAM, AWS Config, AWS Cloudtrail, and more. This combination of services makes life easy and secure for your AWS accounts. You can also provision new accounts very quickly using the Control Tower dashboard with limited steps. Last, it also provides built-in guardrails to protect your accounts.
We are currently rolling out AWS Landing Zone but i have been seeing that Control Tower is essentially a service offering for Landing Zone and should be out soon. I was just wondering if anyone is testing one or the other and has any input. We are definitely going to use one or the other to execute our multi account…
You may have heard of AWS Control Tower, AWS Organizations and AWS Service Catalog – but what are these services and how do they integrate with one another? What are the benefits of leveraging Control Tower and the underlying services? If you’re interested to learn more, please read on and we’ll answer these questions and more below.
What Is AWS Control Tower?
AWS Control Tower automates the ‘ at scale’ build out of a multi account structure on AWS. For large companies migrating to AWS, it makes sense to have a multi account architecture, as different business functions will have different access requirements, compliance requirements and so on – these functions can be segregated easily between accounts. With AWS Control Tower, administrators can set up a new multi-account environment with a single click in the AWS Management Console.
AWS Control Tower creates an orchestration layer for other AWS services including AWS Organizations, AWS Service Catalog and AWS Single Sign-on – this Orchestration layer makes it easier for administrators who are managing more than a handful of AWS accounts.
Many years ago, I was working in a company where everything had to be created from scratch. Defining the requirements, designing the Rack, configuring the firewall, routers, and storage to be able to save data, defining user management, how to create all the infrastructure, and the list went on and on. This was a definitive infrastructure that hosted all customers and then managed them. Today, the way of thinking and drawing the entire infrastructure has changed. It has become much simpler thanks to flexibility and automation tools, but many of the requirements are the same.
When we start thinking about AWS and what customers want to do on AWS, we need to first think about requirements to better understand what the customers need. For example, which is the right service to use? What about security, governance, and baseline? How many accounts should I create for my customer based on own use cases? How many users, groups, and what permissions should they have?
Let me introduce you to the concept of a Landing Zone and Control Tower, and why they work well together.
After looking at alternatives, I'm very heavily leaning toward AWS Control Tower Landing Zone, but I had some burning questions. I can't seem to find too much relevant or recent documentation on this. The landing zone pattern vs AWS Landing Zone vs AWS Control Tower Landing Zone definitely contributes to the confusion! I've read, for example, that you shouldn't…
I'm looking into the best way to manage a relatively small number (<50) of AWS accounts in an organization. AWS is trying to push for Control Tower or Landing Zone, but I'm not sure of the added-value compared to Terraform.
More precisely, I've PoC'ed managing the following with Terraform:
- Master account: Organization, children accounts, OUs, service control policies, tagging…
I've started working with an organization that's only just getting their feet wet with AWS. A couple weeks before I came on board they started using Control Tower to manage multiple accounts and provision access to them. They're happy with it, and it seems relatively user friendly, but I have concerns about potential issues that could pop up long term…
I've been looking at using AWS Control Tower for the past few days. From what I'm reading with their documentation, you need a new AWS account to then launch service.
I already have an existing multi-account infrastructure so would I be able to add these accounts to the new org?