Control Tower

Definition

Control Tower is an AWS service that provides centralized governance for multi-account AWS environments. It automates the setup of a landing zone (management account, Organizations structure, and dedicated log archive and audit accounts) following AWS best practices, and it applies controls, formerly called guardrails, to organizational units (OUs) in AWS Organizations; every account inherits the controls enabled on the OU it sits in. Preventive controls are implemented as service control policies and block the action outright; detective controls are implemented as AWS Config rules and only flag non-compliant resources after the fact, so they reduce exposure only if someone acts on the findings; proactive controls are CloudFormation hooks that reject non-compliant resources at deployment time. Controls are classed as mandatory (always on, cannot be disabled), strongly recommended, or elective; the latter two are enabled per OU by the administrator and are off until someone turns them on.

Secure Settings Example

The fragment below is illustrative; Control Tower has no configuration file of this shape. It expresses the intended state: both checks are treated as mandatory and enabled on every OU, with no account able to opt out.

{
  "AWSControlTower": {
    "Guardrails": [
      {
        "Name": "Disallow S3 Buckets Without Logging",
        "Type": "Mandatory",
        "Description": "Ensures all S3 buckets have logging enabled for security auditing."
      },
      {
        "Name": "Enforce MFA for Console Access",
        "Type": "Mandatory",
        "Description": "Requires multi-factor authentication for all IAM users accessing the AWS Management Console."
      }
    ]
  }
}

Insecure Settings Example

Same illustrative format. In Control Tower an administrator cannot demote a mandatory control, so the realistic insecure state is a strongly recommended or elective control that was never enabled on the OU, or an account moved to an OU where it is not enabled; the effect is what "Optional" stands for here. Note also that the MFA check is a detective control in Control Tower (an AWS Config rule): it reports IAM users without MFA rather than blocking their sign-in, so even when enabled a finding still needs someone to act on it.

{
  "AWSControlTower": {
    "Guardrails": [
      {
        "Name": "Disallow S3 Buckets Without Logging",
        "Type": "Optional",
        "Description": "Allows S3 buckets to be created without logging, potentially missing audit trails."
      },
      {
        "Name": "Enforce MFA for Console Access",
        "Type": "Optional",
        "Description": "Does not enforce multi-factor authentication, increasing the risk of unauthorized access."
      }
    ]
  }
}
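To make the gap between the two fragments concrete, here is an added example (not AWS code or documentation, and not part of the original page) that reads the JSON returned by `aws controltower list-enabled-controls --target-identifier <ou-arn>` for one OU, compares it with a baseline the organization treats as mandatory, and builds the `aws controltower enable-control` commands that would close each gap. All control identifiers, the OU ARN, and the response body are constructed for illustration; confirm the real identifiers in the Control Tower console or control catalog before using them. The sample response is embedded inline so the script runs offline.

```python
"""Control Tower drift check (added example; not AWS code or documentation).

Compares the controls enabled on one OU, as returned by
`aws controltower list-enabled-controls --target-identifier <ou-arn>`,
with a baseline the organization treats as mandatory, and builds the
`enable-control` commands that would close each gap.
"""
import json

REGION = "us-east-1"
CONTROL_ARN_PREFIX = f"arn:aws:controltower:{REGION}::control/"

# Baseline the organization requires on every workload OU.
# The identifiers are assumptions for illustration; confirm real ones
# in the Control Tower console or control catalog before use.
REQUIRED_CONTROLS = {
    "AWS-GR_S3_BUCKET_LOGGING_ENABLED": "Detect S3 buckets without server access logging",
    "AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS": "Detect IAM console users without MFA",
    "AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS": "Disallow access keys for the root user",
}

# Constructed sample shaped like the list-enabled-controls response:
# one baseline control is enabled, one unrelated control is enabled,
# and two baseline controls are missing (the "Optional" state above).
SAMPLE_RESPONSE = json.dumps({
    "enabledControls": [
        {"controlIdentifier": CONTROL_ARN_PREFIX + "AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS"},
        {"controlIdentifier": CONTROL_ARN_PREFIX + "AWS-GR_ENCRYPTED_VOLUMES"},
    ]
})

# Constructed OU ARN in the Organizations format (org id, root id, OU id).
SAMPLE_OU_ARN = "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-examplerootid-exampleouid"


def control_name(control_identifier):
    """'arn:...:control/AWS-GR_X' -> 'AWS-GR_X'."""
    return control_identifier.rsplit("/", 1)[-1]


def enabled_control_names(response_json):
    """Set of short control names from a list-enabled-controls response."""
    data = json.loads(response_json)
    return {control_name(c["controlIdentifier"]) for c in data.get("enabledControls", [])}


def missing_controls(response_json, required=REQUIRED_CONTROLS):
    """Required controls that are not enabled on the OU, sorted for stable output."""
    enabled = enabled_control_names(response_json)
    return sorted(name for name in required if name not in enabled)


def enable_commands(ou_arn, missing, region=REGION):
    """CLI commands that would enable each missing control on the OU.

    Built as strings rather than executed: enabling a control changes SCPs
    or Config rules for every account in the OU, so review before running.
    """
    return [
        f"aws controltower enable-control --region {region} "
        f"--control-identifier arn:aws:controltower:{region}::control/{name} "
        f"--target-identifier {ou_arn}"
        for name in missing
    ]


if __name__ == "__main__":
    gaps = missing_controls(SAMPLE_RESPONSE)
    for name in gaps:
        print(f"MISSING on OU: {name} ({REQUIRED_CONTROLS[name]})")
    for cmd in enable_commands(SAMPLE_OU_ARN, gaps):
        print(cmd)
```

Run it against the real output of `list-enabled-controls` for each OU (for example in a scheduled job in the audit account) and alert on a non-empty result; an empty `enabledControls` list, or a missing key, is treated as "nothing enabled" rather than as an error, so a misconfigured OU shows every baseline control as missing instead of passing silently.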