AWS Control Tower
AWS Control Tower:
AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organisations and accounts in the AWS Cloud.
How it works:
- Setup: Setup the automated AWS control tower to monitor and governance rules of cloud premises.
- Apply guardrails: The second step is to apply the security promises to your cloud account. Like single-sign in and many more through IAM policies.
- Get Visibility: Monitor compliances and resources, have a look in every movement of resources and compliances.
Why should we use Control tower?
- Setup basic practices of AWS environments in a few clicks.
- Standardise account provisions.
- Centralised policy management.
- Enforce governance and compliance proactively.
- Enable end user self services.
- Get continuous visibility of your AWS environment.
Setup an AWS landing zone:
- Landing zone: a pre-configured, secure, scalable, multi-account AWS environment based on the best practice blue-prints.
- Multi-account management using AWS organisation.
- Identity and federated access management using AWS SSO.
- Centralised log archive using AWS cloudtrail and AWS config.
- Cross account audit using AWS IAM and AWS SSO.
- End user account provision using service catalog.
- Centralised monitoring and notifications using AWS cloudwatch and AWS SNS.
Steps Involved:
1. Centralised identity and access:
- AWS SSO provides a default directory for identity.
- AWS SSO enables federated access management across all accounts in your organisation.
- Preconfigured groups (eg. AWS control tower administrator. Auditors. AWS service catalog end users).
- Preconfigured permission sets (e.g admin, read-only, write).
- Option to integrate with your managed or on-premises Active directory (AD).
2. Establish guardrails
- Guardrails are preconfigured governance rules for security, compliance and operations.
- Expressed in simple english to provide abstraction over granular AWS policies.
