AWS Control Tower

AWS Control Tower:

AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organisations and accounts in the AWS Cloud.

How it works:

  1. Setup: Setup the automated AWS control tower to monitor and governance rules of cloud premises.
  2. Apply guardrails: The second step is to apply the security promises to your cloud account. Like single-sign in and many more through IAM policies.
  3. Get Visibility: Monitor compliances and resources, have a look in every movement of resources and compliances.

Why should we use Control tower?

  1. Setup basic practices of AWS environments in a few clicks.
  2. Standardise account provisions.
  3. Centralised policy management.
  4. Enforce governance and compliance proactively.
  5. Enable end user self services.
  6. Get continuous visibility of your AWS environment.

Setup an AWS landing zone:

  1. Landing zone: a pre-configured, secure, scalable, multi-account AWS environment based on the best practice blue-prints.
  2. Multi-account management using AWS organisation.
  3. Identity and federated access management using AWS SSO.
  4. Centralised log archive using AWS cloudtrail and AWS config.
  5. Cross account audit using AWS IAM and AWS SSO.
  6. End user account provision using service catalog.
  7. Centralised monitoring and notifications using AWS cloudwatch and AWS SNS.

Steps Involved:

1. Centralised identity and access:

  1. AWS SSO provides a default directory for identity.
  2. AWS SSO enables federated access management across all accounts in your organisation.
  3. Preconfigured groups (eg. AWS control tower administrator. Auditors. AWS service catalog end users).
  4. Preconfigured permission sets (e.g admin, read-only, write).
  5. Option to integrate with your managed or on-premises Active directory (AD).

2. Establish guardrails

  1. Guardrails are preconfigured governance rules for security, compliance and operations.
  2. Expressed in simple english to provide abstraction over granular AWS policies.

Comments are closed