AWS Control Tower
# Related Notes
- AWS Wiki
AWS Wiki
AWS Wiki Helpful Links AWS Pricing Calculator AWS Documentation AWS Extend Switch Roles AWS Services AWS Artifact API Gateway AWS AppSync Athena Aurora AWS Backup AWS Batch AWS Cost Explorer AWS Certificate Manager Cloud Map CloudFront CloudHSM CloudEndure Data...
# AWS Control Tower
- Allows quick and easy setup of multi-account environment
- Orchestrates other AWS services to provide this functionality
- Leverages
Organizations, IAM Identity Center (formerly AWS SSO), CloudFormation
AWS Organizations
Related Notes AWS Wiki Organizations AWS Organizations is an account management services that lets you consolidate multiple AWS accounts into an organization that...
, AWS ConfigCloudFormation
Related Notes AWS Wiki Resources CloudFormation Docs CloudFormation User Guide CloudFormation Template Reference CloudFormation CloudFormation begins with a template, which is a document written in JSON or...
and AWS Service CatalogAWS Config
Related Notes AWS Wiki AWS Config Primary function is to record configuration changes over time (configuration items) on resources, and grouping this information...
AWS Service Catalog
Related Notes AWS Wiki AWS Service Catalog AWS Service Catalog enables a (usually internal user) to directly users or customers to deploy infrastructure...
- Landing Zone - multi-account environment
- SSO/ID Federation, Centralized Logging and Auditing
- Guard Rails - Detect/Mandate rules/standards across all accounts
- Config is used under the hood to implement these guardrails
- Account Factory - Automates and Standardizes new account creation
- Basic template is applied (CloudFormation is used under the hood for this)
- Dashboard - single page oversight of the entire environment
# Landing Zone
- Allows for implementation of a Well Architected multi-account environment
- Home Region - The region you initially deploy into
- You can explicitly allow or deny the usage of other regions
- Built with Organizations, Config and CloudFormation
- Security OU - Log Archive & Audit Accounts (CloudTrail & Config Logs)
- Sandbox OU - Test/less rigid security
- You can create other OU’s and Accounts
- IAM Identity Center (AWS SSO) - SSO, multiple accounts, ID Federation (use existing identity stores)
- Monitoring and Notifications - CloudWatch and SNS
- End User account provisioning using Service Catalog
# Guard Rails
- Guardrails are rules - multi-account governance
- Mandatory, Strongly Recommended or Elective
- Preventative - Stop you from doing things (AWS ORG SCP)
- enforced or not enabled
- i.e allow or deny regions or disallow bucket policy changes
- Detective - compliance checks (AWS Config Rules)
- Clear, in violation, or not enabled
- Detect CloudTrail enabled or EC2 Public IPv4
# Account Factory
- Automated Account Provisioning
- Cloud Admins or end users (with appropriate permissions)
- Guardrails - automatically added
- Account admin given to a named user (IAM Identity Center)
- Account & network standard configuartion
- Accounts can be closed or repurposed
- Can be fully integrated with a business SDLC using Account Factory / Control Tower APIs
#aws #aws-sysops