
AWS Control Tower

AWS Control Tower enables us to:

  • Quickly set up and configure a new AWS environment. AWS blueprints can be used to automate the setup; these blueprints capture best practices for AWS configuration.
  • Automate ongoing policy management using guardrails. Service control policies (SCPs) enforce policies, and AWS Config rules detect policy violations.
  • View policy-level summaries of the AWS environment. We can view the guardrails in place and the compliance status of each account against them.

Features of AWS Control Tower:

  • Landing zone:- AWS Control Tower automates the setup of a new landing zone, ensuring security and compliance best practices. Blueprints that are implemented automatically include:
    1. A multi-account environment using AWS Organizations.
    2. Identity management using the AWS SSO default directory.
    3. Federated access to accounts using AWS SSO.
    4. Centralized logging using AWS CloudTrail and AWS Config, stored in S3.
    5. Cross-account security audits using IAM and AWS SSO.
  • Account Factory:- Automates the provisioning of new accounts. It is a configurable template that can be used to standardize new accounts based on a common configuration.
  • Guardrails:- Guardrails are pre-packaged rules for security, operations and compliance that we select and apply enterprise-wide or to particular accounts. Guardrails have two dimensions: a guardrail is either preventive or detective, and either mandatory or optional.
  • Dashboard:- Provides visibility into the AWS environment. We can view OUs, accounts provisioned, active guardrails, the status of OUs and accounts against those guardrails, and noncompliant resources with respect to the enabled guardrails.

Guardrails

Preventive & Detective Guardrails:- Preventive guardrails establish intent and prevent the deployment of resources that don't conform to the defined policies. For example: enable AWS CloudTrail in all accounts.
Detective guardrails, on the other hand, monitor resources. For example: disallow read access for S3 buckets. Guardrails are translated into AWS policies by:

  • Setting up a configuration baseline using AWS CloudFormation.
  • Preventing configuration changes.
  • Detecting configuration changes using AWS Config.
  • Updating guardrail status on the Control Tower dashboard.

Mandatory & Optional Guardrails:- Mandatory guardrails include:

  • Disallow changes to the IAM roles set up for Control Tower.
  • Disallow public read access to the log archive.
  • Disallow policy changes to the log archive.
  • Disallow access to the root user without multi-factor authentication.
  • Enable encryption for Amazon EBS volumes attached to EC2 instances.
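The two guardrail types above work through different mechanisms: a preventive guardrail is an SCP that makes an action impossible regardless of IAM permissions, while a detective guardrail is an AWS Config rule that marks existing resources COMPLIANT or NON_COMPLIANT for the dashboard. The example below, added here and not code from the page or from AWS, models both against constructed data: a simplified SCP evaluator run over a constructed deny-CloudTrail-tampering policy (in the spirit of "enable AWS CloudTrail in all accounts"), and a Config-style check for public read access on a constructed bucket inventory (in the spirit of "disallow public read access to the log archive"). The policy document, bucket ACLs and account IDs are all made up, and the evaluator assumes the default FullAWSAccess SCP is attached so that only Deny statements matter.

```python
"""Illustrative model of preventive (SCP) and detective (AWS Config) guardrails.

Added example, not code from the page or from AWS. The SCP document and the
bucket inventory are constructed and are not Control Tower's managed guardrail
policies; boto3 is deliberately not used so the block runs offline.
"""
import fnmatch
import json

# Constructed SCP in the style of a preventive guardrail: deny actions that
# would stop, alter or delete CloudTrail logging for every principal in the OU.
PREVENTIVE_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, value):
    # IAM action and ARN matching is case-insensitive and supports * and ?.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def scp_allows(policy, action, resource="*"):
    """Simplified SCP evaluation: an explicit Deny matching both the action and
    the resource wins; otherwise the action remains available for IAM to grant.
    Assumption: the default FullAWSAccess SCP is also attached (true unless an
    administrator removes it), so no Allow statement is needed in this policy.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        action_hit = any(_matches(p, action) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource) for p in _as_list(stmt.get("Resource", "*")))
        if action_hit and resource_hit:
            return False
    return True


# Constructed bucket inventory in the shape of S3 GetBucketAcl output, the kind
# of data a detective guardrail's AWS Config rule evaluates. Account ID is fake.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

BUCKETS = {
    "log-archive-111122223333": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    ]},
    "marketing-assets": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
}


def evaluate_public_read(acl):
    """Detective check: NON_COMPLIANT when a public group can read the bucket.
    The result vocabulary is the one AWS Config rules report."""
    for grant in acl["Grants"]:
        grantee = grant["Grantee"]
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS
                and grant["Permission"] in {"READ", "FULL_CONTROL"}):
            return "NON_COMPLIANT"
    return "COMPLIANT"


def compliance_summary(buckets):
    """Per-bucket result plus the noncompliant count the dashboard would roll up."""
    results = {name: evaluate_public_read(acl) for name, acl in buckets.items()}
    noncompliant = sum(1 for status in results.values() if status == "NON_COMPLIANT")
    return results, noncompliant


if __name__ == "__main__":
    for call in ("cloudtrail:StopLogging", "cloudtrail:DescribeTrails", "s3:PutObject"):
        print(f"{call:32} allowed={scp_allows(PREVENTIVE_SCP, call)}")
    results, count = compliance_summary(BUCKETS)
    print(results, "noncompliant:", count)
```

The preventive half fails closed: a Deny in an SCP cannot be overridden by any IAM policy in the member account, which is why Control Tower uses SCPs for its mandatory guardrails. The detective half only reports; remediation of the flagged bucket is a separate step, which matches how Config rules surface on the Control Tower dashboard.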


Author: Amar. Posted on November 11, 2019, last updated September 27, 2020. Categories: AWS. Tags: AWS, AWS Account Management, AWS Control Tower, AWS Governance.
