AWS Control Tower enables us to:
- Quickly set up and configure a new AWS environment. AWS blueprints can be used to automate the setup; these blueprints capture best practices for AWS configuration.
- Automate ongoing policy management using guardrails. We use SCPs to enforce policies and AWS Config rules to detect policy violations.
- View policy-level summaries of the AWS environment. We can view the enabled guardrails and each account's compliance status against those guardrails.
Features of AWS Control Tower:
- Landing zone:- AWS Control Tower automates the setup of a new landing zone, ensuring security and compliance best practices. Blueprints that are implemented automatically include:
  - A multi-account environment using AWS Organizations.
  - Identity management using the AWS SSO default directory.
  - Federated access to accounts using AWS SSO.
  - Centralized logging using AWS CloudTrail and AWS Config, stored in S3.
  - Cross-account security audits using IAM and AWS SSO.
- Account Factory:- Automates the provisioning of new accounts. It is a configurable template that can be used to standardize new accounts according to the chosen configuration.
- Guardrails:- Pre-packaged rules for security, operations and compliance that we select and apply enterprise-wide or to particular accounts. Guardrails have two dimensions: a guardrail is either Preventive or Detective, and either Mandatory or Optional.
- Dashboard:- Provides visibility into the AWS environment. We can view the OUs and accounts provisioned, the guardrails that are active, the status of OUs and accounts against those guardrails, and noncompliant resources with respect to the enabled guardrails.
Guardrails
Preventive & Detective Guardrails:- Preventive guardrails establish intent and prevent deployment of resources that do not conform to the defined policies; for example, enable AWS CloudTrail in all accounts.
Detective guardrails, on the other hand, monitor resources; for example, disallow read access to S3 buckets. Guardrails are translated to AWS policies by:
- Setting up a configuration baseline using AWS CloudFormation.
- Preventing configuration changes.
- Detecting configuration changes using AWS Config.
- Updating the guardrail status on the Control Tower dashboard.
Mandatory & Optional Guardrails:- Mandatory guardrails include:
- Disallow changes to IAM roles set up for Control Tower.
- Disallow public read access to logs.
- Disallow policy changes to the log archive.
- Disallow access to the root user without multi-factor authentication.
- Enable encryption for EBS volumes attached to EC2 instances.
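As an added example (not part of the original notes, and not Control Tower's own policy text), here is the preventive side of the translation above modelled in Python: a constructed SCP for the mandatory guardrail "Disallow changes to IAM roles set up for Control Tower", plus a small evaluator showing how its Deny statement blocks every principal except an assumed AWSControlTowerExecution role. The action list, the aws-controltower-* role pattern and the exempt role name are assumptions for this example.

```python
import fnmatch
from typing import Iterable

# Constructed SCP approximating the mandatory guardrail "Disallow changes to IAM
# roles set up for Control Tower". Actions, role-name pattern and the exempt
# principal are assumptions for this example, not Control Tower's real policy.
CT_ROLE_GUARDRAIL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyChangesToControlTowerRoles",
        "Effect": "Deny",
        "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
                   "iam:DeleteRolePolicy", "iam:DetachRolePolicy", "iam:PutRolePolicy",
                   "iam:UpdateRole", "iam:UpdateAssumeRolePolicy"],
        "Resource": ["arn:aws:iam::*:role/aws-controltower-*"],
        # The Control Tower execution role is exempted so the service can still
        # manage its own roles; every other principal in the account is blocked.
        "Condition": {"ArnNotLike": {
            "aws:PrincipalArn": ["arn:aws:iam::*:role/AWSControlTowerExecution"]}},
    }],
}


def _matches_any(value: str, patterns: Iterable[str]) -> bool:
    """Wildcard match with '*' and '?', as IAM uses; case-sensitive here
    (IAM matches action names case-insensitively, which is not modelled)."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def scp_denies(policy: dict, action: str, resource: str, principal_arn: str) -> bool:
    """True if a Deny statement in the SCP matches the request.

    An SCP never grants anything; a matching Deny blocks the call no matter what
    the principal's own IAM policies allow, which is what makes it a preventive
    guardrail rather than a detective one.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches_any(action, stmt.get("Action", [])):
            continue
        if not _matches_any(resource, stmt.get("Resource", [])):
            continue
        # Only the ArnNotLike condition on aws:PrincipalArn is modelled here.
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalArn", [])
        if exempt and _matches_any(principal_arn, exempt):
            continue  # condition not satisfied, so this Deny does not apply
        return True
    return False
```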