Accelerating Multi-Account Environments with AWS Control Tower

September 11th,2020

Multi-Account Environments on AWS

Successful IAM ensures cloud users have the control and visibility of the services they need. In a multi-account environment, administrators need to balance security and usability for teams across different environments.

A secure and scalable approach to multi-account environment offers:

- Grouped resources. Services across the development, UAT and production environments can be separated.

- Limited blast radius. Least privilege is granted, therefore reducing the scope of errors or internal attacks.

- Simple user access. All accounts have a baseline level of security and are automatically given authorisation to key resources.

Existing Multi-Account Solutions on AWS

Existing solutions on AWS bring together a variety of interconnected services to offer fine-grained access control, centralised management and visibility over IAM policies.

The AWS Organizations service groups accounts into Organisational Units (OUs) with common IAM access, producing logical boundaries between accounts. This allows businesses to:

- Automate the assignment of IAM policies to accounts.

- Centrally manage accounts, permissions and billing.

- Monitor and audit the environment for compliance.

Basic Organization

Defining a strong IAM configuration, however, requires the use of other services. For example:

- AWS Config defines rules, enforces compliance and monitors IAM changes.

- AWS CloudTrail is a security aid with logging and auditing.

- AWS Service Catalog allows for central management of AWS services.

Further complexities arise implementing best practices and additional business requirements, such as single-sign-on, MFA and monitoring tools.

Introducing AWS Control Tower

AWS Control Tower is a new IAM service which offers an easy way to start building a well-designed multi-account system. As of March 2020, Control Tower is available in the Asia Pacific alongside a range of other selected regions.

Control Tower automatically creates organisational units and shared accounts, as opposed to manually configuring multiple services to establish IAM. It also sets up single-sign-on and recommended guardrails based on best-practice blueprints.

“(Control Tower) automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use. Control Tower incorporates the knowledge that AWS Professional Service has gained over the course of thousands of successful customer engagements...” - Jeff Barr, AWS

The AWS Control Tower dashboard offers a unified interface for adding additional guardrails, automating account processes and gaining visibility into IAM compliance.

Control tower dashboard

Control Tower is set up in just a few clicks. AWS Organizations can be migrated with some additional work enrolling accounts.

With Control Tower established, businesses are provided with policies and limits along with a best-practice configuration that makes them well-placed to manage IAM and security at scale.

On-Demand Tech-Talk: AWS Organisations Advanced Features and Intro to AWS Control Tower

Want to know more? Watch our on-demand tech-talk where we demonstrate the helpful advanced features available within AWS Organisations to help manage security and policies within your AWS environment and give an introduction to AWS Control Tower.

• Managing multi-account AWS environments with AWS Organisations

• AWS Organisations Advanced Searches

• An introduction to AWS Control Tower

Watch on-demand