AWS Control Tower Documentation
Landing Zone
A landing zone is a well-architected, multi-account AWS environment. AWS Control Tower enables setting up a landing zone using integrations for identity, federated access, central data backup, and account structure. This can be deployed on a new or existing AWS Organization.
Examples of integrations include:
- AWS Organizations: Use AWS Control Tower organization structure to create organizational units and shared accounts.
- IAM Identity Center: Configure access to governed AWS accounts with AWS Control Tower IAM Identity Center groups and permission sets, or choose to self-manage access.
- AWS Config: AWS Config tracks activity on your AWS account resources in target organizational units that you specify and powers detective controls.
- AWS Backup: Applying the backup plan for AWS Control Tower is designed to be consistent for all accounts.
- AWS CloudTrail: AWS CloudTrail provides centralized logging that tracks actions and API activity across your organization's AWS accounts, storing the log files in an Amazon S3 bucket where you can review them.
Within your landing zone you can configure log retention, AWS CloudTrail trails, AWS KMS Keys, and AWS account access. The landing zone set up by AWS Control Tower is managed using a set of mandatory and optional controls. Mandatory controls are applied on your behalf by AWS Control Tower, while optional controls can be self-selected to help support accounts and configurations that comply with your policies.
Account Factory
The account factory is designed to provision new accounts in your organization. As a configurable account template, it helps you standardize provisioning of new accounts by using the AWS Control Tower account with default resources, configurations, or VPC settings. You can also define and implement your own custom account resources and requirements in addition to the account configurations. By configuring your account factory with network configuration and AWS Region selections, you enable self-service for your builders to configure and provision new accounts. Additionally, you can take advantage of AWS Control Tower solutions, such as Account Factory for Terraform, to provision and customize an account managed by AWS Control Tower in Terraform that meets your business and security policies, before delivering it to end users.
Control Catalog
Control Catalog provides a centralized catalog of controls that consolidates AWS controls in a single place. The catalog contains 750+ managed AWS controls for common customer use cases including security, cost, durability, and operations. Customers can start enabling controls on their AWS Organization without setting up a landing zone.
Controls are governance rules for security, operations, and compliance that you can select and apply enterprise-wide or to specific groups of accounts. A control is expressed in plain English and enforces a specific governance policy for your AWS environment that can be enabled within an AWS Organizations organizational unit (OU). Controls can be detective, preventive, or proactive and can be either mandatory or optional.
Detective controls (for example, Detect whether public read access to Amazon S3 buckets is allowed) monitor deployed resources for nonconformance. Preventive controls establish intent and help prevent deployment of resources that don't conform to your policies (for example, Enable AWS CloudTrail in accounts). Proactive control capabilities use AWS CloudFormation Hooks to identify and block the CloudFormation deployment of resources that are not compliant with the controls you have enabled. You can disallow actions that lead to policy violations and detect noncompliance of resources at scale. In addition, you get updated configurations and technical documentation so you can benefit from AWS services and features.
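To make the detective-control idea concrete, the following Python is an added example and is not AWS Control Tower's own implementation of the "Detect whether public read access to Amazon S3 buckets is allowed" control. It assumes constructed bucket snapshots shaped like the S3 GetBucketAcl, GetBucketPolicy, and GetPublicAccessBlock responses, applies the most restrictive combination of account-level and bucket-level Block Public Access settings (as S3 does), and returns a verdict in the COMPLIANT / NON_COMPLIANT form an AWS Config rule reports. Bucket-policy evaluation is deliberately simplified: statements carrying a Condition are treated as needing deeper analysis and are not flagged.

```python
"""Simplified detective control: does an S3 bucket allow public read access?

Added example, not AWS Control Tower's own code. Bucket snapshots below are
constructed and mirror the shape of the S3 API responses; the verdict mirrors
an AWS Config rule's ComplianceType (COMPLIANT / NON_COMPLIANT).
"""
from __future__ import annotations

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:GetObject", "s3:Get*", "s3:*", "*"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM/S3 JSON allows a scalar or a list in the same field; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_allows_public_read(grants: list[dict]) -> bool:
    """True if any ACL grant gives READ or FULL_CONTROL to AllUsers or AuthenticatedUsers."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            return True
    return False


def policy_allows_public_read(policy: dict | None) -> bool:
    """True if an unconditional Allow statement lets any principal read objects.

    Simplification (assumption): statements with a Condition block are skipped
    rather than evaluated, so they never produce a public verdict here.
    """
    if not policy:
        return False
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if is_public and READ_ACTIONS & set(_as_list(stmt.get("Action"))):
            return True
    return False


def effective_public_access_block(bucket_pab: dict | None, account_pab: dict | None) -> dict:
    """S3 applies the most restrictive combination of account and bucket settings (OR per flag)."""
    merged = {key: False for key in PAB_KEYS}
    for settings in (bucket_pab or {}, account_pab or {}):
        for key in PAB_KEYS:
            merged[key] = merged[key] or bool(settings.get(key, False))
    return merged


def evaluate_bucket(bucket: dict, account_pab: dict | None = None) -> str:
    """Return NON_COMPLIANT if the bucket is publicly readable after Block Public Access is applied."""
    pab = effective_public_access_block(bucket.get("public_access_block"), account_pab)
    # IgnorePublicAcls neutralizes existing public ACL grants; RestrictPublicBuckets
    # neutralizes public bucket policies for anonymous callers.
    acl_public = acl_allows_public_read(bucket.get("acl_grants", [])) and not pab["IgnorePublicAcls"]
    policy_public = policy_allows_public_read(bucket.get("policy")) and not pab["RestrictPublicBuckets"]
    return "NON_COMPLIANT" if (acl_public or policy_public) else "COMPLIANT"


def evaluate_account(buckets: list[dict], account_pab: dict | None = None) -> dict[str, str]:
    """Evaluate every bucket snapshot in an account; keyed by bucket name."""
    return {bucket["name"]: evaluate_bucket(bucket, account_pab) for bucket in buckets}


# Constructed sample snapshots (not real buckets).
PUBLIC_ACL_GRANT = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
SAMPLE_BUCKETS = [
    {"name": "public-acl", "acl_grants": [PUBLIC_ACL_GRANT]},
    {"name": "acl-but-ignored", "acl_grants": [PUBLIC_ACL_GRANT],
     "public_access_block": {"IgnorePublicAcls": True}},
    {"name": "public-policy", "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::public-policy/*"}]}},
    {"name": "conditional-policy", "policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::conditional-policy/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}},
    {"name": "private", "acl_grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]},
]

if __name__ == "__main__":
    for name, verdict in evaluate_account(SAMPLE_BUCKETS).items():
        print(f"{name}: {verdict}")
    # With the account-level block set, the same snapshots all become COMPLIANT.
    print(evaluate_account(SAMPLE_BUCKETS, {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}))
```

Running the module prints one verdict per sample bucket, then the verdicts after an account-wide Block Public Access configuration is layered on, which is the usual way a landing zone turns a detective finding into something the preventive layer makes impossible.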
Solutions for AWS Control Tower in AWS Marketplace
AWS Marketplace offers integrated third-party software solutions for AWS Control Tower. Built by independent software vendors, these solutions help solve infrastructure and operational use cases including security for a multi-account environment, centralized networking, operational intelligence, and Security Information and Event Management (SIEM).
Additional Information
For additional information about service controls, security features and functionalities, including, as applicable, information about storing, retrieving, modifying, restricting, and deleting data, please see https://docs.aws.amazon.com/index.html. This information does not form part of the Documentation for purposes of the AWS Customer Agreement available at http://aws.amazon.com/agreement, or other agreement between you and AWS governing your use of AWS's services.