AWS Control Tower Deep Dive

Enterprise Multi-Account Governance, Account Separation, Monitoring & Auditing at Scale


1. Introduction

What is AWS Control Tower?

AWS Control Tower is a managed AWS service that enables organizations to set up and govern a secure, compliant, and scalable multi-account AWS environment using AWS Organizations.

It provides an opinionated framework for building enterprise-grade cloud foundations through:

  • Centralized governance
  • Automated account provisioning
  • Organizational guardrails
  • Security baselines
  • Monitoring and auditing integrations
  • Identity federation
  • Policy enforcement at scale

Control Tower automates the setup of a secure AWS “Landing Zone” and continuously governs the environment using Service Control Policies (SCPs), AWS Config, CloudTrail, and organizational controls.

It is designed for enterprises operating dozens, hundreds, or even thousands of AWS accounts.


2. Core Components of AWS Control Tower

2.1 AWS Organizations

AWS Organizations forms the foundational hierarchy for Control Tower.

It enables:

  • Centralized account management
  • Organizational Units (OUs)
  • SCP-based governance
  • Consolidated billing
  • Cross-account policy inheritance

All governance controls in Control Tower flow through the AWS Organizations hierarchy.


2.2 Landing Zone

The Landing Zone is the secure baseline environment automatically created by Control Tower.

It includes:

  • Organizational Unit structure
  • Shared foundational accounts
  • Logging architecture
  • Governance baselines
  • Identity integration
  • Security controls
  • Organization-wide CloudTrail
  • AWS Config setup

The Landing Zone serves as the standardized enterprise cloud foundation.


2.3 Account Factory

Account Factory automates AWS account provisioning using AWS Service Catalog.

It enables:

  • Standardized account creation
  • Automatic guardrail application
  • Baseline networking setup
  • IAM Identity Center integration
  • Tagging and naming standards
  • Pre-configured security controls

New accounts can be provisioned within minutes without manual console operations.


2.4 Guardrails (Controls)

Guardrails are governance mechanisms applied at the OU level.

Preventive Controls

Implemented using Service Control Policies (SCPs).

These actively block prohibited actions.

Examples:

  • Prevent disabling CloudTrail
  • Prevent deletion of Config rules
  • Prevent public S3 buckets
  • Prevent leaving AWS Organizations

Detective Controls

Implemented using AWS Config rules.

These monitor resource compliance and flag violations.

Examples:

  • Detect unencrypted EBS volumes
  • Detect public security groups
  • Detect missing tagging standards

Proactive Controls

Implemented using CloudFormation hooks.

These prevent non-compliant resources from being created during deployment.

Examples:

  • Block S3 buckets without versioning
  • Block EC2 instances without IMDSv2
  • Block unencrypted RDS databases

2.5 Control Catalog

AWS Control Tower provides 300+ built-in controls aligned with:

  • CIS Benchmarks
  • NIST
  • PCI-DSS
  • HIPAA
  • SOC2
  • AWS Security Best Practices

Controls can be enabled selectively per Organizational Unit.


2.6 Shared Foundational Accounts

Control Tower creates three foundational accounts:

Management Account

  • Root organization administration
  • Billing and governance
  • Identity management

Log Archive Account

  • Centralized immutable log storage
  • CloudTrail logs
  • Config snapshots
  • VPC Flow Logs
  • Access logs

Audit Account

  • Centralized security operations
  • Security Hub administration
  • GuardDuty aggregation
  • Compliance visibility

These accounts should never host workloads.


2.7 Customizations for Control Tower (CfCT)

CfCT enables deployment of custom enterprise standards automatically across all accounts.

Examples:

  • VPC endpoints
  • CloudWatch agents
  • Baseline IAM roles
  • Security groups
  • Config rules
  • Organizational tagging standards

Deployments are automated using StackSets and CodePipeline.


3. Environment-Based Account Separation Strategy

Why Account Separation Matters

Control Tower promotes strong isolation boundaries using separate AWS accounts.

Benefits:

  • Blast-radius reduction
  • Independent billing
  • Security isolation
  • Compliance segmentation
  • Separate deployment pipelines
  • Independent quotas and limits

A compromised development account cannot impact production infrastructure.


4. Recommended Organizational Unit Structure

Root

  • Security OU
      • Log Archive Account
      • Audit Account

  • Infrastructure OU
      • Network Account
      • Shared Services Account

  • Workloads OU
      • Dev OU
          • One account per team/application
      • Staging OU
          • Mirrors production topology
      • Production OU
          • One account per bounded business domain
          • Examples: payments-prod, identity-prod, analytics-prod

  • Sandbox OU
      • Temporary developer experimentation accounts
      • Auto-expiration policies

  • Policy Staging OU
      • SCP testing before production rollout

5. SCP Layering Strategy

Development OU Policies

More permissive controls:

  • Allow experimentation
  • Restrict only destructive organization-level actions

Examples:

  • Deny deleting CloudTrail
  • Deny leaving Organizations

Staging OU Policies

Moderate restrictions:

  • Deny public exposure
  • Enforce encryption
  • Enforce tagging

Examples:

  • Deny public S3 access
  • Deny open security groups

Production OU Policies

Strict governance:

  • Deny KMS key deletion
  • Enforce IMDSv2
  • Deny Config disabling
  • Deny CloudTrail disabling
  • Restrict expensive resource provisioning
  • Enforce mandatory tagging
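
To make the layering concrete, here is an added example (not code from the page or from AWS) that writes the Dev and Production OU policies above as SCP statements and evaluates a request down the root, Workloads OU and environment OU path the way Organizations does: every layer must allow, and a Deny at any layer wins. The statement contents, the StringNotEquals IMDSv2 condition and the simplified evaluator (no NotAction or Resource matching) are assumptions of the example.

```python
"""Evaluate layered SCPs (root -> Workloads OU -> environment OU) for one request.
Added illustration; AWS's real evaluator also handles NotAction, Resource and more operators."""
import fnmatch
FULL_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def deny(sid, actions, condition=None):
    stmt = {"Sid": sid, "Effect": "Deny", "Action": actions, "Resource": "*"}
    return stmt if condition is None else {**stmt, "Condition": condition}
# Constructed SCPs following the Dev / Production layering in Section 5.
DEV_SCP = {"Statement": [
    deny("ProtectTrail", ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"]),
    deny("NoLeaveOrg", "organizations:LeaveOrganization")]}
PROD_SCP = {"Statement": DEV_SCP["Statement"] + [
    deny("ProtectKms", "kms:ScheduleKeyDeletion"),
    deny("ProtectConfig", "config:StopConfigurationRecorder"),
    deny("RequireIMDSv2", "ec2:RunInstances",
         {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}})]}
def _condition_met(cond, ctx):
    # Only the operator used above is modelled; a missing key counts as "not equal", as in IAM.
    for op, pairs in (cond or {}).items():
        for key, want in pairs.items():
            if op == "StringNotEquals" and ctx.get(key) == want:
                return False
    return True

def _applies(stmt, action, ctx):
    acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    return any(fnmatch.fnmatchcase(action, a) for a in acts) and _condition_met(stmt.get("Condition"), ctx)

def layer_allows(policies, action, ctx):
    """Within one layer an explicit Deny wins; otherwise some Allow must match."""
    allowed = False
    for stmt in (s for pol in policies for s in pol["Statement"]):
        if _applies(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return False, stmt.get("Sid")
            allowed = True
    return allowed, None

def evaluate(path, action, ctx=None):
    """path = [(layer, [policies]), ...] root -> account; every layer must allow."""
    for name, policies in path:
        ok, sid = layer_allows(policies, action, ctx or {})
        if not ok:
            return "DENY", f"{name}:{sid or 'no matching Allow'}"
    return "ALLOW", None
# FullAWSAccess is attached at every layer by default; the OU's own SCP narrows it.
DEV_PATH = [("root", [FULL_ACCESS]), ("workloads", [FULL_ACCESS]), ("dev", [FULL_ACCESS, DEV_SCP])]
PROD_PATH = DEV_PATH[:2] + [("prod", [FULL_ACCESS, PROD_SCP])]
```

The same RunInstances request passes in Dev but is refused in Production until the launch sets HttpTokens to required, which is the effect the production policy is meant to have.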

6. Account Factory for Terraform (AFT)

GitOps-Based Account Provisioning

AFT enables fully automated account creation using Terraform.

Workflow

  1. Developer submits pull request to account-requests repository
  2. Terraform pipeline validates request
  3. New AWS account is provisioned
  4. Control Tower enrollment occurs automatically
  5. Baseline networking is configured
  6. SCPs are attached
  7. IAM Identity Center permissions are assigned
  8. Logging and monitoring integrations are enabled

Provisioning time:

  • Approximately 15–20 minutes

Benefits:

  • Fully auditable
  • Zero manual console operations
  • Infrastructure-as-Code governance
  • Repeatable onboarding

7. Monitoring and Auditing at Scale

7.1 Log Archive Account

Centralized immutable logging account.

Stores:

  • Organization CloudTrail logs
  • AWS Config snapshots
  • VPC Flow Logs
  • ELB access logs
  • S3 access logs

Security controls:

  • S3 Object Lock
  • Deny-delete SCPs
  • Glacier archival policies

Typical retention:

  • 1 year hot storage
  • 7 years archival

7.2 Audit Account

Centralized security operations account.

Acts as delegated administrator for:

  • Security Hub
  • GuardDuty
  • Macie
  • Inspector
  • IAM Access Analyzer

Security teams operate from this account without requiring direct workload access.


7.3 Organization-Wide CloudTrail

Single organization trail captures:

  • All API activity
  • All regions
  • All accounts

Benefits:

  • Centralized forensic analysis
  • Compliance auditing
  • Threat investigation

CloudTrail Lake enables SQL querying across events.

Example investigation query:

  • External AssumeRole activity in production accounts over 30 days
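
As an added example (not part of the original page), the following code runs that investigation over raw CloudTrail records as they are delivered to the Log Archive bucket, rather than as a CloudTrail Lake query; the account IDs, the sample records and the 30-day window are constructed assumptions.

```python
"""Hunt for AssumeRole calls into production accounts by principals outside the
organization over a 30-day window, reading raw CloudTrail records as delivered to
the Log Archive bucket. Added example; account IDs and events are constructed."""
import json
from datetime import datetime, timedelta, timezone

PROD_ACCOUNTS = {"111111111111", "222222222222"}                 # constructed
ORG_ACCOUNTS = PROD_ACCOUNTS | {"333333333333", "444444444444"}  # + dev, audit
def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def external_assume_roles(records, now, days=30):
    """Summarise each in-window AssumeRole whose caller account is not ours and
    whose target account (recipientAccountId) is production. Failed attempts count."""
    cutoff, hits = now - timedelta(days=days), []
    for r in records:
        if (r.get("eventSource"), r.get("eventName")) != ("sts.amazonaws.com", "AssumeRole"):
            continue
        ident = r.get("userIdentity", {})
        if ident.get("type") == "AWSService":   # e.g. Lambda assuming its execution role
            continue
        caller, target = ident.get("accountId"), r.get("recipientAccountId")
        if target in PROD_ACCOUNTS and caller not in ORG_ACCOUNTS and _ts(r["eventTime"]) >= cutoff:
            hits.append({"time": r["eventTime"], "caller_account": caller,
                         "caller_arn": ident.get("arn"),
                         "role": r.get("requestParameters", {}).get("roleArn"),
                         "source_ip": r.get("sourceIPAddress"),
                         "failed": bool(r.get("errorCode"))})
    return hits

def _rec(time, caller, target, err=None, typ="IAMUser"):
    # Minimal record in the shape CloudTrail writes (constructed test data).
    return {"eventVersion": "1.08", "eventTime": time, "eventSource": "sts.amazonaws.com",
            "eventName": "AssumeRole", "recipientAccountId": target, "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": typ, "accountId": caller,
                             "arn": f"arn:aws:iam::{caller}:user/ci" if caller else None},
            "requestParameters": {"roleArn": f"arn:aws:iam::{target}:role/Deploy"},
            **({"errorCode": err} if err else {})}

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
SAMPLE_LOG = json.dumps({"Records": [
    _rec("2024-02-20T10:00:00Z", "999999999999", "111111111111"),                 # external -> prod
    _rec("2024-02-21T10:00:00Z", "333333333333", "111111111111"),                 # dev -> prod: ours
    _rec("2024-01-05T10:00:00Z", "999999999999", "222222222222"),                 # external, too old
    _rec("2024-02-22T10:00:00Z", "999999999999", "111111111111", "AccessDenied"), # failed attempt
    _rec("2024-02-23T10:00:00Z", None, "111111111111", typ="AWSService"),         # service principal
]})
def hunt(log_text=SAMPLE_LOG, now=NOW):
    return external_assume_roles(json.loads(log_text)["Records"], now)
```

Only the two calls from the foreign account into a production account inside the window are returned; the in-organization call, the stale call and the service-principal record are filtered out.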

7.4 AWS Config Aggregator

Aggregates configuration compliance data from all accounts.

Capabilities:

  • Organization-wide compliance dashboards
  • Resource drift visibility
  • Centralized policy evaluation

Integrations:

  • EventBridge
  • SNS
  • Lambda remediation
  • PagerDuty alerts

7.5 GuardDuty Centralized Threat Detection

GuardDuty runs organization-wide by default.

Detects:

  • Cryptocurrency mining
  • Credential compromise
  • Malicious IP communication
  • Suspicious API activity

Centralized findings flow into:

  • Security Hub
  • EventBridge
  • SIEM platforms

Automated response actions may:

  • Isolate EC2 instances
  • Revoke credentials
  • Block network traffic

7.6 Security Hub

Security Hub acts as the centralized security dashboard.

Aggregates findings from:

  • GuardDuty
  • Macie
  • Inspector
  • Config
  • IAM Access Analyzer

Provides:

  • Compliance scoring
  • CIS benchmarking
  • PCI-DSS posture
  • Security analytics

Large organizations export findings into:

  • Splunk
  • Datadog
  • Elastic
  • SIEM platforms

8. Operational Patterns at Scale

Drift Detection

Control Tower continuously validates account baseline compliance.

Detects:

  • Missing Config rules
  • Removed CloudTrail trails
  • Drifted SCPs
  • Unauthorized changes

Auto-Remediation Pattern

Workflow:

  1. Config rule detects violation
  2. EventBridge triggers Lambda
  3. Lambda executes SSM Automation
  4. Resource is remediated automatically

Examples:

  • Enable S3 versioning
  • Close public security groups
  • Terminate public RDS instances
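
An added example (not the page's or AWS's code) of the Lambda step in that workflow: it turns an EventBridge compliance-change event into an SSM StartAutomationExecution call using two AWS-managed Automation documents. The Config rule names, the remediation role ARN and the sample event are constructed assumptions; the RDS case from the list above is left out because it needs an account-specific runbook.

```python
"""EventBridge -> Lambda -> SSM Automation dispatcher for the pattern above.
Added example. Rule names are whatever you called the managed rules (constructed
here); the two Automation documents are AWS-managed; role ARN and event are placeholders."""
import os
# Config rule name -> (SSM Automation document, parameters built from the event).
PLAYBOOK = {
    "s3-bucket-versioning-enabled": ("AWS-ConfigureS3BucketVersioning",
        lambda d: {"BucketName": d["resourceId"], "VersioningState": "Enabled"}),
    "restricted-ssh": ("AWS-DisablePublicAccessForSecurityGroup",
        lambda d: {"GroupId": d["resourceId"]}),
}
ROLE_ARN = os.environ.get("REMEDIATION_ROLE_ARN",
                          "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/RemediationRole")

def plan_remediation(event):
    """StartAutomationExecution kwargs for a NON_COMPLIANT compliance-change event
    from a rule with a playbook; None means take no action."""
    if event.get("detail-type") != "Config Rules Compliance Change":
        return None
    d = event.get("detail", {})
    if d.get("newEvaluationResult", {}).get("complianceType") != "NON_COMPLIANT":
        return None                 # COMPLIANT / NOT_APPLICABLE never trigger a run
    entry = PLAYBOOK.get(d.get("configRuleName"))
    if entry is None:
        return None                 # unknown rule: leave it for a human alert
    document, build = entry
    params = {**build(d), "AutomationAssumeRole": ROLE_ARN}
    # SSM expects every parameter value as a list of strings.
    return {"DocumentName": document, "Parameters": {k: [v] for k, v in params.items()}}

def lambda_handler(event, context=None, start=None):
    """start: the SSM StartAutomationExecution call, injectable for testing."""
    kwargs = plan_remediation(event)
    if kwargs is None:
        return {"action": "none"}
    if start is None:
        import boto3                # only needed in the deployed function
        start = boto3.client("ssm").start_automation_execution
    response = start(**kwargs)
    return {"action": kwargs["DocumentName"], "executionId": response.get("AutomationExecutionId")}

# Constructed compliance-change event in the shape EventBridge delivers.
SAMPLE_EVENT = {
    "detail-type": "Config Rules Compliance Change", "source": "aws.config",
    "detail": {"resourceId": "finance-reports-bucket", "resourceType": "AWS::S3::Bucket",
               "awsRegion": "us-east-1", "awsAccountId": "111111111111",
               "configRuleName": "s3-bucket-versioning-enabled",
               "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}},
}
```

Keeping the decision in plan_remediation separate from the SSM call makes the playbook testable without AWS credentials and keeps unknown rules from triggering anything automatically.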

Cost Governance

Implemented using:

  • AWS Budgets
  • Cost Anomaly Detection
  • SCP-based service restrictions

Examples:

  • Restrict expensive GPU services in Dev OU
  • Enforce tagging for chargeback
  • Alert on spending spikes

Identity Federation

IAM Identity Center integrates with:

  • Okta
  • Azure AD
  • Active Directory

Permission Sets are assigned automatically during account vending.

Examples:

  • Developers → Dev access
  • SREs → Elevated production access
  • Auditors → Read-only access

9. Quick-Start Deployment Sequence

Step 1

Enable AWS Control Tower in the management account.

Creates:

  • Landing Zone
  • Audit account
  • Log Archive account
  • Baseline governance

Step 2

Configure IAM Identity Center with enterprise IdP.


Step 3

Define Organizational Unit hierarchy:

  • Security
  • Infrastructure
  • Dev
  • Staging
  • Production
  • Sandbox

Step 4

Enable mandatory and recommended guardrails.


Step 5

Set up Account Factory for Terraform (AFT).


Step 6

Deploy CfCT customizations:

  • Networking baselines
  • CloudWatch agents
  • Security tooling
  • Config rules

Step 7

Enable organization-wide:

  • Security Hub
  • GuardDuty
  • Macie
  • Inspector


Step 8

Integrate EventBridge with SIEM pipelines.


Step 9

Deploy auto-remediation workflows.


Step 10

Run quarterly Landing Zone updates.


10. Key Benefits of AWS Control Tower

Security

  • Centralized governance
  • Organization-wide visibility
  • Strong account isolation

Scalability

  • Supports thousands of accounts
  • Automated onboarding
  • Standardized governance

Compliance

  • Built-in compliance frameworks
  • Continuous auditing
  • Immutable logging

Operational Efficiency

  • GitOps-based account provisioning
  • Automated remediation
  • Reduced manual effort

Enterprise Readiness

  • Multi-team support
  • Federated identity
  • Centralized security operations


11. Conclusion

AWS Control Tower provides a highly scalable and enterprise-ready framework for governing AWS environments at scale.

By combining:

  • AWS Organizations
  • SCPs
  • Guardrails
  • Centralized logging
  • Automated account vending
  • Security aggregation
  • Identity federation

organizations can build secure, compliant, and operationally efficient multi-account AWS environments with minimal manual intervention.

When combined with:

  • Account Factory for Terraform (AFT)
  • Customizations for Control Tower (CfCT)
  • Security Hub
  • GuardDuty
  • Config Aggregators
  • EventBridge automation

Control Tower becomes a powerful cloud governance platform capable of supporting environments ranging from small startups to global enterprises operating thousands of AWS accounts.