2. Agenda
01 | Quick introduction
02 | Why do you need a Landing Zone
03 | AWS Control Tower
04 | Pricing & Features
05 | Lessons Learnt
06 | Questions
3. Introduction
Gerald Bachlmayr
● Technical Principal - Contino
● AWS Ambassador
● Cloud Native Advocate
Marwan Kansoh
● Technical Principal - Contino
● Advocate - All things AWS/DevOps/Security
● Proud father of 2
Intro Why LZ/AWS P&F Lessons Q&A
5. Landing Zone in AWS → Control Tower
Control Tower (CT) gives you all those common Landing Zone capabilities out-of-the-box, and AWS manages upgrades for you.
6. Control Tower - Overview
Those are the key features CT gives you:
Landing Zone
● Multi-account setup - with OUs (org. units)
● SSO enabled
● Centralised logging
Account Factory
● Standardised provisioning
● Pre-approved configurations
● Self-service
Guardrails
● Preventive
● Detective
● Mandatory & Optional
Dashboards
● Number of accounts and OUs
● Guardrails
● List of noncompliant resources
7. Setup steps
The setup process is simple and AWS gives you some guidance on what you shouldn’t do:
Steps:
● Master Account
○ First email address
● Logon & select region
● Two email addresses:
○ Log archive account
○ Audit account
● ~ 1 hour
AWS Guidance:
● Do not modify or delete:
○ Resources created by CT
○ IAM resources created by CT
● Managed with CT - not AWS Organizations
○ Create, invite, move accounts
○ Create, move OU (org units)
○ Delete OU: you won’t be able to provision a new account to this OU with CT Account Factory
not managed by CT
8. Setup Process - CloudFormation Resources
There is not much to see during the setup process - one CloudFormation stack.
9. Setup Process - CloudFormation Stack Sets
10. Setup Complete
After the setup you can see the Control Tower Dashboard:
11. Pricing
Guidelines:
● No additional charge to use AWS Control Tower
● You are charged for services setup by CT - e.g.:
○ Service Catalog
○ AWS Config Rules
● Included for free:
○ Mandatory preventive guardrails → global
○ 2 mandatory detective guardrails → regions where CT is available
Price Example:
● 10 accounts, 15 resources per account, in 4 regions
● 5 strongly recommended detective guardrails → 5,000 rule evaluations/month each
● Each resource → 20 config. state changes/month
Feature                          | Price (USD)
1 Account Factory portfolio      | $5/month
Mandatory preventive guardrails  | $0 (free)
2 mandatory detective guardrails | $0 (free)
AWS Config - 12,000 config items | $36/month
AWS Config - 25,000 rule eval.   | $25/month
AWS Config - initial recording   | $12 (one off)
Total                            | $66/month
12. Features: Account Factory
Enables cloud administrators and AWS SSO end users to provision accounts in your landing zone.
Some features:
● Account life-cycle:
○ Open
○ Update → different OU
○ Close
● Modify CIDR ranges
● Provision CIDR range
● Internet access for new accounts
13. Compliance Introduction
AWS Control Tower is well-architected by default and helps establish compliant environments with SOC, PCI, FedRAMP and HIPAA with ease.
Compliance is established at an OU.
14. Features: Guard Rails
There are 3 different levels of guard rail guidance:
● Mandatory (Enforced - cannot be turned off)
● Recommended (strongly)
● Optional (Elective)
Guard rail behaviours either prevent or detect actions. Examples of mandatory guard rails are:
● Preventive guard rails apply an explicit deny/allow to certain actions, example:
○ Disallow deletion of log archive
○ Enable encryption at rest for log archive
● Detective guard rails detect non-compliant configurations and report them, example:
○ Disallow public read access to log archive
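As an added illustration (not Control Tower's own SCP or Config rule code), the two guard rail behaviours above modelled in Python: a preventive guard rail as an SCP-style Deny statement evaluated against an action and resource, and a detective guard rail as a Config-rule-style check of a bucket ACL. The bucket ARN, the ACL dicts and the fnmatch wildcard matching are constructed simplifications.

```python
import fnmatch

# Constructed placeholder: the real log archive bucket name is chosen by Control Tower.
LOG_ARCHIVE_BUCKET = "arn:aws:s3:::example-log-archive-bucket"

# Preventive guard rail, SCP-style: an explicit Deny that no IAM policy in a
# member account can override. Illustrative only, not Control Tower's own SCP.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyLogArchiveDeletion",
        "Effect": "Deny",
        "Action": ["s3:DeleteBucket", "s3:DeleteObject*"],
        "Resource": [LOG_ARCHIVE_BUCKET, LOG_ARCHIVE_BUCKET + "/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def scp_denies(policy, action, resource):
    """True if any Deny statement's Action and Resource patterns both match.

    IAM wildcards ('*' and '?') are approximated with fnmatch; the real policy
    engine also evaluates Condition blocks, which this simplification omits.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


# Detective guard rail, Config-rule-style: records a finding instead of blocking.
ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"


def evaluate_public_read(bucket_acl):
    """Return 'NON_COMPLIANT' if the ACL grants READ to everyone, else 'COMPLIANT'."""
    for grant in bucket_acl.get("Grants", []):
        grantee_uri = grant.get("Grantee", {}).get("URI")
        if grantee_uri == ALL_USERS_GROUP and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            return "NON_COMPLIANT"
    return "COMPLIANT"
```

The preventive check answers before the API call happens; the detective check only classifies what already exists, which is why the dashboard lists non-compliant resources rather than blocked ones.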
15. Features: Dashboards
CT’s Dashboard is a high level single pane offering compliance and governance visibility:
● Current environment summary
● Enabled controls
● Non-compliant resources
● Enrolled accounts in the organisation
● Guard rails available
16. Features: SSO
SSO is automatically enabled. It allows single touch login to accounts or applications:
● Configurable identity source (such as Active Directory)
● Enforceable MFA
● Automatic provisioning
● AWS SSO integrated applications
● Customisable URL
17. Features: Audit & Logging
By default, 2 accounts are created (separate from the Master account). Those are Audit and Logging.
● Audit account
○ This account is used to audit all information made available by Control Tower in the environment. This information is also accessible programmatically.
● Log archive account
○ This account is used to access all the logging information for all the managed accounts within managed OUs in the landing zone.
We are looking at testing the ability to deploy Kinesis Firehose in the Logging account to push logs to a SIEM solution.
18. Lessons Learnt
● Consider ‘nuking’ the account before attempting to uninstall Control Tower
● Account Factory provides only /16 CIDRs
● Control Tower does NOT provision:
○ Transit Gateway
○ Egress Gateway
○ NAT gateway
○ Shared account (networking)
● Integration with Security Hub and Network Manager not yet tested
● Nested OUs
○ Not displayed in console
○ Only available as code
● Updating account emails is difficult (random errors)
● Root user and IAM administrators can bypass guard rails (by design)