Set up multi-account management with AWS Control Tower

Set up a Landing Zone with AWS Control Tower

Using AWS Control Tower you can implement a multi-account structure, as recommended by best practices, in which you centrally enforce policies (guardrails) while centralizing and protecting AWS CloudTrail logs in a designated logging account.

Multi-Account / Organizational Structure

Make sure your workloads are divided into multiple accounts, leaving a set of core accounts (logging, audit, backups, networking, etc.) that provide shared services to all accounts, and a set of accounts (dev, test, prod) per business unit or workload. If you have “THE production account”, start working towards moving workloads into separate accounts to reduce the blast radius of potential security incidents.

Delegated Administration - Services integrated to AWS Organizations

The following services are integrated with AWS Organizations (AWS Control Tower is built on AWS Organizations) and support delegated administration, so the security team can have visibility into the security and compliance posture of the whole organization from the security account:

  • AWS Security Hub
  • Amazon GuardDuty
  • Amazon Macie
  • Amazon Detective
  • AWS Firewall Manager
  • IAM Access Analyzer
  • Amazon Inspector
  • AWS Audit Manager

AWS Control Tower deployment in existing organization

If you have an existing organization you can still enable AWS Control Tower.

One account to an Organization with Control Tower

If you have everything in one account, set up AWS Control Tower in a new account and then add the existing account to the organization. It is not advisable to configure AWS Control Tower on an account that already runs workloads: the management account (the organization root) is not affected by SCPs and should not be used for day-to-day access.

Risk Mitigation

  • If the generation and storage of logs is not secured, an adversary may destroy them or turn them off, which significantly complicates eradication.
  • If workloads are not separated into a multi-account structure, the blast radius grows.
  • If you’re using a single account, you will not be able to use Service Control Policies, so there are no additional limits beyond what each credential allows. If you have moved past the experimentation phase to running production workloads, you definitely need an organization.
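The first and third risks above can be mitigated together with a Service Control Policy attached to the member-account OUs. The following is an added example, not code from the page or from AWS: the account id, trail name and bucket name are constructed placeholders, and the small evaluator only mirrors the explicit-deny wildcard matching of IAM evaluation so the guardrail can be checked offline (it is not the AWS policy simulator).

```python
import json
from fnmatch import fnmatchcase

# Guardrail SCP: member accounts may not stop, delete or reconfigure the
# organization trail, nor tamper with the bucket that holds its logs.
# Note: SCPs never apply to the management account, which is why it
# should not be used for daily work.
PROTECT_TRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyCloudTrailTampering",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            # constructed placeholder: logging account id and trail name
            "Resource": "arn:aws:cloudtrail:*:111122223333:trail/org-trail",
        },
        {
            "Sid": "DenyLogBucketTampering",
            "Effect": "Deny",
            "Action": ["s3:DeleteBucket*", "s3:PutBucketPolicy",
                       "s3:PutLifecycleConfiguration"],
            "Resource": "arn:aws:s3:::example-org-cloudtrail-logs",  # constructed
        },
    ],
}


def scp_denies(policy: dict, action: str, resource: str) -> bool:
    """Return True if an explicit Deny statement matches action and resource.

    IAM wildcards (* and ?) are matched with fnmatch; only the explicit-deny
    step of evaluation is modelled, which is all an SCP guardrail needs.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action, a) for a in actions) and \
                any(fnmatchcase(resource, r) for r in resources):
            return True
    return False


def scp_document() -> str:
    """Compact JSON for `aws organizations create-policy --type SERVICE_CONTROL_POLICY --content`."""
    return json.dumps(PROTECT_TRAIL_SCP, separators=(",", ":"))
```

Attach the resulting policy to the OUs containing workload accounts, not to the root alone, and keep the log bucket itself in the dedicated logging account so the deny protects it from every member account.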

Guidance for assessments

  • Have you implemented AWS Control Tower?
  • Are you isolating your workloads in multiple accounts?
  • Is there a particular account in your organization that holds most of the organization's workloads?

Pricing

https://aws.amazon.com/controltower/pricing

Note: if you can’t enable AWS Control Tower because you need additional flexibility or customization of the accounts, you can leverage the following solution instead: Landing Zone Accelerator on AWS.