Multi-Account Management using AWS Control Tower

Introduction

As an organization grows, the complexity of its cloud infrastructure, its security concerns, and its need for better resource management grow with it, and a more efficient and secure way to manage workloads becomes necessary. One way to address these problems is to split the environment across multiple AWS accounts. Some use cases for segregating AWS accounts are as follows:

We may have a dedicated production account that protects the organization’s valuable data and minimizes the risk of unauthorized access.

There may be a separate development and testing account that allows teams to work without impacting the stability of the production systems.

Similarly, we may have a separate AWS account dedicated to replicating critical data, to ensure business continuity in the face of unforeseen events.

Using separate AWS accounts in this way makes the infrastructure more secure by reducing the blast radius of a compromise or misconfiguration. Resource management also becomes easier, with better cost control and optimized resource allocation.

In this blog post, we will explore why we need AWS Control Tower for managing multiple AWS accounts, how to set up AWS Control Tower, and how it can be leveraged to efficiently manage and govern multiple accounts using the account factory, organizational units, guardrails, and logging and monitoring.

Why do we need AWS Control Tower?

Once an organization has multiple AWS accounts, managing them without a centralized management solution becomes complex and time-consuming, and each additional account adds administrative effort and resources. Tasks such as managing user access and permissions across accounts, securing cross-account access, sharing resources, and tracking and managing costs and billing must be performed separately for each account, which increases complexity and administrative overhead.

To overcome these challenges we can use AWS Control Tower which offers a platform to establish and maintain a well-structured multi-account environment. This service offers centralized management, automated account provisioning, account grouping, consolidated billing, and enhanced governance capabilities to streamline the management of multiple AWS accounts.

Set up AWS Control Tower

First of all, we need to set up AWS Control Tower, so log in to the AWS Management Console of the AWS account where you plan to deploy it. This account will be referred to as the management account. Set up AWS Control Tower by configuring and launching your landing zone from the management account.

Step 1: Review Pricing and select Regions

This page lists the services that AWS Control Tower uses; those services are billed according to your usage.

Under Home Region, select your home Region; this is the default Region where the resources of your shared accounts will be provisioned.

Under Region deny setting, choose “Enabled” if you want to deny access to Regions outside those governed by AWS Control Tower. If you choose “Not Enabled”, AWS Control Tower removes this guardrail from all registered OUs, which allows resources to be deployed in Regions where AWS Control Tower is not available. By default, this control is “Not Enabled”.

Step 2: Configure Organizational Units

In this step, the Foundational OU is initially named Security; you can rename it or leave it as it is.

Under Additional OU, you can also create a new OU, for example for development projects. If you already have an existing OU in AWS Organizations, you may see the option to skip setting up an Additional OU in AWS Control Tower.

Step 3: Configure Shared accounts

Now we need to provide two AWS accounts: one for log archiving and one for audit. We can create new accounts or use existing accounts for this purpose. If you choose to create new shared accounts, their email addresses must not already be associated with other AWS accounts.

Step 4: Additional Configuration

In this step, you select whether AWS Control Tower sets up AWS account access with AWS Identity and Access Management (IAM), or whether you self-manage AWS account access with AWS IAM Identity Center users, roles, and permissions that you set up and customize on your own.

By default, AWS Control Tower sets up AWS IAM Identity Center for your landing zone.

You can choose “Enabled” or “Not Enabled” under AWS CloudTrail Configuration. By default, it is “Enabled”.

You can also customize the log retention policy under Log Configuration for Amazon S3. By default, retention is one year for standard account logging and 10 years for access logging.

You can also select the checkbox under KMS Encryption to enable and customize encryption of the log buckets. By default, this box is unchecked.

Step 5: Review and setup the Landing Zone

Now review all the configurations, acknowledge the terms, and click Set up landing zone. It takes about 30 minutes to set up all of the resources in your landing zone.

Once the landing zone is created, we can see the dashboard with all the details, such as OU, shared accounts, and controls.
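The five steps above map onto the landing zone manifest accepted by the CreateLandingZone API. The following is an added example, not code from the original post: it assembles that manifest from the same choices (home Region, OU names, shared accounts, CloudTrail, retention, KMS key, IAM Identity Center) and runs the checks a reviewer would apply before Step 5. The account IDs and key ARN are constructed placeholders, and the rule that the key must sit in the home Region is applied here as an assumption.

```python
import re

def build_manifest(home_region, other_regions, log_archive_id, audit_id,
                   security_ou="Security", sandbox_ou="Sandbox",
                   log_retention_days=365, access_log_retention_days=3650,
                   kms_key_arn=None, cloudtrail_enabled=True, identity_center=True):
    """Assemble a landing zone manifest (field names as in the CreateLandingZone API)."""
    configs = {"loggingBucket": {"retentionDays": log_retention_days},
               "accessLoggingBucket": {"retentionDays": access_log_retention_days}}
    if kms_key_arn:  # Step 4: optional KMS encryption of the log buckets
        configs["kmsKeyArn"] = kms_key_arn
    return {
        # Step 1: home Region first, then any other governed Regions (deduplicated)
        "governedRegions": list(dict.fromkeys([home_region, *other_regions])),
        # Step 2: foundational (security) OU and the additional OU
        "organizationStructure": {"security": {"name": security_ou},
                                  "sandbox": {"name": sandbox_ou}},
        # Steps 3 and 4: log archive account, CloudTrail toggle, retention, KMS
        "centralizedLogging": {"accountId": log_archive_id,
                               "configurations": configs,
                               "enabled": cloudtrail_enabled},
        "securityRoles": {"accountId": audit_id},           # Step 3: audit account
        "accessManagement": {"enabled": identity_center},  # Step 4: IAM Identity Center
    }

def validate_manifest(m, home_region):
    """Return the problems found before Step 5; an empty list means the checks pass."""
    problems = []
    log_id = m["centralizedLogging"]["accountId"]
    audit_id = m["securityRoles"]["accountId"]
    for label, value in (("log archive", log_id), ("audit", audit_id)):
        if not re.fullmatch(r"\d{12}", value):
            problems.append(f"{label} account ID must be 12 digits")
    if log_id == audit_id:
        problems.append("log archive and audit must be two different accounts")
    if m["governedRegions"][:1] != [home_region]:
        problems.append("home Region must be the first governed Region")
    cfg = m["centralizedLogging"]["configurations"]
    for bucket in ("loggingBucket", "accessLoggingBucket"):
        if cfg[bucket]["retentionDays"] <= 0:
            problems.append(f"{bucket} retention must be a positive number of days")
    key = cfg.get("kmsKeyArn")
    if key and key.split(":")[3] != home_region:  # ARN field 3 is the key's Region (assumed rule)
        problems.append("KMS key must live in the home Region")
    return problems

# Constructed placeholder IDs; with boto3 the result would be submitted as
# client("controltower").create_landing_zone(landingZoneVersion="<version>", manifest=...)
EXAMPLE = build_manifest("us-east-1", ["us-west-2"], "222222222222", "333333333333",
                         kms_key_arn="arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER")
```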

Account Creation

Once AWS Control Tower is set up, you can create, update, unmanage, close, and move member accounts from one organizational unit to another using AWS Control Tower’s account factory. The account factory allows you to provision new AWS accounts, and these accounts automatically inherit all the policies defined by the management account.

Account grouping

AWS Control Tower allows you to group accounts into organizational units (OUs) based on your organization’s structure or requirements. OUs work as containers for AWS accounts and allow you to apply different policies and guardrails to specific groups of accounts. You can create, delete, and register OUs in the Organization panel of the AWS Control Tower console.

If you are deploying AWS Control Tower into an existing organization, then you may also register existing organizational units and the accounts they hold.

Guardrails

AWS Control Tower provides a set of predefined guardrails: rules that enforce best practices and compliance policies across all member accounts and help ensure governance and compliance. By default, Control Tower applies 20 preventive controls and 3 detective controls. You can also customize these guardrails to your organization’s specific requirements.
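Preventive controls are implemented as service control policies (SCPs). The block below is an added example, not the policy Control Tower deploys: it is a simplified, constructed model of the Region deny guardrail from Step 1, together with an evaluator that shows which API requests such a Deny statement would block. The list of exempt global services and the exempt AWSControlTowerExecution role are assumptions.

```python
import re

# Constructed, simplified version of the Region deny guardrail: an SCP that denies
# every action outside the governed Regions except for global services and the
# Control Tower execution role. The exempt service list and role are assumptions,
# not the exact policy Control Tower deploys.
GOVERNED_REGIONS = ["us-east-1", "us-west-2"]
GLOBAL_SERVICES = ["iam", "organizations", "sts", "support", "cloudfront", "route53"]
EXEMPT_PRINCIPALS = ["arn:aws:iam::*:role/AWSControlTowerExecution"]

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideGovernedRegions",
        "Effect": "Deny",
        "NotAction": [f"{svc}:*" for svc in GLOBAL_SERVICES],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS},
            "ArnNotLike": {"aws:PrincipalARN": EXEMPT_PRINCIPALS},
        },
    }],
}

def _glob(pattern, value):
    """Case-insensitive match where '*' stands for any run of characters (IAM style)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None

def scp_denies(policy, action, region, principal_arn):
    """True if a Deny statement matches; an SCP never grants, it only removes permissions."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        # NotAction: the statement covers every action except the listed global services
        if any(_glob(p, action) for p in stmt["NotAction"]):
            continue
        cond = stmt["Condition"]
        if region in cond["StringNotEquals"]["aws:RequestedRegion"]:
            continue  # inside a governed Region, so the condition is false
        if any(_glob(p, principal_arn) for p in cond["ArnNotLike"]["aws:PrincipalARN"]):
            continue  # exempt principal
        return True
    return False

def check_requests(policy, requests):
    """Map each (action, region, principal) tuple to 'denied' or 'not denied by SCP'."""
    return {r: ("denied" if scp_denies(policy, *r) else "not denied by SCP") for r in requests}
```

Remember that an SCP only narrows permissions: "not denied by SCP" still requires an IAM allow in the member account.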

Centralize Billing and Cost Management

You can set up consolidated billing for all accounts in your AWS organization, which gives you a combined view of each account’s spending and makes it easier to track and manage costs across multiple workloads. Centralized billing allows you to audit all expenses from one dashboard.

Logging and Monitoring

When you set up your landing zone, a shared log archive account is created that is dedicated to collecting all logs centrally, including the logs of all your member accounts and the management account. These log files allow administrators and auditors to review actions and events that have occurred. Management account actions and events are viewable on the Activities page in the console, while member account actions and events are found in the log archive files.

AWS provides several tools, such as Amazon CloudWatch and AWS CloudTrail, for monitoring your resources and activity in your landing zone. You can see the status of your controls in the AWS Control Tower console, and the health of the accounts you provisioned in Account Factory is also monitored continuously. The console also provides a dashboard showing the environment summary, an enabled controls summary, non-compliant resources, registered organizational units, and enrolled AWS accounts.
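The CloudTrail files delivered to the log archive account are plain JSON with a "Records" array, which makes the auditor review described above easy to script. The following is an added example, not code from the original post: it reads a constructed sample of such a file and reports per-account activity plus three findings tied to the sections above (activity from an account that is not enrolled, activity outside the governed Regions, and calls blocked by a guardrail). The account IDs, Region list, and error message text are constructed.

```python
import json
from collections import Counter

# Constructed sample of a CloudTrail log file as delivered to the log archive account's
# S3 bucket (real files are gzip-compressed JSON with the same "Records" structure).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-15T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-east-1",
     "recipientAccountId": "444444444444",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::444444444444:assumed-role/Developer/alice"}},
    {"eventTime": "2024-01-15T10:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "eu-west-1",
     "recipientAccountId": "444444444444",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::444444444444:assumed-role/Developer/alice"},
     "errorCode": "AccessDenied",
     "errorMessage": "... with an explicit deny in a service control policy"},
    {"eventTime": "2024-01-15T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "recipientAccountId": "555555555555",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::555555555555:assumed-role/Admin/bob"}},
]})

ENROLLED_ACCOUNTS = {"444444444444"}        # constructed: accounts enrolled via Account Factory
GOVERNED_REGIONS = {"us-east-1", "us-west-2"}  # constructed: Regions chosen in Step 1

def load_records(text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(text)["Records"]

def review(records, enrolled, governed):
    """Summarise activity per account and collect findings an auditor would look at."""
    per_account = Counter(r["recipientAccountId"] for r in records)
    findings = []
    for r in records:
        who = r["userIdentity"].get("arn", "?")
        key = f'{r["recipientAccountId"]} {r["eventName"]} {r["awsRegion"]}'
        if r["recipientAccountId"] not in enrolled:
            findings.append(f"unenrolled account: {key}")
        if r["awsRegion"] not in governed:
            findings.append(f"activity outside governed Regions: {key}")
        if "service control policy" in r.get("errorMessage", ""):
            findings.append(f"blocked by guardrail: {key} by {who}")
    return per_account, findings
```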

Conclusion

Overall, AWS Control Tower is a valuable service that provides a comprehensive set of tools and best practices for securely managing multi-account AWS environments. It simplifies the process of creating and managing multiple AWS accounts. By leveraging AWS Control Tower, organizations can achieve consistent governance, enhanced security by applying security-related guardrails, simplified resource management, and improved cost optimization across AWS accounts.


Blog Pundits: Prakash Jha and Sandeep Rawat
