AWS Control Tower Offers Automated Multi-Account Management
Twistlock sponsored this article, which was written independently by The New Stack.
Automation was a key theme during the keynote at last week’s inaugural AWS re:Inforce conference in Boston, and while the idea of automation may immediately spark ideas of using Lambda to provide automated remediation, automation can also be helpful with the less flashy tasks, such as setting up multi-account AWS environments with AWS Control Tower.
While some users may have enjoyed early access to Control Tower, AWS chief information security officer Stephen Schmidt announced during the keynote that the tool would now be generally available to all AWS customers. According to a blog post detailing the release and its implementation, Control Tower “automates the process of setting up a new baseline multi-account AWS environment that is secure, well-architected, and ready to use.”
With Control Tower, security comes baked into newly created multi-account AWS environments in the form of Landing Zones and Guardrails. A Landing Zone is the overall multi-account environment set up by Control Tower, which includes "a baseline environment to get started with a multi-account architecture, identity and access management, governance, data security, network design, and logging." Guardrails, meanwhile, are "automated implementations of policy controls, with a focus on security, compliance, and cost management." They come in two kinds: preventive guardrails block non-conformant user activity outright (these are enforced as AWS Organizations service control policies, so the API call is denied regardless of the caller's IAM permissions), while detective guardrails raise an alert when a non-conformant resource or activity is detected (these are enforced as AWS Config rules, so a drift is reported but not blocked). By using Control Tower, your baseline environment will include a multi-account environment using AWS Organizations, identity management and federated access to accounts using AWS Single Sign-On (SSO), centralized logging from AWS CloudTrail and AWS Config stored in Amazon S3, and cross-account security audits using AWS IAM and AWS SSO.
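To make the preventive kind concrete, here is an illustrative service control policy of the sort a preventive guardrail attaches to an organizational unit. It is an added example written for this article, not one of Control Tower's own guardrail definitions, and the statement IDs and the exempted role name are assumptions; the policy denies every principal in the member accounts the API calls that would stop or weaken CloudTrail and AWS Config logging, which is exactly the "centralized logging" baseline Control Tower is protecting.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ExampleLandingZoneAutomationRole"
        }
      }
    },
    {
      "Sid": "DenyConfigTampering",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteConfigRule"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ExampleLandingZoneAutomationRole"
        }
      }
    }
  ]
}
```

Two things a practitioner should keep in mind when reading a policy like this: an SCP never grants permissions, it only caps what IAM in the member account can allow, so an explicit Deny here overrides even an administrator's `*:*` policy in that account; and SCPs do not apply to the organization's management account at all, which is why Control Tower keeps workloads out of that account and why the role exempted above (a placeholder name here) should be the only principal able to reconfigure the trail.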
In an interview with The New Stack, Dave McCann, vice president of the AWS Marketplace, explained that Control Tower brings a deep level of integration with other AWS services, such as AWS Organizations, AWS Identity and Access Management (IAM), AWS Config, AWS CloudTrail, and AWS Service Catalog. In addition, Control Tower comes with a number of preconfigured “Guardrails,” or rulesets, with more on the way.
The software has been natively integrated into 70 AWS services. "By integrating into our own services, we've been able to do deep integration into our culture," said McCann. Version 1 comes with 25 standard Guardrails; a second wave is due in August and a third set in the fall. Also in the fall, the company will spin up an API so that customers can bring in their own rules.
Although Control Tower is ultimately targeted at enterprise customers, McCann explained that it’s currently best matched for greenfield customers that are not looking to import existing guidelines.
“It’s designed for scale and there’s no limit to the number of accounts that you could publish, so we don’t see it being limited by organizational size. From a maturity point of view, the first release of Control Tower is targeted for people who are early in their adoption of AWS,” said McCann. “As we add more capability in the short term, by the end of the year, we intend to be applicable to our most mature customers, but right now, there are a few things that our mature customers would want that we will not have for the year.”
AWS Control Tower is currently available at no additional charge to all AWS users in the US East (N. Virginia), US East (Ohio), US West (Oregon), and Europe (Ireland) Regions, with more Regions on the way. Note that the services Control Tower provisions on your behalf, such as CloudTrail, AWS Config and the S3 storage for their logs, are billed at their normal rates.