📖 What is AWS Control Tower?

AWS Control Tower is a service that provides the easiest way to set up and govern a secure, multi-account AWS environment. It automates the creation of a 'Landing Zone' based on AWS best practices for security and compliance.

🥋 Sensei Says:

"Think of Control Tower as a layer on top of AWS Organizations that automates the governance and guardrail implementation process."

📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)

🔑 What are the Key Concepts of AWS Control Tower?

  • Landing Zone: Automates the setup of a secure multi-account environment, including networking, identity, and logging, following AWS best practices for enterprise scale.
  • Guardrails: Implements preventive controls via Service Control Policies (SCPs) and detective controls via AWS Config to ensure continuous compliance across accounts.
  • Account Factory: Provides a standardized, automated process for provisioning new AWS accounts with pre-configured security settings and baseline configurations.
  • AWS Organizations Integration: Acts as an orchestration layer on top of Organizations, simplifying the management of Organizational Units (OUs) and account hierarchies.
  • Centralized Governance: Offers a single dashboard to monitor the compliance status of all managed accounts against the established guardrails.

🎯 How does AWS Control Tower appear on the SAA-C03 Exam?

You may be asked to identify the best service for a company that needs to rapidly deploy a multi-account environment with a standardized 'Landing Zone' and built-in security baselines.

A scenario might describe a need to enforce specific security policies across dozens of accounts while automatically detecting when a resource drifts from compliance.

Expect questions where you must choose between AWS Organizations and Control Tower; look for keywords like 'automated setup' or 'governance guardrails' to identify Control Tower.

❓ Frequently Asked Questions

What is the primary difference between AWS Organizations and AWS Control Tower?

AWS Organizations provides the basic structure for account grouping and billing, while Control Tower adds a layer of automation for deploying landing zones and managing governance guardrails.


What is the difference between preventive and detective guardrails?

Preventive guardrails use SCPs to stop prohibited actions from occurring, whereas detective guardrails use AWS Config to alert administrators when a non-compliant resource is created.
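
The contrast between the two guardrail types, as an added example that is not part of the original page and not AWS's own policy engine. The SCP and the resource records are constructed samples, and the evaluation is simplified to Deny statements matched on action name only, ignoring Resource, Condition and NotAction:

```python
from fnmatch import fnmatchcase

# Constructed SCP in the standard policy JSON shape (not an actual Control Tower guardrail).
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyCloudTrailTampering",
        "Effect": "Deny",
        "Action": ["cloudtrail:StopLogging", "cloudtrail:Delete*"],
        "Resource": "*",
    }],
}

# Constructed resource snapshots, standing in for what a configuration recorder captures.
RESOURCES = [
    {"id": "vol-0001", "type": "AWS::EC2::Volume", "encrypted": True},
    {"id": "vol-0002", "type": "AWS::EC2::Volume", "encrypted": False},
    {"id": "bucket-logs", "type": "AWS::S3::Bucket", "encrypted": True},
]


def scp_denies(scp, action):
    """Preventive: return the Sid of the Deny statement matching the action, else None."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        # Action names are case-insensitive and may contain * wildcards.
        if any(fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return stmt.get("Sid", "unnamed")
    return None


def detect_unencrypted_volumes(resources):
    """Detective: the resources already exist; report the ones that violate the rule."""
    return [r["id"] for r in resources
            if r["type"] == "AWS::EC2::Volume" and not r["encrypted"]]


if __name__ == "__main__":
    for action in ("cloudtrail:DeleteTrail", "cloudtrail:LookupEvents"):
        sid = scp_denies(SCP, action)
        print(action, "-> blocked by " + sid if sid else "-> not denied by this SCP")
    print("NON_COMPLIANT:", detect_unencrypted_volumes(RESOURCES))
```

The preventive check runs before the action takes effect and stops it; the detective check only reports `vol-0002` after it already exists, so remediation is a separate step.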
