
AWS Policies and Control Tower Overview

Mar 17, 2025

Lecture Notes

Overview of AWS Policies

  • AWS offers several important policies:
    • Service Control Policies (SCPs): Preventive tools to restrict actions in an environment (e.g., prevent resource creation if not tagged properly).
    • Tag Policies: Standardize and enforce tagging strategy (e.g., cost center tags).
    • Backup Policies: Centralize backup across the environment.
    • Service Opt-in AI Policies: not elaborated on in the lecture transcript.

Service Control Policies (SCP)

  • Used as a preventive measure to enforce compliance and block unauthorized actions across the accounts they are attached to.
  • Example: Deny resource creation when the request does not carry the required tags.
  • Caution: Applying SCPs can break existing automations in an environment that were never written to satisfy the new restriction, so test them on a non-production OU first.
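As an added example (not from the lecture or from AWS documentation), the SCP below encodes the "deny creation when the tag is missing" rule from the notes using a Null condition on the request tag, together with a small evaluator that shows which constructed API calls it would block; the tag key CostCenter, the action list and the evaluator are assumptions for illustration.

```python
import fnmatch
import json

# Assumed tag key: the notes mention a cost center tag, so "CostCenter" is used here.
REQUIRE_COSTCENTER_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUntaggedEc2Create",
        "Effect": "Deny",
        "Action": ["ec2:RunInstances", "ec2:CreateVolume"],
        "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
        # Null == "true" matches when the tag key is absent from the API request,
        # so an untagged create call is explicitly denied, whatever IAM allows.
        "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
    }],
}

def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively, with '*' as a wildcard.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def _null_matches(key: str, want: str, request_tags: dict) -> bool:
    # Only aws:RequestTag/<key> is modelled; the tag key is compared verbatim.
    prefix = "aws:RequestTag/"
    if not key.startswith(prefix):
        return False
    present = key[len(prefix):] in request_tags
    return (want == "true") == (not present)

def scp_denies(policy: dict, action: str, request_tags: dict) -> bool:
    """Return True when an explicit Deny statement in the SCP matches the call.
    SCPs only restrict: a call not denied here still needs an IAM Allow, and only
    the grammar used above (Deny plus Null on request tags) is evaluated."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(a, action) for a in actions):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if all(_null_matches(k, v, request_tags) for k, v in null_cond.items()):
            return True
    return False

if __name__ == "__main__":
    print(json.dumps(REQUIRE_COSTCENTER_SCP, indent=2))
    # Constructed requests: an automation that never tagged instances breaks here.
    print(scp_denies(REQUIRE_COSTCENTER_SCP, "ec2:RunInstances", {}))  # True
    print(scp_denies(REQUIRE_COSTCENTER_SCP, "ec2:RunInstances", {"CostCenter": "1234"}))  # False
```

The second call is the case the caution above warns about: any pipeline that launches instances without the tag is denied the moment the SCP is attached.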

Tag Policies

  • Help standardize tags and enforce a tagging strategy across the organization.
  • Example: Enforcing tag key formats and allowed values (e.g., the cost center tag must be spelled with a capital 'C').

Backup Policies

  • Used for centralizing backups within the AWS environment.

AWS Governance

  • Governance becomes crucial as workloads increase and multi-account strategies are adopted.
  • AWS Organization: Facilitates management of multi-account implementations.
    • Benefits include centralized billing and cost allocation.

AWS Control Tower

  • Designed to balance agility and governance by setting up secure multi-account environments based on AWS best practices.
  • Key Features:
    1. Landing Zone Setup: Establishes a secure foundational environment for accounts, including guardrails and AWS Config rules.
    2. Centralized Identity and Access Management: Achieved through AWS Identity Center (formerly SSO).
    3. Automated Account Provisioning: Uses Service Catalog's Account Factory.
    4. Establishing Guardrails: Includes preventive, detective, and elective controls.

Control Tower Architecture

  • Involves setting up organizational units (OUs) and accounts such as the management account, log archive account, and audit account.
  • Security OU: Contains log archive and audit accounts.
  • Sandbox OU: Contains provisioned accounts for development and testing.

Customizations for Control Tower

  • Allows organizations to tailor settings to specific needs.
  • Tools for customization include:
    • Landing Zone Accelerator (LZA): Utilizes CloudFormation for deploying customizations.
    • Account Factory for Terraform: Supports infrastructure as code via Terraform.
    • CFCT (Customizations for Control Tower): Being phased out in favor of LZA.

Setting Up and Using AWS Control Tower

  • Involves setting up the landing zone, centralizing identity and access management and logging, and using Account Factory for account provisioning.
  • Users and permissions are managed through AWS Identity Center, which assigns roles and permission sets to control access to the accounts.
  • Control Tower simplifies the management of AWS environments by streamlining account creation and centralizing governance.