Managing AWS Policies and Control Tower

Mar 17, 2025

Lecture on AWS Policies and Control Tower

Key AWS Policies

  • Service Control Policies (SCPs):

    • Preventive guardrails to restrict actions in an AWS environment.
    • Example: Prevent resource creation if not tagged properly.
    • Caution required when applying SCPs in environments with existing automations.
  • Tag Policies:

    • Standardize tags and enforce tagging strategy.
    • Example: Ensure cost center tags follow a specific format.
  • Backup Policies:

    • Used to centralize backup management across an AWS environment.
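As an added illustration of the SCP example above (not material from the lecture), the following block holds a standard-form SCP that denies ec2:RunInstances when the request carries no CostCenter tag, together with a small toy evaluator for the IAM Null condition so the effect can be checked offline. The tag key CostCenter, the account ID and the sample requests are constructed assumptions; the evaluator is not the real IAM policy engine.

```python
import fnmatch

# Constructed SCP in standard 2012-10-17 policy syntax (an assumed tag key, "CostCenter").
# Effect: launching instances/volumes without a CostCenter request tag is denied.
REQUIRE_COSTCENTER_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyUntaggedInstances",
            "Effect": "Deny",
            "Action": ["ec2:RunInstances"],
            "Resource": ["arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:volume/*"],
            # Null = "true" matches when the key is absent from the request context
            "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}},
        }
    ],
}


def _null_condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate only the IAM 'Null' operator; an empty condition matches everything."""
    return all(
        (key not in context) == (want == "true")
        for key, want in condition.get("Null", {}).items()
    )


def scp_denies(scp: dict, action: str, resource: str, request_tags: dict) -> bool:
    """Toy check (not the IAM engine): does any Deny statement match this request?

    Request tags are exposed the way IAM does it, as aws:RequestTag/<Key>.
    """
    context = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if _null_condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


if __name__ == "__main__":
    arn = "arn:aws:ec2:us-east-1:111122223333:instance/*"  # constructed sample
    # An existing automation that launches untagged instances is blocked too,
    # which is the caution the lecture raises about SCPs and automations.
    print("untagged launch denied:", scp_denies(REQUIRE_COSTCENTER_SCP, "ec2:RunInstances", arn, {}))
    print("tagged launch denied:", scp_denies(REQUIRE_COSTCENTER_SCP, "ec2:RunInstances", arn, {"CostCenter": "CC-1234"}))
```

Running the block shows the untagged launch denied and the tagged launch allowed; an action outside the statement (for example s3:CreateBucket) is untouched by this SCP.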

AWS Control Tower

  • Purpose: Provides balance between agility and governance in multi-account AWS environments.
  • Key Features:
    • Landing Zone Setup:
      • Creates a secure multi-account environment based on AWS best practices.
      • Includes guardrails, SCPs, and AWS Config rules.
    • Centralized Identity & Access Management:
      • Uses AWS IAM Identity Center for unified access management across accounts.
    • Centralized Logging:
      • Logs from all accounts are centralized in a Log Archive account.
      • Encompasses CloudTrail, AWS Config logs, etc.
    • Automated Account Provisioning:
      • Uses Service Catalog's Account Factory to set up compliant accounts automatically.
    • Establishes Guardrails:
      • Divided into mandatory, strongly recommended, and elective categories.

Challenges and Solutions

  • Challenges in Multi-Account Setups:

    • Ensuring compliance while maintaining developer agility.
    • Managing cost allocation and centralized billing efficiently.
  • Control Tower as a Solution:

    • Provides a structured way to implement policies and maintain compliance.
    • Offers pre-built setups for governance, reducing manual configuration.

Customizations for Control Tower

  • Customization Needs:

    • Companies may need to customize Control Tower settings to align with specific use cases.
    • Examples include removing default VPCs, applying specific policies, or pre-provisioning services.
  • Tools for Customization:

    • Landing Zone Accelerator (LZA): For YAML-based customization.
    • Account Factory for Terraform (AFT): For Terraform-based environments.

Control Tower Architecture

  • Components:
    • Management Account: Central control for the organization.
    • Security OU: Contains Log Archive and Audit accounts.
    • Sandbox OU: For experimentation and development.
    • Identity Center and Service Catalog: Key tools for identity management and account vending.

Setting Up and Using Control Tower

  • Setup Process:

    • Involves creating management and member accounts, enabling AWS Organizations, and setting up IAM Identity Center.
  • Account Factory Usage:

    • Simplifies the creation of new AWS accounts with preset configurations.
  • Creating Users and Permission Sets:

    • Users are managed via IAM Identity Center, enabling centralized access across accounts.

Practical Application and Demonstrations

  • Creating Users & Groups:

    • Demonstrated setup of users in Identity Center and assignment to groups with specific permission sets.
  • Account Provisioning:

    • Use of Account Factory to quickly create compliant AWS accounts.
  • Security & Compliance Automation:

    • Implementation of guardrails and policies to ensure security across multi-account environments.

This lecture provides a comprehensive overview of AWS's tools for managing multi-account environments, focusing on governance, compliance, and automation to balance operational freedom with security.