Control Tower
💡 Definition
AWS Control Tower makes it easy to set up, govern, and secure a new, multi-account AWS environment (often called a "landing zone"). It provides a simplified way to create a secure, well-architected AWS environment based on best practices.
🔑 Key Concepts
- Landing Zone: A well-architected, multi-account AWS environment that is secure and scalable. Control Tower creates it with a management account, a Security OU holding two shared accounts (Log Archive and Audit), and a Sandbox OU for workloads.
- Guardrails (the Control Tower console now calls them "controls"): Pre-defined rules that either prevent non-compliant actions or detect resources that drift from policy.
  - Preventive Guardrails: Implemented as SCPs attached to OUs. They block the API call at the organization level, overriding any IAM Allow in the member account.
  - Detective Guardrails: Implemented as AWS Config rules deployed to every enrolled account. They do not block anything; they report resources as non-compliant.
  - Proactive Guardrails: A newer type, implemented as CloudFormation hooks that reject non-compliant templates before the resources are created.
- Account Factory: Automates the provisioning of new accounts and enrolls them in a chosen OU, so the baseline (Config recorder, organization CloudTrail trail, IAM Identity Center access) is applied automatically.
- Centralized Logging: An organization-wide CloudTrail trail and AWS Config history are delivered to S3 buckets in the dedicated Log Archive account. The separate Audit account is a restricted account for security and compliance teams; it gets cross-account read access to all enrolled accounts and receives guardrail notifications via SNS.
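The two guardrail types above differ in when they act: a preventive guardrail rejects the API call before IAM is consulted, while a detective guardrail only reports drift after the fact. The following added example (not code from the page or from AWS) shows both mechanisms in miniature: a toy SCP evaluator applied to a Deny statement modeled on the mandatory Control Tower guardrail that disallows changes to CloudTrail (its exact wording is an assumption), and a Config-rule-style check over trail descriptions. The principals, API calls and trail records are constructed sample data.

```python
"""Toy evaluator for a Control Tower preventive guardrail (an SCP) and a
detective guardrail (an AWS Config-style rule).

Added example, not code from the page or from AWS.  The SCP below is modeled
on the mandatory Control Tower control that disallows changes to CloudTrail;
its exact wording is an assumption.  All principals, calls and trails are
constructed sample data.
"""
import fnmatch
import json

GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "GRCLOUDTRAILENABLED",
    "Effect": "Deny",
    "Action": [
      "cloudtrail:DeleteTrail",
      "cloudtrail:PutEventSelectors",
      "cloudtrail:StopLogging",
      "cloudtrail:UpdateTrail"
    ],
    "Resource": ["*"],
    "Condition": {
      "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"}
    }
  }]
}
""")


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' as in fnmatch, case-sensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, principal_arn):
    """Evaluate the small subset of condition operators this toy supports."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"unsupported operator {operator}")
        for key, pattern in pairs.items():
            if key != "aws:PrincipalARN":
                raise NotImplementedError(f"unsupported condition key {key}")
            matched = _matches(pattern, principal_arn)
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def scp_denies(policy, action, principal_arn):
    """Return the Sid of the Deny statement that blocks `action`, or None.

    An SCP never grants access; an explicit Deny here overrides any Allow in
    the member account's IAM policies, which is what makes the guardrail
    preventive.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), principal_arn):
            continue
        return stmt.get("Sid", "<no Sid>")
    return None


# Constructed API calls: (action, calling principal ARN).
SAMPLE_CALLS = [
    ("cloudtrail:StopLogging", "arn:aws:iam::111122223333:user/alice"),
    ("cloudtrail:LookupEvents", "arn:aws:iam::111122223333:user/alice"),
    ("cloudtrail:UpdateTrail", "arn:aws:iam::111122223333:role/AWSControlTowerExecution"),
    ("cloudtrail:DeleteTrail", "arn:aws:iam::111122223333:role/Developer"),
]


def blocked_calls(policy, calls):
    """Subset of `calls` the SCP would reject before IAM is even consulted."""
    return [(a, p) for a, p in calls if scp_denies(policy, a, p)]


# Constructed trail records, shaped like DescribeTrails + GetTrailStatus output.
SAMPLE_TRAILS = [
    {"Name": "aws-controltower-BaselineCloudTrail", "IsMultiRegionTrail": True, "IsLogging": True},
    {"Name": "dev-trail", "IsMultiRegionTrail": False, "IsLogging": False},
]


def evaluate_trails(trails):
    """Detective check in the spirit of a Config rule: a trail is COMPLIANT only
    if it is multi-region and currently logging.  Nothing is blocked; the
    finding is what the Audit account's SNS notification would carry."""
    return {
        t["Name"]: "COMPLIANT" if t["IsMultiRegionTrail"] and t["IsLogging"] else "NON_COMPLIANT"
        for t in trails
    }


if __name__ == "__main__":
    for action, principal in blocked_calls(GUARDRAIL_SCP, SAMPLE_CALLS):
        print(f"preventive: {action} by {principal} denied by SCP")
    for name, status in evaluate_trails(SAMPLE_TRAILS).items():
        print(f"detective: {name} is {status}")
```

Note the role carve-out in the condition: the SCP still lets Control Tower's own execution role reconfigure the trail, which is how the landing zone can be updated without first lifting the guardrail. That carve-out is also why the role is worth monitoring in the Audit account.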
⚙️ How it Works
Control Tower does not introduce a new enforcement engine; it orchestrates existing services. It creates the organization and OUs in AWS Organizations, provisions the shared Log Archive and Audit accounts, sets up IAM Identity Center for workforce sign-in, enables an organization-wide CloudTrail trail and an AWS Config recorder in every enrolled account, and then applies guardrails as SCPs (preventive) and Config rules (detective). A dashboard shows enrolled accounts, enabled guardrails, and any non-compliant resources or drift from the baseline.
🎯 Use Cases
- New AWS Users/Companies: Starting with a best-practice multi-account setup.
- Compliance: Enforcing security and operational best practices across many accounts.
- Large Enterprises: Applying consistent governance across many OUs and accounts, and provisioning new accounts at scale with a known-good baseline.
💰 Pricing Model
- AWS Control Tower itself is free. You pay only for the underlying AWS services (e.g., AWS Organizations, CloudTrail, AWS Config, S3) deployed by Control Tower.
📝 Exam Tips (CLF-C02)
- Focuses on setting up and governing multi-account AWS environments.
- Creates a "landing zone" based on best practices.
- Uses "Guardrails" for policy enforcement: preventive guardrails are SCPs (they block), detective guardrails are AWS Config rules (they report).
- Integrates heavily with AWS Organizations, CloudTrail, and AWS Config.
See Also:
- AWS Organizations
- SCP
- AWS Config
- CloudTrail