How to Set Up AWS Control Tower: A Step-by-Step Guide

Som Shanker PandeySom Shanker Pandey
4 min read

Table of contents

AWS Control Tower provides a centralized and automated way to set up and govern a multi-account AWS environment. Whether you're building a new organization or migrating to AWS, Control Tower's comprehensive setup and governance features can simplify your journey. In this guide, we’ll walk you through the process of setting up AWS Control Tower, step-by-step.

What is AWS Control Tower?

AWS Control Tower is a service that helps you set up and manage multiple AWS accounts in a way that’s secure and well-organized. It gives you tools to make sure each account follows important rules for security and compliance, so you don’t have to do it all manually.

Why Use AWS Control Tower?

AWS Control Tower is helpful because it:

  • Simplifies Multi-Account Management: It organizes multiple AWS accounts in one place.

  • Keeps Things Secure: It has built-in rules, called “guardrails,” that help you protect all your accounts.

  • Reduces Setup Time: Control Tower handles a lot of the setup work, saving you time.

  • Makes Scaling Easier: You get a dashboard to see and manage all accounts easily as your organization grows.

What is a Landing Zone in AWS Control Tower?

A Landing Zone is a ready-to-go AWS setup that Control Tower creates for you. It includes:

  • Groups of Accounts (OUs): For example, one group might be for testing and another for production.

  • Special Accounts: Like an Audit account (for security monitoring) and a Log Archive account (for storing logs from all accounts).

  • Guardrails: Built-in security and compliance rules to keep all accounts safe.

  • Single Sign-On (SSO): A way to access multiple accounts with one login.

Prerequisites

Before we start, make sure you have the following:

  • AWS Root Account Access: You'll need access to the root AWS account for your organization to set up AWS Control Tower.

  • Billing Permissions: Ensure that the AWS account you're using has billing permissions.

  • Supported Region: AWS Control Tower must be set up in a region that supports it (e.g., us-east-1 or us-west-2).

How to Set Up a Landing Zone

To set up a Landing Zone, follow these steps:

  1. Open AWS Control Tower: Go to the AWS Control Tower service in the AWS Console.

  2. Enable AWS Organizations: Control Tower needs AWS Organizations to group accounts and apply rules.

  3. Start the Setup: Click Set Up Landing Zone and follow the setup wizard.

  4. Choose Account Groups (OUs): Pick groups you need, like Core for important accounts.

    Use the same email from which you made your AWS Account, to Create account in OU use accountname+ouname@gmail.com

  5. Launch: Control Tower will set everything up, which takes about an hour.

After this, you’ll have a secure setup ready for managing your accounts.

What is SCP (Service Control Policy)?

An SCP is a rule that you can apply to groups of accounts in AWS. It controls what services or actions are allowed or blocked in those accounts. For example, you could use an SCP to block certain services that aren’t needed in some accounts, like stopping test accounts from using specific services.

How to Attach Policies to Accounts

To attach policies (like SCPs) to AWS accounts:

  1. Go to AWS Organizations in the AWS Console.

  2. Pick the group (OU) or account you want to apply a rule to.

  3. Click Policies and select Attach Policies.

  4. Pick the policy you want, like blocking certain services.

This way, you make sure each account in the group follows the same rules.

What is Single Sign-On (SSO) in AWS?

AWS Single Sign-On (SSO) is a tool that lets you log in once and access all your AWS accounts without needing separate passwords for each one. SSO can connect to your company’s existing login system, so it’s easier for users to access the accounts they need.

When your AWS Landing zone get setup you will get a invitation mail, accept the invitation, setup the password and you’ll get the link to access your SSO access portal.

Conclusion

AWS Control Tower makes managing a multi-account AWS environment far easier by enforcing best practices in security, compliance, and access management. This step-by-step guide provides the basics to set up Control Tower for your organization.

AWS Control Tower is a powerful tool, especially as your organization scales, so investing time in setting it up correctly now can save effort and improve governance in the long run.

2
Subscribe to my newsletter

Read articles from Som Shanker Pandey directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSAWSCommunityDevopsDevops articlesCloud

Written by

Som Shanker Pandey
Som Shanker Pandey

Hello, I’m Som, a DevOps Engineer passionate about streamlining operations through automation, continuous integration, and deployment. I am deeply passionate about exploring new technologies and continuously expanding my knowledge in the ever-evolving world of IT.