AWS Control Tower Cheat Sheet
AWS Control Tower is a service designed to set up and govern a secure, compliant, and well-architected multi-account AWS environment, also known as a "landing zone." It automates the process of creating a baseline environment using best practices for security and management.
Core Concepts
Landing Zone
- A landing zone is the overall well-architected, multi-account AWS environment that Control Tower creates and governs.
- Each AWS Organization can have only one landing zone managed by Control Tower, and it is set up from the organization's management account.
- Structure: The landing zone is built upon AWS Organizations and includes:
  - Root: The parent container for all Organizational Units (OUs).
  - Security OU: A dedicated OU that contains shared accounts essential for governance:
    - Log Archive Account: A central repository for the AWS CloudTrail and AWS Config logs of every account in the landing zone. Treat it as an evidence store: no workloads and no day-to-day human users belong here.
    - Audit Account: A restricted account designed for security and compliance teams. It gets cross-account access to every account in the landing zone through roles that Control Tower provisions in each enrolled account, and it receives the compliance notifications raised by detective guardrails.
  - Sandbox OU (or Custom OUs): These OUs contain the AWS accounts where your users and teams run their workloads. New accounts provisioned via the Account Factory are placed in whichever registered OU you select at creation time, and they inherit that OU's guardrails.
- Identity Management: Control Tower sets up and uses AWS IAM Identity Center (formerly AWS SSO) to manage user access and permissions centrally.
Account Factory
- The Account Factory is a built-in, automated mechanism for vending new AWS accounts (it is surfaced as a product in AWS Service Catalog).
- It functions like a template: every account provisioned through it is enrolled in Control Tower, receives the baseline (CloudTrail and AWS Config delivering to the Log Archive account, the Control Tower execution role, IAM Identity Center access) and inherits the governance policies (guardrails) of the OU it is placed in.
Guardrails
- A guardrail (now labelled a "control" in the Control Tower console and API) is a high-level governance rule that provides ongoing policy enforcement for your AWS environment. Guardrails are enabled on an OU, and all accounts within that OU inherit them.
- Guardrails also carry a guidance level: mandatory (always enabled and cannot be disabled), strongly recommended, and elective.
- There are three types of guardrails based on their behavior:
  - Preventive Guardrails: Proactively enforce policies to ensure compliance. They prevent actions that would lead to a policy violation, so the API call is denied before anything changes.
    - Implementation: Enforced using Service Control Policies (SCPs) from AWS Organizations.
    - Example: Disallow changes to the CloudTrail configuration or to the IAM roles that Control Tower creates, or prevent deletion of the log archive.
    - Caveat: SCPs never apply to the management account, so keep workloads and routine human access out of it.
  - Detective Guardrails: Detect non-compliance of resources that already exist within your accounts and report it on the Control Tower dashboard. They do not block or remediate anything on their own.
    - Implementation: Implemented using AWS Config rules (managed rules deployed into each enrolled account).
    - Example: Detect whether an S3 bucket allows public read access, or whether MFA is not enabled for the root user.
  - Proactive Guardrails: Evaluate resources before they are provisioned via AWS CloudFormation and fail the stack operation if they do not comply with your policies.
    - Implementation: Implemented using AWS CloudFormation hooks.
    - Example: Require that an S3 bucket being created has its Block Public Access settings configured.
    - Caveat: Only resources deployed through CloudFormation are checked; the same resource created from the console, the CLI or another IaC tool bypasses the hook, so pair a proactive guardrail with a detective or preventive one.
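To show what a detective guardrail actually sees, here is custom AWS Config rule logic of the kind the managed rules behind detective guardrails run. This is an added example, not one of Control Tower's own rules or code from this page: it evaluates an S3 bucket's configuration item for S3 Block Public Access and shapes the result the way a Config rule Lambda reports it. The configuration-item layout (the `PublicAccessBlockConfiguration` keys under `supplementaryConfiguration`) is my assumption about what Config records for `AWS::S3::Bucket`, and the sample items are constructed; check both against a real item from your account.

```python
"""Custom AWS Config rule logic resembling what a detective guardrail relies on.

Added example; not a Control Tower managed rule. The configuration-item shape
is an assumption about AWS::S3::Bucket items and the sample items below are
constructed, not captured from an account.
"""
import json

REQUIRED_FLAGS = ("blockPublicAcls", "ignorePublicAcls",
                  "blockPublicPolicy", "restrictPublicBuckets")


def evaluate_bucket(config_item):
    """Return COMPLIANT only if all four Block Public Access flags are on.

    A missing PublicAccessBlockConfiguration is treated as NON_COMPLIANT: a
    bucket with no block settings at all is exactly the case to flag.
    """
    if config_item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    pab = (config_item.get("supplementaryConfiguration", {})
           .get("PublicAccessBlockConfiguration") or {})
    if all(pab.get(flag) is True for flag in REQUIRED_FLAGS):
        return "COMPLIANT"
    return "NON_COMPLIANT"


def lambda_handler(event, context):
    """Config invokes the rule with the changed item JSON-encoded in invokingEvent.

    Returns the evaluation record. A deployed rule must also hand it back with
    boto3's config.put_evaluations(Evaluations=[...], ResultToken=event["resultToken"]);
    that network call is left out so the example runs offline.
    """
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_bucket(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def _item(bucket_name, flags):
    """Constructed AWS::S3::Bucket configuration item (not a real capture)."""
    return {
        "resourceType": "AWS::S3::Bucket",
        "resourceId": bucket_name,
        "configurationItemCaptureTime": "2024-01-15T10:00:00.000Z",
        "supplementaryConfiguration": {"PublicAccessBlockConfiguration": flags},
    }


def build_invocation(item, result_token="constructed-token"):
    """Shape of the event Config sends to the rule Lambda (invokingEvent is a JSON string)."""
    payload = {"configurationItem": item,
               "messageType": "ConfigurationItemChangeNotification"}
    return {"invokingEvent": json.dumps(payload), "resultToken": result_token}


# Constructed sample items: one bucket with every flag off, one fully locked
# down, and one that never had Block Public Access configured at all.
OPEN_BUCKET = _item("team-a-public-assets", dict.fromkeys(REQUIRED_FLAGS, False))
LOCKED_BUCKET = _item("team-a-private-data", dict.fromkeys(REQUIRED_FLAGS, True))
NO_PAB_BUCKET = _item("legacy-bucket", None)

if __name__ == "__main__":
    for bucket in (OPEN_BUCKET, LOCKED_BUCKET, NO_PAB_BUCKET):
        print(bucket["resourceId"], lambda_handler(build_invocation(bucket), None)["ComplianceType"])
```

The point to take from it: the rule only ever sees a recorded snapshot of the resource, so a detective guardrail reports a public bucket after Config records the change, and it does nothing to close it. Remediation (for example an EventBridge rule on the compliance change) is a separate piece you add.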
Monitoring and Logging
- Centralized Logging: All logs from AWS CloudTrail and AWS Config for all accounts in the landing zone are consolidated into S3 buckets in the central Log Archive account.
- Lifecycle Events: Control Tower generates lifecycle events for key actions (e.g., `CreateManagedAccount`, `UpdateManagedAccount`, `EnableGuardrail`, `DisableGuardrail`, `SetupLandingZone`). These events are recorded by AWS CloudTrail in the management account and are also delivered to the default Amazon EventBridge event bus there (event source `aws.controltower`). This allows you to build custom automation and workflows that trigger in response to Control Tower actions, for example finishing the configuration of a new account once `CreateManagedAccount` reports a `SUCCEEDED` state.
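An added example of consuming those lifecycle events (not code from this page or from AWS): an EventBridge rule pattern that matches only successful `CreateManagedAccount` events, a Lambda handler that pulls out the new account's identifiers, and a minimal matcher so the rule can be unit-tested offline. The field layout of the sample event follows the documented shape of a Control Tower lifecycle event, but the event itself is constructed (dummy account and OU IDs), and the exact keys are an assumption to verify against a real event from your landing zone.

```python
"""Lifecycle-event consumer for AWS Control Tower (added example).

Assumes lifecycle events arrive on the management account's default
EventBridge bus with source "aws.controltower" and a serviceEventDetails block
shaped like the documented CreateManagedAccount event. The sample event is
constructed, not captured.
"""
import json

# EventBridge rule pattern: fire only for successful account creations.
ACCOUNT_CREATED_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {
        "eventName": ["CreateManagedAccount"],
        "serviceEventDetails": {
            "createManagedAccountStatus": {"state": ["SUCCEEDED"]}
        },
    },
}


def pattern_matches(pattern, event):
    """Minimal EventBridge exact-match semantics, enough to test the rule offline.

    Every key in the pattern must exist in the event; a leaf list means "the
    event value is one of these". Content filters (prefix, anything-but, ...)
    are not implemented.
    """
    for key, want in pattern.items():
        if key not in event:
            return False
        got = event[key]
        if isinstance(want, dict):
            if not isinstance(got, dict) or not pattern_matches(want, got):
                return False
        elif got not in want:
            return False
    return True


def extract_new_account(event):
    """Fields downstream automation needs from a successful CreateManagedAccount.

    Returns None for anything else, so a Lambda wired to a broader rule can
    ignore unrelated lifecycle events safely.
    """
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
        "ou_id": status["organizationalUnit"]["organizationalUnitId"],
        "requested_at": status["requestedTimestamp"],
    }


def lambda_handler(event, context):
    """Lambda target. The real baseline step (e.g. assuming AWSControlTowerExecution
    in the new account to deploy extra stacks) would follow the extraction."""
    record = extract_new_account(event)
    if record is None:
        return {"handled": False}
    print(json.dumps(record))
    return {"handled": True, **record}


def with_state(event, state):
    """Deep copy of a lifecycle event with a different completion state (for tests)."""
    clone = json.loads(json.dumps(event))
    clone["detail"]["serviceEventDetails"]["createManagedAccountStatus"]["state"] = state
    return clone


# Constructed sample event; account and OU identifiers are dummies.
SAMPLE_EVENT = {
    "version": "0",
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "account": "111111111111",
    "region": "eu-west-1",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                       "organizationalUnitId": "ou-abcd-12345678"},
                "account": {"accountName": "team-a-dev", "accountId": "222222222222"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
                "requestedTimestamp": "2024-01-15T10:00:00+0000",
                "completedTimestamp": "2024-01-15T10:25:00+0000",
            }
        },
    },
}

if __name__ == "__main__":
    print(pattern_matches(ACCOUNT_CREATED_PATTERN, SAMPLE_EVENT))
    print(lambda_handler(SAMPLE_EVENT, None))
```

Filtering on `state` in the rule pattern rather than in code keeps failed provisioning attempts from ever invoking the baseline automation; the handler re-checks it anyway so it stays safe if someone later widens the rule.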
Key Features
- Automated Setup: Simplifies the complex task of setting up a multi-account environment based on AWS best practices.
- Centralized Governance: Enforces policies consistently across all accounts using guardrails.
- Dashboard Visibility: Provides a single pane of glass to view the compliance status of your accounts, OUs, and enabled guardrails.
- Region Deny Guardrail: A specific preventive guardrail (an SCP) that can be enabled to deny API calls to AWS services in AWS Regions you have not governed, helping to control your geographic footprint, data residency and costs. Global services such as IAM, STS, Organizations, Route 53 and CloudFront are exempted so that the landing zone keeps working, and so is the Control Tower execution role.
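For both the preventive guardrail description above and the Region Deny guardrail, here is an illustrative SCP in the same shape (a Deny with `NotAction` for global services, an `aws:RequestedRegion` condition and an exemption for the Control Tower execution role) together with a small evaluator that shows why such a deny cannot be overridden by any IAM policy in the member account. This is an added example, not the policy Control Tower attaches: the governed regions and the global-service list are assumptions trimmed for illustration, so copy the real SCP from the Organizations console rather than this one.

```python
"""Illustrative Region Deny SCP plus a tiny evaluator for its Deny statement.

Added example, not AWS's managed policy. GOVERNED_REGIONS and
GLOBAL_SERVICE_ACTIONS are assumptions chosen for this example.
"""
import fnmatch
import json

GOVERNED_REGIONS = ["eu-west-1", "eu-central-1"]  # assumption

# Global or region-less services that must keep working; trimmed list (assumption).
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "account:*", "route53:*",
    "cloudfront:*", "support:*", "budgets:*", "health:*", "trustedadvisor:*",
]

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRREGIONDENY",
        "Effect": "Deny",
        "NotAction": GLOBAL_SERVICE_ACTIONS,
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS},
            # Control Tower's own execution role must still reach every region.
            "ArnNotLike": {"aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns, casefold=False):
    """IAM-style wildcard match ('*' and '?'); action names are case-insensitive."""
    if casefold:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def statement_denies(stmt, action, context):
    """True if a Deny statement applies to this action in this request context."""
    if stmt.get("Effect") != "Deny":
        return False
    if "NotAction" in stmt:
        if _matches_any(action, stmt["NotAction"], casefold=True):
            return False      # action belongs to an exempted (global) service
    elif not _matches_any(action, stmt.get("Action", []), casefold=True):
        return False
    cond = stmt.get("Condition", {})
    for key, values in cond.get("StringNotEquals", {}).items():
        if context.get(key) in _as_list(values):
            return False      # request targets a governed region
    for key, patterns in cond.get("ArnNotLike", {}).items():
        if _matches_any(context.get(key, ""), patterns):
            return False      # exempted principal
    return True


def is_denied(action, region, principal_arn, scp=REGION_DENY_SCP):
    """An SCP Deny is absolute: if any Deny statement matches, no identity or
    resource policy in the account can grant the call."""
    context = {"aws:RequestedRegion": region, "aws:PrincipalARN": principal_arn}
    return any(statement_denies(s, action, context) for s in scp["Statement"])


def scp_json():
    """The policy document as you would paste it into AWS Organizations."""
    return json.dumps(REGION_DENY_SCP, indent=2)


if __name__ == "__main__":
    dev = "arn:aws:iam::111122223333:role/DeveloperRole"
    print(is_denied("ec2:RunInstances", "us-east-1", dev))   # ungoverned region
    print(is_denied("ec2:RunInstances", "eu-west-1", dev))   # governed region
    print(is_denied("iam:CreateUser", "us-east-1", dev))     # global service exempt
    print(scp_json())
```

Two things the evaluator makes visible: the `NotAction` list is the part that needs care (every service you leave out of it is blocked outside the governed regions, including region-less ones you may not think of), and the principal exemption means the execution role is a high-value target in every account, which is why preventive guardrails also protect it from modification.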
Pricing
- AWS Control Tower itself is available at no additional charge.
- You are charged for the AWS services that are set up and used by Control Tower to operate your landing zone. This includes charges for:
  - AWS Config rules and conformance pack evaluations (the detective guardrails).
  - AWS CloudTrail trails (beyond the free tier).
  - S3 storage for logs in the Log Archive account.
  - Other services provisioned within the accounts.