AWS Config vs. AWS Control Tower

It's really good if your infrastructure services is all in AWS, that means everything could be audited and monitored using AWS config. You also can create alarms to notify you or your team about any changes on your AWS resources which is very useful to prevent abuse if you have a fairly large team. It's also very useful whenever some third party wants to audit your AWS resources, if you have a fairly comprehensive AWS config configured, the auditing process will be easy since they only need to look at your AWS config setup.

Incentivized

We were wanting to prove the concept of a low touch process for quickly spinning up boilerplate AWS environments. We were able to get started quickly and to ensure that the AWS Well-Architected Framework principles were followed - at least upfront - however, we found that for our use case and expertise level it ultimately wasn't a fit. We have the skills on our team to manage more of this on our own. My recommendation would be contingent on what skills are already available on your team: if you can "do it yourself" you might as well so that you don't pay for resources you don't need and you have finer grain control over what's created.

Incentivized

• The ability to track changes in AWS is paramount, AWS config allows you to do this
• Allows the auditing of an AWS account
• Can view history of an account that has AWS config enabled

Incentivized

• Easily create new AWS accounts.
• Easily secure and manage AWS accounts.
• Landing zone with SSO is a huge win for larger teams.

Incentivized

• It's only AWS, no third party.
• Not the most intuitive interface, but with a little getting used to it is OK.

Incentivized

• The AWS SSO GUI is not very intuitive and determining how to apply policies to users without creating redundant logins has been a challenge.
• The default guardrails do not fully encompass all the security checks that we needed.
• There does not appear to be any way to control roles at the IAM level from the control tower account through the GUI.
• Some features on AWS accounts still require logging into the individual account with the root user and cannot be done from AWS Control Tower.

Incentivized

There is no way to easily close an AWS account whether it was created manually or via the AWS Control Tower. It takes too many steps to close it vs to provision a new AWS account

Incentivized

Would rate lower for other workloads but for AWS workloads its simple to set up, cost effective and customisable. Primary use case is compliance from a governance perspective.

Incentivized

I do not know or have used any other product in AWS cloud space that matches what AWS Config provides. We have some custom built monitoring and governance, however that is there because AWS Config does not provide it currently.

Incentivized

Using AWS Systems Manager and other slightly lower level components has been helpful for us to manage parts of our AWS presence at a more granular level than AWS Control Tower was designed for. It's not at all an apples-to-apples comparison as they solve different use cases, but for us, the use case associated with AWS Systems Manager was a better fit for our specific needs and skillsets. We did not need everything that AWS Control Tower was doing for us.

Incentivized

• Enforcing audit requirements
• Easy to set up alerting when there are rule breaches
• Auto remediation reduces the manual policing of such breaches

Incentivized

• Less time manually deploying accounts which was error prone.
• Central logging allowed us to have 1 place to view logs.

Incentivized