AWS Control Tower in multi-AWS-account scenarios
- AWS Control Tower integrates with AWS Organizations
- AWS Control Tower provides Account Factory to provision preconfigured AWS accounts
- AWS Control Tower helps to isolate workloads and billing via AWS accounts separation
- AWS Control Tower supports data residency controls out of the box
- AWS Control Tower supports post-provisioning actions on newly provisioned AWS accounts: for example, it can trigger enabling VPC Flow Logs in the new account
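As an added example (not code from this review or from AWS), this is the shape such a post-provisioning action takes: a Lambda that reacts to the Control Tower `CreateManagedAccountStatus` lifecycle event and enables VPC Flow Logs on every VPC in the new account. It assumes the `AWSControlTowerExecution` role that Control Tower creates in enrolled accounts, a log group and delivery role prepared in advance and passed through the `FLOW_LOG_GROUP_ARN` / `FLOW_LOG_ROLE_ARN` environment variables, and a constructed sample event.

```python
import os

# Constructed sample of the lifecycle event Control Tower publishes to
# EventBridge when Account Factory finishes an account (fictitious id).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail": {"eventName": "CreateManagedAccountStatus",
               "serviceEventDetails": {"createManagedAccountStatus": {
                   "state": "SUCCEEDED",
                   "account": {"accountId": "111122223333", "accountName": "dev-sandbox"}}}},
}

def new_account_id(event):
    """Account id from a successful CreateManagedAccountStatus event, else None."""
    if event.get("source") != "aws.controltower":
        return None
    detail = event.get("detail", {})
    if detail.get("eventName") != "CreateManagedAccountStatus":
        return None
    status = detail.get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None  # failed or in-progress provisioning: nothing to configure yet
    return status.get("account", {}).get("accountId")

def flow_log_request(vpc_ids, log_group_arn, delivery_role_arn):
    """Parameters for ec2.create_flow_logs: capture ALL traffic on every VPC."""
    return {"ResourceType": "VPC", "ResourceIds": sorted(vpc_ids),
            "TrafficType": "ALL", "LogDestinationType": "cloud-watch-logs",
            "LogDestination": log_group_arn,
            "DeliverLogsPermissionArn": delivery_role_arn}

def handler(event, context=None):
    """Lambda entry point: assume AWSControlTowerExecution in the new account
    (the role Control Tower creates there) and enable flow logs on its VPCs."""
    account_id = new_account_id(event)
    if account_id is None:
        return {"account": None, "flow_logs": []}  # not an account creation
    import boto3  # imported here so the pure helpers above run without it
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/AWSControlTowerExecution",
        RoleSessionName="enable-flow-logs")["Credentials"]
    ec2 = boto3.client("ec2", aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    vpc_ids = [v["VpcId"] for v in ec2.describe_vpcs()["Vpcs"]]
    if not vpc_ids:
        return {"account": account_id, "flow_logs": []}
    resp = ec2.create_flow_logs(**flow_log_request(
        vpc_ids, os.environ["FLOW_LOG_GROUP_ARN"], os.environ["FLOW_LOG_ROLE_ARN"]))
    return {"account": account_id, "flow_logs": resp["FlowLogIds"]}
```

An EventBridge rule in the management account matching `source: aws.controltower` and `detail.eventName: CreateManagedAccountStatus` is what invokes the handler.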
Cons
- If possible, it would be nice to see an automated option to close AWS accounts created with the Account Factory
- Multi account support
- Integration with various services - CloudFormation stack/StackSet concepts
- SSO integration
- Preconfiguration of newly created accounts
- Provisioning new AWS accounts without the need to use a credit card for each of the new accounts - everything works on the credit card used to set up the master account.
- It helped to separate billing for dev/prod/UAT workloads, making it easier to control how much developers are spending.
- Scalability
- Integration with Other Systems
- Ease of Use
- Provisioning of new AWS accounts that are preconfigured
- Applying data residency controls with a single click
- Managing user access
- Closing AWS accounts automatically is impossible
- The Service Catalog integration is a little bit complex
- AWS SSO
- AWS Security Hub
- AWS GuardDuty
- Lots of AWS services integrate well with Control Tower
- Single Sign-On