AWS Control Tower in multi AWS account scenarios
AWS Control Tower allows me to provision predefined compliant and secure AWS accounts in an automated fashion
Overview
What is AWS Control Tower?
The vendor presents AWS Control Tower as the easiest way to set up and govern a new, secure multi-account AWS environment. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while knowing new accounts conform…
Recent Reviews
Reviewer Pros & Cons
Pricing
N/A
Unavailable
What is AWS Control Tower?
The vendor presents AWS Control Tower as the easiest way to set up and govern a new, secure multi-account AWS environment. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while knowing new accounts conform to company-wide policies.
Entry-level set up fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting/Integration Services
Would you like us to let the vendor know that you want pricing?
3 people also want pricing
Alternatives Pricing
What is AlienVault USM?
AlienVault® Unified Security Management® (USM) delivers threat detection, incident response, and compliance management in one unified platform. It is designed to combine all the essential security capabilities needed for effective security monitoring across cloud and on-premises environments,…
What is Kaspersky Endpoint Security Cloud?
Kaspersky Endpoint Security Cloud provides a solution for organizations' IT security needs, blocking ransomware, file-less malware, zero-day attacks and other emerging threats. Kaspersky’s cloud-based approach helps users to work securely on any device, and collaborate safely online, at work or at…
Product Demos
AWS Control Tower set up demo (English).
YouTube
AWS Control Tower Account Factory (English)
YouTube
AWS Control Tower Tutorial / Deep Dive / Demo - Implement AWS Landing zone using AWS Control Tower
YouTube
Product Details
- About
- Tech Details
What is AWS Control Tower?
AWS Control Tower Technical Details
| Operating Systems | Unspecified |
|---|---|
| Mobile Application | No |
Comparisons
Compare with
Reviews and Ratings
(10)Attribute Ratings
Reviews
(1-3 of 3)Companies can't remove reviews or game the system. Here's why
September 25, 2023
AWS Control Tower in multi AWS account scenarios
AWS Control Tower allows me to provision predefined compliant and secure AWS accounts in an automated fashion
- AWS Control Tower integrates with AWS Organizations
- AWS Control Tower provides Account Factory to provision preconfigured AWS accounts
- AWS Control Tower helps to isolate workloads and billing via AWS accounts separation
- AWS Control Tower supports data residency controls out of the box
- AWS Control Tower supports post provisioning actions to newly provisioned AWS accounts: for example it can trigger enabling VPC flow logs in the new account
- If possible it would be nice to see an automated option to close AWS accounts created with the Account Factory
- Multi account support
- Integration with various services - Cloud formation / stack/stackset concepts
- SSO integration
- Preconfiguration of newly created accounts
- Provisioning new AWS accounts without need to use credit card for each of the new accounts - all works on a credit card used to set up the master account.
- It helped to separate billing for dev/prod/uat workloads, making it easier to control how much developers are spending.
AWS Control Tower is an extension of AWS Organizations - think of it like the Organiztions on steroids.
No
- Scalability
- Integration with Other Systems
- Ease of Use
This is a unique solution solving a particular problem : provisioning AWS accounts and preconfiguring them so they are ready to use and secure out of the box.
- Provisioning of new AWS accounts that are preconfigured
- Applying data residency controls within a single click
- Managing user access
- Closing AWS accounts automatically is impossible
- The service catalog integration is little bit complex
- AWS SSO
- AWS Security Hub
- AWS GuardDuty
- Lots of AWS services integrates well with the Control Tower
- Single Signon
We have multiple companies along with multiple clients that require separate AWS accounts. With AWS Control Tower it makes it simple and easy to have a central point to monitor and control all the AWS accounts.
- Guardrails make securing accounts easy and quick.
- AWS SSO allows us a central point for controlling users and groups across each account.
- Centralized logging serves as a single point to monitor each environment.
- Landing zones allow us to apply templates for each account and customize each one from a central point as well.
- The AWS SSO GUI is not very intuitive and determining how to apply policies to users without creating redundant logins has been a challenge.
- The default guardrails do not fully encompass all the security checks that we needed.
- There does not appear to be any way to control roles at the IAM level from the control tower account through the GUI.
- Some features on AWS accounts still require logging into the individual account with the root user and cannot be done from AWS Control Tower.
- SSO and Federated services
- Landing Zones and guardrails
- Central logging
- AWS Control tower allowed us to drop several third-party vendors for security appliances and logging, which saved us considerable funds.
- AWS Control tower reduced the amount of time we spend deploying AWS accounts.
- AWS Control tower reduced the amount of time we have to spend on quarterly security audits.
AWS Control Tower allows you to set up a baseline environment, in the parlance of Control Tower, this is called a landing zone. The value adds of this product is that the default baseline environment that is set up by AWS Control Tower includes AWS best practices by default. This includes best practices from AWS Well-Architected Framework. In our case, we were interested in experimenting with a lower overhead setup for an ancillary AWS account.
- I like being able to see policy-level summaries of my AWS environment.
- It is great for moving quickly with minimal risk of severe blunders.
- Provisioning a new account within the purview of the Control Tower is quick and easy.
- This level of abstraction leaves you vulnerable to not knowing exactly what's been created, and that can enable you to mess things up.
- Because it provisions things on your behalf, you might end up paying for resources you don't need.
- The import process of existing accounts, which we did not end up pursuing, is tedious and manual.
- Low barrier to entry
- AWS Well Architected Framework best practices built in.
- Easy to navigate account summary of resources.
- It was ultimately a neutral impact for us as we didn't pursue it very far.
- It would not be the right fit for us given that we have the skills to roll these things on our own.
- It would have been more expensive than strictly necessary because it provisions resources you don't necessarily need.
Using AWS Systems Manager and other slightly lower level components has been helpful for us to manage parts of our AWS presence at a more granular level than AWS Control Tower was designed for. It's not at all an apples-to-apples comparison as they solve different use cases, but for us, the use case associated with AWS Systems Manager was a better fit for our specific needs and skillsets. We did not need everything that AWS Control Tower was doing for us.