With the introduction of the public cloud, companies can stand up environments faster and have more control over every layer of their IT infrastructure. It has changed how everybody logs in to administer their piece of the environment. It has changed how companies allow their customers to access their products, and it has even changed how companies track that access and the cost associated with these new capabilities.
However, with this flexibility comes increased responsibility. Granting people access to anything within your environment is now trivial: in minutes, you can give several people access to everything. But that raises the real questions. Do you want them to be able to access everything? Do they need access to everything? And what happens when a misconfiguration occurs, whether malicious or accidental?
Furthermore, if a user accessed a part of your environment they were not supposed to, or did not understand where they were and unknowingly created a vulnerability, how would you detect that event and get notified of it? Under the regulations that apply in fields like healthcare, finance, government, or even oil and gas, this access must be controlled: limited to what is needed and, most importantly, logged so it can be reviewed.
What is AWS Control Tower?
With the creation of AWS Control Tower, AWS has taken the responsibilities that come with managing a multi-account environment and simplified them so that, once it is configured properly, new accounts can be created in a couple of clicks. Each new account starts out in line with company policy, with the governance baseline that most of today's security and compliance frameworks require already in place.
If you are reading this wishing you had heard of Control Tower before you built out your AWS environment, you are in luck: it can be applied to both new and existing environments. What does AWS Control Tower consist of? AWS brought together several existing services and current cloud concepts to create Control Tower and make it as useful as possible.
It started with the cloud concept of a landing zone. You can think of a landing zone as a cloud environment template packaged with industry best practices in all of the areas discussed in this article. Once applied to your new or existing environment, you are already following baseline best practices in access, governance, security, networking, and logging.
On top of the landing zone, AWS combined several other services that complement it and make up AWS Control Tower as a whole.
These include AWS Organizations and Control Tower guardrails (implemented as service control policies and AWS Config rules), which let you centrally manage and govern the environment; dedicated log archive and audit accounts, which let security teams collect and analyze AWS logs from every account in one place; AWS IAM Identity Center (formerly AWS Single Sign-On), which centrally authenticates your workforce identities; and Account Factory, which provisions new accounts with the baseline and guardrails already applied.
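To make "guardrail" concrete, here is an illustrative preventive guardrail written as an AWS Organizations service control policy (SCP). This is an added example, not a policy copied from the page or from AWS; it follows the pattern Control Tower uses for its mandatory guardrails, but the trail name prefix `aws-controltower-*` and the exempt role name `AWSControlTowerExecution` are assumptions for this example. The first statement stops anyone in a member account from disabling or altering the organization CloudTrail trail, so the centralized logging the article relies on cannot be silently switched off; the second prevents a member account from leaving the organization and escaping the guardrails altogether.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyTamperingWithControlTowerTrail",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "arn:aws:cloudtrail:*:*:trail/aws-controltower-*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    },
    {
      "Sid": "DenyLeavingOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
```

An SCP never grants permissions; it only sets the maximum permissions available in the accounts it is attached to. Attached to an organizational unit, it applies to every account in that OU, including accounts created later by Account Factory, and it binds even an account's root user. That is the property that makes a guardrail a guardrail: an administrator inside the member account cannot undo it, only someone with rights in the management account can.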
When Should I Implement AWS Control Tower?
If you do not have AWS Control Tower implemented in your environment, there is never a bad time to implement it, and from a security perspective you cannot do it soon enough. The structure that AWS Control Tower adds lets you organize everything, which makes it easier not only to keep an eye on what is going on but also to add resources and track them under the policies you have already put in place.
How Much Does AWS Control Tower Cost?
AWS Control Tower itself does not cost anything. What you incur charges for are the underlying services that Control Tower configures on your behalf. These include Amazon VPC for networking, AWS CloudTrail to record API activity and Amazon CloudWatch to track metrics, Amazon S3 to store the resulting logs, AWS Config to record and evaluate resource configuration, and Amazon Simple Notification Service (SNS) for notifications triggered by specific events.
You may use additional services beyond these, but these are the most common ones. Also keep in mind that all of these services are consumption-based, meaning you pay only for what you use, as you use it, and nothing more.