AWS Control Tower Overview

AWS Control Tower

AWS Control Tower provides a centralized place to configure an organization’s multi-account setup. It goes beyond AWS organizations in that it integrates IAM Identity Center (formerly AWS SSO) and utilizes tools like CloudFormation, AWS Config, and more to govern and specify how accounts are created in the organization.

Landing Zone

The Landing Zone is the hub of the AWS Control Tower. When the Control Tower organization has been created, the account that initiated its creation becomes the management account of the landing zone. The process then establishes some default accounts in addition to the management account. These accounts are created in a foundational organizational unit called Security, the Audit Account, and the Log Archive Account.

The Audit Account is used for notifications from SNS or Cloudwatch Metrics based on the landing zone established governance and security policies set for the landing zone. Users who need access to this information can be granted access to the Audit Account. In addition, third-party auditing software might be installed in this account to monitor the entire landing zone.

The Log Account Archive Account is for users who need access to logging information for all accounts in the Landing zone. It stores AWS Config and Cloudtrail for the entire landing zone and serves as a read-only archive for the organization’s logs.

Beyond these two accounts, another organization unit, sandbox, is created, which can be used to develop additional accounts for testing, demos, or experimentation. Finally, the organization will create other organizational units or accounts.

Account Factory

The Account Factory is a set of rules and configurations that can be used the create, modify or delete AWS accounts on an as-needed basis. You can interact with this service through the Control Tower interface or the Service Catalog.

The accounts created with Account Factory are subject to the guard rails established in the Landing Zone policies. This service is a way to create account templates that can be used to instantiate instances of accounts. Behind the scenes, this service uses CloudFormation to do much of this work.

Account Factory can be configured, if needed, to provide a way for end users (with correct privileges) to create their own accounts for things like application testing, product demos, etc… The end user would be the full administrator of this account, but the account would be limited by the guardrails set up by Account Factory.

Guard Rail Types

The Guard Rails discussed in the previous section are designed to provide preventative and detective types of solutions. For preventative guard rails, Account Factory would associate the created accounts with service control policies that would enforce the required permission boundaries on the created accounts. For detective time guard rails, Account Factory would apply AWS config rules to the account that could be used to alarm specific actions.


Overall, Control Tower allows an organization to set up an automated structure around account creation, govern the created accounts, and automatically provide features like single sign-on. And one of the more compelling features I see in this product is the ability to provision, remove, or repurpose accounts with appropriate permissions. This is interesting because it allows the business to set up an environment where experiments, demos, and other activities can be encouraged in a controlled and fully automated way.