AWS Control Tower: Multi-Account Environments


Questions and Answers

In the context of AWS Control Tower, what is the most precise definition of the 'Landing Zone' concerning its functional role and scope within a multi-account AWS environment?

  • A configuration management database (CMDB) ensuring compliance and standardization across all AWS resources.
  • A network firewall perimeter that strictly isolates workloads to prevent lateral movement of threats between AWS accounts.
  • An anomaly detection system that uses machine learning to identify unusual resource consumption patterns across AWS accounts.
  • A pre-configured, foundational environment representing the multi-account architecture, integrated ID federation, and centralized logging and auditing. (correct)

How does AWS Control Tower's 'Account Factory' extend the native capabilities of AWS Organizations in the context of AWS account provisioning and lifecycle management?

  • It leverages the AWS Marketplace to source pre-configured AMIs, ensuring consistency across all newly provisioned accounts.
  • It automates the generation of IAM policies based on a least-privilege model, reducing the attack surface of new accounts.
  • It delivers fully automated account provisioning with standardized configurations, integration with SDLC processes, and lifecycle management (close/repurpose) capabilities exceeding the scope of AWS Organizations. (correct)
  • It utilizes a blockchain ledger to immutably record all account creation and modification events, enhancing auditability and compliance.

Which design principle provides the MOST significant advantage of implementing preventive guardrails within AWS Control Tower, particularly in mature AWS environments?

  • Automating the remediation of non-compliant resources, ensuring immediate correction of security vulnerabilities.
  • Enforcing mandatory resource tagging policies to improve cost allocation and resource governance.
  • Proactively preventing actions that deviate from established governance standards, crucial for maintaining compliance and preventing configuration drift in complex environments. (correct)
  • Providing real-time cost optimization recommendations to reduce unnecessary spending across all AWS accounts.

How does AWS Control Tower leverage existing AWS services to implement its features of multi-account management and governance?

It orchestrates services such as AWS Organizations, IAM Identity Center (successor to AWS SSO), AWS Config, CloudTrail, and Service Catalog to deliver a comprehensive multi-account environment. (C)

What is the MOST critical difference between 'detective' and 'preventive' guardrails within AWS Control Tower in the context of managing risks and ensuring compliance?

Detective guardrails identify non-compliant configurations and security issues, while preventive guardrails actively block actions that violate policies, thus preventing incidents. (D)

In the operational context of AWS Control Tower, what is the primary purpose of the 'Audit Account', particularly focusing on governance and compliance?

To provide a centralized repository for audit information, enabling access for compliance and security teams using third-party tools to ensure continuous auditing of the environment. (C)

When you initially set up AWS Control Tower, what organizational units are created by default and what is their purpose?

Two organizational units: a foundational organizational unit (Security) and a custom organizational unit (Sandbox). (D)

Within the context of AWS Control Tower, which of the following best articulates its capacity to handle the concept of 'drift'?

AWS Control Tower is designed with built-in mechanisms, primarily guardrails, to detect, report, and, in preventive mode, automatically correct deviations from established best practices and organizational policies, thus mitigating configuration drift. (B)

How does the concept of a 'home region' impact the deployment and operational boundaries within AWS Control Tower?

The 'home region' is the initial region where AWS Control Tower is deployed, serving as the mandatory control plane for multi-account governance, while also allowing the option to allow or deny the usage of other AWS regions. (D)

AWS Control Tower offers Single Sign-On capabilities through its integration with the IAM Identity Center. What are the implications related to the identity sources that you can integrate?

AWS Control Tower's SSO, now via IAM Identity Center, supports the integration of existing corporate identity stores, enabling users to access AWS accounts using their existing credentials. (C)

Flashcards

AWS Control Tower

A product that simplifies setting up and governing AWS multi-account environments, using prescriptive best practices.

Landing Zone

A foundational component of Control Tower that represents the multi-account environment.

Guardrails

Rules for multi-account governance that detect drifts from governance standards, implemented using AWS Config and Service Control Policies.

Account Factory

Automates AWS account provisioning with standardized configurations and integrates with a business's SDLC.


Dashboard (Control Tower)

A single-page view providing oversight of the entire organization managed by AWS Control Tower.


AWS Organizations

An AWS service that provides multi-account structure and is used by Control Tower.


Audit/Log Archive Accounts

Accounts created by Control Tower for security and auditing purposes within the foundational OU.


IAM Identity Center (AWS SSO)

An AWS service used to provide single sign-on (SSO) across multiple AWS accounts in the Landing Zone.


Guardrail Types

Rules categorized as mandatory, strongly recommended, or elective for multi-account governance.


Preventative Guardrails

The category of guardrails that blocks disallowed actions before they happen.


Study Notes

  • AWS Control Tower is becoming required knowledge for using AWS in the real world
  • It is featured in AWS exams
  • The lesson is foundational

Functionality Overview

  • Enables quick and easy setup of multi-account environments
  • Orchestrates other AWS services
  • Integrates with Organizations, IAM Identity Center, CloudFormation, and Config
  • Implements a Landing Zone for multi-account environments
  • Supports SSO/ID Federation, Centralized Logging, and Auditing
  • Uses Guardrails to detect or mandate rules and standards across accounts
  • Provides Account Factory for automating and standardizing new account creation
  • Offers a Dashboard for single-page environment oversight
  • It allows quick and easy setup of multi-account environments
  • It orchestrates other AWS services
  • It adds features, intelligence and automation, extending AWS Organizations

Key Components

Landing Zone

  • The Landing Zone is the multi-account environment of Control Tower
  • It's what most people interact with when using Control Tower
  • It is like AWS Organizations but with enhanced capabilities
  • It uses single sign-on and ID Federation
  • It provides centralized logging and auditing, using CloudWatch, CloudTrail, AWS Config, and SNS

Guardrails

  • Designed to detect or mandate rules and standards across AWS accounts, again within the Landing Zone

Account Factory

  • Provides automation for account creation, standardizing the process

High-Level Architecture and Setup

  • Control Tower is created from within an AWS account
  • That account becomes the management account of the Landing Zone
  • Within the management account, Control Tower orchestrates everything
  • AWS Organizations provides the multi-account structure
  • Organizational Units and Service Control Policies are supported
  • Single Sign-On is provided by the IAM Identity Center

Organizational Units and Accounts

  • When Control Tower is set up for the first time, it will create foundational Organizational Units
  • These include the foundational organizational unit, which by default is called Security, and the custom organizational unit, which by default is called Sandbox
  • Two AWS accounts: Audit and Log Archive, inside the foundational or security organizational unit
  • Explicit access must be granted

Account Factory Details

  • The Account Factory enables automated provisioning of accounts by admins or end users, and that includes the application of guardrails
  • Accounts can be configured with standard account and network configurations
  • These can be long-running or short-term
  • The Account Factory allows accounts to be closed or repurposed, and it's tightly integrated with a software development life cycle.
  • Automation is implemented with CloudFormation

Guardrails Explained

  • Guardrails are multi-account governance rules
  • Three types: mandatory, strongly recommended, and elective (which are essentially optional)
  • Preventive guardrails are implemented using Service Control Policies (part of AWS Organizations) to stop actions
  • Detective guardrails are compliance checks using AWS Config rules to verify configuration
  • Standard account and network configuration through the Account Factory
  • Integrated business SDLC

Landing Zone Additional Details

  • Well-Architected multi-account environment in a Home Region
  • Built with AWS Organizations, AWS Config, CloudFormation
  • Has Security OU including Log Archive & Audit Accounts, which includes CloudTrail & Config Logs
  • Has Sandbox OU for test/less rigid security
  • You can create other OUs and Accounts
  • IAM Identity Center (AWS SSO) offers SSO, multiple-accounts, ID Federation
  • Monitoring and Notifications - CloudWatch and SNS
  • End User account provisioning via Service Catalog
  • Security OU and Sandbox OU for testing and reduced security
  • You can create other organizational units and accounts
  • The Landing Zone utilizes IAM Identity Center, which was previously known as AWS SSO
  • Multiple AWS accounts within a Landing Zone are supported for SSO
  • It has ID Federation capabilities
  • You can use existing identity stores to access all of the AWS accounts
  • Monitoring and notifications with CloudWatch and SNS

Guardrails Explained

  • The guardrails enforce rules for multi-account governance
  • The guardrails are mandatory, strongly recommended, or elective
  • Each guardrail is either enforced or not enabled
  • They allow or restrict regions or bucket policy changes
  • Each guardrail's compliance status is reported as clear, in violation, or not enabled
  • Guardrails are important to security and governance
  • Detective guardrails for compliance checks using AWS Config rules
  • It checks that configuration aligns with best practice
  • Validation results are reported as clear, in violation, or not enabled
  • Provisioning is automated, subject to the appropriate permissions

Account Factory Details

  • The Account Factory is the ability to automate account provisioning with a few properties
  • Accounts can be provisioned by cloud admins or end users
  • Has guardrails - automatically added
  • Account admin given to a named user (IAM Identity Center)
  • The accounts can be closed or repurposed
  • Fully integrated with a business's SDLC
  • AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices
  • Control Tower orchestrates the capabilities of several other AWS services
  • AWS Single Sign-On builds a landing zone in less than an hour
  • AWS Control Tower extends the capabilities of AWS Organizations
  • Accounts are kept from drift (divergence from best practices) by preventive and detective controls, also known as guardrails
