AWS Control Tower and why we don't use it





Everyone who has worked with AWS knows about accounts: the place where the actual work happens, such as allocating resources and separating access rights. It is often necessary to create several of them, whether separate accounts for different departments of the company, for individual projects, or even for the different environments of one project (development, testing, production). For account management AWS provides AWS Organizations, which lets you create new accounts, allocate resources, simplify billing by setting a single payment method for all accounts, group accounts, and apply policies to those groups to manage workflows efficiently.



However, AWS Organizations alone is not enough to manage accounts. You want not only to create accounts, but to create them so that they meet the norms and policies adopted in the company, to track the state of the accounts you created, and to manage policies in a more convenient way than editing a JSON document. And as the number of accounts in an organization grows, it quickly becomes clear that the capabilities of the AWS Organizations service are lacking. For those who have embarked on this path there are two options: either use the tool from AWS, Control Tower, or develop their own control scripts. The rest of the article explains why we chose the second option.



What is AWS Control Tower?



Let us start by defining AWS Landing Zone, a solution that helps users quickly set up a secure multi-account AWS environment based on best practices. This is what lies at the heart of AWS Control Tower. According to the official information, this solution continues to exist but will receive no further improvements, and new users are strongly encouraged to use AWS Control Tower to manage a multi-account AWS environment.



So what is AWS Control Tower? It is an AWS managed service that automates the creation and management of a multi-account AWS environment. It automatically configures AWS Organizations as the primary AWS service for account control and implements preventive measures and restrictions using Service Control Policies (SCPs). AWS Control Tower can be used in a variety of scenarios: to create a new AWS environment or project in the cloud, or to work in an existing AWS environment with multiple accounts.



The main features of the service include:



  • Landing Zone. AWS Organization , SSO ;
  • . , ;
  • Account Factory. , – VPC, . .;
  • . . – , , .


?



To get started, you need an AWS account and a user with administrator rights. This account is then used as the master account when creating the AWS organization. It should also be mentioned that AWS Control Tower is not supported in all regions: for example, in the USA the California region is not supported, in Europe Milan and Paris are not, and in Asia only two of the seven available regions, Singapore and Sydney, are supported (information at the time of writing).



The service is based on a set of AWS CloudFormation templates, with the help of which a landing zone is created with the following resources:



  • three groups of accounts (organization unit) - Root, Core and Custom;
  • two accounts in the Core organization unit - a log archive account for storing all the organization's logs and an audit account for auditing;
  • AWS SSO - ;
  • 20 6 . , -. AWS CloudTrail, .


The restrictions mentioned above are out-of-the-box service control policies and AWS Config rules that help you manage security, workflow, and compliance. Preventive restrictions prohibit actions that violate security policies; an example is that users of accounts belonging to the organization cannot delete log archives or stop the logging process. Detective restrictions check the account's compliance with the security rules and, in case of non-compliance, send notifications to the audit account; examples are disks without encryption or unused disks in an account.



There is also integration with several AWS services that simplifies creating and managing accounts in the organization. For example, the integration with AWS Firewall Manager lets you create additional policies that operate at the organization level, while the integration with AWS Service Catalog makes it easy to create accounts with predefined properties and a set of resources.



Benefits of using



Fast, simple and safe. You can create a full-fledged organization with a few clicks in the management console. The result is an organization that meets the recommended security standards, together with a system for notifications about the state of the organization. All the actions needed to create and configure the organization's resources are hidden from the user, and there are quite a few of them. Managing the organization is also greatly simplified: you do not need to think about which policy to write for which service so that it works as intended. The set of ready-made restrictions also makes life a lot easier, reducing the configuration of an organization to choosing restrictions from a list, which is much faster than developing your own.



Why aren't we using AWS Control Tower?



One of the main reasons we did not use AWS Control Tower is the lack of integration between the service and Terraform, which we adopted as the de facto standard for working with cloud providers. Perhaps this integration will appear in the future and the decision can be reconsidered. It is not even about creating the organization itself with Terraform; you could first create the organization in the console and then fill it with resources through Terraform. But I wanted to manage the created resources afterwards: change policies, and have access to resources such as VPCs, security groups and SNS topics for further customization and expansion.



The second reason was an already existing organization with a set of accounts and some specific logic of its own. I will say right away that AWS Control Tower allows you to bring an existing organization under its control. However, some points emerged that were not exactly show-stoppers, but did cause some concern. Namely:



  • SCP . AWS Control Tower SCP . . SCP , — . , AWS Control Tower .
  • SSO -. AWS Control Tower , . , – ;


As a small addition, I wanted to move away from the generally accepted standard and handle the organization's logs in a single account that would include storage, processing, a notification system and a dashboard. Let me remind you that in AWS Control Tower this is split across two accounts: logging and audit.



The third reason was the desire to customize the AWS Control Tower restrictions mentioned above. First, to expand the list of policies, for example by prohibiting the deletion or modification of certain resources (certain roles related to account management, or critical resources). Second, to use roles at the level of one specific account rather than a group of accounts, as is currently implemented in AWS Control Tower. And third, to manage all this on the fly: for example, temporarily disable a certain set of restrictions for a specific account and then enable them again.
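The two guardrail behaviours discussed above, a preventive SCP that stops member accounts from disabling CloudTrail or deleting the log archive, and toggling such a policy on a single account on the fly, as one added control script. This is example code written for this article's topic, not the author's scripts or Control Tower's own policies; the bucket name, policy id and account id are constructed placeholders, and `org` is assumed to be a `boto3.client("organizations")` passed in by the caller.

```python
import json

# Constructed placeholder; the real log-archive bucket name is not in the article.
LOG_BUCKET = "example-org-log-archive"


def build_logging_guardrail(log_bucket: str = LOG_BUCKET) -> dict:
    """Preventive guardrail: deny stopping or reconfiguring CloudTrail and deny
    deleting the log archive. SCPs never apply to the management account, so
    a break-glass path remains there; everywhere else the Deny wins."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyTamperingWithCloudTrail",
                "Effect": "Deny",
                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                           "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
                "Resource": "*",
            },
            {
                "Sid": "DenyLogArchiveDeletion",
                "Effect": "Deny",
                "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion",
                           "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"],
                "Resource": [f"arn:aws:s3:::{log_bucket}", f"arn:aws:s3:::{log_bucket}/*"],
            },
        ],
    }


def scp_document(policy: dict) -> str:
    """Serialize compactly: Organizations rejects SCP documents over 5120 characters."""
    doc = json.dumps(policy, separators=(",", ":"))
    if len(doc) > 5120:
        raise ValueError("SCP document exceeds the 5120-character limit")
    return doc


def set_guardrail(org, policy_id: str, account_id: str, enabled: bool) -> bool:
    """Attach (enabled=True) or detach (enabled=False) one SCP on one account.
    Returns True if a change was made. At most five SCPs can be attached to a
    target, so the listing needs no pagination."""
    attached = {p["Id"] for p in org.list_policies_for_target(
        TargetId=account_id, Filter="SERVICE_CONTROL_POLICY")["Policies"]}
    if enabled and policy_id not in attached:
        org.attach_policy(PolicyId=policy_id, TargetId=account_id)
        return True
    if not enabled and policy_id in attached:
        org.detach_policy(PolicyId=policy_id, TargetId=account_id)
        return True
    return False  # already in the requested state; idempotent on re-runs
```

Because an attached SCP is evaluated with the account's own IAM policies, detaching it for a maintenance window re-enables whatever the local administrators can already do, so the toggle should be logged and time-boxed.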



However, it cannot be said that we do not use AWS Control Tower at all. Of course, there is a lot we needed in the implementation of this service, and in building our own solution we used the knowledge gained from studying AWS Control Tower.



Conclusion



AWS Control Tower or custom scripts, an off-the-shelf product or custom development. As always, the finished product gives speed of implementation and lower costs for development and bug fixing, but in return we lose flexibility.



AWS Control Tower is a convenient service for managing an organization of accounts. If you have just concluded that one account is not enough and you need to build an organization, start with AWS Control Tower. If you do not know how to create policies or how to configure log processing and notification services, and at the same time security is an essential prerequisite for your organization, start with AWS Control Tower. If you use the AWS console to manage your cloud infrastructure, you will probably find AWS Control Tower attractive enough.



However, if your organization requires a level of customization that goes beyond the standard, or your accounts must live by rules that change frequently, you may need a different solution.


