AWS Control Tower



Let us consider this scenario. You are a cloud architect or DevOps infrastructure engineer at your organization. Customers tell you what infrastructure they need (or at least their basic requirements) and you start building it.

Next thing you know, the customer is running the entire production workload in your account. From a managerial and accounting standpoint, that is going to be really difficult. You will have your own workloads, for which your company has to pay, and your customer’s workload, for which the customer has to pay.

Or there could be another situation where you have multiple teams working on different projects, and they all need their own AWS environments in which to test their applications. This means giving those teams total control over their AWS environments, even though they are new to AWS and cannot be trusted to keep to the security standards.

This is where AWS Control Tower and all its related solutions come together, with centrally managed policies, governance and standards, and options for account-specific or consolidated billing.

What is AWS Control Tower?

If you’re an organization with multiple AWS accounts and teams, cloud setup and governance can be complex and time-consuming, slowing down the very innovation you’re trying to speed up. AWS Control Tower provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’s experience working with thousands of enterprises as they move to the cloud.

AWS Control Tower gives a single place to streamline AWS account setup, infrastructure setup, governance, standardisation, policies, permissions and account access, especially when a single AWS account does not cut it for the organization and its teams to function and innovate at the speed the world demands.

AWS Organizations, guardrails, AWS Config, AWS SSO and all their complementary services come together under AWS Control Tower.

Why should it be used?

AWS Control Tower puts a host of features at the fingertips of the people in charge of infrastructure standards and auditing. This ensures that the policies and configuration rules set up by the root AWS account of the organisation will be applied to all the child accounts in the organization.

Thus, even a person in the organization without much experience in AWS resource management can set up services with the right standards and best practices. This reduces the overhead for the infrastructure team in audits, maintenance and governance.

AWS Control Tower also provides auditing dashboards which can be used to check for discrepancies in the child accounts where security or any other set policies have not been met.

It also gives a single login to all the child accounts, so the permissions of each user can be centrally managed from the parent account.

How does it work?

AWS Control Tower uses the same policy and permission system used by IAM, AWS Config etc., but extends it to the child accounts. This ensures that any rules defined by the parent account cannot be overridden by the child account.

Thus any user who is a part of the SSO of the parent account can be given just the precise permissions required on the child account(s). This kind of centralised management makes governance over multiple accounts, which might belong to internal teams or external customers, very easy.
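
The layering described above, as an added example (a simplified model, not AWS's evaluation engine and not code from the original post): a guardrail attached by the parent account filters whatever a child account grants itself, so an explicit deny from the parent always wins. The policy documents and action lists are constructed samples; resources, conditions and permission boundaries are ignored.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (assumptions for illustration, not from a real account).
# Guardrail attached by the parent account to the child account.
GUARDRAIL = {"Statement": [
    {"Effect": "Allow", "Action": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging",
                                  "cloudtrail:DeleteTrail",
                                  "config:DeleteConfigRule"]},
]}
# Policy a child-account administrator grants to themselves.
CHILD_ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*"}]}
# Least-privilege policy for a developer signing in through SSO.
CHILD_DEV = {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"]}]}


def _matches(statement, action):
    patterns = statement["Action"]
    if isinstance(patterns, str):
        patterns = [patterns]
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def is_allowed(action, guardrail, identity_policy):
    """Explicit deny in either layer wins; otherwise both layers must allow."""
    layers = [_decision(guardrail, action), _decision(identity_policy, action)]
    if "Deny" in layers:
        return False
    return all(d == "Allow" for d in layers)


if __name__ == "__main__":
    for who, policy in (("admin", CHILD_ADMIN), ("dev", CHILD_DEV)):
        for action in ("s3:GetObject", "ec2:RunInstances", "cloudtrail:StopLogging"):
            print(f"{who:5} {action:24} -> {is_allowed(action, GUARDRAIL, policy)}")
```

Even the child account's administrator, who holds `Action: *`, cannot stop audit logging, while the developer is limited to the intersection of what both layers allow.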

How to get started?

1. Enable STS

Enable STS in all the Regions. If this is not done, the landing zone creation will fail.

2. Go to AWS Control Tower console

Search for AWS Control Tower and open the console.

3. Start landing zone setup

Click the button to start the landing zone setup.

4. Fill in required details

To start the setup, AWS requires two core accounts for logging and audit. Some resources are created in these accounts, and in the custom accounts added later, which allow the parent account to manage the child accounts.

For logging and audit, two email addresses are required to be used as the root IAM account of these AWS accounts. The email IDs should not already be used as a root account in any AWS account.

5. Wait for the setup to complete

The landing zone setup takes around 1 hour to finish. Once that is done, further configurations can be done to set up the policies and rules.

That’s it, AWS Control Tower setup is complete.

What does it cost?

AWS Control Tower itself is a solution and does not cost anything. There is a cost of $5 per month, but it comes from resources such as AWS Config, guardrails, Lambda functions etc. that are set up during the creation of the landing zone for the communication and management of the child accounts.


AWS Control Tower is a powerful tool for a modern organization which is growing at a very fast pace. It streamlines all the processes, setup, deployments, account creations, permission management etc. This reduces the management overhead and ensures that the organization can spend more time pushing forward instead of spiralling down the management rabbit hole.