AWS Control Tower is a recently announced, console-based service that allows you to govern, secure, and maintain multiple AWS accounts based on best practices established AWS.
What resources do I need to Implement AWS Control Tower?
The core resources you need to implement Control Tower will be allocated by AWS, but you’ll still need to set up AWS Organizations, an account factory to create accounts per line of business, and Single Sign On (SSO). The total number of accounts, organizational structure, and AWS services used in your implementation will all impact the total operational cost, so customers with more complex or larger-scale environments should consider their long-term strategies as their cloud footprint grows.
If you’re a part of an organization that has multiple accounts in different lines of business, this service is for you.
What choices do I need to make to manage Control Tower?
In order to establish a Cloud Enablement Team to manage Control Tower, you need to incorporate multiple stakeholders. In a large organization, that might entail different people for roles such as:
1. Platform Owner
2. Product Owner
3. AWS Solution Architect
4. Cloud Engineer (Automation)
5. Developer
6. DevOps
7. Cloud Security
You want to be as inclusive as possible in order to get the most breadth of knowledge. These are the people that will be making the decisions you need to migrate to the cloud and then most importantly, thrive once present and remain engaged. We have the team, so now what can we do to make Control Tower work the best for us?
Decisions for the Team
1. Develop a RACI
This is one of the most crucial aspects of Operations. If you do not have accountability or responsibility, then you don’t have management. Everyone must be able to delineate their tasks from the rest of the team. Finalizing everyone’s role in the workflow then will solve a lot of issues before they happen.
In the shared services model, we need to understand what resources are going to the cloud and what will stay. Anything from Active Directory to DNS to one-off internal applications will have to be figured out in a way to accommodate functionality and keep the charge back model healthy. One of Control Tower’s most redeeming and worthy qualities is knowing what each LOB is costing and how they are helping the organization overall.
3. Charge Backs
Since the account factory (previously called Account Vending Machine) is established, each LOB will have its own account. In order to see what the LOB costs are, you must have an account. AWS does not do pricing based on VPC, but by account. Leveraging Control Tower, tagging, and third-party cost management resources all can combine to give an accurate depiction of the costs incurred by a specific line of business.
4. Security
Security will have all logs dumped from each account into a centralized log bucket that can be pointed to the tool of choice to analyze those logs. Other parties may perform audits to read your logs using ready only functions in an account that has nothing else, another feature of Control Tower. The multi-account strategy not only allows for better governance but also now helps in case of compromise. If one account has been compromised, then the blast radius for all the other accounts is minimal. Person X may have accessed a bucket in a specific account, but they did not access it anywhere else. The most important thing to remember is that you cannot treat cloud security like data center security.
There are plenty of choices to make as it relates to Control Tower moving forward for an organization, but if you plan correctly and make wise decisions, then you can secure your environment and keep your billing department happy. Hopefully, this has helped you see what it takes in the real world to prepare. Good luck out there!
