Control Tower
Automated landing zone setup for a secure, well-governed multi-account environment
AWS Control Tower automates the creation of a secure, well-governed multi-account AWS environment (called a landing zone) by orchestrating Organizations, SSO/IAM Identity Center, Config, CloudTrail, and guardrails into a consistent baseline. It is the recommended starting point for enterprises adopting AWS at scale, eliminating the months of manual setup required to build equivalent governance from scratch.
Landing Zone Architecture - What Control Tower Creates
When you set up Control Tower, it creates a landing zone: a baseline multi-account environment with pre-configured governance. Understanding what it provisions is essential for troubleshooting and extending it.
| Component Created | Description |
|---|---|
| Management OU | Contains the management account; restricted by SCPs |
| Security OU | Contains Log Archive account (centralized CloudTrail + Config logs) and Audit account (cross-account security access) |
| Sandbox OU | Default OU for new accounts; less restrictive for experimentation |
| IAM Identity Center | Configured for SSO across all accounts using permission sets |
| AWS Config (all accounts) | Enabled in all accounts, aggregated to Audit account |
| CloudTrail (all accounts) | Organization-level trail writing to Log Archive account S3 bucket |
| Guardrails (SCPs + Config rules) | Preventive guardrails as SCPs; Detective guardrails as Config rules |
The Log Archive account receives CloudTrail logs and Config snapshots from all accounts, stored in S3 with S3 Object Lock to prevent tampering. Even account root users cannot delete these logs. The Audit account has read-only cross-account access to all other accounts for security review.
Control Tower is region-specific for its guardrails but operates globally for account management. The home region (where you set up Control Tower) is where the IAM Identity Center and Control Tower API live. You can enable additional governed regions to extend Config and CloudTrail coverage.
Guardrails - Preventive vs Detective and Mandatory vs Elective
Guardrails are governance rules in Control Tower. They come in two behavioral types and two mandate levels:
| | Preventive Guardrail | Detective Guardrail |
|---|---|---|
| Mechanism | SCP attached to OUs | AWS Config rule deployed to accounts |
| Effect | Blocks the non-compliant action before it happens | Detects non-compliance after it occurs and reports it |
| Example | Disallow creation of internet gateways in VPCs | Detect EC2 instances without IMDSv2 enforced |
| Response | API call returns error | Resource shows as non-compliant in Control Tower dashboard |
| Mandate Level | Description | Can Be Disabled? |
|---|---|---|
| Mandatory | Always enabled; required for Control Tower integrity (e.g., disallow changes to Log Archive S3 bucket) | No |
| Strongly Recommended | AWS best practice guardrails enabled by default | Yes |
| Elective | Optional guardrails for specific compliance frameworks or stricter control | Yes (opt-in) |
```bash
# List the controls (guardrails) enabled on a specific OU
aws controltower list-enabled-controls \
  --target-identifier arn:aws:organizations::123456789012:ou/o-xxxx/ou-xxxx-xxxx
# Enable a guardrail on a specific OU
aws controltower enable-control \
  --control-identifier arn:aws:controltower:us-east-1::control/AWS-GR_DISALLOW_VPC_INTERNET_CONNECTION \
  --target-identifier arn:aws:organizations::123456789012:ou/o-xxxx/ou-xxxx-xxxx
# List recent enable/disable control operations and their status
aws controltower list-control-operations
```
Account Factory - Vending Machine for New AWS Accounts
Account Factory is the self-service portal for creating new AWS accounts within the landing zone. When a new account is vended, Control Tower automatically applies the appropriate OU guardrails, configures SSO access, enables Config and CloudTrail, and applies baseline network settings.
| Feature | Description |
|---|---|
| Account Factory for Terraform (AFT) | Manage account vending as code using Terraform; accounts defined in a Git repo, provisioned via pipeline |
| Account customizations | Lambda hooks and Terraform customizations run after account creation to install additional resources |
| Account enrollment | Bring existing accounts under Control Tower governance without recreating them |
| VPC baseline | Optionally create a default VPC (or no VPC) in each new account with consistent CIDR ranges |
Account Factory for Terraform (AFT) is now the recommended pattern for enterprise landing zones. It stores account definitions as Terraform HCL in a Git repository, making account provisioning auditable, reviewable via pull requests, and integrated with existing IaC workflows.
Do not manually enroll accounts that have conflicting Config recorders or CloudTrail trails. Control Tower's enrollment process will fail. You must delete the existing Config recorder and consolidate trails before enrollment.
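A pre-enrollment check for the conflict described above, written as an added example (not AWS's or the page's own code). It uses the response shapes boto3's `config` and `cloudtrail` clients return; the `FakeConfigClient`, `FakeCloudTrailClient` and `SAMPLE_CLIENTS` are constructed stand-ins so it runs offline, and the trail names are constructed.

```python
class FakeConfigClient:
    """Stand-in for boto3.client("config") returning the same response shapes."""
    def __init__(self, recorders=(), channels=()):
        self.recorders, self.channels = list(recorders), list(channels)
    def describe_configuration_recorders(self):
        return {"ConfigurationRecorders": self.recorders}
    def describe_delivery_channels(self):
        return {"DeliveryChannels": self.channels}

class FakeCloudTrailClient:
    """Stand-in for boto3.client("cloudtrail")."""
    def __init__(self, trails=()):
        self.trails = list(trails)
    def describe_trails(self):
        return {"trailList": self.trails}

def enrollment_blockers(config_client, cloudtrail_client, region):
    """Return the conditions in one region that make Control Tower enrollment fail:
    a pre-existing Config recorder or delivery channel, or an account-level trail
    that should be consolidated into the organization trail first."""
    blockers = []
    for rec in config_client.describe_configuration_recorders()["ConfigurationRecorders"]:
        blockers.append(f"{region}: delete Config recorder '{rec['name']}'")
    for ch in config_client.describe_delivery_channels()["DeliveryChannels"]:
        blockers.append(f"{region}: delete Config delivery channel '{ch['name']}'")
    for trail in cloudtrail_client.describe_trails()["trailList"]:
        if trail.get("IsOrganizationTrail"):
            continue  # the Control Tower organization trail is expected
        if trail.get("HomeRegion", region) != region:
            continue  # shadow copy of a multi-region trail; reported in its home region
        blockers.append(f"{region}: consolidate account-level trail '{trail['Name']}'")
    return blockers

def preflight(clients_by_region):
    """clients_by_region: {region: (config_client, cloudtrail_client)} for every governed region.
    Returns all blockers; an empty list means the account is ready to enroll."""
    return [b for region, (cfg, ct) in sorted(clients_by_region.items())
            for b in enrollment_blockers(cfg, ct, region)]

# Constructed sample: an account with a legacy recorder in us-east-1 and a
# single-region trail in eu-west-1, alongside the organization trail (constructed names).
SAMPLE_CLIENTS = {
    "us-east-1": (FakeConfigClient(recorders=[{"name": "default"}], channels=[{"name": "default"}]),
                  FakeCloudTrailClient([{"Name": "org-baseline-trail", "IsOrganizationTrail": True, "HomeRegion": "us-east-1"}])),
    "eu-west-1": (FakeConfigClient(),
                  FakeCloudTrailClient([{"Name": "legacy-audit", "IsOrganizationTrail": False, "HomeRegion": "eu-west-1"},
                                        {"Name": "org-baseline-trail", "IsOrganizationTrail": True, "HomeRegion": "us-east-1"}])),
}
```

Run `preflight` over real boto3 clients for each governed region and enroll only when it returns an empty list.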
Customizations for Control Tower (CfCT) and Extending the Landing Zone
Customizations for AWS Control Tower (CfCT) is an AWS solution that lets you add custom CloudFormation templates and SCPs to your landing zone, applied to OUs and accounts via a pipeline triggered by code commits.
| Extension Method | Use Case |
|---|---|
| CfCT (CloudFormation-based) | Deploy custom resources to accounts at enrollment time or on schedule - IAM roles, VPC configurations, security tooling |
| Account Factory for Terraform (AFT) | Full Terraform-based vending; supports account customizations as Terraform modules |
| Lifecycle event hooks (EventBridge) | Trigger Lambda when Control Tower events occur (CreateManagedAccount, UpdateManagedAccount) for custom automation |
A common pattern is using CfCT or AFT lifecycle hooks to automatically: enable GuardDuty in the new account (delegate to Security account), add the account to a centralized SIEM, create required IAM cross-account roles, and set up account-level budget alerts.
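The lifecycle-hook pattern above, as an added example that is not code from AWS or from the page: an EventBridge-style rule pattern for Control Tower lifecycle events, a minimal matcher for that pattern, and a Lambda handler that onboards only accounts whose vend reached the SUCCEEDED state. `register` is a hypothetical callback standing in for the post-creation steps, and `SAMPLE_EVENT` is a constructed event shaped like the documented CreateManagedAccount event.

```python
LIFECYCLE_RULE_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}
STATUS_KEYS = {"CreateManagedAccount": "createManagedAccountStatus",
               "UpdateManagedAccount": "updateManagedAccountStatus"}

def pattern_matches(pattern, event):
    """Minimal EventBridge pattern semantics: list = 'one of', nested dict = recurse."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def parse_lifecycle_event(event):
    """Vended-account details for a SUCCEEDED lifecycle event; None otherwise."""
    if not pattern_matches(LIFECYCLE_RULE_PATTERN, event):
        return None
    detail = event["detail"]
    status = detail.get("serviceEventDetails", {}).get(STATUS_KEYS[detail["eventName"]], {})
    account, ou = status.get("account", {}), status.get("organizationalUnit", {})
    if status.get("state") != "SUCCEEDED" or not account.get("accountId"):
        return None  # FAILED vends and malformed events are not onboarded
    return {"event": detail["eventName"], "account_id": account["accountId"],
            "account_name": account.get("accountName"),
            "ou_id": ou.get("organizationalUnitId"), "ou_name": ou.get("organizationalUnitName")}

def handler(event, context=None, register=print):
    """Lambda entry point; 'register' is a hypothetical callback for the post-creation steps."""
    info = parse_lifecycle_event(event)
    if info is None:
        return {"handled": False}
    register(info)  # e.g. GuardDuty membership, SIEM onboarding, cross-account roles
    return {"handled": True, **info}

# Constructed sample event, shaped like the documented CreateManagedAccount event
SAMPLE_EVENT = {"source": "aws.controltower", "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {"createManagedAccountStatus": {
        "organizationalUnit": {"organizationalUnitName": "Sandbox", "organizationalUnitId": "ou-xxxx-example1"},
        "account": {"accountName": "team-a-dev", "accountId": "111111111111"},
        "state": "SUCCEEDED"}}}}
```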
Control Tower updates its own guardrails and components periodically. Running "Update landing zone" from the Control Tower console applies the latest Control Tower version. In large organizations, test updates in a non-production OU first - guardrail updates can change SCP behavior.
Interview Focus Points
1. What is a Control Tower landing zone and what AWS accounts and resources does it create automatically?
2. Explain the difference between preventive and detective guardrails in Control Tower with examples.
3. What are the Log Archive and Audit accounts used for in the Control Tower Security OU?
4. How does Account Factory work and what is Account Factory for Terraform (AFT)?
5. How would you bring 50 existing AWS accounts under Control Tower governance?
6. What is the relationship between Control Tower and AWS Organizations - does Control Tower replace Organizations?
7. How does Control Tower handle guardrail updates and what are the risks of running "Update landing zone"?
8. How would you automate post-account-creation setup (GuardDuty, SIEM integration) in a Control Tower environment?