Control Tower
- Control Tower creates a well-architected multi-account baseline based on best practices: Landing Zone
- Root user in the management account can perform actions that guardrails would disallow
Landing Zone
LZ is a well-architected multi-account baseline
- Root OU contains:
  - Management Account
  - Security OU with:
    - Audit account
    - Log Archive Account
  - Sandbox OU with:
    - Dev/Test Accounts
  - Production OU with:
    - Production Accounts
Directory source
- SSO (Single Sign-On)
- SAML 2.0 IdP
- Microsoft AD
Guardrails – for governance & compliance
Preventive Guardrails
- Disallow API actions using SCPs (Service Control Policies)
Detective Guardrails
- Are implemented using AWS Config rules and Lambda functions
- Monitor and govern compliance
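A detective guardrail of the kind described above, written here as an added example (not code from Control Tower or from these notes): an AWS Config custom rule whose Lambda evaluates each S3 bucket's Block Public Access settings and reports COMPLIANT or NON_COMPLIANT, so drift is recorded rather than blocked. The rule itself and the configuration item shape (supplementaryConfiguration.PublicAccessBlockConfiguration) are assumptions, and the boto3 call runs only inside Lambda.

```python
import json

# The four Block Public Access settings this hypothetical rule requires.
REQUIRED_SETTINGS = ("blockPublicAcls", "ignorePublicAcls",
                     "blockPublicPolicy", "restrictPublicBuckets")

def evaluate_bucket(item):
    """Return the Config compliance type for one configuration item."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        return "NOT_APPLICABLE"
    if item.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    # Assumed shape: supplementaryConfiguration holds PublicAccessBlockConfiguration.
    pab = (item.get("supplementaryConfiguration") or {}).get(
        "PublicAccessBlockConfiguration") or {}
    # A missing setting counts as disabled, so the detector fails closed.
    if all(pab.get(key) is True for key in REQUIRED_SETTINGS):
        return "COMPLIANT"
    return "NON_COMPLIANT"

def build_evaluation(event):
    """Map a Config rule invocation event to one put_evaluations entry."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": evaluate_bucket(item),
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }

def lambda_handler(event, context):
    """Lambda entry point: evaluate, then report the result to AWS Config."""
    import boto3  # needed only inside Lambda; not imported when run locally
    evaluation = build_evaluation(event)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation

# Constructed sample event (not captured from a real account): one setting off.
SAMPLE_EVENT = {"resultToken": "constructed-token", "invokingEvent": json.dumps({
    "configurationItem": {
        "resourceType": "AWS::S3::Bucket", "resourceId": "constructed-bucket",
        "configurationItemStatus": "OK",
        "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
        "supplementaryConfiguration": {"PublicAccessBlockConfiguration": {
            "blockPublicAcls": True, "ignorePublicAcls": True,
            "blockPublicPolicy": False, "restrictPublicBuckets": True}}}})}
```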
WAF (Well-Architected Framework, not the Web Application Firewall) & multi-account environment ORGANIZATION
- Organization Units
- Account structure
- Governance
- Network
- Security configurations
- AWS Organization & Accounts Structure
- Automated Delivery Pipeline
- Identity & Access Management
- Logging & Monitoring
- Infrastructure Security
- Data Protection
- Incident Response
- Cost Governance & Control