Control Tower 1 Flashcards
Control Tower
Control Tower basic value prop?
Set up and govern multi-account environment following best practices.
Control Tower
Four basic parts of Control Tower set up?
Landing Zone, Controls, Account Factory, Dashboard
Control Tower
Why have multiple accounts?
Highest level of isolation
Control Tower
Major AWS services orchestrated by Control Tower?
Organizations, IAM (SCPs), IAM Identity Center, Service Catalog, Config
Control Tower
How much does Control Tower cost?
Nothing (but services it configures have charges)
Control Tower
Example of security bad thing without Control Tower?
No central place to control identity and access across all accounts
Control Tower
Example of cost bad thing without Control Tower?
Untagged resources aren’t costed correctly to workloads
Control Tower
Example of operational excellence bad thing without Control Tower?
No off-account, central place with comprehensive logging and auditing across accounts.
Control Tower
Example of management bad thing without Control Tower?
No central place to monitor and understand metrics across all accounts
Control Tower
What is a Landing Zone?
Multi-account environment based on security and compliance best practice.
Control Tower
What is IN a Landing Zone?
OUs, accounts, users, anything you want to be subject to compliance regulation.
Control Tower
AWS service that does LZs?
Control Tower, Landing Zone Accelerator
Control Tower
How does Control Tower create all these resources in all the accounts?
Mostly just CloudFormation
Control Tower Accounts
What is the top-level account and what does it do?
Management account – root of Org, roll-up billing goes here, owns the LZ
Control Tower Accounts
How does the Management account manage accounts?
Assumes the AWSControlTowerExecution role in each account; the role is created by Control Tower.
Control Tower Accounts
Can you add existing accounts to Control Tower?
Yes, it’s called Enrollment.
Control Tower Accounts
What accounts does Control Tower create?
Audit account and Log Archive account
Control Tower Accounts
What is in the Audit account?
Whatever your apps stream there so that 3rd party systems can audit all accounts under Control Tower
Control Tower Accounts
Examples of systems that might stream to the Audit account?
SNS alert messages and CloudWatch logs
Control Tower Accounts
What is in the Log Archive account?
AWS Config logs, CloudTrail logs, other stuff
Control Tower Accounts
Where do the Audit and Log Archive accounts live in Organizations?
They get their own OU named “Security”
Control Tower Accounts
Two ways to create accounts via Control Tower?
Account Factory console, Service Catalog console, special Lambda function in Mgmt acct
Control Tower Accounts
CT workflow when creating a new account?
Call Organizations CreateAccount > apply blueprints and controls (CF)
Control Tower Accounts
What is Account Factory?
Console feature that’s part of Service Catalog; it creates accounts.
Control Tower Accounts
Does Account Factory have an automated way to invoke?
No, console / human only
Control Tower Accounts
Major things provisioned in a new account?
CF stacks, CloudTrail turned on, IAM roles created, SNS+Lambda notification forwarder
Control Tower Accounts
What do you click on to unenroll an account?
Service Catalog > “Terminate” (it unenrolls it, doesn’t close it)
Control Tower Accounts
What happens if you unenroll an account from your LZ?
Moved out of its OU into the Root area of Organizations, and Control Tower removes everything it provisioned in the account.
Control Tower Accounts
How do you log in to an unenrolled account?
Identity Center still has admin access
Account Factory
Who can run Account Factory?
Admins and anyone with permissions
Account Factory
Are guardrails applied to new accounts via Account Factory?
Yes
Account Factory
Can new accounts via Account Factory have standard networking setups?
Yes