Control Tower 1

Question 1

Control Tower

Control Tower basic value prop?

Answer 1

Set up and govern multi-account environment following best practices.

Question 2

Control Tower

Four basic parts of Control Tower set up?

Answer 2

Landing Zone, Controls, Account Factory, Dashboard

Question 3

Control Tower

Why have multiple accounts?

Answer 3

Highest level of isolation

Question 4

Control Tower

Major AWS services orchestrated by Control Tower?

Answer 4

Organizations, IAM (SCPs), IAM Identity Center, Service Catalog, Config

Question 5

Control Tower

How much does Control Tower cost?

Answer 5

Nothing (but services it configures have charges)

Question 6

Control Tower

Example of security bad thing without Control Tower?

Answer 6

No central place to control identity and access across all accounts

Question 7

Control Tower

Example of cost bad thing without Control Tower?

Answer 7

Untagged resources aren’t costed correctly to workloads

Question 8

Control Tower

Example of operational excellence bad thing without Control Tower?

Answer 8

No off-account, central place with comprehensive logging and auditing across accounts.

Question 9

Control Tower

Example of management bad thing without Control Tower?

Answer 9

No central place to monitor and understand metrics across all accounts

Question 10

Control Tower

What is a Landing Zone?

Answer 10

Multi-account environment based on security and compliance best practice.

Question 11

Control Tower

What is IN a Landing Zone?

Answer 11

OUs, accounts, users, anything you want to be subject to compliance regulation.

Question 12

Control Tower

AWS service that does LZs?

Answer 12

ControlTower, Landing Zone Accelerator

Question 13

Control Tower

How does Control Tower create all these resources in all the accounts?

Answer 13

Mostly just CloudFormation

Question 14

Control Tower Accounts

What is the top-level account and what does it do?

Answer 14

Management account – root of Org, roll-up billing goes here, owns the LZ

Question 15

Control Tower Accounts

How does the Management account manage accounts?

Answer 15

Assumes the AWS ControlTowerExecution in each account, assumes it. Role created by Control Tower.

Question 16

Control Tower Accounts

Can you add existing accounts to Control Tower?

Answer 16

Yes, it’s called Enrollment.

Question 17

Control Tower Accounts

What accounts does Control Tower create?

Answer 17

Audit account and Log Archive account

Question 18

Control Tower Accounts

What is in the Audit account?

Answer 18

Whatever your apps want to stream for 3rd party systems to audit all accounts under Control Tower

Question 19

Control Tower Accounts

Examples of systems that might stream to the Audit account?

Answer 19

SNS alert messages and CloudWatch logs

Question 20

Control Tower Accounts

What is in the Log Archive account?

Answer 20

AWS Config logs, CloudTrail logs, other stuff

Question 21

Control Tower Accounts

Where do the Audit and Log Archive accounts live in Organizations?

Answer 21

They get their own OU named “Security”

Question 22

Control Tower Accounts

Two ways to create accounts via Control Tower?

Answer 22

Account Factory console, Service Catalog console, special Lambda function in Mgmt acct

Question 23

Control Tower Accounts

CT workflow when creating a new account?

Answer 23

Call Organizations CreateAccount > apply blueprints and controls (CF)

Question 24

Control Tower Accounts

What is Account Factory?

Answer 24

Console thing that’s part of Service Catalog…creates accounts.

Question 25

Control Tower Accounts

Does Account Factory have an automated way to invoke?

Answer 25

No, console / human only

Question 26

Control Tower Accounts

Major things provisioned in a new account?

Answer 26

CF stacks, turns on CloudTrail, create IAM Roles, SNS+Lambda notification forwarder

Question 27

Control Tower Accounts

What do you click on to unenroll an account?

Answer 27

Service Catalog > “Terminate” (it unenrolls it, doesn’t close it)

Question 28

Control Tower Accounts

What happens if you unenroll an account from your LZ?

Answer 28

Moved out of its OU into the Root area of Organizations, removes all the stuff it provisioned in the account.

Question 29

Control Tower Accounts

How do you login to an unenrolled account?

Answer 29

Identity Center still has admin access

Question 30

Account Factory

Who can run Account Factory?

Answer 30

Admins and anyone with permissions

Question 31

Account Factory

Are guardrails applied to new accounts via Account Factory?

Answer 31

Yes

Question 32

Account Factory

Can new accounts via Account Factory have standard networking setups?

Answer 32

Yes