Control Tower 3

Question 1

Baselines and Blueprints

What is Baselining?

Answer 1

Load all the stuff into a newly-created or newly-enrolled “blank” AWS Account.

Question 2

Baselines and Blueprints

What is an account Baseline?

Answer 2

The resources that you just set up in a new account

Question 3

Baselines and Blueprints

At it’s core, what is a Blueprint?

Answer 3

Just a CloudFormation Template

Question 4

Baselines and Blueprints

Where are Blueprints kept?

Answer 4

In a hub account (just a Blueprints term) as a Service Catalog item

Question 5

Baselines and Blueprints

What is a good candidate to be your hub account?

Answer 5

Not the CT Management account! Any other works

Question 6

Baselines and Blueprints

Where are Blueprints used?

Answer 6

Customization to a default Account Factory set up or update existing account

Question 7

Baselines and Blueprints

Where can you get Blueprints?

Answer 7

Go to Service Catalog, choose CT Blueprints for pre-built Blueprints from AWS Partners

Question 8

Identity

How does Control Tower help with login and identity?

Answer 8

Uses IAM Identity Center to federate and manage all logins to all accounts

Question 9

Identity

How does Control Tower control logins across all accounts?

Answer 9

Sets up federation with IAM Identity Center (né SSO)

Question 10

Drift

What does Compliance mean in CT?

Answer 10

“In compliance” means resource has zero drift.

Question 11

Drift

How is CT Compliance related to government compliance frameworks?

Answer 11

It isn’t. Name clash.

Question 12

Drift

How does Drift work?

Answer 12

Happens automatically – detects when things change.

Question 13

Drift

How is Drift surfaced?

Answer 13

CT in Member accounts posts to local SNS. Lambda pushes to audit account.

Question 14

Drift

Why this two-stage drift notification?

Answer 14

So member account admins can get alerts for their account.

Question 15

Drift

How does Control Tower automatically fix Drift?

Answer 15

It doesn’t.

Question 16

Drift

How can you correct some types of Drift in an account?

Answer 16

Click “Repair” button on LZ Settings web page.

Question 17

Drift

How can you wholesale try to repair drift across many accounts?

Answer 17

Re-register an OU: all accounts get re-registered, re-applies account factory stuff.

Question 18

Drift

What things are detected by Drift scanning?

Answer 18

Controls set up by CT when the LZ/Account was created

Question 19

Landing Zone Accelerator

LZ Accelerator in a nutshell?

Answer 19

Extend Control Tower: set up MANY more AWS services, best practices for mulit-account + security

Question 20

Landing Zone Accelerator

How do you set up LZ Accelerator?

Answer 20

It’s a CloudFormation template, deploy it

Question 21

Landing Zone Accelerator

What’s the technical difference between LZA and Control Tower?

Answer 21

Control Tower is AWS service. LZA is open-source CF Template you deploy.

Question 22

Landing Zone Accelerator

What does LZA deploy into Organizations Management account?

Answer 22

CodeCommit, CodePipeline, CodeBuild, Lambda functions, DDB tables

Question 23

Landing Zone Accelerator

How do you use LZA to change things in your accounts?

Answer 23

Edit config files, commit to CodeCommit, pipeline CI/CD deploys the configuration across accounts.

Question 24

Landing Zone Accelerator

Does LZA need Control Tower?

Answer 24

No, can deploy LZA stand-alone. LZA complements CT.

Question 25

Landing Zone Accelerator

What’s the long-term plan for Control Tower vs. LZA?

Answer 25

Over time, an deprecate LZA features in favor of native AWS services

Question 26

Landing Zone Accelerator

Major feature of LZA for workload accounts?

Answer 26

Sets up streaming of CloudWatch Log Groups to Kineiss Data Stream in Log Archive account, store centrally in S3.