Governance at Scale: AWS Organizations and Control Tower
Governance tools (for example, AWS Control Tower, AWS Organizations)
Governance at Scale: AWS Organizations and Control Tower
Learning Objectives
After studying this guide, you should be able to:
- Explain the relationship between AWS Organizations and AWS Control Tower.
- Define the structure of a standard AWS Landing Zone.
- Differentiate between preventive and detective guardrails and their implementation methods.
- Identify the quotas and constraints of an AWS Organization hierarchy.
- Design a multi-account strategy using Organizational Units (OUs) for security and workload isolation.
Key Terms & Glossary
- Landing Zone: A well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications.
- Organizational Unit (OU): A container for accounts within a root. An OU can also contain other OUs, creating a hierarchy.
- Service Control Policy (SCP): A type of organization policy used to manage permissions in your organization, acting as a guardrail rather than granting permissions.
- Guardrail: High-level rules that provide ongoing governance for your overall AWS environment (Categorized as Mandatory, Elective, or Strongly Recommended).
- SCIM (System for Cross-domain Identity Management): An open standard that allows for the automation of user provisioning between an Identity Provider (IdP) and AWS IAM Identity Center.
The "Big Idea"
Governance in AWS is not about restricting developers, but about creating a secure sandbox where innovation can happen safely. As organizations scale, managing accounts individually becomes impossible. AWS Organizations provides the underlying plumbing (the hierarchy and billing), while AWS Control Tower provides the "opinionated" blueprints (the Landing Zone) to automate best practices for security, operations, and compliance across those accounts.
Formula / Concept Box
| Feature | Configuration Detail / Rule |
|---|---|
| Organization Quotas | 1 Root only; Max Depth: 5 Levels; Default 10 accounts (Soft limit). |
| Preventive Guardrails | Implemented via SCPs. Blocks actions (Deny-list). Apply globally. |
| Detective Guardrails | Implemented via AWS Config Rules & Lambda. Identifies violations. |
| Core OUs | Security OU (Log Archive & Audit accounts) and Sandbox OU (Optional). |
Hierarchical Outline
- AWS Organizations (The Foundation)
- Account Management: Create and invite accounts centrally.
- Policy Management: Apply SCPs, Tag policies, and Backup policies.
- Integration: Central management for Config, Security Hub, GuardDuty, and CloudTrail.
- AWS Control Tower (The Orchestrator)
- Landing Zone: Automated setup of a baseline environment.
- Account Factory: Standardized account provisioning via Service Catalog.
- Guardrails:
- Mandatory: Enabled by default (e.g., Disallow changes to CloudTrail).
- Elective/Strongly Recommended: User-activated based on needs.
- Dashboard: Centralized visibility into non-compliant accounts.
Visual Anchors
Multi-Account Hierarchy Logic
Control Tower Setup Flow
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, fill=white, text centered, minimum width=3cm, minimum height=1cm}] \node (start) {Set up Landing Zone}; \node (org) [below of=start] {AWS Organizations Root}; \node (ous) [below of=org] {Create OUs (Security, Sandbox)}; \node (shared) [below of=ous] {Provision Shared Accounts}; \node (guard) [below of=shared] {Apply Guardrails (SCPs/Config)};
\draw [->, thick] (start) -- (org);
\draw [->, thick] (org) -- (ous);
\draw [->, thick] (ous) -- (shared);
\draw [->, thick] (shared) -- (guard);
\node [right of=shared, xshift=3cm, fill=yellow!20] (audit) {Audit \& Log Archive};
\draw [dashed] (shared) -- (audit);\end{tikzpicture}
Definition-Example Pairs
- Preventive Guardrail: A policy that stops a user from doing something they shouldn't.
- Example: An SCP that prevents any user (including Root) in a member account from deleting the S3 bucket containing CloudTrail logs.
- Detective Guardrail: A mechanism that alerts you when a configuration is out of compliance.
- Example: An AWS Config rule that triggers an alert if an EBS volume is created without encryption enabled.
- Landing Zone: A multi-account starting point.
- Example: A new company AWS setup that automatically creates separate accounts for Billing, Logs, Security, and Development using Control Tower.
Worked Examples
Scenario: Securing CloudTrail Settings
Goal: Ensure no member account can stop logging or delete the organization-wide CloudTrail.
Step 1: Implementation Control Tower applies a mandatory preventive guardrail (SCP) to all accounts under its management.
Step 2: The Policy Document
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "GRCLOUDTRAILENABLED",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail"
],
"Resource": "*"
}
]
}Outcome: Even if a user has AdministratorAccess within a member account, the SCP acts as a filter, and the Deny overrides any Allow, preventing the deletion of governance trails.
Checkpoint Questions
- What are the two specific accounts created within the Security OU by AWS Control Tower?
- What is the maximum nesting depth for Organizational Units in AWS Organizations?
- Which AWS service is used to implement Detective Guardrails?
- Does a Preventive Guardrail apply to the Management (Root) account of the Organization?
Muddy Points & Cross-Refs
- SCP Inheritance: Remember that SCPs are inherited down the OU tree. If you apply a Deny at the Root, it affects every account in the organization. If you apply it at an OU, it only affects accounts within that OU.
- Region Support: Detective guardrails (Config) only apply in regions supported by Control Tower, whereas Preventive guardrails (SCPs) are global.
- Existing Organizations: While easier to start fresh, Control Tower can be invited into an existing Organization, but you must ensure pre-existing Config rules or OUs don't conflict with Control Tower's drift detection.
Comparison Tables
AWS Organizations vs. AWS Control Tower
| Feature | AWS Organizations | AWS Control Tower |
|---|---|---|
| Core Purpose | Centralized account & policy management. | Opinionated orchestration & automation. |
| Implementation | Manual or API-driven configuration. | Automated "Landing Zone" setup. |
| Guardrail Type | Raw SCPs (Preventive only). | Preventive (SCPs) + Detective (Config). |
| Account Creation | Manual through the console/CLI. | Automated via "Account Factory". |
| Target Audience | Custom-built management needs. | Best-practice standard implementation. |