Study Guide1,150 words
Study Guide: AWS Organizations and AWS Control Tower
AWS Organizations and AWS Control Tower
AWS Organizations and AWS Control Tower: Multi-Account Governance
This study guide covers the architectural patterns and tools used to manage multi-account AWS environments at scale, focusing on the distinction between the foundational AWS Organizations service and the prescriptive orchestration provided by AWS Control Tower.
Learning Objectives
By the end of this module, you should be able to:
- Distinguish between AWS Organizations and AWS Control Tower roles in governance.
- Design a multi-account structure using Organizational Units (OUs).
- Explain the types of Control Tower guardrails (Preventive vs. Detective).
- Identify the prerequisites for enrolling existing accounts into a managed Landing Zone.
- Understand the core components of an AWS Landing Zone (Account Factory, Dashboard, Guardrails).
Key Terms & Glossary
- Landing Zone: A well-architected, multi-account AWS environment that is a starting point from which you can deploy workloads and applications.
- Organizational Unit (OU): A container for accounts within a root. An OU can also contain other OUs, enabling a hierarchy.
- Service Control Policy (SCP): A type of organization policy used to manage permissions in your organization, acting as a "guardrail" to restrict what actions can be performed.
- Guardrails: High-level rules for ongoing governance of your AWS environment (e.g., "Disallow public access to S3 buckets").
- Account Factory: A configurable template in Control Tower that automates the provisioning of new accounts with pre-approved configurations.
The "Big Idea"
As organizations grow, a single AWS account becomes a bottleneck for security, billing, and blast radius management. The Big Idea is to move from "Account Management" to "Organizational Governance." AWS Organizations provides the infrastructure (the hierarchy and the pipes), while Control Tower provides the opinionated orchestration (the automated setup and best-practice rules) to ensure that every account adheres to corporate standards without manual intervention.
Formula / Concept Box
| Feature/Limit | Specification | Detail |
|---|---|---|
| Organization Hierarchy Depth | 5 Levels | Maximum nesting of OUs under the Root. |
| Root Count | 1 | Each AWS Organization has exactly one root. |
| Account Soft Limit | 10 Accounts | Default starting limit; can be increased via support ticket. |
| Guardrail Types | Preventive / Detective | Preventive (SCP-based) vs. Detective (Config-based). |
| Guardrail Categories | Mandatory / Recommended / Elective | Levels of enforcement importance. |
Hierarchical Outline
- I. AWS Organizations Foundation
- Management Account: The central hub for billing and organizational management.
- Member Accounts: Resource-owning accounts governed by the management account.
- SCPs (Service Control Policies): Define the maximum available permissions; do not grant permissions on their own.
- II. AWS Control Tower Orchestration
- Landing Zone Deployment: Automated creation of the environment using CloudFormation StackSets.
- Security & Log Archive Accounts: Centralized logging and auditing established by default.
- Guardrails Implementation:
- Preventive: Uses SCPs to block actions (e.g., "Stop users from deleting CloudTrail").
- Detective: Uses AWS Config to monitor and alert on non-compliance (e.g., "Alert if S3 is public").
- III. Scaling Operations
- Account Factory: Standardizes account creation for DevOps teams.
- Dashboard: Provides a single pane of glass for compliance status across the organization.
Visual Anchors
Multi-Account Organization Structure
Loading Diagram...
Control Tower Architectural Components
Compiling TikZ diagram…
⏳
Running TeX engine…
This may take a few seconds
Definition-Example Pairs
- Preventive Guardrail: A policy that stops an action from happening.
- Example: Using an SCP to prevent any user in a Production OU from disabling AWS CloudTrail logging.
- Detective Guardrail: A policy that allows an action but flags it for remediation if it violates a rule.
- Example: An AWS Config rule that identifies an S3 bucket that has been made public and sends an alert to the Security team.
- Landing Zone: A pre-configured multi-account environment.
- Example: A financial services company using Control Tower to instantly create separate accounts for Dev, Test, and Prod, each with VPCs, logging, and IAM roles pre-installed.
Worked Examples
Scenario 1: Provisioning a New Project
Problem: A development team needs a new sandbox account that complies with company security policies. Solution:
- Access Account Factory: The administrator logs into the Control Tower management account.
- Input Parameters: Provide the email for the account owner and select the "Sandbox" OU.
- Automation: Control Tower uses Service Catalog to trigger CloudFormation. It creates the account, attaches it to the OU, applies the "Mandatory" guardrails, and sets up VPC peering (if configured).
- Verification: The admin checks the dashboard to see the new account listed as "Compliant."
Scenario 2: Enrolling an Existing Account
Problem: An older account created before the organization existed needs to be brought under Control Tower governance. Solution:
- Prerequisites Check: Ensure the account has the necessary IAM roles and isn't exceeding quota limits.
- Manual Enrollment: The account is moved into an OU managed by Control Tower.
- Baseling: The administrator chooses to "Enroll" the account in the Control Tower console.
- Outcome: Control Tower deploys StackSets to install AWS Config rules and applies the OU-level SCPs to the legacy account.
Checkpoint Questions
- What is the maximum depth allowed for nesting OUs within AWS Organizations?
- Which type of guardrail uses Service Control Policies (SCPs)?
- True or False: Control Tower automatically enrolls all existing accounts when it is enabled in an existing organization.
- Which AWS service does the Account Factory use to provide its templated account creation?
- What is the primary difference between a Mandatory and an Elective guardrail?
▶Click to reveal answers
- 5 levels deep.
- Preventive guardrails.
- False (existing accounts must be manually enrolled or automated via a separate script).
- AWS Service Catalog.
- Mandatory guardrails are enabled by default and cannot be disabled; Elective guardrails are optional and selected by the administrator.
Muddy Points & Cross-Refs
- SCPs vs. IAM: Remember that SCPs define the boundary. Even if an IAM user has
AdministratorAccess, they cannot perform an action if an SCP explicitly denies it. - Control Tower vs. Organizations: Control Tower uses Organizations. You can use Organizations without Control Tower, but you cannot use Control Tower without Organizations.
- Soft vs. Hard Limits: The 10-account limit is a soft limit (request an increase). The 5-level OU depth is a hard limit.
- Cross-Reference: For deeper security integration, see the AWS Security Hub and Amazon GuardDuty documentation, as these are frequently enabled alongside Control Tower.
Comparison Tables
AWS Organizations vs. AWS Control Tower
| Feature | AWS Organizations | AWS Control Tower |
|---|---|---|
| Nature | Foundation / Infrastructure Service | Orchestration / Governance Service |
| Setup | Manual or via API | Automated Landing Zone setup |
| Enforcement | Service Control Policies (SCPs) | Preventive (SCPs) & Detective (Config) |
| Visibility | Policy-level view | Visual Dashboard for compliance |
| Ease of Use | High flexibility, manual effort | Opinionated, automated best practices |
| Target Audience | Advanced users / custom automation | Users wanting a standard "Landing Zone" |
[!IMPORTANT] When taking the SAP-C02 exam, look for keywords like "Landing Zone," "prescriptive," or "automated account provisioning" to identify when Control Tower is the preferred answer over manual AWS Organizations management.