One of the first things you need to do when migrating to AWS is to set up a strong foundational layer that ensures you have the basics right before you let your developers loose to build applications or migrate your old applications. Basics such as security, automated account provisioning, centralised billing, overarching policy creation etc., the list goes on.

It isn't easy to get everything set up, and you need to be a specialist cloud engineer to understand how it all fits together. Over time firms have created their own frameworks and tools to help speed up the creation of this foundational layer and ensure consistency. But there is still a lack of standardisation, and a fair amount of art, in these approaches. And at the end of the day, there is still a risk you missed something.

Luckily AWS has also been on a mission to ensure environments are set up correctly according to a base level of standards. After all, it benefits them. The fewer security issues a customer has and the easier it is for customers to operate, the more usage will occur and the more $ AWS will get.

AWS released a framework a few years ago called the 'Landing Zone Solution'. It was a framework that specified best practice on how to set up your accounts and the linkages between them, and it was accompanied by scripts that helped set it up. While that was a great step forward, you still needed some serious cloud engineering skills to understand how it all worked and then configure and maintain it.

More recently, AWS has gone a step further and developed 'AWS Control Tower', which provides a UI with a more user-friendly way of setting up your foundational layer. It gets you 50% of the way there and also provides a more intuitive means to get the remaining 50% completed. While this makes it significantly easier, you still need a specialist to understand what is happening under the covers to finish it off and maintain it going forward. A summary of its key features is:

  • Automated Landing Zone with best practice blueprints
  • Guardrails for policy management
  • Account factory for account provisioning
  • Built-in identity and access management
  • Pre-configured log archive and audit access to accounts
  • Built-in monitoring and notifications
  • Dashboard for visibility and actions
  • Automatic updates
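The 'guardrails' in that list are applied as service control policies (preventive) and AWS Config rules (detective) across the organisation. The policy below is an added illustration of what a preventive guardrail looks like, not a policy copied from Control Tower itself: it denies any principal in the member accounts from stopping or deleting the CloudTrail trail that feeds the central log archive, which is the kind of control the mandatory guardrails enforce.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailTampering",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:StopLogging",
        "cloudtrail:DeleteTrail",
        "cloudtrail:UpdateTrail",
        "cloudtrail:PutEventSelectors"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/ExampleLandingZoneAdminRole"
        }
      }
    }
  ]
}
```

The role name in the condition is a placeholder for whichever privileged role your landing zone reserves for its own automation; everyone else, including account administrators, is blocked even if their IAM policies allow the action, because an SCP deny always wins.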

So in a way, it helps with consistency and speed.

There is a caveat though. Currently it can only be used for greenfield setups as it creates a new set of accounts, policies and a new organisation structure. Given the majority of enterprise organisations have already commenced the AWS journey and already have at least basic configuration setup, this will mostly be used by those that are just starting their cloud journey. Namely traditional SMBs and smaller companies. Future updates are promised that will enable AWS Control Tower to integrate and sit over the top of your existing setups.

Getting Started

Having completed partner training on Control Tower, I can say getting started is actually quite easy. Firstly you will need to establish 3 enterprise email addresses (master, audit and log), and then you launch the 'AWS Control Tower' service from the console. Approx. 60-90 mins later, you will have a baseline setup that you can build on.

A great starting point to understand landing zones and Control Tower better is to check out Sam Elmalak's presentation at re:Invent - https://www.youtube.com/watch?v=zVJnenaD3U8

Summary

While AWS Control Tower has been around for a couple of years, it has slowly been rolling out around the world. It finally reached Australia last month in March, 2020.

The presentation above also provides some pointers on when you might want to use Control Tower versus the Landing Zone solution. In essence, Landing Zone is suited to organisations with bigger and more complicated requirements, as it provides the flexibility to cater for them. If you are a new greenfield customer then you should definitely check out the Control Tower solution as well.

Tony // AUTHOR

Tony is a cloud, data and analytics professional with over 24 years experience and deep expertise in cloud technologies (holding expert certifications in AWS, Azure and GCP).
