Learn about AWS Control Tower's features and capabilities, uses cases where it can maximize value and updates announced at AWS re:Invent 2021.
A global education publisher partnered with Caylent to strengthen security controls for sensitive data and achieve compliance with StateRAMP Moderate requirements, enabling them to better serve university clients with increased confidence and trust.
Discover how we helped a public health data provider migrate to AWS to drive sales growth and strengthen regulatory compliance.
Explore the difference between AWS certifications and competencies, why competencies are a more rigorous, experience-based validation of a partner’s ability to deliver real-world cloud solutions, and why they matter when choosing the right AWS Partner.
Zach Tuttle is a Principal Customer Solutions Architect with over 25 years of IT experience, including a decade focused on on-premise VMware-based data centers. For the past nine years, he has been working with AWS partners, empowering customers to successfully build and innovate on AWS. Zach is particularly passionate about guiding customers through their initial steps into cloud computing and DevOps. He enjoys being involved with his two kids sports activities, cooking and home DIY renovation.
View Zach's articles
For the last decade William Kray has been everything from SysAdmin, Cloud Engineer, Solution Architect, Writer-of-documentation-about-how-to-write-documentation, and is currently Director of Architecture and Engineering at Caylent. He spends his spare time driving around in his 1966 Mini Cooper with his wife and their wiener dog.
View William's articlesAround the time AWS Control Tower was first released, I was actually working on a project with a company where we were building an account provisioning and management system from scratch. They had the need to create several hundred accounts frequently. And so we were building a lot of automation to enable this functionality using AWS Lambda functions and AWS Step Functions and other services within AWS. It took a lot of engineers many months of time to build a very robust solution.
Right around when we finished building our system, AWS Control Tower was released, which provided a lot of the same functionality. And so we started to use it and started to see how it was using stack sets and other things like that to manage all the different AWS accounts. It was really very good in the beginning.
It was still maybe limited in a few ways, around AWS Organizations or regions and other capabilities. But over the last couple of years, AWS has really improved the service and taken away any objection that we may have had on using it. I would say that in a solid 90% of use cases, AWS Control Tower is a very good service to use as your baseline to get your accounts in place.
One of the main advantages of AWS Control Tower is it saves so many working hours that you would otherwise have to spend building these same tools yourself. In order to consistently get an account deployed with the exact same infrastructure, with the same SCPs, with the same config rules and any custom config rules you have, it can take a lot of hours to build the automation that will then facilitate your account setup. With AWS Control Tower, the whole process of setting up accounts can be completed within a matter of hours. Just a few clicks, and you can have accounts set up with a solid baseline.
The announcement of AWS Control Tower Account Factory for Terraform at re:Invent 2021, also takes away any hesitations people may have had when they were Terraform shops and weren’t using AWS CloudFormation. And then the other integrations that they’re building in with all the other AWS services, pulling them into the AWS Control Tower console and visualizing them with a single pane of glass view, makes it much easier for customers to get their foundational account provisioning completed. AWS Control Tower also works in Canada now, which is a huge win.
It can be very easy to have rules in place that work in all the regions that you deploy to, but then someone decides to go put something in a new region because you didn’t have rules in place to prevent them from doing so. With AWS Control Tower, users are able to select regions that they don’t want to deploy AWS Control Tower resources to, to help add another layer of control over deployment as well as to optimize costs.
AWS Control Tower uses AWS Organizations, and it provides a limited subset of the features that come with AWS Organizations. Recently, support for nested OUs was also added to AWS Control Tower and that is very helpful for companies that utilize them. Sometimes a company may have something like a Production database OU versus a Prod Application Server OU and some nested OUs under, that some people found useful for organization. But in reality, you should be able to use your OUs in such a way where a single layer is just fine. You can just have it broad. You can have an OU with a single set of SEPs against it. This is one example of the use cases AWS Control Tower leverages AWS Organizations for – to manage the accounts that you build out through Account Factory.
A Caylent Catalyst is essentially a pre-packaged starter-kit that we can offer at a low cost to help our clients accelerate their cloud initiatives. Caylent Catalysts have a lot of materials internally as well, so that our architects and our engineers that run them have a very consistent way of deploying them.
The AWS Control Tower Caylent Catalyst is a series of deployment steps, in addition to some workshops and some extra information for the customer so that they can really understand each aspect of AWS Control Tower. It also covers some of the customization options that enable capabilities like deploying custom alerts or billing alerts or cost control – things a customer may be concerned about as they’re building out their foundation. For example, maybe a customer wants to use CIS config rules, or AWS SSO, or integrations with their identity provider. We can help them deploy that and get that set up.
We have a lot of internal materials, workflows and code that help us deliver such projects very quickly for a customer. Our AWS Control Tower Caylent Catalyst typically takes about one to two weeks – so it’s very fast and it’s very affordable.
For customers that already have multiple AWS accounts but aren’t leveraging AWS Control Tower, our Caylent Catalyst is not limited to just greenfield deployments. We can work with current accounts as well, since AWS Control Tower has the ability to pull existing accounts into it. What we would do essentially, is set up a new AWS Control Tower baseline and then start importing their accounts into it and we can definitely do that as part of the Caylent Catalyst.
If you’re curious about AWS Control Tower, and want to learn about its capabilities and features in detail, watch our on-demand webinar where we discuss account provisioning, multi-account management, security & governance guardrails, and more!
If you’re ready to utilize AWS Control Tower for your AWS account deployment initiative, get in touch with our experts and we can help you determine the best solution for your use case.
Caylent Catalysts™
Establish a Landing Zone tailored to your requirements through a series of interactive workshops and accelerators, creating a production-ready AWS foundation.
Caylent Services
From rehosting to replatforming to rearchitecting, Caylent will help you leverage AWS to its fullest potential to meet your business objectives.
Caylent Catalysts™
Accelerate the adoption of a production ready AWS foundation, and establish automated security guardrails to keep existing and new accounts in compliance with your desired security posture.
Zach Tuttle
William Kray