Benefits of AWS Control Tower

AWS Foundations

Learn about AWS Control Tower's features and capabilities, use cases where it can maximize value, and updates announced at AWS re:Invent 2021.


Around the time AWS Control Tower was first released, I was actually working on a project with a company where we were building an account provisioning and management system from scratch. They had the need to create several hundred accounts frequently. And so we were building a lot of automation to enable this functionality using AWS Lambda functions and AWS Step Functions and other services within AWS. It took a lot of engineers many months of time to build a very robust solution.

Right around when we finished building our system, AWS Control Tower was released, which provided a lot of the same functionality. And so we started to use it and started to see how it was using stack sets and other things like that to manage all the different AWS accounts. It was really very good in the beginning.

It was still maybe limited in a few ways, around AWS Organizations or regions and other capabilities. But over the last couple of years, AWS has really improved the service and taken away any objection that we may have had on using it. I would say that in a solid 90% of use cases, AWS Control Tower is a very good service to use as your baseline to get your accounts in place.

One of the main advantages of AWS Control Tower is that it saves so many working hours that you would otherwise have to spend building these same tools yourself. In order to consistently get an account deployed with the exact same infrastructure, with the same SCPs, with the same Config rules and any custom Config rules you have, it can take a lot of hours to build the automation that will then facilitate your account setup. With AWS Control Tower, the whole process of setting up accounts can be completed within a matter of hours. Just a few clicks, and you can have accounts set up with a solid baseline.

The announcement of AWS Control Tower Account Factory for Terraform at re:Invent 2021 also takes away any hesitations people may have had when they were Terraform shops and weren’t using AWS CloudFormation. And then the other integrations that they’re building in with all the other AWS services, pulling them into the AWS Control Tower console and visualizing them with a single-pane-of-glass view, make it much easier for customers to get their foundational account provisioning completed. AWS Control Tower also works in Canada now, which is a huge win.

It can be very easy to have rules in place that work in all the regions that you deploy to, but then someone decides to go put something in a new region because you didn’t have rules in place to prevent them from doing so. With AWS Control Tower, users are able to select regions that they don’t want to deploy AWS Control Tower resources to, to help add another layer of control over deployment as well as to optimize costs.
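To make the region restriction concrete, here is an added example (not code from this post or from AWS Control Tower itself) that builds a region-deny service control policy using the `aws:RequestedRegion` condition key and checks constructed sample requests against it offline. The allowed Regions, the exempt-action list, and all function names are assumptions chosen for illustration.

```python
import fnmatch
import json

# Assumed for illustration: the governed Regions and a partial list of global
# services that must stay exempt because they are not tied to a workload Region.
ALLOWED_REGIONS = ["ca-central-1", "us-east-1"]
GLOBAL_EXEMPT_ACTIONS = ["cloudfront:*", "iam:*", "organizations:*",
                         "route53:*", "sts:*", "support:*"]


def build_region_deny_scp(allowed_regions, exempt_actions):
    """Build an SCP that denies any non-exempt action outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideGovernedRegions",
            "Effect": "Deny",
            "NotAction": sorted(exempt_actions),
            "Resource": "*",
            "Condition": {"StringNotEquals": {
                "aws:RequestedRegion": sorted(allowed_regions)}},
        }],
    }


def is_denied(scp, action, region):
    """Offline check for the one statement shape built above (not a full IAM engine)."""
    for stmt in scp["Statement"]:
        # NotAction: the deny covers every action that matches none of the patterns.
        exempt = any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                     for pat in stmt["NotAction"])
        governed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if stmt["Effect"] == "Deny" and not exempt and region not in governed:
            return True
    return False


# Constructed sample requests: (action, requested Region).
SAMPLE_REQUESTS = [
    ("ec2:RunInstances", "ca-central-1"),
    ("ec2:RunInstances", "ap-southeast-2"),
    ("iam:CreateRole", "ap-southeast-2"),
    ("s3:CreateBucket", "eu-west-1"),
]

if __name__ == "__main__":
    scp = build_region_deny_scp(ALLOWED_REGIONS, GLOBAL_EXEMPT_ACTIONS)
    print(json.dumps(scp, indent=2))
    for action, region in SAMPLE_REQUESTS:
        verdict = "DENY" if is_denied(scp, action, region) else "not denied by this SCP"
        print(f"{action:20} {region:16} {verdict}")
```

An SCP only filters what identity policies already allow, so "not denied" here does not mean the request is permitted, and SCPs do not restrict the organization's management account.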

How does AWS Control Tower use organizational units?

AWS Control Tower uses AWS Organizations, and it provides a limited subset of the features that come with AWS Organizations. Recently, support for nested OUs was also added to AWS Control Tower, and that is very helpful for companies that utilize them. Sometimes a company may have something like a Production Database OU versus a Prod Application Server OU, with some nested OUs under them, which some people found useful for organization. But in reality, you should be able to use your OUs in such a way that a single layer is just fine. You can just have it broad. You can have an OU with a single set of SCPs against it. This is one example of the use cases AWS Control Tower leverages AWS Organizations for – to manage the accounts that you build out through Account Factory.

AWS Control Tower Caylent Catalyst

Caylent Catalyst is essentially a pre-packaged starter-kit that we can offer at a low cost to help our clients accelerate their cloud initiatives. Caylent Catalysts have a lot of materials internally as well, so that our architects and our engineers that run them have a very consistent way of deploying them.

The AWS Control Tower Caylent Catalyst is a series of deployment steps, in addition to some workshops and some extra information for the customer so that they can really understand each aspect of AWS Control Tower. It also covers some of the customization options that enable capabilities like deploying custom alerts or billing alerts or cost control – things a customer may be concerned about as they’re building out their foundation. For example, maybe a customer wants to use CIS Config rules, or AWS SSO, or integrations with their identity provider. We can help them deploy that and get that set up.

We have a lot of internal materials, workflows and code that help us deliver such projects very quickly for a customer. Our AWS Control Tower Caylent Catalyst typically takes about one to two weeks – so it’s very fast and it’s very affordable.

For customers that already have multiple AWS accounts but aren’t leveraging AWS Control Tower, our Caylent Catalyst is not limited to just greenfield deployments. We can work with current accounts as well, since AWS Control Tower has the ability to pull existing accounts into it. What we would do, essentially, is set up a new AWS Control Tower baseline and then start importing their accounts into it, and we can definitely do that as part of the Caylent Catalyst.

If you’re curious about AWS Control Tower, and want to learn about its capabilities and features in detail, watch our on-demand webinar where we discuss account provisioning, multi-account management, security & governance guardrails, and more! 

If you’re ready to utilize AWS Control Tower for your AWS account deployment initiative, get in touch with our experts and we can help you determine the best solution for your use case.

William Kray


For the last decade William Kray has been everything from SysAdmin, Cloud Engineer, Solution Architect, Writer-of-documentation-about-how-to-write-documentation, and is currently Director of Architecture and Engineering at Caylent. He spends his spare time driving around in his 1966 Mini Cooper with his wife and their wiener dog.
