Benefits of AWS Control Tower

Around the time AWS Control Tower was first released, I was actually working on a project with a company where we were building an account provisioning and management system from scratch. They had the need to create several hundred accounts frequently. And so we were building a lot of automation to enable this functionality using AWS Lambda functions and AWS Step Functions and other services within AWS. It took a lot of engineers many months of time to build a very robust solution.

Right around when we finished building our system, AWS Control Tower was released, which provided a lot of the same functionality. And so we started to use it and started to see how it was using stack sets and other things like that to manage all the different AWS accounts. It was really very good in the beginning.

It was still maybe limited in a few ways, around AWS Organizations or regions and other capabilities. But over the last couple of years, AWS has really improved the service and taken away any objection that we may have had on using it. I would say that in a solid 90% of use cases, AWS Control Tower is a very good service to use as your baseline to get your accounts in place.

One of the main advantages of AWS Control Tower is that it saves the many working hours you would otherwise spend building the same tooling yourself. Consistently deploying every account with the exact same infrastructure, the same SCPs (service control policies), the same AWS Config rules and any custom Config rules you have can take a lot of hours of automation work before it will facilitate your account setup. With AWS Control Tower, the whole process of setting up accounts can be completed within a matter of hours. Just a few clicks, and you can have accounts set up with a solid baseline.

The announcement of AWS Control Tower Account Factory for Terraform at re:Invent 2021 also takes away the hesitation of Terraform shops that weren’t using AWS CloudFormation. The other integrations AWS is building with the rest of its services, pulling them into the AWS Control Tower console and visualizing them in a single-pane-of-glass view, make it much easier for customers to get their foundational account provisioning completed. AWS Control Tower also works in Canada now, which is a huge win.

It is easy to have guardrails in place for every region you deploy to, and then have someone create resources in a new region simply because nothing prevented it. With AWS Control Tower, you select which regions it governs (and therefore where it deploys its own resources), and its region deny control blocks API activity in the regions you left out. That adds another layer of control over where workloads can be deployed and also helps keep costs in check.

How does AWS Control Tower use organizational units?

AWS Control Tower uses AWS Organizations underneath, and it exposes a limited subset of the features that come with AWS Organizations. Support for nested OUs was recently added to AWS Control Tower, which is helpful for companies that use them. A company might, for example, keep a Production Database OU alongside a Production Application Server OU, with further OUs nested under those, which some people find useful for organization. In practice, though, a single layer of OUs is usually enough: keep it broad, with one OU and a single set of SCPs (service control policies) attached to it. This is one example of how AWS Control Tower leverages AWS Organizations to manage the accounts you build out through Account Factory.
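The two points above, an OU with one set of SCPs against it and a deny on regions you do not govern, come together in the following Terraform. It is an added illustration, not Caylent's or AWS's code, and it is not the policy AWS Control Tower itself manages: it creates a Sandbox OU directly under the organization root and attaches a region deny SCP to it. The OU name, the allowed-region list, the set of exempted global services and the exemption of the AWSControlTowerExecution role are all assumptions you would adjust for your own organization.

```hcl
# Illustrative Terraform, not Caylent's or AWS's own code. Assumes the AWS
# provider is configured with credentials for the Organizations management
# account. OU name, regions and exempted services are assumptions.

data "aws_organizations_organization" "this" {}

variable "allowed_regions" {
  description = "Regions the OU is allowed to use (assumed governed regions)"
  type        = list(string)
  default     = ["us-east-1", "ca-central-1"]
}

# A single, broad OU directly under the root.
resource "aws_organizations_organizational_unit" "sandbox" {
  name      = "Sandbox"
  parent_id = data.aws_organizations_organization.this.roots[0].id
}

# One SCP that denies every action outside the allowed regions.
resource "aws_organizations_policy" "region_deny" {
  name        = "deny-ungoverned-regions"
  description = "Deny API calls in regions the organization does not govern"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid    = "DenyOutsideAllowedRegions"
      Effect = "Deny"
      # Deny + NotAction: everything except the listed global services is
      # denied when the request targets a region outside allowed_regions.
      # Global services report us-east-1 as the requested region, so they
      # must be exempted or IAM/Organizations calls break whenever
      # us-east-1 is not in the list. Extend this list for the global
      # services your accounts actually use.
      NotAction = [
        "iam:*",
        "organizations:*",
        "sts:*",
        "account:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
      ]
      Resource = "*"
      Condition = {
        StringNotEquals = {
          "aws:RequestedRegion" = var.allowed_regions
        }
        # Assumed exemption: leave the role Control Tower uses to baseline
        # accounts untouched so enrollment keeps working.
        ArnNotLike = {
          "aws:PrincipalARN" = ["arn:aws:iam::*:role/AWSControlTowerExecution"]
        }
      }
    }]
  })
}

# Attach the SCP to the OU; every account under Sandbox inherits it.
resource "aws_organizations_policy_attachment" "sandbox_region_deny" {
  policy_id = aws_organizations_policy.region_deny.id
  target_id = aws_organizations_organizational_unit.sandbox.id
}
```

Two checks worth doing after `terraform apply`: `aws organizations list-policies-for-target --target-id <ou-id> --filter SERVICE_CONTROL_POLICY` should list the policy on the OU, and from an account inside the OU a call such as `aws ec2 describe-instances --region eu-west-1` should fail with an explicit deny while the same call in an allowed region succeeds. If AWS Control Tower is managing the organization, register an OU created this way in Control Tower before placing accounts in it, and attach your own SCPs alongside the ones Control Tower manages rather than editing those, since editing them is reported as drift.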

Caylent’s AWS Control Tower Catalyst

Caylent Catalyst is essentially a pre-packaged starter-kit that we can offer at a low cost to help our clients accelerate their cloud initiatives. Catalysts have a lot of materials internally as well, so that our architects and our engineers that run them have a very consistent way of deploying them.

The AWS Control Tower Catalyst is a series of deployment steps, plus workshops and extra information for the customer, so that they really understand each aspect of AWS Control Tower. It also covers some of the customization options that enable capabilities like custom alerts, billing alerts or cost controls, things a customer may be concerned about as they build out their foundation. For example, a customer may want the CIS AWS Config rules, AWS SSO, or an integration with their identity provider. We can help them deploy and set that up.

We have a lot of internal materials, workflows and code that help us deliver such projects very quickly for a customer. Our AWS Control Tower Catalyst typically takes about one to two weeks – so it’s very fast and it’s very affordable.

Our Catalyst is not limited to greenfield deployments. For customers that already have multiple AWS accounts but aren’t leveraging AWS Control Tower, we can work with their current accounts as well, since AWS Control Tower can enroll existing accounts. What we do, essentially, is set up a new AWS Control Tower baseline and then start enrolling their accounts into it, and we can definitely do that as part of the Catalyst.

If you’re curious about AWS Control Tower, and want to learn about its capabilities and features in detail, watch our on-demand webinar where we discuss account provisioning, multi-account management, security & governance guardrails, and more! 

If you’re ready to utilize AWS Control Tower for your AWS account deployment initiative, get in touch with our experts and we can help you determine the best solution for your use case.
