【Design Guideline】Considerations for Introducing AWS Control Tower to Corporate Structure/Systems

Created date: 2023/06/19, Update date: 2025/06/20

One approach is to use AWS Control Tower, which enables rapid deployment of environments following AWS best practices.
This article provides an overview of AWS Control Tower and describes key points to check when considering its introduction." media="(max-width: 767.98px)" srcset="https://storage.googleapis.com/moderniser-repo-images-en/samneil-Guidelines-AWS-Control-Tower-6wzhc_mobile.webp" width="360" height="187.3" layout="intrinsic">

One approach is to use AWS Control Tower, which enables rapid deployment of environments following AWS best practices.
This article provides an overview of AWS Control Tower and describes key points to check when considering its introduction." media="(min-width: 768px)" srcset="https://storage.googleapis.com/moderniser-repo-images-en/samneil-Guidelines-AWS-Control-Tower-75ph4.webp" width="786" height="409" layout="intrinsic">

As part of security measures for AWS environments in organizations, it has become common to establish "Guidelines" that define standard practices for system development and operation.
One approach is to use AWS Control Tower, which enables rapid deployment of environments following AWS best practices.
This article provides an overview of AWS Control Tower and describes key points to check when considering its introduction.

Table of Contents

What is AWS Control Tower?
Considerations for Implementation
Design Considerations
Related Documents

What is AWS Control Tower?

AWS Control Tower (CT) is a service for setting up and managing multi-account AWS environments.
Managing multiple accounts at scale while ensuring security, compliance, and operational efficiency requires extensive knowledge of various AWS services.
CT is designed to address these challenges.

CT implements preventive controls, such as “AWS Organizations” and “AWS IAM Identity Center Management,” as well as detective controls, including “AWS CloudTrail,” “AWS Config,” and “Amazon EventBridge + AWS Lambda + Amazon SNS.”

Preventive Controls
- Controls designed to prevent unauthorized actions or security breaches.
- These measures mitigate risks before issues occur, such as restricting or prohibiting certain operations.
Detective Controls
- Controls designed to detect issues after they occur and enable appropriate responses.
- Issues here refer not only to failures but also to design errors or prohibited operations.
The AWS resources created are summarized in the table below.
- Since the official list of AWS resources created does not clarify which resources can be optionally created by the user, the “Required/Optional” column indicates resources that can be optionally created as “Optional.”

List of AWS Resources Created by CT

No	AWS Account Name	Region	AWS Service Name	AWS Resource Type Name	Required/Optional	AWS Resource Name
1	Management Account	Global	AWS Organizations	Account	Required	audit *Can be changed during setup
2	〃	〃	〃	〃	Required	log archive *Can be changed during setup
3	〃	〃	〃	OU	Required	Security *Can be changed during setup
4	〃	〃	〃	〃	Optional	(Specified OU Name)
5	〃	〃	〃	Service Control Policy	Required	aws-guardrails-* *Created based on selected guardrails
6	〃	〃	AWS IAM	Role	Required	AWSControlTowerAdmin
7	〃	〃	〃	〃	Required	AWSControlTowerStackSetRole
8	〃	〃	〃	〃	Required	AWSControlTowerConfigAggregatorRoleForOrganizations
9	〃	〃	〃	〃	Optional	AWSControlTowerCloudTrailRole
10	〃	〃	〃	Customer Managed Policy	Required	AWSControlTowerServiceRolePolicy
11	〃	〃	〃	〃	Required	AWSControlTowerAdminPolicy
12	〃	〃	〃	〃	Optional	AWSControlTowerCloudTrailRolePolicy
13	〃	〃	〃	〃	Required	AWSControlTowerStackSetRolePolicy
14	〃	(Home Region)	AWS IAM Identity Center Management	Directory Group	Required	AWSAccountFactory
15	〃	〃	〃	〃	Required	AWSAuditAccountAdmins
16	〃	〃	〃	〃	Required	AWSControlTowerAdmins
17	〃	〃	〃	〃	Required	AWSLogArchiveAdmins
18	〃	〃	〃	〃	Required	AWSLogArchiveViewers
19	〃	〃	〃	〃	Required	AWSSecurityAuditors
20	〃	〃	〃	〃	Required	AWSSecurityAuditPowerUsers
21	〃	〃	〃	〃	Required	AWSServiceCatalogAdmins
22	〃	〃	〃	Permission Set	Required	AWSAdministratorAccess
23	〃	〃	〃	〃	Required	AWSPowerUserAccess
24	〃	〃	〃	〃	Required	AWSServiceCatalogAdminFullAccess
25	〃	〃	〃	〃	Required	AWSServiceCatalogEndUserAccess
26	〃	〃	〃	〃	Required	AWSReadOnlyAccess
27	〃	〃	〃	〃	Required	AWSOrganizationsFullAccess
28	〃	〃	AWS CloudTrail	Trail (Multi-Region Trail)	Required *1	aws-controltower-BaselineCloudTrail
29	〃	〃	AWS Service Catalog	Product	Required	AWS Control Tower Account Factory
30	〃	〃	Amazon CloudWatch	Log Group	Optional	aws-controltower/CloudTrailLogs
31	〃	〃	AWS CloudFormation	Stack	Optional	AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER
32	〃	〃	〃	〃	Required	AWSControlTowerBP-BASELINE-CONFIG-MASTER
33	〃	〃	〃	StackSets	Required	AWSControlTowerBP-BASELINE-CLOUDWATCH
34	〃	〃	〃	〃	Required	AWSControlTowerBP-BASELINE-CONFIG
35	〃	〃	〃	〃	Required	AWSControlTowerBP-BASELINE-ROLES
36	〃	〃	〃	〃	Required	AWSControlTowerBP-BASELINE-SERVICE-ROLES
37	〃	〃	〃	〃	Required	AWSControlTowerBP-SECURITY-TOPICS
38	〃	〃	〃	〃	Required	AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1
39	〃	〃	〃	〃	Required	AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED
40	〃	〃	〃	〃	Required	AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED
41	〃	〃	〃	〃	Required	AWSControlTowerGuardrailAWS-GR-DETECT-CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS
42	〃	〃	〃	〃	Required	AWSControlTowerLoggingResources
43	〃	〃	〃	〃	Required	AWSControlTowerSecurityResources
44	〃	〃	〃	〃	Required	AWSControlTowerExecutionRole
45	Log Archive Account	Global	AWS	Role	Required	aws-controltower-AdministratorExecutionRole
46	〃	〃	〃	〃	Optional	aws-controltower-CloudWatchLogsRole
47	〃	〃	〃	〃	Required	aws-controltower-ConfigRecorderRole
48	〃	〃	〃	〃	Required	aws-controltower-ForwardSnsNotificationRole
49	〃	〃	〃	〃	Required	aws-controltower-ReadOnlyExecutionRole
50	〃	〃	〃	〃	Required	AWSControlTowerExecution
51	〃	〃	〃	Customer Managed Policy	Required	AWSControlTowerServiceRolePolicy
52	〃	All managed regions	AWS Config	Rule	Optional	AWSControlTower_AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
53	〃	〃	〃	〃	Required	AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
54	〃	〃	〃	〃	Required	AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
55	〃	〃	Amazon EventBridge	Event Rule	Required	aws-controltower-ConfigComplianceChangeEventRule
56	〃	〃	Amazon CloudWatch	Log Group	Optional	aws-controltower/CloudTrailLogs
57	〃	〃	〃	〃	Required	/aws/lambda/aws-controltower-NotificationForwarder
58	〃	〃	Amazon SNS	Topic	Required	aws-controltower-SecurityNotifications
59	〃	〃	〃	Topic Policy	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWAT-SNSNotificationPolicy-*
60	〃	〃	〃	Subscription	Required	*
61	〃	〃	AWS Lambda	Application	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
62	〃	〃	〃	Function	Required	aws-controltower-NotificationForwarder
63	〃	〃	AWS CloudFormation	Stack	Required	StackSet-AWSControlTowerGuardrailAWS-GR-DETECT-CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS-*
64	〃	〃	〃	〃	Required	StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-*
65	〃	〃	〃	〃	Required	StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-*
66	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
67	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-CONFIG-*
68	〃	(Home Region)	AWS CloudTrail	Trail (Multi-Region Trail)	Optional	aws-controltower-BaselineCloudTrail
69	〃	〃	Amazon S3	Bucket	Required	aws-controltower-logs-*
70	〃	〃	〃	〃	Required	aws-controltower-s3-access-logs-*
71	〃	〃	AWS CloudFormation	Stack	Optional	StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*
72	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*
73	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-ROLES-*
74	〃	〃	〃	〃	Required	StackSet-AWSControlTowerLoggingResources-*
75	Audit Account	Global	AWS IAM	Role	Required	aws-controltower-AdministratorExecutionRole
76	〃	〃	〃	〃	Optional	aws-controltower-CloudWatchLogsRole
77	〃	〃	〃	〃	Required	aws-controltower-ConfigRecorderRole
78	〃	〃	〃	〃	Required	aws-controltower-ForwardSnsNotificationRole
79	〃	〃	〃	〃	Required	aws-controltower-ReadOnlyExecutionRole
80	〃	〃	〃	〃	Required	aws-controltower-AuditAdministratorRole
81	〃	〃	〃	〃	Required	aws-controltower-AuditReadOnlyRole
82	〃	〃	〃	〃	Required	AWSControlTowerExecution
83	〃	〃	〃	Policy	Required	AWSControlTowerServiceRolePolicy
84	〃	All managed regions	AWS Config	Rule	Optional	AWSControlTower_AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
85	〃	〃	〃	〃	Required	AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
86	〃	〃	〃	〃	Required	AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
87	〃	〃	Amazon SNS	Topic	Required	aws-controltower-AggregateSecurityNotifications
88	〃	〃	〃	〃	Required	aws-controltower-AllConfigNotifications
89	〃	〃	〃	〃	Required	aws-controltower-SecurityNotifications
90	〃	〃	〃	Topic Policy	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWAT-SNSNotificationPolicy-*
91	〃	〃	〃	Topic Policy	Required	StackSet-AWSControlTowerBP-SECURITY-SNSAllConfigurationTopicPolicy-*
92	〃	〃	〃	Topic Policy	Required	StackSet-AWSControlTowerBP-SECURITY-SNSAllConfigurationTopicPolicy–*
93	〃	〃	〃	Subscription	Required	*
94	〃	〃	〃	〃	Required	*
95	〃	〃	〃	〃	Required	*
96	〃	〃	AWS Lambda	Function	Required	aws-controltower-NotificationForwarder
97	〃	〃	Amazon EventBridge	Event Rule	Required	aws-controltower-ConfigComplianceChangeEventRule
98	〃	〃	Amazon CloudWatch	Log Group	Optional	aws-controltower/CloudTrailLogs
99	〃	〃	〃	〃	Required	/aws/lambda/aws-controltower-NotificationForwarder
100	〃	〃	AWS CloudFormation	Stack	Required	StackSet-AWSControlTowerGuardrailAWS-GR-DETECT-CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS-*
101	〃	〃	〃	〃	Required	StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-*
102	〃	〃	〃	〃	Required	StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-*
103	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
104	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-CONFIG-*
105	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-SECURITY-TOPICS-*
106	〃	(Home Region)	AWS CloudTrail	Trail (Multi-Region Trail)	Optional	aws-controltower-BaselineCloudTrail
107	〃	〃	AWS Config	Aggregator	Required	aws-controltower-GuardrailsComplianceAggregator
108	〃	〃	AWS CloudFormation	Stack	Optional	StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*
109	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*
110	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-ROLES-*
111	〃	〃	〃	〃	Required	StackSet-AWSControlTowerSecurityResources-*
112	Production Account	Global	AWS IAM	Role	Required	aws-controltower-ConfigRecorderRole
113	〃	〃	〃	〃	Required	aws-controltower-ForwardSnsNotificationRole
114	〃	〃	〃	〃	Required	aws-controltower-AdministratorExecutionRole
115	〃	〃	〃	〃	Required	aws-controltower-ReadOnlyExecutionRole
116	〃	All managed regions	AWS Config	Configuration Recorder	Required	aws-controltower-BaselineConfigRecorder
117	〃	〃	〃	Delivery Channel	Required	aws-controltower-BaselineConfigDeliveryChannel
118	〃	〃	Amazon VPC	VPC Flow Logs	Optional	*
119	〃	〃	〃	Route Table	Optional	aws-controltower-PrivateSubnet1ARouteTable
120	〃	〃	〃	〃	Optional	aws-controltower-PrivateSubnet2ARouteTable
121	〃	〃	〃	〃	Optional	aws-controltower-PrivateSubnet3ARouteTable
122	〃	〃	〃	Subnet	Optional	aws-controltower-PrivateSubnet1A
123	〃	〃	〃	〃	Optional	aws-controltower-PrivateSubnet2A
124	〃	〃	〃	〃	Optional	aws-controltower-PrivateSubnet3A
125	〃	〃	〃	DHCP Options Set	Optional	aws-controltower-DHCPOptionsSet
126	〃	〃	〃	VPC	Optional	aws-controltower-VPC
127	〃	〃	〃	VPC Endpoint	Optional	com.amazonaws.${region_name}.s3
128	〃	〃	Amazon EventBridge	Event Rule	Required	aws-controltower-ConfigComplianceChangeEventRule
129	〃	〃	AWS Lambda	Function	Required	aws-controltower-NotificationForwarder
130	〃	〃	〃	Permission	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH--SNSInvokeLambdaPermission-
131	〃	〃	Amazon CloudWatch	Log Group	Required	/aws/lambda/aws-controltower-NotificationForwarder
132	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1--VPCFlowLogsLogGroup-
133	〃	〃	Amazon SNS	Topic	Required	aws-controltower-SecurityNotifications
134	〃	〃	〃	Topic Policy	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWAT-SNSNotificationPolicy-*
135	〃	〃	〃	Subscription	Required	*
136	〃	〃	AWS CloudFormation	Stack	Optional	StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-*
137	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
138	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-CONFIG-*
139	〃	(Home Region)	AWS CloudTrail	Trail (Multi-Region Trail)	Optional	aws-controltower-BaselineCloudTrail
140	〃	〃	AWS CloudFormation	Stack	Required	StackSet-AWSControlTowerBP-BASELINE-ROLES-*
141	〃	〃	〃	〃	Required	StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*

*1: In Landing Zone version 3.0, the organizational unit AWS CloudTrail trail can now be optionally selected. However, even if it is disabled, the trail will still be created.

Related Materials
- How AWS Control Tower Works - AWS Control Tower

Considerations for Implementation

1. What is the AWS account contract type?

CT is enabled from the management account.
Since CT uses AWS Organizations, it is important to check the contract type and ensure that management account features are available.
For more details, refer to Guidelines: AWS Organizations | Moderniser.repo .

2. Are you using a custom Landing Zone?

Before using CT, check if you have already set up a custom Landing Zone.
“Landing Zone” is not an AWS service but a mechanism for multi-account setup according to your organization’s policies.

If you are already operating a custom Landing Zone using AWS Organizations or StackSets, assess the impact of migrating to CT and consider whether to adopt CT.
If your custom Landing Zone is well-established and migration would have a significant impact, the benefits of adopting CT may be limited. Since CT’s design is constantly updated, you may consider updating your custom Landing Zone as needed based on CT updates.

Related Resources
- Building Landing Zones - AWS Prescriptive Guidance
- StackSets Concepts - AWS CloudFormation

3. Are the regions you use supported by AWS Control Tower?

If you only use the Tokyo region, you generally don’t need to worry.
However, if you use other regions for cost savings or global expansion, check if CT supports those regions.
As of May 14, 2023, only three regions are unsupported, with seven additional regions (including Osaka) added in April 2023.

Region Name	Region Code	Opt-in Required	CT Supported
US East (N. Virginia)	us-east-1	-	○
US East (Ohio)	us-east-2	-	○
US West (N. California)	us-west-1	-	○
US West (Oregon)	us-west-2	-	○
Asia Pacific (Mumbai)	ap-south-1	-	○
Asia Pacific (Osaka)	ap-northeast-3	-	○
Asia Pacific (Seoul)	ap-northeast-2	-	○
Asia Pacific (Singapore)	ap-southeast-1	-	○
Asia Pacific (Sydney)	ap-southeast-2	-	○
Asia Pacific (Tokyo)	ap-northeast-1	-	○
Canada (Central)	ca-central-1	-	○
Europe (Frankfurt)	eu-central-1	-	○
Europe (Ireland)	eu-west-1	-	○
Europe (London)	eu-west-2	-	○
Europe (Paris)	eu-west-3	-	○
Europe (Stockholm)	eu-north-1	-	○
South America (São Paulo)	sa-east-1	-	○
Africa (Cape Town)	af-south-1	○	○
Asia Pacific (Hong Kong)	ap-east-1	○	○
Asia Pacific (Hyderabad)	ap-south-2	○	-
Asia Pacific (Jakarta)	ap-southeast-3	○	○
Asia Pacific (Melbourne)	ap-southeast-4	○	-
Europe (Milan)	eu-south-1	○	-

4. Assess the impact of AWS resources deployed by Control Tower

Check the following five points regarding the impact of AWS resources deployed by CT:

Is a CloudTrail trail for management events enabled? (Most important)
- CT creates a trail for management events across all AWS accounts.
- This happens regardless of whether the account is managed by CT, so if you already have a trail, it will be duplicated. Since additional trails for management events incur extra charges, this can increase costs.
- If a trail already exists, consider deleting or disabling it before deployment, or temporarily disabling the organization trail created by CT and switching over gradually.
- Note: In the latter case, new accounts will not have a valid management event trail, so you may need to create a temporary trail for audit purposes.
Are you using IAM Identity Center (IIC)?
- If IIC is already set up, you must enable CT in the same region as IIC.
Is AWS Config enabled?
- If existing AWS accounts to be registered with CT have Config recorders, delivery channels, or aggregators, you must delete them beforehand.
- Unlike CloudTrail, Config is only created for accounts managed by CT, so you do not need to delete them when setting up CT.
Are you using regions other than those selected for CT?
- If you use regions not managed by CT, decide how to control those regions.
- If not, you can prohibit usage with CT’s region deny controls, so you don’t need to worry about resource deployment in those regions.
Are you using actions prohibited by SCP?
- If you enable controls that implement preventive controls via SCP, check if the relevant APIs are used in existing accounts.
- Mandatory Controls generally only affect resources and accounts managed by CT, so you usually don’t need to worry.
- Optional Controls may prohibit specific actions, so be careful.

Reference:
- Prerequisites: Pre-Launch Checks for Management Account - AWS Control Tower

Design Considerations

1. Landing Zone Settings

CT allows you to build a customized landing zone through its settings.
The following table shows the integrated services defined in CT documentation and the design items that can be customized for each. These items are customizable in the CT landing zone settings.
For example, as described in Customize AWS Config Resource Tracking in AWS Control Tower Environment | AWS Blog , there are OSS and tools for customizing CT, but they are not included in the table below. Customization methods are described later.

Integrated Service	Overview	Design Items
AWS Organizations	Deploys OUs and AWS accounts managed by Control Tower into Organizations	None
AWS Identity and Access Management	Deploys IAM Identity Center resources (permission sets, users, groups) into the management account	Enable/disable automatic creation of IAM Identity Center resources
CloudTrail	Deploys an organization trail to capture management events	Enable/disable organization trail
Security Hub	Enables Security Hub controls for AWS accounts managed by CT	Enable/disable controls
AWS Config	Deploys AWS Config resources (recorders, delivery channels) to AWS accounts managed by CT	None
AWS Lambda	Deploys Lambda functions to send drift and compliance notifications for the landing zone	None
Amazon VPC *1	Deploys VPC resources (VPC, subnets, route tables, DHCP options sets, NAT gateways, EIPs) to AWS accounts managed by CT	Enable/disable automatic VPC creation, VPC configuration to deploy
Step Functions	(Listed as an integrated service, but no specific deployed AWS resources were found)	None
Amazon SNS	Deploys SNS topics to send drift and compliance notifications for the landing zone	SNS topic subscription settings
Amazon S3	Deploys S3 buckets in the log archive account to store AWS Config and CloudTrail logs	S3 bucket lifecycle policy
AWS Key Management Service	Encrypts AWS Config and CloudTrail logs stored in S3 buckets	Enable/disable encryption
CloudWatch	Deploys monitoring tools to execute CT’s automated actions	None
AWS Backup	Deploys AWS Backup resources (backup vaults, plans, service roles) to all AWS accounts in the organization (including those not managed by CT)	Enable/disable automatic creation of AWS Backup resources
AWS CloudFormation	Creates stacks to manage CT’s AWS resources	None
AWS Service Catalog	Deploys AWS accounts to CT’s Account Factory	None

*1: Not listed as an integrated service in the reference materials below, but automatic VPC creation can be configured in Account Factory.

Reference
- Integrated Services - AWS Control Tower

2. Enabling/Disabling Controls

In preparation

3. Customizing Control Tower

In preparation

4. Operational Items

In preparation

What is AWS Control Tower? - AWS Control Tower User Guide