Author: Kanji
  ・ Cloud engineer / freelance
  ・ Born in 1993
  ・ Born in Ehime Prefecture / Lives in Shibuya-ku, Tokyo
  ・ AWS history 5 years
Contact: Twitter (@kanji_aws_fl), Instagram (kanji_aws_freelance), Mail (kanji@cont-aid.com)

【Design Guideline】Considerations for Introducing AWS Control Tower to Corporate Structure/Systems

Created date: 2023/06/19, Update date: 2023/10/10


As part of security measures for AWS environments in organizations, it has become common to establish "Guidelines" that define standard practices for system development and operation.
One approach is to use AWS Control Tower, which enables rapid deployment of environments following AWS best practices.
This article provides an overview of AWS Control Tower and describes key points to check when considering its introduction.

Table of Contents


  1. What is AWS Control Tower?
  2. Considerations for Implementation
    1. ① What is the contract type of the AWS account?
    2. ② Are you using a custom landing zone?
    3. ③ Is the region you are using supported by AWS Control Tower?
    4. ④ Confirm the impact of AWS resources deployed by Control Tower
  3. Related Documents

What is AWS Control Tower?

  • AWS Control Tower (hereafter referred to as CT) is a service for setting up and managing multi-account AWS environments.

  • When operating a large-scale AWS environment, extensive knowledge of AWS services is required to manage multi-accounts while ensuring security, compliance, and operational efficiency.

  • CT is provided to address these challenges.

  • CT deploys “AWS Organizations” and “AWS IAM Identity Center Management” as preventive controls, and “AWS CloudTrail,” “AWS Config,” and “Amazon EventBridge + AWS Lambda + Amazon SNS” as detective controls.

    • Preventive Controls
      • These are measures to prevent unauthorized actions or security breaches.
      • They are designed to mitigate risks before issues occur by restricting or prohibiting certain operations.
    • Detective Controls
      • These are measures to detect and respond appropriately to issues after they occur.
      • Issues here refer not only to failures but also to design errors or prohibited operations.
  • Related Materials

    • How AWS Control Tower Works - AWS Control Tower

Considerations for Implementation

① What is the contract type of the AWS account?

  • CT is enabled through the management account.
  • Since CT utilizes the features of AWS Organizations, it is important to confirm the contract type of the AWS account and whether the management account features can be used.
  • For details on contract types, refer to Guidelines: AWS Organizations | Moderniser.repo.

② Are you using a custom landing zone?

  • Before using CT, it is necessary to confirm whether a custom landing zone has been configured.
    • A landing zone is not an AWS service name but rather a mechanism for multi-account configuration tailored to organizational policies.
  • If AWS Organizations or StackSets have already been used to configure a custom landing zone, assess the impact of migrating to CT and consider whether to adopt CT.
  • If a custom landing zone operation is well-established and the migration impact is significant, the benefits of adopting CT may be low.
    • Since CT’s design is constantly updated, it may be worth incorporating updates from CT into the custom landing zone as needed.
  • The AWS resources created are summarized in the table below.
    • Since the official list of AWS resources created does not clarify which AWS resources can be optionally created by the user, the “Required/Optional” column indicates resources that can be optionally created as “Optional.”
List of AWS Resources Created by CT

No | AWS Account Name | Region | AWS Service Name | AWS Resource Type Name | Required/Optional | AWS Resource Name
--- | --- | --- | --- | --- | --- | ---
1 | Management Account | Global | AWS Organizations | Account | Required | audit *Can be changed during setup
2 | 〃 | 〃 | 〃 | 〃 | Required | log archive *Can be changed during setup
3 | 〃 | 〃 | 〃 | OU | Required | Security *Can be changed during setup
4 | 〃 | 〃 | 〃 | 〃 | Optional | (Specified OU Name)
5 | 〃 | 〃 | 〃 | Service Control Policy | Required | aws-guardrails-* *Created based on selected guardrails
6 | 〃 | 〃 | AWS IAM | Role | Required | AWSControlTowerAdmin
7 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerStackSetRole
8 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerConfigAggregatorRoleForOrganizations
9 | 〃 | 〃 | 〃 | 〃 | Optional | AWSControlTowerCloudTrailRole
10 | 〃 | 〃 | 〃 | Customer Managed Policy | Required | AWSControlTowerServiceRolePolicy
11 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerAdminPolicy
12 | 〃 | 〃 | 〃 | 〃 | Optional | AWSControlTowerCloudTrailRolePolicy
13 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerStackSetRolePolicy
14 | 〃 | (Home Region) | AWS IAM Identity Center | Management Directory Group | Required | AWSAccountFactory
15 | 〃 | 〃 | 〃 | 〃 | Required | AWSAuditAccountAdmins
16 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerAdmins
17 | 〃 | 〃 | 〃 | 〃 | Required | AWSLogArchiveAdmins
18 | 〃 | 〃 | 〃 | 〃 | Required | AWSLogArchiveViewers
19 | 〃 | 〃 | 〃 | 〃 | Required | AWSSecurityAuditors
20 | 〃 | 〃 | 〃 | 〃 | Required | AWSSecurityAuditPowerUsers
21 | 〃 | 〃 | 〃 | 〃 | Required | AWSServiceCatalogAdmins
22 | 〃 | 〃 | 〃 | Permission Set | Required | AWSAdministratorAccess
23 | 〃 | 〃 | 〃 | 〃 | Required | AWSPowerUserAccess
24 | 〃 | 〃 | 〃 | 〃 | Required | AWSServiceCatalogAdminFullAccess
25 | 〃 | 〃 | 〃 | 〃 | Required | AWSServiceCatalogEndUserAccess
26 | 〃 | 〃 | 〃 | 〃 | Required | AWSReadOnlyAccess
27 | 〃 | 〃 | 〃 | 〃 | Required | AWSOrganizationsFullAccess
28 | 〃 | 〃 | AWS CloudTrail | Trail (Multi-Region Trail) | Required *1 | aws-controltower-BaselineCloudTrail
29 | 〃 | 〃 | AWS Service Catalog | Product | Required | AWS Control Tower Account Factory
30 | 〃 | 〃 | Amazon CloudWatch | Log Group | Optional | aws-controltower/CloudTrailLogs
31 | 〃 | 〃 | AWS CloudFormation | Stack | Optional | AWSControlTowerBP-BASELINE-CLOUDTRAIL-MASTER
32 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerBP-BASELINE-CONFIG-MASTER
33 | 〃 | 〃 | 〃 | StackSets | Required | AWSControlTowerBP-BASELINE-CLOUDWATCH
34 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerBP-BASELINE-CONFIG
35 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerBP-BASELINE-ROLES
36 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerBP-BASELINE-SERVICE-ROLES
37 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerBP-SECURITY-TOPICS
38 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1
39 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED
40 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED
41 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerGuardrailAWS-GR-DETECT-CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS
42 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerLoggingResources
43 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerSecurityResources
44 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerExecutionRole
45 | Log Archive Account | Global | AWS IAM | Role | Required | aws-controltower-AdministratorExecutionRole
46 | 〃 | 〃 | 〃 | 〃 | Optional | aws-controltower-CloudWatchLogsRole
47 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ConfigRecorderRole
48 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ForwardSnsNotificationRole
49 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ReadOnlyExecutionRole
50 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerExecution
51 | 〃 | 〃 | 〃 | Customer Managed Policy | Required | AWSControlTowerServiceRolePolicy
52 | 〃 | All managed regions | AWS Config | Rule | Optional | AWSControlTower_AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
53 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
54 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
55 | 〃 | 〃 | Amazon EventBridge | Event Rule | Required | aws-controltower-ConfigComplianceChangeEventRule
56 | 〃 | 〃 | Amazon CloudWatch | Log Group | Optional | aws-controltower/CloudTrailLogs
57 | 〃 | 〃 | 〃 | 〃 | Required | /aws/lambda/aws-controltower-NotificationForwarder
58 | 〃 | 〃 | Amazon SNS | Topic | Required | aws-controltower-SecurityNotifications
59 | 〃 | 〃 | 〃 | Topic Policy | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWAT-SNSNotificationPolicy-*
60 | 〃 | 〃 | 〃 | Subscription | Required | *
61 | 〃 | 〃 | AWS Lambda | Application | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
62 | 〃 | 〃 | 〃 | Function | Required | aws-controltower-NotificationForwarder
63 | 〃 | 〃 | AWS CloudFormation | Stack | Required | StackSet-AWSControlTowerGuardrailAWS-GR-DETECT-CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS-*
64 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-*
65 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-*
66 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
67 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-CONFIG-*
68 | 〃 | (Home Region) | AWS CloudTrail | Trail (Multi-Region Trail) | Optional | aws-controltower-BaselineCloudTrail
69 | 〃 | 〃 | Amazon S3 | Bucket | Required | aws-controltower-logs-*
70 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-s3-access-logs-*
71 | 〃 | 〃 | AWS CloudFormation | Stack | Optional | StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*
72 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*
73 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-ROLES-*
74 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerLoggingResources-*
75 | Audit Account | Global | AWS IAM | Role | Required | aws-controltower-AdministratorExecutionRole
76 | 〃 | 〃 | 〃 | 〃 | Optional | aws-controltower-CloudWatchLogsRole
77 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ConfigRecorderRole
78 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ForwardSnsNotificationRole
79 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ReadOnlyExecutionRole
80 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-AuditAdministratorRole
81 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-AuditReadOnlyRole
82 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTowerExecution
83 | 〃 | 〃 | 〃 | Policy | Required | AWSControlTowerServiceRolePolicy
84 | 〃 | All managed regions | AWS Config | Rule | Optional | AWSControlTower_AWS-GR_DETECT_CLOUDTRAIL_ENABLED_ON_SHARED_ACCOUNTS
85 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_READ_PROHIBITED
86 | 〃 | 〃 | 〃 | 〃 | Required | AWSControlTower_AWS-GR_AUDIT_BUCKET_PUBLIC_WRITE_PROHIBITED
87 | 〃 | 〃 | Amazon SNS | Topic | Required | aws-controltower-AggregateSecurityNotifications
88 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-AllConfigNotifications
89 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-SecurityNotifications
90 | 〃 | 〃 | 〃 | Topic Policy | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWAT-SNSNotificationPolicy-*
91 | 〃 | 〃 | 〃 | Topic Policy | Required | StackSet-AWSControlTowerBP-SECURITY-SNSAllConfigurationTopicPolicy-*
92 | 〃 | 〃 | 〃 | Topic Policy | Required | StackSet-AWSControlTowerBP-SECURITY-SNSAllConfigurationTopicPolicy-*
93 | 〃 | 〃 | 〃 | Subscription | Required | *
94 | 〃 | 〃 | 〃 | 〃 | Required | *
95 | 〃 | 〃 | 〃 | 〃 | Required | *
96 | 〃 | 〃 | AWS Lambda | Function | Required | aws-controltower-NotificationForwarder
97 | 〃 | 〃 | Amazon EventBridge | Event Rule | Required | aws-controltower-ConfigComplianceChangeEventRule
98 | 〃 | 〃 | Amazon CloudWatch | Log Group | Optional | aws-controltower/CloudTrailLogs
99 | 〃 | 〃 | 〃 | 〃 | Required | /aws/lambda/aws-controltower-NotificationForwarder
100 | 〃 | 〃 | AWS CloudFormation | Stack | Required | StackSet-AWSControlTowerGuardrailAWS-GR-DETECT-CLOUDTRAIL-ENABLED-ON-SHARED-ACCOUNTS-*
101 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-READ-PROHIBITED-*
102 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerGuardrailAWS-GR-AUDIT-BUCKET-PUBLIC-WRITE-PROHIBITED-*
103 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
104 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-CONFIG-*
105 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-SECURITY-TOPICS-*
106 | 〃 | (Home Region) | AWS CloudTrail | Trail (Multi-Region Trail) | Optional | aws-controltower-BaselineCloudTrail
107 | 〃 | 〃 | AWS Config | Aggregator | Required | aws-controltower-GuardrailsComplianceAggregator
108 | 〃 | 〃 | AWS CloudFormation | Stack | Optional | StackSet-AWSControlTowerBP-BASELINE-CLOUDTRAIL-*
109 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*
110 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-ROLES-*
111 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerSecurityResources-*
112 | Production Account | Global | AWS IAM | Role | Required | aws-controltower-ConfigRecorderRole
113 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ForwardSnsNotificationRole
114 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-AdministratorExecutionRole
115 | 〃 | 〃 | 〃 | 〃 | Required | aws-controltower-ReadOnlyExecutionRole
116 | 〃 | All managed regions | AWS Config | Configuration Recorder | Required | aws-controltower-BaselineConfigRecorder
117 | 〃 | 〃 | 〃 | Delivery Channel | Required | aws-controltower-BaselineConfigDeliveryChannel
118 | 〃 | 〃 | Amazon VPC | VPC Flow Logs | Optional | *
119 | 〃 | 〃 | 〃 | Route Table | Optional | aws-controltower-PrivateSubnet1ARouteTable
120 | 〃 | 〃 | 〃 | 〃 | Optional | aws-controltower-PrivateSubnet2ARouteTable
121 | 〃 | 〃 | 〃 | 〃 | Optional | aws-controltower-PrivateSubnet3ARouteTable
122 | 〃 | 〃 | 〃 | Subnet | Optional | aws-controltower-PrivateSubnet1A
123 | 〃 | 〃 | 〃 | 〃 | Optional | aws-controltower-PrivateSubnet2A
124 | 〃 | 〃 | 〃 | 〃 | Optional | aws-controltower-PrivateSubnet3A
125 | 〃 | 〃 | 〃 | DHCP Options Set | Optional | aws-controltower-DHCPOptionsSet
126 | 〃 | 〃 | 〃 | VPC | Optional | aws-controltower-VPC
127 | 〃 | 〃 | 〃 | VPC Endpoint | Optional | com.amazonaws.${region_name}.s3
128 | 〃 | 〃 | Amazon EventBridge | Event Rule | Required | aws-controltower-ConfigComplianceChangeEventRule
129 | 〃 | 〃 | AWS Lambda | Function | Required | aws-controltower-NotificationForwarder
130 | 〃 | 〃 | 〃 | Permission | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*-SNSInvokeLambdaPermission-*
131 | 〃 | 〃 | Amazon CloudWatch | Log Group | Required | /aws/lambda/aws-controltower-NotificationForwarder
132 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-*-VPCFlowLogsLogGroup-*
133 | 〃 | 〃 | Amazon SNS | Topic | Required | aws-controltower-SecurityNotifications
134 | 〃 | 〃 | 〃 | Topic Policy | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWAT-SNSNotificationPolicy-*
135 | 〃 | 〃 | 〃 | Subscription | Required | *
136 | 〃 | 〃 | AWS CloudFormation | Stack | Optional | StackSet-AWSControlTowerBP-VPC-ACCOUNT-FACTORY-V1-*
137 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-CLOUDWATCH-*
138 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-CONFIG-*
139 | 〃 | (Home Region) | AWS CloudTrail | Trail (Multi-Region Trail) | Optional | aws-controltower-BaselineCloudTrail
140 | 〃 | 〃 | AWS CloudFormation | Stack | Required | StackSet-AWSControlTowerBP-BASELINE-ROLES-*
141 | 〃 | 〃 | 〃 | 〃 | Required | StackSet-AWSControlTowerBP-BASELINE-SERVICE-ROLES-*


*1: In Landing Zone version 3.0, the organizational unit AWS CloudTrail trail can now be optionally selected. However, even if it is disabled, the trail will still be created.

  • Related Materials
    • Building a Landing Zone - AWS Prescriptive Guidance
    • StackSets Concepts - AWS CloudFormation

③ Is the region you are using supported by AWS Control Tower?

  • If you are only using the Tokyo region, there is no need to worry. However, if you are using regions other than Tokyo for reasons such as cost reduction or global expansion, it is necessary to confirm whether CT supports those regions.
  • As of the April 2023 update, seven additional regions, including the Osaka region, are supported. As of May 14, 2023, only three regions remain unsupported.
Region Name | Region Code | Opt-in Required | CT Supported
--- | --- | --- | ---
US East (N. Virginia) | us-east-1 | - | ○
US East (Ohio) | us-east-2 | - | ○
US West (N. California) | us-west-1 | - | ○
US West (Oregon) | us-west-2 | - | ○
Asia Pacific (Mumbai) | ap-south-1 | - | ○
Asia Pacific (Osaka) | ap-northeast-3 | - | ○
Asia Pacific (Seoul) | ap-northeast-2 | - | ○
Asia Pacific (Singapore) | ap-southeast-1 | - | ○
Asia Pacific (Sydney) | ap-southeast-2 | - | ○
Asia Pacific (Tokyo) | ap-northeast-1 | - | ○
Canada (Central) | ca-central-1 | - | ○
Europe (Frankfurt) | eu-central-1 | - | ○
Europe (Ireland) | eu-west-1 | - | ○
Europe (London) | eu-west-2 | - | ○
Europe (Paris) | eu-west-3 | - | ○
Europe (Stockholm) | eu-north-1 | - | ○
South America (São Paulo) | sa-east-1 | - | ○
Africa (Cape Town) | af-south-1 | ○ | ○
Asia Pacific (Hong Kong) | ap-east-1 | ○ | ○
Asia Pacific (Hyderabad) | ap-south-2 | ○ | -
Asia Pacific (Jakarta) | ap-southeast-3 | ○ | ○
Asia Pacific (Melbourne) | ap-southeast-4 | ○ | -
Europe (Milan) | eu-south-1 | ○ | -

④ Confirm the impact of AWS resources deployed by Control Tower

  • The impact of AWS resources deployed by CT can be summarized into the following five points:
    • Reference: Prerequisites: Automatic Checks Before Launching the Management Account - AWS Control Tower
  1. Is the trail for capturing CloudTrail management events enabled? (Most Important)
    • CT creates a trail for capturing CloudTrail management events for all AWS accounts.
    • Regardless of whether the account is managed by CT, a trail will be created, potentially leading to duplicate trails if one already exists. Since charges apply from the second trail onwards, duplicate trails can increase costs.
    • If a trail for capturing management events already exists, consider deleting or stopping it before deployment, or temporarily disabling the organizational trail deployed by CT and gradually switching over. However, in the latter case, create a temporary trail for audit purposes as there will be no valid management event trail for newly created accounts.
  2. Are you using IIC (IAM Identity Center)?
    • If IIC is already set up, CT must be enabled in the same region as IIC.
  3. Is Config enabled?
    • If Config recorders, delivery channels, or aggregators are created in existing AWS accounts to be registered with CT, they must be deleted beforehand.
    • Unlike CloudTrail, Config is only created for AWS accounts managed by CT, so there is no need to delete them when setting up CT.
  4. Are regions other than those selected for CT being used?
    • If regions outside CT’s management scope are being used, decide how to control those regions.
    • If not used, prohibit their use with CT’s region deny control to prevent AWS resources from being deployed, eliminating the need for control.
  5. Are actions prohibited by SCP being used?
    • If controls implementing SCP as preventive measures are enabled, confirm whether the relevant APIs are being used in existing accounts.
    • Mandatory Controls govern AWS resources and accounts deployed by CT, so they generally do not require attention.
    • Optional Controls may prohibit specific actions, so caution is required.
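Points 4 and 5 above both come down to one check: are the actions that an SCP-based control would deny actually being used in the existing accounts? The following Python is an added example, not the article's own code or an AWS tool. It reads an SCP document, resolves Action/NotAction wildcards the way IAM does (including the NotAction + aws:RequestedRegion shape used for region denies), and matches the result against CloudTrail-style management events. The SCP and the events are constructed samples, and the matcher assumes Resource "*" statements.

```python
import fnmatch
import json

# Constructed sample SCP (not an actual Control Tower control document): a Deny on
# CloudTrail changes plus a region-deny style NotAction/aws:RequestedRegion statement.
SAMPLE_SCP = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"]},
    {"Effect": "Deny", "Resource": "*", "NotAction": ["iam:*", "sts:*", "cloudfront:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["ap-northeast-1"]}}},
]})

# Constructed CloudTrail-style management events observed in an existing account.
SAMPLE_EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "awsRegion": "ap-northeast-1"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "awsRegion": "us-east-1"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "awsRegion": "us-east-1"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "awsRegion": "ap-northeast-1"},
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def event_to_action(event):
    """Map a CloudTrail record to its IAM action string, e.g. 'ec2:RunInstances'."""
    return f"{event['eventSource'].split('.', 1)[0]}:{event['eventName']}"

def _matches(action, patterns):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _exempt_regions(stmt):
    """Regions a region-deny (StringNotEquals on aws:RequestedRegion) leaves allowed, else None."""
    regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    return _as_list(regions) if regions else None

def find_denied_actions(scp_json, events):
    """Return (action, region, statement_index, note) per observed action a Deny would block.
    A Deny with a condition other than the region pattern is reported as 'conditional'."""
    hits = []
    for index, stmt in enumerate(json.loads(scp_json)["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        exempt = _exempt_regions(stmt)
        other_condition = "Condition" in stmt and exempt is None
        for event in events:
            action = event_to_action(event)
            if "Action" in stmt:
                denied = _matches(action, _as_list(stmt["Action"]))
            else:  # NotAction: everything outside the listed patterns is denied
                denied = not _matches(action, _as_list(stmt.get("NotAction", [])))
            if not denied or (exempt is not None and event["awsRegion"] in exempt):
                continue
            hits.append((action, event["awsRegion"], index, "conditional" if other_condition else "denied"))
    return hits
```

Run over a real account's CloudTrail management events, a non-empty result is the list of API calls that would start failing once the control is enabled, which is exactly the impact point 5 asks you to confirm before enrollment.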

Related Documents

  • What is AWS Control Tower - AWS Control Tower User Guide


©2025 ContAID