Getting Started with AWS Control Tower for Your Landing Zone

A practical guide to implementing AWS Control Tower, the managed service that simplifies Landing Zone setup and ongoing governance for Australian organisations.

CloudPoint

CloudPoint Team

AWS Control Tower is a managed service that automates the setup of a secure, compliant, multi-account AWS environment based on best practices. If you’re building an AWS Landing Zone, Control Tower can significantly accelerate your implementation while ensuring ongoing governance.

What is AWS Control Tower?

AWS Control Tower orchestrates multiple AWS services to set up and govern your Landing Zone:

  • AWS Organizations: Multi-account management and Service Control Policies
  • AWS IAM Identity Center: Centralised access management
  • AWS CloudTrail: Audit logging (an organisation trail delivered to the Log Archive account)
  • AWS Config: Configuration recording and compliance rules
  • AWS CloudFormation StackSets: Baseline deployment into every enrolled account
  • AWS Service Catalog: Account provisioning (Account Factory)
  • Amazon S3: Log storage
  • Amazon SNS: Notifications

Instead of manually configuring each service, Control Tower provides a guided setup and ongoing management.

Key Components

Landing Zone

The foundational multi-account environment including:

  • Management account
  • Log Archive account
  • Audit account
  • Organisational Units (OUs)

Guardrails

Preventive and detective controls that enforce governance. AWS now calls these "controls" in the console and documentation; the older term guardrail is still widely used and is kept in this guide.

Preventive Guardrails: Service Control Policies (SCPs) that stop an action before it happens. They apply to every principal in a member account, including its root user, but SCPs never apply to the management account.

  • Disallow public read/write S3 buckets
  • Prevent changes to logging configurations
  • Restrict region usage

Detective Guardrails: AWS Config rules that report non-compliance. They only detect and record; they do not block the action or remediate it, so a non-compliant finding needs a response process behind it.

  • Detect whether MFA is enabled for the root user
  • Detect unrestricted SSH access (0.0.0.0/0 or ::/0 reaching port 22)
  • Detect unencrypted EBS volumes

Control Tower also offers proactive controls, implemented as AWS CloudFormation hooks, which reject non-compliant resources at deployment time before they are created.
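To make the detective side concrete, here is the logic behind the three checks listed above, as an added example written for this page (it is not Control Tower's or AWS's own code; Control Tower deploys the real checks as managed AWS Config rules). The inputs are constructed to match the shapes returned by iam.get_account_summary (SummaryMap), ec2.describe_security_groups and ec2.describe_volumes, so the same functions could be fed real API output. Account, security group and volume IDs are made up.

```python
"""Detective-guardrail logic for root MFA, unrestricted SSH and EBS encryption.
Added illustration for this page, not Control Tower code.  Inputs mirror the
IAM and EC2 API response shapes; sample data below is constructed."""
from ipaddress import ip_network

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


def check_root_mfa(summary_map):
    """'Detect whether MFA for the root user is enabled': AccountMFAEnabled in
    iam.get_account_summary()['SummaryMap'] is 1 when root has an MFA device."""
    return COMPLIANT if summary_map.get("AccountMFAEnabled", 0) == 1 else NON_COMPLIANT


def _rule_covers_port(perm, port):
    proto = perm.get("IpProtocol")
    if proto == "-1":                       # "all traffic" rules carry no port range
        return True
    if proto != "tcp":                      # SSH is TCP; a UDP/22 rule is irrelevant
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def _rule_is_world_open(perm):
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    # A /0 prefix (0.0.0.0/0 or ::/0) is the whole internet.
    return any(ip_network(c, strict=False).prefixlen == 0 for c in v4 + v6)


def check_unrestricted_ssh(security_group, port=22):
    """'Detect whether unrestricted internet connection through SSH is allowed':
    non-compliant if any inbound rule reaches the port from 0.0.0.0/0 or ::/0.
    Note that a wide port range (0-1024) covering 22 counts, not just a 22-22 rule."""
    for perm in security_group.get("IpPermissions", []):
        if _rule_covers_port(perm, port) and _rule_is_world_open(perm):
            return NON_COMPLIANT
    return COMPLIANT


def check_ebs_encrypted(volume):
    """'Detect whether encryption is enabled for EBS volumes'."""
    return COMPLIANT if volume.get("Encrypted") else NON_COMPLIANT


def evaluate_account(account_id, summary_map, security_groups, volumes):
    """Return Config-style evaluations as (rule, resource id, compliance) tuples."""
    findings = [("root-account-mfa-enabled", account_id, check_root_mfa(summary_map))]
    findings += [("restricted-ssh", sg["GroupId"], check_unrestricted_ssh(sg))
                 for sg in security_groups]
    findings += [("encrypted-volumes", v["VolumeId"], check_ebs_encrypted(v))
                 for v in volumes]
    return findings


# Constructed sample inputs; IDs and addresses are made up.
SAMPLE_SUMMARY = {"AccountMFAEnabled": 0}
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0bastion", "IpPermissions": [            # SSH from one office range: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0wideopen", "IpPermissions": [           # 0-1024/tcp from anywhere covers 22
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0allv6", "IpPermissions": [              # all traffic from ::/0
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
SAMPLE_VOLUMES = [{"VolumeId": "vol-0enc", "Encrypted": True},
                  {"VolumeId": "vol-0plain", "Encrypted": False}]

if __name__ == "__main__":
    for rule, resource, status in evaluate_account(
            "111111111111", SAMPLE_SUMMARY, SAMPLE_SECURITY_GROUPS, SAMPLE_VOLUMES):
        print(f"{rule:26} {resource:14} {status}")
```

The point of the wide-range and IPv6 cases is that a naive "port 22 from 0.0.0.0/0" string match misses both; the managed rule catches them, and so should any custom rule you write.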

Account Factory

Self-service account provisioning through Service Catalog:

  • Standardised account configuration
  • Automated baseline setup
  • Integrated with IAM Identity Center
  • Consistent security controls

Dashboard

Centralised view of:

  • OU and account structure
  • Guardrail compliance status
  • Drift detection
  • Provisioned accounts

When to Use Control Tower

Control Tower is ideal when:

  • Starting fresh with AWS
  • You have 10+ accounts to manage
  • Standard compliance requirements
  • Limited AWS expertise in-house
  • Need rapid deployment
  • Want managed governance

Consider a custom Landing Zone only after checking whether Customizations for AWS Control Tower (CfCT) or Account Factory for Terraform (AFT) can extend Control Tower to cover the gap. A custom build is justified if you need:

  • Highly customised network architectures
  • Integration with existing complex infrastructure
  • Specific compliance frameworks beyond standard guardrails
  • Granular control over every configuration

Implementation Steps

Pre-Implementation Checklist

Before deploying Control Tower:

  1. Email Addresses: Prepare a unique root email address for every account Control Tower will create (at least two for the Log Archive and Audit accounts). These become root-user logins, so use mailboxes owned by the security or platform team rather than individuals, and decide how root MFA devices will be held
  2. Existing Workloads: Plan migration strategy if you have existing accounts
  3. Compliance Requirements: Document any specific regulatory needs
  4. Network Design: Plan your VPC and connectivity architecture
  5. Team Access: Identify who needs access to which accounts

Step 1: Initial Setup

  1. Log into your AWS Management account (the Organizations management account; if you do not yet have an organisation, Control Tower creates one)
  2. Navigate to the AWS Control Tower console
  3. Select your home region (ap-southeast-2 for Australian businesses). The home region cannot be changed after the landing zone is set up
  4. Choose additional governed regions, and decide whether to enable the Region deny control for everything else
  5. Configure log retention settings for the Log Archive buckets and, if required, customer-managed KMS encryption for the logs

Setup takes approximately 60 minutes.

Step 2: Configure IAM Identity Center

Set up centralised access management:

  1. Define permission sets (collections of IAM policies that Identity Center turns into a role in each account they are assigned to)
  2. Create user groups
  3. Add users or connect to your identity provider (SAML federation with SCIM provisioning), and enforce MFA if you use the Identity Center directory directly
  4. Assign permission sets to groups per account, preferably never to individual users

Example permission sets (Control Tower pre-creates these in IAM Identity Center):

  • AWSAdministratorAccess: Full admin rights
  • AWSPowerUserAccess: Developer access without IAM changes
  • AWSReadOnlyAccess: View-only access (the underlying ReadOnlyAccess policy still allows reading S3 object contents and other data, so it is not a safe auditor role on its own)
  • Custom permission sets: Tailored to your needs
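Step 2 as an API call sequence, added here as an example written for this page (not AWS or Control Tower code): a custom permission set is defined as data, created through the sso-admin API, and assigned to one Identity Center group across several accounts. The permission set starts from the AWS managed ReadOnlyAccess policy and adds an inline Deny so auditors can inspect configuration without reading data; an explicit Deny holds even if AWS later broadens the managed policy. The client is injected, so the flow runs offline against the stub at the bottom; in production pass boto3.client("sso-admin"). The instance ARN, group ID and account IDs are made up.

```python
"""Create a least-privilege auditor permission set and assign it to a group in
several accounts via the IAM Identity Center (sso-admin) API.  Added example for
this page; instance ARN, group ID and account IDs are placeholders."""
import json


def build_permission_set_spec(name, managed_policy_arn, denied_actions, session_hours=4):
    """Describe the permission set as plain data so it can be reviewed (or diffed
    in version control) before anything is created."""
    inline_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Sid": "TrimManagedPolicy", "Effect": "Deny",
                       "Action": sorted(denied_actions), "Resource": "*"}],
    }
    return {"Name": name,
            "SessionDuration": f"PT{session_hours}H",      # ISO 8601 duration
            "ManagedPolicyArn": managed_policy_arn,
            "InlinePolicy": json.dumps(inline_policy)}


def denied_actions_of(spec):
    return json.loads(spec["InlinePolicy"])["Statement"][0]["Action"]


def provision_permission_set(sso_admin, instance_arn, spec, group_id, account_ids):
    """Create the permission set, attach its policies, then assign it to the group
    in every account.  Returns the permission set ARN and the assignment request
    IDs (assignments are asynchronous; poll describe_account_assignment_creation_status)."""
    ps_arn = sso_admin.create_permission_set(
        Name=spec["Name"], InstanceArn=instance_arn,
        SessionDuration=spec["SessionDuration"])["PermissionSet"]["PermissionSetArn"]
    sso_admin.attach_managed_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        ManagedPolicyArn=spec["ManagedPolicyArn"])
    sso_admin.put_inline_policy_to_permission_set(
        InstanceArn=instance_arn, PermissionSetArn=ps_arn,
        InlinePolicy=spec["InlinePolicy"])
    request_ids = []
    for account_id in account_ids:
        resp = sso_admin.create_account_assignment(
            InstanceArn=instance_arn, TargetId=account_id, TargetType="AWS_ACCOUNT",
            PermissionSetArn=ps_arn, PrincipalType="GROUP", PrincipalId=group_id)
        request_ids.append(resp["AccountAssignmentCreationStatus"]["RequestId"])
    return ps_arn, request_ids


class StubSsoAdmin:
    """In-memory stand-in for boto3.client('sso-admin') that records each call."""
    def __init__(self):
        self.calls = []

    def create_permission_set(self, **kw):
        self.calls.append(("create_permission_set", kw))
        return {"PermissionSet": {"PermissionSetArn":
                f"arn:aws:sso:::permissionSet/ssoins-example/ps-{kw['Name'].lower()}"}}

    def attach_managed_policy_to_permission_set(self, **kw):
        self.calls.append(("attach_managed_policy_to_permission_set", kw))
        return {}

    def put_inline_policy_to_permission_set(self, **kw):
        self.calls.append(("put_inline_policy_to_permission_set", kw))
        return {}

    def create_account_assignment(self, **kw):
        self.calls.append(("create_account_assignment", kw))
        return {"AccountAssignmentCreationStatus":
                {"Status": "IN_PROGRESS", "RequestId": f"req-{len(self.calls)}"}}


# Read-only for auditors, minus the actions that return data rather than configuration.
AUDITOR_SPEC = build_permission_set_spec(
    "AuditorReadOnlyNoData",
    "arn:aws:iam::aws:policy/ReadOnlyAccess",
    denied_actions=["s3:GetObject", "s3:GetObjectVersion", "ssm:GetParameter",
                    "ssm:GetParameters", "ssm:GetParametersByPath",
                    "secretsmanager:GetSecretValue", "kms:Decrypt"],
    session_hours=4)

if __name__ == "__main__":
    client = StubSsoAdmin()          # replace with boto3.client("sso-admin") in production
    arn, requests = provision_permission_set(
        client, "arn:aws:sso:::instance/ssoins-example", AUDITOR_SPEC,
        "a1b2c3d4-auditors", ["111111111111", "222222222222"])
    print(arn, requests)
```

Keeping the permission set as data (the spec dict) is deliberate: the deny list is what a reviewer needs to see, and the same spec can be re-applied to new accounts as Account Factory creates them.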

Step 3: Customize Guardrails

Review and enable guardrails. The names below follow the AWS Control Tower controls reference, which is the authoritative list:

Mandatory Guardrails (always enabled and cannot be disabled):

  • Disallow changes to the CloudTrail and AWS Config set up by Control Tower
  • Disallow changes to the CloudWatch Logs set up by Control Tower
  • Disallow changes to, and deletion of, the Log Archive buckets, and detect public read or write access to them

Strongly Recommended Guardrails (enable at a minimum):

  • Detect whether MFA for the root user is enabled (detective only: Control Tower cannot force MFA onto the root user, so this needs a manual follow-up per account)
  • Disallow creation of access keys for, and actions as, the root user
  • Detect whether public read or write access to S3 buckets is allowed
  • Detect whether encryption is enabled for EBS volumes attached to EC2 instances

Elective Guardrails:

  • Deny access to AWS based on the requested region (the Region deny control)
  • Disallow delete actions on S3 buckets without MFA
  • Disallow changes to S3 bucket replication or lifecycle configuration

Enable guardrails that align with your compliance requirements, and record the rationale for any strongly recommended guardrail you choose not to enable.
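The region-restriction guardrail listed above (AWS's Region deny control) is the one people most often misjudge, because it is an SCP with exemptions rather than a blanket block. The policy below is an added example written for this page that reproduces the shape Control Tower attaches: a Deny of everything except a NotAction list of global services, unless the request is for a governed region or comes from the AWSControlTowerExecution role. The NotAction list here is illustrative and shorter than the one AWS maintains, and the evaluator is a simplified model of SCP evaluation (Deny statements, Action/NotAction wildcards, the two condition operators used) written for this page, not AWS code.

```python
"""Model of the Region deny SCP and a small evaluator to show what it blocks.
Added example for this page; the NotAction list is trimmed, the ARNs are made up."""
from fnmatch import fnmatchcase

REGION_DENY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRREGIONDENY",
        "Effect": "Deny",
        # Global services must stay reachable from any region or the account breaks.
        "NotAction": [
            "iam:*", "organizations:*", "sts:*", "support:*", "budgets:*",
            "ce:*", "cloudfront:*", "route53:*", "waf:*", "health:*",
            "s3:ListAllMyBuckets", "s3:GetAccountPublicAccessBlock",
        ],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": ["ap-southeast-2"]},
            # Control Tower's own role is exempt so baselines can still be deployed.
            "ArnNotLike": {"aws:PrincipalARN": ["arn:aws:iam::*:role/AWSControlTowerExecution"]},
        },
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_any(value, patterns):
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return _matches_any(action, _as_list(stmt["Action"]))
    return not _matches_any(action, _as_list(stmt["NotAction"]))


def _conditions_hold(conditions, ctx):
    """All condition blocks must be true for the statement to take effect.
    A missing context key satisfies the *Not* operators, as in IAM."""
    for operator, pairs in conditions.items():
        for key, values in pairs.items():
            actual = ctx.get(key)
            if operator == "StringNotEquals":
                if actual in _as_list(values):
                    return False
            elif operator == "ArnNotLike":
                if actual is not None and _matches_any(actual, _as_list(values)):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def scp_denies(policy, action, requested_region, principal_arn):
    """True if any Deny statement in the SCP matches the request."""
    ctx = {"aws:RequestedRegion": requested_region, "aws:PrincipalARN": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if _statement_applies(stmt, action) and _conditions_hold(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    dev = "arn:aws:iam::111111111111:role/AWSReservedSSO_AWSPowerUserAccess_0123456789abcdef"
    ct = "arn:aws:iam::111111111111:role/AWSControlTowerExecution"
    for action, region, who in [("ec2:RunInstances", "ap-southeast-1", dev),
                                ("ec2:RunInstances", "ap-southeast-2", dev),
                                ("iam:CreateRole", "us-east-1", dev),
                                ("s3:PutObject", "us-east-1", dev),
                                ("ec2:RunInstances", "us-west-2", ct)]:
        print(f"{action:18} {region:15} {'DENIED' if scp_denies(REGION_DENY_SCP, action, region, who) else 'allowed'}")
```

Two consequences worth checking in your own environment: s3:PutObject to a bucket in an ungoverned region is denied even though S3 feels global, and because SCPs do not apply to the management account, this control gives no protection there.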

Step 4: Configure Account Factory

Set up the account provisioning process:

  1. Define your account naming convention
  2. Set the default network configuration (VPC, subnets, regions). If networking will come from Transit Gateway or infrastructure as code, disable the Account Factory VPC so new accounts do not receive an unused VPC with overlapping CIDRs
  3. Configure email distribution lists for the root email addresses
  4. Set up baseline CloudFormation templates, normally through Customizations for AWS Control Tower (CfCT) or Account Factory for Terraform (AFT), so they are applied to every new account automatically

Step 5: Create Additional OUs

Organise accounts with Organisational Units:

Common OU structure:

Root
├── Security OU (pre-created)
├── Sandbox OU
├── Workloads OU
│   ├── Production
│   └── Non-Production
└── Suspended OU

Create OUs from the Control Tower console, or register OUs that already exist in AWS Organizations, so that Control Tower's baselines and guardrails apply to them; an OU created directly in Organizations is unregistered and its accounts are not governed until you register it. Apply specific guardrails to each OU as needed.

Step 6: Provision Accounts

Use Account Factory to create new accounts:

  1. Open Account Factory from the Control Tower console (it is also available as a product in Service Catalog in the management account)
  2. Select “AWS Control Tower Account Factory”
  3. Fill in account details:
    • Account email (becomes the root user email; it must not already belong to another AWS account)
    • Account name
    • Organizational Unit (must be a registered OU)
    • IAM Identity Center user email and name (the user who receives administrator access to the new account)
  4. Launch the product

Accounts are ready in 20-30 minutes. Once the account exists, set MFA on its root user from the root email and store the recovery details with the other root credentials; Control Tower does not do this for you.

Post-Implementation Configuration

Network Setup

Account Factory can create a basic VPC in each new account (optional, and often disabled in favour of infrastructure as code), but you’ll likely need:

  • Transit Gateway: Hub-and-spoke networking
  • VPN or Direct Connect: On-premises connectivity
  • VPC Peering: Account-to-account connectivity
  • Route 53 Resolver: DNS management

Security Enhancements

Beyond default guardrails, consider the following, with the Audit account as the delegated administrator so findings from every account aggregate in one place:

  • Amazon GuardDuty: Threat detection
  • AWS Security Hub: Centralised security findings
  • AWS Firewall Manager: Centralised firewall management
  • Amazon Inspector: Vulnerability management

Monitoring and Logging

Enhance observability:

  • CloudWatch Dashboards: Centralised monitoring
  • CloudWatch Alarms: Proactive alerting
  • EventBridge Rules: Automated responses to Control Tower lifecycle events (account creation, guardrail violations, drift), which also arrive as SNS notifications in the Audit account
  • Cost and Usage Reports: Detailed billing data
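The most useful EventBridge rule in a Control Tower environment is the one that reacts to account creation. As an added example written for this page (not AWS code), here is the rule pattern and a handler for the CreateManagedAccount lifecycle event that Control Tower publishes when Account Factory finishes: the event arrives with source "aws.controltower" and detail-type "AWS Service Event via CloudTrail", only SUCCEEDED events trigger a baseline, and FAILED ones are routed to an alert. The baseline step names and the OU mapping are placeholders for whatever you deploy into new accounts; the sample event follows the documented lifecycle-event shape, but its account and OU IDs are made up.

```python
"""EventBridge pattern and handler for Control Tower's CreateManagedAccount
lifecycle event.  Added example for this page; step names, OU mapping and the
sample event's IDs are constructed placeholders."""

EVENT_PATTERN = {                      # EventBridge rule pattern, usable as-is
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}

BASELINE_BY_OU = {                     # constructed: what each OU gets after creation
    "Production": ["enable-guardduty", "enable-aws-backup", "enable-vpc-flow-logs"],
    "Non-Production": ["enable-guardduty", "enable-vpc-flow-logs"],
    "Sandbox": ["enable-guardduty", "create-budget-alarm"],
}
DEFAULT_BASELINE = ["enable-guardduty"]


def event_matches(pattern, event):
    """Minimal EventBridge matcher: each pattern key must exist in the event and
    the event value must be one of the listed alternatives; nested dicts recurse."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not event_matches(want, event[key]):
                return False
        elif event[key] not in want:
            return False
    return True


def handle_create_managed_account(event):
    """Turn one event into a plan.  Returning a plan instead of acting keeps the
    decision testable and leaves the cross-account calls to a separate step."""
    if not event_matches(EVENT_PATTERN, event):
        return {"action": "ignore", "reason": "not a CreateManagedAccount event"}
    status = event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]
    if status.get("state") != "SUCCEEDED":
        return {"action": "alert", "state": status.get("state"),
                "reason": status.get("message", "account creation did not succeed")}
    account = status["account"]
    ou_name = status["organizationalUnit"]["organizationalUnitName"]
    return {"action": "baseline",
            "account_id": account["accountId"],
            "account_name": account["accountName"],
            "ou": ou_name,
            "steps": BASELINE_BY_OU.get(ou_name, DEFAULT_BASELINE)}


def lambda_handler(event, context):    # Lambda entry point when wired to the rule
    return handle_create_managed_account(event)


def make_sample_event(state="SUCCEEDED", ou_name="Production"):
    """Constructed event in the documented lifecycle-event shape; IDs are fake."""
    ok = state == "SUCCEEDED"
    return {
        "version": "0",
        "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "region": "ap-southeast-2",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventName": "CreateManagedAccount",
            "serviceEventDetails": {
                "createManagedAccountStatus": {
                    "organizationalUnit": {"organizationalUnitName": ou_name,
                                           "organizationalUnitId": "ou-ex4m-pl3id00"},
                    "account": {"accountName": "payments-prod",
                                "accountId": "222222222222"},
                    "state": state,
                    "message": ("AWS Control Tower successfully created a managed account."
                                if ok else "AWS Control Tower failed to create a managed account."),
                }
            },
        },
    }


if __name__ == "__main__":
    print(handle_create_managed_account(make_sample_event()))
    print(handle_create_managed_account(make_sample_event("FAILED")))
```

Control Tower emits these events in the home region of the management account, so the rule and the function must live there; the baseline itself then assumes the AWSControlTowerExecution role into the new account.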

Backup and DR

Implement data protection:

  • AWS Backup: Centralised backup management
  • Cross-region replication: S3 and RDS
  • DR runbooks: Documented recovery procedures

Ongoing Management

Account Lifecycle

  • Repurposing accounts: Move between OUs as needs change; the move changes which guardrails and baselines apply, so check compliance afterwards
  • Decommissioning: Move unused accounts to the Suspended OU (with an SCP that denies almost everything) before closing them; a closed account stays in the organisation in a suspended state for 90 days before it is removed
  • Expanding: Provision new accounts through Account Factory as teams grow, rather than creating them directly in Organizations

Compliance Monitoring

Regular review of:

  • Guardrail compliance status
  • Drift detection results
  • AWS Config compliance
  • Security Hub findings

Updates and Maintenance

Control Tower receives regular updates:

  • New guardrails
  • Enhanced features
  • Security improvements

Landing zone version updates are not applied automatically; you apply them from the landing zone settings page in the console, which also refreshes the baselines. Stay current by reviewing AWS What’s New for Control Tower announcements.

Cost Considerations

Control Tower itself is free, but you pay for underlying services:

  • AWS Config: Billed per configuration item recorded and per rule evaluation, not as a flat fee per rule. Because Control Tower enables recording in every governed region of every enrolled account, this is usually the largest line item and it scales with how often resources change
  • CloudTrail: The first copy of management events in each account is free; additional copies are charged per 100,000 events, and data events are charged separately. Control Tower’s organisation trail is normally that first copy, but an account that keeps its own trail pays for a second copy
  • S3 storage: For logs (minimal cost, growing with the retention period)
  • VPCs: Free, although NAT gateways and Transit Gateway attachments added later are not

For a typical 10-account setup: roughly $50-150/month for Control Tower-related services. Treat this as an estimate and check the AWS Config line in Cost Explorer after the first month, since it depends on resource churn rather than account count.

Common Challenges and Solutions

Challenge: Existing AWS accounts
Solution: Enroll them into Control Tower. Enrollment needs the AWSControlTowerExecution role in each account and a registered OU to move it into; pre-existing AWS Config recorders or delivery channels are the most common cause of failed enrollment and may need to be removed or reconciled first.

Challenge: Custom network requirements
Solution: Disable or customise the Account Factory VPC and deploy networking through Customizations for AWS Control Tower (CfCT) or Account Factory for Terraform (AFT).

Challenge: Specific compliance needs
Solution: Add your own AWS Config rules and SCPs alongside the Control Tower ones (via CfCT, AFT or your existing IaC). Do not edit the SCPs or Config rules Control Tower manages; that is flagged as drift and reset when you repair the landing zone.

Challenge: Multi-region requirements
Solution: Plan carefully as some Control Tower features are region-specific; governed regions must be chosen explicitly, and the Region deny control blocks most API calls outside them.

Best Practices for Australian Businesses

  1. Choose Sydney region (ap-southeast-2) as home region for data sovereignty
  2. Limit additional regions to reduce costs and complexity
  3. Enable all strongly recommended guardrails at a minimum
  4. Document custom configurations outside Control Tower
  5. Implement additional security tools beyond default guardrails
  6. Regular compliance reviews aligned with ISM or industry requirements
  7. Plan for growth but start with essential accounts

Conclusion

AWS Control Tower provides an excellent foundation for organisations building their AWS Landing Zone. It automates best practices, enforces governance, and simplifies multi-account management.

For Australian startups and regulated industries, Control Tower offers a fast path to a compliant, secure AWS environment. However, it’s important to understand its capabilities and limitations to ensure it meets your specific requirements.

Ready to implement AWS Control Tower? CloudPoint can assess your requirements, deploy Control Tower, and customize it for your business needs. Contact us for a consultation.


Need Help with AWS Control Tower?

CloudPoint helps Australian businesses implement AWS Control Tower and landing zones that meet compliance requirements from day one. Get in touch to discuss your multi-account strategy.

Learn more about our Landing Zone service →