# AWS Control Tower

## **Official Documentation**
https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html
* **Here is the URL for the self-paced labs:**
https://controltower.aws-management.tools/
## **Useful Links:**
* [Control Tower Getting Started Guide](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html)
* [AWS Secure Account Setup](https://aws.amazon.com/answers/security/aws-secure-account-setup/)
* [Getting Started: Follow Security Best Practices as You Configure Your AWS Resources](https://aws.amazon.com/blogs/security/getting-started-follow-security-best-practices-as-you-configure-your-aws-resources/)
* [Building a Scalable and Secure Multi-VPC AWS Network Infrastructure](https://d1.awsstatic.com/whitepapers/building-a-scalable-and-secure-multi-vpc-aws-network-infrastructure.pdf)
* [AWS Service Catalog Connector for ServiceNow](https://aws.amazon.com/blogs/aws/new-aws-service-catalog-connector-for-servicenow/)
* [Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events](https://aws.amazon.com/blogs/mt/automating-aws-security-hub-alerts-with-aws-control-tower-lifecycle-events/)
## **Control Tower Lifecycle**
https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html
## **IMPORTANT: AWS Control Tower can be deployed in Existing Organizations:**
https://aws.amazon.com/pt/blogs/architecture/field-notes-enroll-existing-aws-accounts-into-aws-control-tower/
**YouTube:** https://www.youtube.com/watch?v=-n65I4M8cas
## **IMPORTANT: Customizations for AWS Control Tower**
https://aws.amazon.com/pt/solutions/implementations/customizations-for-aws-control-tower/

**Doc:** https://docs.aws.amazon.com/solutions/latest/customizations-for-aws-control-tower/welcome.html
## **Field Notes: Customizing the AWS Control Tower Account Factory with AWS Service Catalog**
https://aws.amazon.com/pt/blogs/architecture/field-notes-customizing-the-aws-control-tower-account-factory-with-aws-service-catalog/
## **Manage Control Tower life cycle actions intelligently using AWS Service Catalog, AWS Config, Amazon DynamoDB and AWS CloudFormation**
https://aws.amazon.com/pt/blogs/mt/manage-control-tower-life-cycle-actions-aws-service-catalog-aws-config-amazon-dynamodb-aws-cloudformation/
## **Customizing account configuration with AWS Control Tower lifecycle events**
https://aws.amazon.com/blogs/mt/customizing-account-configuration-aws-control-tower-lifecycle-events/
## **Enabling guardrails in new AWS Regions the AWS Control Tower supports**
https://aws.amazon.com/blogs/field-notes/enabling-guardrails-in-new-aws-regions-the-aws-control-tower-supports/
## **Experimentation Accounts: How to deploy a serverless solution for ephemeral resources** - in Portuguese
This blog post presents a solution for managing the lifecycle of a separate AWS account dedicated to experimentation:
https://aws.amazon.com/pt/blogs/aws-brasil/contas-de-experimentacao-como-implantar-uma-solucao-sem-servidor-para-recursos-efemeros/
## **How to automate the creation of multiple accounts in AWS Control Tower**
https://aws.amazon.com/pt/blogs/mt/how-to-automate-the-creation-of-multiple-accounts-in-aws-control-tower/
## **Enabling Amazon GuardDuty in AWS Control Tower using Delegated Administrator**
https://aws.amazon.com/blogs/mt/automating-amazon-guardduty-deployment-in-aws-control-tower/
## **AWS Control Tower with Firewall Manager**
https://www.youtube.com/watch?v=wocz0drq8-8
## **How to Detect and Mitigate Guardrail Violations with AWS Control Tower**
https://www.youtube.com/watch?v=HuVZqx8IHd4
## **Automating Service Limit Increases and Enterprise Support with AWS Control Tower**
https://aws.amazon.com/pt/blogs/mt/automating-service-limit-increases-enterprise-support-aws-control-tower/
## **Self-service VPCs in AWS Control Tower using AWS Service Catalog**
https://aws.amazon.com/pt/blogs/mt/self-service-vpcs-in-aws-control-tower-using-aws-service-catalog/
## **Field Notes: Cross-account deployments in an AWS Control Tower environment**
https://aws.amazon.com/pt/blogs/mt/cross-account-deployments-aws-control-tower-environment/
# AWS Control Tower Partners Solutions
https://aws.amazon.com/marketplace/solutions/control-tower/
## **Monitoring resources in an AWS Control Tower environment using Splunk from AWS Marketplace**
https://aws.amazon.com/pt/blogs/awsmarketplace/monitoring-resources-in-an-aws-control-tower-environment-using-splunk-from-aws-marketplace/
## **Automate your network setup in AWS Control Tower using Aviatrix**
https://aws.amazon.com/pt/blogs/awsmarketplace/automate-your-network-setup-in-aws-control-tower-using-aviatrix/
## **Log analysis with AWS Control Tower and Logz.io**
https://aws.amazon.com/pt/blogs/awsmarketplace/log-analysis-with-aws-control-tower-and-logz-io/
## **Enhance AWS Control Tower multi-account observability with Sumo Logic**
https://aws.amazon.com/pt/blogs/awsmarketplace/enhance-aws-control-tower-multi-account-observability-with-sumo-logic/
## **Integrating Alert Logic Managed Detection and Response with AWS Control Tower**
https://aws.amazon.com/pt/blogs/awsmarketplace/integrating-alert-logic-managed-detection-and-response-with-aws-control-tower/
## **Solutions integrated with AWS Control Tower are now available in AWS Marketplace**
https://aws.amazon.com/pt/blogs/awsmarketplace/solutions-integrated-with-aws-control-tower-are-now-available-in-aws-marketplace/
## **Full-stack observability of your AWS Control Tower landing zone with New Relic**
https://aws.amazon.com/pt/blogs/awsmarketplace/full-stack-observability-of-your-aws-control-tower-landing-zone-with-new-relic/
## **Increasing observability in your AWS Control Tower landing zone with Dynatrace**
https://aws.amazon.com/pt/blogs/awsmarketplace/increasing-observability-in-your-aws-control-tower-landing-zone-with-dynatrace/
# **AWS SSO**
## **AWS SSO allows automatic provisioning through SCIM**
Evolution of Single Sign-on - Integrate with Azure AD with automatic user provisioning:
https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/
## **AWS SSO with AWS CLI 2.0:**
With AWS CLI 2.0, you can configure one or more of your AWS CLI named profiles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) to use a role from AWS SSO:
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html
## **Provisioning Users in AWS Control Tower Using AWS SSO**
https://www.youtube.com/watch?v=y_n9xN5mg1g
# Other Topics
## **Serverless Transit Network Orchestrator (STNO)**
The Serverless Transit Network Orchestrator (STNO) solution adds automation to AWS Transit Gateway. This solution provides the tools necessary to automate the process of setting up and managing transit networks in distributed AWS environments. A web interface is created to help control, audit, and approve (transit) network changes. STNO supports both AWS Organizations (https://aws.amazon.com/organizations/) and standalone AWS account types.
https://aws.amazon.com/solutions/implementations/serverless-transit-network-orchestrator/

# AWS Config
## **AWS Config Conformance Packs:**
You can use Conformance Packs to prepare accounts for enrollment in Control Tower:
https://docs.aws.amazon.com/config/latest/developerguide/aws-control-tower-detective-guardrails.html
https://www.youtube.com/watch?v=YCUNNQuGZfg
Remediate Non-Compliance Using AWS Config Rules and a Custom SSM Document
https://www.youtube.com/watch?v=CyyNlyAHs0A
AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack
https://aws.amazon.com/pt/blogs/mt/aws-control-tower-detective-guardrails-as-an-aws-config-conformance-pack/
## **Extend AWS Control Tower governance using AWS Config Conformance Packs**
https://aws.amazon.com/pt/blogs/mt/extend-aws-control-tower-governance-using-aws-config-conformance-packs/
# AWS Organizations
## **Best Practices for Organizations**
https://aws.amazon.com/pt/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/
## **Building a Shared Account Structure Using AWS Organizations**
https://aws.amazon.com/pt/blogs/architecture/field-notes-building-a-shared-account-structure-using-aws-organizations/
## Documentation for Multi-Account Strategy
https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/introduction.html
## AWS Prescriptive Guidance
https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html
# Partners
## **Best Practices for Partners**
https://aws.amazon.com/pt/blogs/apn/aws-control-tower-best-practices-for-aws-solution-providers/