AWS Control Tower

Official Documentation

https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html

Control Tower Getting Started Guide
AWS Secure Account Setup
Getting Started: Follow Security Best Practices as You Configure Your AWS Resources
Building a Scalable and Secure Multi-VPC AWS Network Infrastructure
AWS Service Catalog Connector for ServiceNow
Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events

Control Tower Lifecycle

https://docs.aws.amazon.com/controltower/latest/userguide/lifecycle-events.html

IMPORTANT: AWS Control Tower can be deployed in Existing Organizations:

https://aws.amazon.com/pt/blogs/architecture/field-notes-enroll-existing-aws-accounts-into-aws-control-tower/

YouTube: https://www.youtube.com/watch?v=-n65I4M8cas

IMPORTANT: Customizations for AWS Control Tower

https://aws.amazon.com/pt/solutions/implementations/customizations-for-aws-control-tower/

Doc: https://docs.aws.amazon.com/solutions/latest/customizations-for-aws-control-tower/welcome.html

Field Notes: Customizing the AWS Control Tower Account Factory with AWS Service Catalog

https://aws.amazon.com/pt/blogs/architecture/field-notes-customizing-the-aws-control-tower-account-factory-with-aws-service-catalog/

Manage Control Tower life cycle actions intelligently using AWS Service Catalog, AWS Config, Amazon DynamoDB and AWS CloudFormation

https://aws.amazon.com/pt/blogs/mt/manage-control-tower-life-cycle-actions-aws-service-catalog-aws-config-amazon-dynamodb-aws-cloudformation/

Customizing account configuration with AWS Control Tower lifecycle events

https://aws.amazon.com/blogs/mt/customizing-account-configuration-aws-control-tower-lifecycle-events/

Enabling guardrails in new AWS Regions the AWS Control Tower supports

https://aws.amazon.com/blogs/field-notes/enabling-guardrails-in-new-aws-regions-the-aws-control-tower-supports/

Experimentation Accounts: How to deploy a serverless solution for ephemeral resources (in Portuguese)

This blog post presents a solution for managing the lifecycle of a separate AWS account dedicated to experimentation:
https://aws.amazon.com/pt/blogs/aws-brasil/contas-de-experimentacao-como-implantar-uma-solucao-sem-servidor-para-recursos-efemeros/

How to automate the creation of multiple accounts in AWS Control Tower

https://aws.amazon.com/pt/blogs/mt/how-to-automate-the-creation-of-multiple-accounts-in-aws-control-tower/

Enabling Amazon GuardDuty in AWS Control Tower using Delegated Administrator

https://aws.amazon.com/blogs/mt/automating-amazon-guardduty-deployment-in-aws-control-tower/

AWS Control Tower with Firewall Manager

https://www.youtube.com/watch?v=wocz0drq8-8

How to Detect and Mitigate Guardrail Violations with AWS Control Tower

https://www.youtube.com/watch?v=HuVZqx8IHd4

Automating Service Limit Increases and Enterprise Support with AWS Control Tower

https://aws.amazon.com/pt/blogs/mt/automating-service-limit-increases-enterprise-support-aws-control-tower/

Self-service VPCs in AWS Control Tower using AWS Service Catalog

https://aws.amazon.com/pt/blogs/mt/self-service-vpcs-in-aws-control-tower-using-aws-service-catalog/

Field Notes: Cross-account deployments in an AWS Control Tower environment

https://aws.amazon.com/pt/blogs/mt/cross-account-deployments-aws-control-tower-environment/

AWS Control Tower Partners Solutions

https://aws.amazon.com/marketplace/solutions/control-tower/

Monitoring resources in an AWS Control Tower environment using Splunk from AWS Marketplace

https://aws.amazon.com/pt/blogs/awsmarketplace/monitoring-resources-in-an-aws-control-tower-environment-using-splunk-from-aws-marketplace/

Automate your network setup in AWS Control Tower using Aviatrix

https://aws.amazon.com/pt/blogs/awsmarketplace/automate-your-network-setup-in-aws-control-tower-using-aviatrix/

Log analysis with AWS Control Tower and Logz.io

https://aws.amazon.com/pt/blogs/awsmarketplace/log-analysis-with-aws-control-tower-and-logz-io/

Enhance AWS Control Tower multi-account observability with Sumo Logic

https://aws.amazon.com/pt/blogs/awsmarketplace/enhance-aws-control-tower-multi-account-observability-with-sumo-logic/

Integrating Alert Logic Managed Detection and Response with AWS Control Tower

https://aws.amazon.com/pt/blogs/awsmarketplace/integrating-alert-logic-managed-detection-and-response-with-aws-control-tower/

Solutions integrated with AWS Control Tower are now available in AWS Marketplace

https://aws.amazon.com/pt/blogs/awsmarketplace/solutions-integrated-with-aws-control-tower-are-now-available-in-aws-marketplace/

Full-stack observability of your AWS Control Tower landing zone with New Relic

https://aws.amazon.com/pt/blogs/awsmarketplace/full-stack-observability-of-your-aws-control-tower-landing-zone-with-new-relic/

Increasing observability in your AWS Control Tower landing zone with Dynatrace

https://aws.amazon.com/pt/blogs/awsmarketplace/increasing-observability-in-your-aws-control-tower-landing-zone-with-dynatrace/

AWS SSO

AWS SSO allows automatic provisioning through SCIM

Evolution of Single Sign-on - Integrate with Azure AD with automatic user provisioning:
https://aws.amazon.com/blogs/aws/the-next-evolution-in-aws-single-sign-on/

AWS SSO with AWS CLI 2.0:

With AWS CLI 2.0 you can easily configure one or more of your AWS CLI named profiles (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) to use a role from AWS SSO
https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Provisioning Users in AWS Control Tower Using AWS SSO

https://www.youtube.com/watch?v=y_n9xN5mg1g

Other Topics

Serverless Transit Network Orchestrator (STNO)

The Serverless Transit Network Orchestrator (STNO) solution adds automation to AWS Transit Gateway. This solution provides the tools necessary to automate the process of setting up and managing transit networks in distributed AWS environments. A web interface is created to help control, audit, and approve (transit) network changes. STNO supports both AWS Organizations (https://aws.amazon.com/organizations/) and standalone AWS account types.
https://aws.amazon.com/solutions/implementations/serverless-transit-network-orchestrator/

AWS Config

AWS Config Conformance Packs:

You can prepare accounts to get enrolled in Control Tower, with Conformance Packs:
https://docs.aws.amazon.com/config/latest/developerguide/aws-control-tower-detective-guardrails.html

https://www.youtube.com/watch?v=YCUNNQuGZfg

Remediate Non-Compliance Using AWS Config Rules and a Custom SSM Document
https://www.youtube.com/watch?v=CyyNlyAHs0A

AWS Control Tower Detective Guardrails as an AWS Config Conformance Pack
https://aws.amazon.com/pt/blogs/mt/aws-control-tower-detective-guardrails-as-an-aws-config-conformance-pack/

Extend AWS Control Tower governance using AWS Config Conformance Packs

https://aws.amazon.com/pt/blogs/mt/extend-aws-control-tower-governance-using-aws-config-conformance-packs/

AWS Organizations

Best Practices for Organizations

https://aws.amazon.com/pt/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/

Building a Shared Account Structure Using AWS Organizations

https://aws.amazon.com/pt/blogs/architecture/field-notes-building-a-shared-account-structure-using-aws-organizations/

Documentation for Multi-Account Strategy

https://docs.aws.amazon.com/whitepapers/latest/organizing-your-aws-environment/introduction.html

AWS Prescriptive Guidance

https://docs.aws.amazon.com/prescriptive-guidance/latest/security-reference-architecture/architecture.html

Partners

Best Practices for Partners

https://aws.amazon.com/pt/blogs/apn/aws-control-tower-best-practices-for-aws-solution-providers/