---
title: AWS Control Tower
description: Managed service that automates AWS landing zone setup, multi-account governance, and compliance monitoring with preventive, detective, and proactive controls.
url: https://www.factualminds.com/glossary/aws-control-tower/
publishDate: 2026-06-13
updateDate: 2026-06-13
---

# AWS Control Tower

> Managed service that automates AWS landing zone setup, multi-account governance, and compliance monitoring with preventive, detective, and proactive controls.

## Definition

AWS Control Tower is a managed service that sets up and governs a multi-account AWS environment on top of AWS Organizations, Service Control Policies (SCPs), and AWS Config. It automates landing zone provisioning, enforces **controls** (AWS renamed “guardrails” to “controls” in 2023), and provides a compliance dashboard across accounts. **Account Factory** provisions new accounts with baseline settings; **Account Factory for Terraform (AFT)** is the GitOps-oriented path for Terraform-native organizations.

## When to use it

- Standing up a **new multi-account estate** where you want AWS-maintained landing zone baselines instead of hand-rolling CloudFormation for every guardrail
- Organizations that need **preventive, detective, and proactive controls** with a central compliance view
- Teams standardizing on **IAM Identity Center** (formerly AWS SSO) for human access across accounts
- Terraform shops that want **AFT** to customize account vending without abandoning Infrastructure as Code

## When not to use it

- Highly bespoke landing zones where every SCP, OU structure, and network pattern diverges from Control Tower’s model — a manual or custom landing zone may fit better
- Single-account AWS environments — Control Tower’s overhead is not justified
- Replacing an entrenched manual landing zone without a migration plan — account moves and SCP inheritance changes are disruptive
- Expecting Control Tower to replace a full GRC program — it enforces AWS-native controls, not your entire compliance framework

## Tips

- Enable **proactive controls** (CloudFormation hooks) for workloads deployed via IaC — they catch non-compliant templates before resources exist
- Use AFT when Terraform is already your account-provisioning standard; Service Catalog-only flows frustrate platform teams used to GitOps
- Map each control to an owner and exception process before enabling — “blocked by Control Tower” tickets without a path forward erode adoption
- Keep the management account for governance only; workload teams should not deploy applications there
- Review the compliance dashboard quarterly; detective control noise without remediation creates alert fatigue
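The proactive-control tip above is easier to reason about with a concrete pre-deployment check. The block below is an added example (not a Control Tower control definition and not AWS code): it walks a CloudFormation template in its JSON form, applies a constructed baseline rule to every `AWS::S3::Bucket` (all four public-access-block flags set, server-side encryption declared), and returns a hook-style verdict before any resource exists. The rule set, the two sample templates and the `SUCCESS`/`FAILED` result shape are assumptions made for the illustration.

```python
"""Pre-deployment template check in the spirit of a proactive control:
evaluate a CloudFormation template's declared resources and fail the
deployment before anything is created.  Added example; the rule set,
templates and hook-style result format are constructed, and YAML templates
would need a CloudFormation-aware loader in place of json."""
import json

# Constructed baseline: every S3 bucket must block all four public-access
# paths and declare default encryption.
PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                       "IgnorePublicAcls", "RestrictPublicBuckets")


def _check_s3_bucket(logical_id, props):
    """Return a list of findings (empty when the bucket passes the rule)."""
    findings = []
    pab = props.get("PublicAccessBlockConfiguration", {})
    # CloudFormation accepts true or "true"; anything else is a gap.
    missing = [f for f in PUBLIC_ACCESS_FLAGS
               if str(pab.get(f)).lower() != "true"]
    if missing:
        findings.append(f"{logical_id}: public access block incomplete, "
                        f"missing {missing}")
    if "BucketEncryption" not in props:
        findings.append(f"{logical_id}: no BucketEncryption configured")
    return findings


# One rule per resource type; types without a rule are not evaluated here.
RULES = {"AWS::S3::Bucket": _check_s3_bucket}


def evaluate_template(template):
    """Return ("SUCCESS", []) or ("FAILED", [finding, ...]) for a template."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rule = RULES.get(resource.get("Type"))
        if rule:
            findings.extend(rule(logical_id, resource.get("Properties", {})))
    return ("FAILED" if findings else "SUCCESS", findings)


# Constructed templates: one bucket only half-configured, one compliant.
NONCOMPLIANT = json.loads("""{
  "Resources": {
    "Artifacts": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": true}
      }
    },
    "Queue": {"Type": "AWS::SQS::Queue"}
  }
}""")

COMPLIANT = json.loads("""{
  "Resources": {
    "Artifacts": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "PublicAccessBlockConfiguration": {
          "BlockPublicAcls": true, "BlockPublicPolicy": true,
          "IgnorePublicAcls": true, "RestrictPublicBuckets": true
        },
        "BucketEncryption": {
          "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}
          ]
        }
      }
    }
  }
}""")

if __name__ == "__main__":
    for name, tpl in (("noncompliant", NONCOMPLIANT), ("compliant", COMPLIANT)):
        status, findings = evaluate_template(tpl)
        print(name, status, *findings, sep="\n  ")
```

Running the check in CI against the same templates the pipeline deploys gives teams the "blocked before it exists" feedback the tip describes, and the findings list is what a control owner would attach to an exception request.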

## Gotchas

### Serious

- **Terminology drift:** Internal docs still saying “guardrails” cause engineers to miss current AWS documentation and support cases referencing **controls**.
- **SCP blast radius:** A misconfigured preventive control can block production deployments organization-wide. Test in a sandbox OU before enabling globally.
- **AFT pipeline failures:** A broken AFT customization repo blocks new account provisioning for every request — treat AFT repos like production CI.
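The SCP blast-radius gotcha is best caught before a control is attached to anything. The block below is an added example (not from the page, AWS or Control Tower): an offline dry run that evaluates a candidate SCP, shaped like a region-deny preventive control, against the API calls a deployment pipeline actually makes, including the global services whose calls are attributed to `us-east-1`. The SCP documents, the request list and the pipeline's use of CloudFront, Route 53 and an ACM certificate are constructed; the evaluator models only the Deny-statement semantics such controls need (`Action`/`NotAction` wildcards and a few string condition operators), not the full IAM policy language.

```python
"""Offline dry run of a candidate Service Control Policy against the requests
a deployment pipeline makes.  Added example, not Control Tower's own region
deny control; the SCPs, regions and request list below are constructed."""
import fnmatch
import json


def _glob_any(patterns, value):
    """True if value matches any IAM-style pattern (* and ? wildcards)."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _condition_holds(condition, request):
    """Evaluate the condition operators commonly used in region/role SCPs."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            expected = expected if isinstance(expected, list) else [expected]
            actual = request.get(key)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":      # missing key => true
                ok = actual not in expected
            elif operator == "StringLike":
                ok = actual is not None and _glob_any(expected, actual)
            elif operator == "StringNotLike":        # missing key => true
                ok = actual is None or not _glob_any(expected, actual)
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def _statement_denies(statement, request):
    if statement.get("Effect") != "Deny":
        return False
    if "Action" in statement:
        in_scope = _glob_any(statement["Action"], request["action"])
    else:
        in_scope = not _glob_any(statement["NotAction"], request["action"])
    return in_scope and _condition_holds(statement.get("Condition", {}), request)


def dry_run(scp, requests):
    """Map each denied action to the Sids of the statements that deny it."""
    denied = {}
    for req in requests:
        sids = [s.get("Sid", "?") for s in scp["Statement"]
                if _statement_denies(s, req)]
        if sids:
            denied[req["action"]] = sids
    return denied


# Constructed: what the pipeline calls.  CloudFront, Route 53 and the ACM
# certificate a CloudFront distribution needs are served from us-east-1,
# which is exactly what a single-region deny trips over.
REQUESTS = [
    {"action": "cloudformation:CreateStack", "aws:RequestedRegion": "eu-west-1"},
    {"action": "s3:PutObject", "aws:RequestedRegion": "eu-west-1"},
    {"action": "cloudfront:CreateDistribution", "aws:RequestedRegion": "us-east-1"},
    {"action": "route53:ChangeResourceRecordSets", "aws:RequestedRegion": "us-east-1"},
    {"action": "acm:RequestCertificate", "aws:RequestedRegion": "us-east-1"},
]

# Constructed first draft: only the usual IAM-family global services exempted.
DRAFT_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideEU", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}
  }]
}""")

# Revised draft: global services exempted by name, and ACM allowed in exactly
# one extra region by a second, narrower statement instead of opening the
# whole region to every service.
REVISED_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyOutsideEU", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*",
                  "cloudfront:*", "route53:*", "acm:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}
  }, {
    "Sid": "DenyAcmOutsideEUAndUsEast1", "Effect": "Deny", "Resource": "*",
    "Action": "acm:*",
    "Condition": {"StringNotEquals":
                  {"aws:RequestedRegion": ["eu-west-1", "us-east-1"]}}
  }]
}""")

if __name__ == "__main__":
    print("draft  :", dry_run(DRAFT_SCP, REQUESTS))
    print("revised:", dry_run(REVISED_SCP, REQUESTS))
```

The draft denies the three `us-east-1` calls and would have stalled every CloudFront deployment in the OU; the revision passes the pipeline's request list while still denying, for example, `s3:PutObject` in `us-west-2`. The same request list is what to replay in the sandbox OU before the control is attached to production.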

### Regular

- Control Tower sets up CloudTrail and Config in specific accounts; teams that duplicate logging elsewhere pay twice until consolidated.
- Not all AWS services have proactive controls — rely on preventive + detective layers for those gaps.
- Account Factory via Service Catalog and AFT solve the same problem differently; running both without clear ownership confuses requesters.

## Official references

- [What is AWS Control Tower?](https://docs.aws.amazon.com/controltower/latest/userguide/what-is-control-tower.html) — landing zone automation and core concepts
- [Controls in Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/controls.html) — preventive, detective, and proactive control types

## Related FactualMinds content

- [AWS Control Tower Setup Guide](/blog/how-to-set-up-aws-control-tower-multi-account-governance/)
- [AWS Landing Zone vs Control Tower](/blog/aws-multi-account-strategy-landing-zone-best-practices/)
- [AWS Architecture Review](/services/aws-architecture-review/)

---

*Source: https://www.factualminds.com/glossary/aws-control-tower/*
