AWS Control Tower
Managed service that automates AWS landing zone setup, multi-account governance, and compliance monitoring with preventive, detective, and proactive controls.
Definition
AWS Control Tower is a managed service that simplifies AWS multi-account governance by automating landing zone setup and providing pre-configured controls (formerly called “guardrails”; AWS switched to the term “controls” in late 2022). It builds on AWS Organizations, Service Control Policies (SCPs), AWS Config, and CloudTrail to enforce organizational standards across accounts.
Core Components
Orchestration
- Automated account provisioning via Account Factory
- Pre-configured account structure: the management account plus the Log Archive and Audit accounts in a Security OU, with a separate OU for workload accounts
- CloudFormation-based landing zone setup
Controls (formerly “guardrails”)
- Pre-packaged AWS best practices enforced via SCPs and AWS Config rules
- Three types: Preventive, Detective, and Proactive (launched November 2022)
- Examples: Disable public S3 bucket creation, require encryption, enforce MFA
Account Factory
- Self-service account provisioning for teams via Service Catalog
- Baseline security, networking, and compliance applied automatically
- Reduces time-to-productivity from weeks to hours
- Account Factory for Terraform (AFT) — the recommended programmatic approach using Terraform to provision and customize accounts at scale
Compliance Dashboard
- Centralized view of control compliance across accounts
- Near-real-time violation detection and alerting (AWS Config evaluations, with SNS notifications delivered to the Audit account)
- Historical compliance trends
Three Types of Controls
Preventive Controls (block actions)
- Implemented via SCPs
- Disable public S3 access
- Disallow root account access key creation
- Require encryption on buckets
- Enforce MFA
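The four preventive examples above, written as SCP statements with a small evaluator that shows why an explicit Deny is preventive. This is an added illustration, not AWS's or Control Tower's own code: `PREVENTIVE_SCP` is a constructed policy in the shape Control Tower attaches to an OU, and `scp_denies()` models only the subset of SCP semantics needed here (Deny statements, Action wildcards, and the StringLike, StringEquals, Null, Bool and BoolIfExists operators); Allow statements, NotAction, Resource matching and policy variables are not modelled.

```python
"""Preventive controls as SCP Deny statements, with a minimal evaluator.

Added illustration, not AWS's or Control Tower's code. PREVENTIVE_SCP is a
constructed policy with one statement per preventive example; scp_denies()
implements only the SCP semantics those statements need.
"""
import fnmatch

PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Disallow root account access key creation
            "Sid": "DenyRootAccessKeys",
            "Effect": "Deny",
            "Action": "iam:CreateAccessKey",
            "Resource": "*",
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        },
        {   # Disable public S3 access: nobody may weaken Block Public Access settings
            "Sid": "DenyBlockPublicAccessChanges",
            "Effect": "Deny",
            "Action": ["s3:PutAccountPublicAccessBlock", "s3:PutBucketPublicAccessBlock"],
            "Resource": "*",
        },
        {   # Require encryption: reject uploads that do not request server-side encryption
            "Sid": "DenyUnencryptedPutObject",
            "Effect": "Deny",
            "Action": "s3:PutObject",
            "Resource": "*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
        {   # Enforce MFA on destructive actions. BoolIfExists also matches when the key is
            # absent, which is the case for long-term access keys, so those are denied too.
            "Sid": "DenyDestructiveWithoutMFA",
            "Effect": "Deny",
            "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance", "s3:DeleteBucket"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _matches_any(value, patterns):
    """IAM-style wildcard match ('*' and '?'); fnmatch also honours '[]', close enough here."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block is satisfied by ctx."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            allowed = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringLike":
                ok = actual is not None and _matches_any(actual, allowed)
            elif operator == "StringEquals":
                ok = actual in allowed
            elif operator == "Null":
                ok = (actual is None) == (allowed[0] == "true")
            elif operator == "Bool":
                ok = actual is not None and str(actual).lower() == allowed[0]
            elif operator == "BoolIfExists":
                ok = actual is None or str(actual).lower() == allowed[0]
            else:
                raise ValueError(f"operator {operator} not modelled")
            if not ok:
                return False
    return True


def scp_denies(policy, action, ctx):
    """Return the Sid of the first matching Deny statement, or None.

    SCPs never grant access; an explicit Deny overrides any IAM Allow inside
    the member account, which is what makes the control preventive.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _matches_any(action, stmt.get("Action", [])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue
        return stmt["Sid"]
    return None


if __name__ == "__main__":
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root"}
    alice = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice"}
    print(scp_denies(PREVENTIVE_SCP, "iam:CreateAccessKey", root))   # DenyRootAccessKeys
    print(scp_denies(PREVENTIVE_SCP, "iam:CreateAccessKey", alice))  # None
    print(scp_denies(PREVENTIVE_SCP, "ec2:TerminateInstances", {}))  # DenyDestructiveWithoutMFA
```

The MFA statement is the one worth reading twice: `Bool` would silently let requests signed with long-term access keys through, because those requests carry no `aws:MultiFactorAuthPresent` key at all, whereas `BoolIfExists` treats the missing key as a match and denies them.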
Detective Controls (detect violations)
- Implemented via AWS Config rules
- Detect untagged resources
- Monitor CloudTrail logging
- Alert on logging disabled
- Detect unrestricted SSH access
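Detective control logic for two of the examples above (untagged resources, unrestricted SSH), in the shape a custom AWS Config rule returns evaluations. This is an added illustration, not one of Control Tower's managed rules: the evaluation functions, the required-tag list and the configuration items are constructed here, and the item layout (`configuration.ipPermissions` with `ipv4Ranges`/`ipv6Ranges`, `tags` at the top level) is a simplified, assumed rendering of what Config records for a security group.

```python
"""Detective control logic in the style of a custom AWS Config rule.

Added illustration, not Control Tower's managed rules. Configuration items
are constructed; their field layout is assumed and trimmed to what is read.
"""
SSH_PORT = 22
WORLD = {"0.0.0.0/0", "::/0"}
REQUIRED_TAGS = ("Owner", "Environment")   # assumed tagging standard for this example


def _covers_port(perm, port):
    """Does this ingress permission include TCP <port> (or all traffic)?"""
    proto = perm.get("ipProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("fromPort"), perm.get("toPort")
    return lo is not None and hi is not None and lo <= port <= hi


def world_open_cidrs(sg_config, port=SSH_PORT):
    """CIDRs that expose <port> to the whole internet, IPv4 and IPv6."""
    found = []
    for perm in sg_config.get("ipPermissions", []):
        if not _covers_port(perm, port):
            continue
        found += [r["cidrIp"] for r in perm.get("ipv4Ranges", []) if r.get("cidrIp") in WORLD]
        found += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") in WORLD]
    return found


def evaluate_item(item):
    """Return one Config-style evaluation for a configuration item."""
    rtype, rid = item["resourceType"], item["resourceId"]
    findings = []
    missing = [t for t in REQUIRED_TAGS if t not in item.get("tags", {})]
    if missing:
        findings.append("missing tags: " + ", ".join(missing))
    if rtype == "AWS::EC2::SecurityGroup":
        cidrs = world_open_cidrs(item["configuration"])
        if cidrs:
            findings.append("SSH open to " + ", ".join(cidrs))
    return {
        "ComplianceResourceType": rtype,
        "ComplianceResourceId": rid,
        "ComplianceType": "NON_COMPLIANT" if findings else "COMPLIANT",
        "Annotation": "; ".join(findings) or "ok",
    }


# Constructed configuration items: a compliant bastion SG, a legacy SG with a
# wide port range open to the world, and an allow-all SG with no tags.
SAMPLE_ITEMS = [
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0bastion",
     "tags": {"Owner": "platform", "Environment": "prod"},
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipv4Ranges": [{"cidrIp": "10.0.0.0/8"}], "ipv6Ranges": []}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0legacy",
     "tags": {"Owner": "team-x"},
     "configuration": {"ipPermissions": [
         {"ipProtocol": "tcp", "fromPort": 0, "toPort": 1024,
          "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": [{"cidrIpv6": "::/0"}]}]}},
    {"resourceType": "AWS::EC2::SecurityGroup", "resourceId": "sg-0allopen",
     "tags": {},
     "configuration": {"ipPermissions": [
         {"ipProtocol": "-1", "ipv4Ranges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []}]}},
]


def evaluate_all(items=SAMPLE_ITEMS):
    return [evaluate_item(i) for i in items]


if __name__ == "__main__":
    for e in evaluate_all():
        print(e["ComplianceResourceId"], e["ComplianceType"], "-", e["Annotation"])
```

Two details matter in practice: a rule that only looks for `fromPort == 22` misses the legacy group's 0-1024 range and the `-1` all-traffic rule, and a rule that only checks IPv4 misses `::/0`.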
Proactive Controls (launched November 2022)
- Implemented via AWS CloudFormation Hooks
- Evaluate resources before they are provisioned (shift-left governance)
- Block non-compliant CloudFormation deployments at the IaC level
- Example: Block EC2 instance creation if encryption is not enabled in the template
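The EC2 encryption example above as pre-deployment check logic. This is an added illustration and not one of Control Tower's published proactive controls: it mirrors what a CloudFormation Hook handler does at preCreate/preUpdate (inspect resource properties, return PASS or FAIL with a message), applied to a whole parsed template. The policy is a choice made for this example: every EBS device declared on an `AWS::EC2::Volume`, `AWS::EC2::Instance` or `AWS::EC2::LaunchTemplate` must set `Encrypted: true`, an instance or launch template that declares no block device fails because the template then cannot prove the root volume is encrypted, and intrinsic functions such as `Ref` are treated as unknown and fail (a real hook receives resolved values). The two templates are constructed.

```python
"""Proactive control logic: fail a CloudFormation template before deployment.

Added illustration, not a Control Tower control. Mirrors a CloudFormation
Hook preCreate/preUpdate handler; templates are constructed and already parsed.
"""
TARGET_TYPES = {"AWS::EC2::Volume", "AWS::EC2::Instance", "AWS::EC2::LaunchTemplate"}


def _ebs_devices(rtype, props):
    """Yield (path, ebs_properties) for each EBS device the resource declares."""
    if rtype == "AWS::EC2::Volume":
        yield "Properties", props
        return
    mappings, prefix = props.get("BlockDeviceMappings", []), "BlockDeviceMappings"
    if rtype == "AWS::EC2::LaunchTemplate":
        mappings = props.get("LaunchTemplateData", {}).get("BlockDeviceMappings", [])
        prefix = "LaunchTemplateData.BlockDeviceMappings"
    for i, mapping in enumerate(mappings):
        if "Ebs" in mapping:            # NoDevice / VirtualName entries carry no EBS volume
            yield f"{prefix}[{i}].Ebs", mapping["Ebs"]


def _is_encrypted(ebs):
    # YAML templates often carry the string "true"; False, missing, or {"Ref": ...} all fail
    return ebs.get("Encrypted") in (True, "true")


def evaluate_resource(logical_id, resource):
    """PASS/FAIL verdict for one resource, with a message a developer can act on."""
    rtype = resource.get("Type", "")
    if rtype not in TARGET_TYPES:
        return {"logicalId": logical_id, "status": "PASS", "message": "not in scope"}
    devices = list(_ebs_devices(rtype, resource.get("Properties", {})))
    if not devices:
        return {"logicalId": logical_id, "status": "FAIL",
                "message": "no EBS device declared; root volume encryption is not provable"}
    bad = [path for path, ebs in devices if not _is_encrypted(ebs)]
    if bad:
        return {"logicalId": logical_id, "status": "FAIL",
                "message": "Encrypted must be true at " + ", ".join(bad)}
    return {"logicalId": logical_id, "status": "PASS", "message": "all EBS devices encrypted"}


def evaluate_template(template):
    """Stack-level verdict: one failing in-scope resource blocks the deployment."""
    results = [evaluate_resource(lid, r) for lid, r in template.get("Resources", {}).items()]
    verdict = "FAIL" if any(r["status"] == "FAIL" for r in results) else "PASS"
    return verdict, results


# Constructed templates (parsed form; JSON/YAML loading is out of scope here)
COMPLIANT_TEMPLATE = {"Resources": {
    "Web": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0example", "InstanceType": "t3.micro",
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                                 "Ebs": {"VolumeSize": 20, "Encrypted": True, "KmsKeyId": "alias/ebs"}}]}},
    "Data": {"Type": "AWS::EC2::Volume", "Properties": {
        "Size": 100, "AvailabilityZone": "eu-west-1a", "Encrypted": "true"}},
    "Bucket": {"Type": "AWS::S3::Bucket"},
}}

NONCOMPLIANT_TEMPLATE = {"Resources": {
    "Legacy": {"Type": "AWS::EC2::Instance", "Properties": {
        "ImageId": "ami-0example", "InstanceType": "t3.micro",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 20, "Encrypted": True}},
            {"DeviceName": "/dev/sdf", "Ebs": {"VolumeSize": 50}},        # unencrypted data disk
            {"DeviceName": "/dev/sdb", "VirtualName": "ephemeral0"}]}},    # instance store, ignored
    "Bare": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-0example"}},
    "Tmpl": {"Type": "AWS::EC2::LaunchTemplate", "Properties": {"LaunchTemplateData": {
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                                 "Ebs": {"Encrypted": {"Ref": "EncryptVolumes"}}}]}}},
}}


if __name__ == "__main__":
    for name, tpl in (("compliant", COMPLIANT_TEMPLATE), ("noncompliant", NONCOMPLIANT_TEMPLATE)):
        verdict, results = evaluate_template(tpl)
        print(name, verdict)
        for r in results:
            print("  ", r["logicalId"], r["status"], "-", r["message"])
```

The same evaluation run inside a hook stops the stack before any instance exists; the detective equivalent would only report the unencrypted `/dev/sdf` volume after it had been created and possibly populated.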
Account Factory for Terraform (AFT)
AFT is the recommended approach for organizations already using Terraform. It does not bypass Account Factory; it drives the same Service Catalog product from a GitOps pipeline, so account requests come from code rather than the console:
- Store account customizations as Terraform code in a Git repository
- AFT pipeline runs automatically when a new account request is merged
- Supports pre/post-provisioning hooks for custom logic
- Scales to hundreds of accounts without manual intervention
Control Tower vs Manual Landing Zone
| Aspect | Control Tower | Manual Landing Zone |
|---|---|---|
| Setup effort | Low (hours) | High (weeks) |
| Flexibility | Moderate | Full |
| Controls | Pre-built + custom | Fully custom |
| AFT support | Yes | N/A |
| Best for | Governance out-of-the-box | Unique compliance requirements |
Common Mistakes
Mistake 1: Using the old “guardrails” terminology in documentation. AWS switched to “controls” in late 2022; the old name no longer matches AWS documentation or the Control Tower API and causes confusion.
Mistake 2: Not adopting proactive controls. Preventive controls block actions at API-call time; proactive controls reject non-compliant infrastructure at template evaluation, before anything is deployed, which catches issues earlier and with a clearer error for the developer.
Mistake 3: Skipping AFT for Terraform shops. If your team already uses Terraform, AFT gives you GitOps-driven account provisioning with no Control Tower licence cost; budget instead for the pipeline resources AFT deploys (CodePipeline, CodeBuild, Lambda, Step Functions, DynamoDB), which are billed at their normal rates.
Implementation Timeline
Setup: 1-2 hours
- Enable Control Tower in AWS Console
- Configures landing zone and baseline accounts
Customization: 1-2 weeks
- Adjust controls for organizational needs
- Configure AFT pipeline for Terraform-based provisioning
- Enable proactive controls for key CloudFormation stacks
Adoption: Ongoing
- Teams provision accounts via AFT or Service Catalog
- Control Tower monitors compliance
- Quarterly control reviews
Related AWS Services
- AWS Organizations (multi-account management)
- AWS Service Control Policies (SCPs)
- AWS CloudTrail (audit logging)
- AWS Config (detective control implementation)
- AWS IAM Identity Center (centralized SSO for all accounts)