
How to Reduce Operational Risk Using AWS Control Tower

Emma Button, COO at nubeGO, discusses her recent experience of gaining further insight into AWS Control Tower

Recently, a group of nubeGO Technical Solutions Consultants took part in an Immersion Day to gain deeper knowledge of Amazon Web Services' (AWS) Control Tower - a service that helps AWS users speed up the creation of a centralised cloud governance solution. If, like many cloud adopters, you are now managing multiple AWS accounts, AWS Control Tower might help you to implement a set of overarching security and best practice controls in your AWS estate. If you’d like to find out more about AWS Control Tower, contact nubeGO for a Well-Architected Review of your AWS environments.

What is AWS Control Tower?

AWS Control Tower is an automated way of creating a multi-account AWS environment. Using Amazon’s Organisational Units capability, you can create a master (administrative and billing) account (known as your Landing Zone) under which you group together related accounts such as development accounts, departmental accounts or even audit-only accounts.

AWS Control Tower provides an intuitive user interface and dashboard to configure and create your multi-account environment.


In addition to account creation and management, AWS provides three significant capabilities which can help you to improve cloud governance and make large steps in the reduction of operational risk:


Guardrails are a set of security rules and policies that can be applied globally to all accounts in your environment to prevent or detect a suite of common and significant security and cost-control risks.


The Service Catalog is an AWS “storefront” from which your AWS users can choose to create and install accounts of a particular type. Using the AWS Control Tower account service catalog, your end-users can self-serve the creation of standard, templatised new AWS accounts that follow all of your company’s best practice guidelines.


AWS SSO provides a quick yet secure way of authenticating users into their permitted AWS accounts. It provides a neat landing page where users can view their full set of accounts and login details from one place. You can link AWS SSO to your existing identity provider using identity federation.


How Can I Apply Group-Wide Security Guardrails?

AWS Control Tower provides a set of out-of-the-box security guardrails and operational checks. Under the covers, AWS Control Tower implements Service Control Policies (SCPs) on the accounts in your organisation to act as preventative controls, and it creates AWS Config rules as detective controls. With this suite of checks you can quickly apply industry best practice policies upon account creation, with no need to retrospectively apply infrastructure changes to multiple accounts.
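The difference between a preventative and a detective guardrail, as an added Python sketch (not nubeGO's or AWS's code): a simplified SCP deny check that stops an API call, next to a Config-style check that classifies a resource after it exists. The policy, role name, account ID and resources are constructed for illustration, and the matcher is a simplification of IAM's full evaluation logic.

```python
from fnmatch import fnmatchcase

# Constructed SCP for illustration; not a policy shipped by Control Tower.
SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ProtectAuditTrail",
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {
        "aws:PrincipalARN": "arn:aws:iam::*:role/ExampleGovernanceRole"}},
}]}

# Constructed sample input: attempted API calls and recorded resource state.
DEV = "arn:aws:iam::111122223333:role/Developer"
GOV = "arn:aws:iam::111122223333:role/ExampleGovernanceRole"
CALLS = [("cloudtrail:StopLogging", DEV), ("cloudtrail:StopLogging", GOV),
         ("ec2:RunInstances", DEV)]
ITEMS = [
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example1",
     "configuration": {"encrypted": True}},
    {"resourceType": "AWS::EC2::Volume", "resourceId": "vol-0example2",
     "configuration": {"encrypted": False}},
    {"resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
     "configuration": {}},
]

def scp_blocks(policy, action, principal_arn):
    """Preventative: True if a Deny statement matches, so the call is refused."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        # Action names are matched case-insensitively; wildcards are allowed.
        if not any(fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        exempt = stmt.get("Condition", {}).get("ArnNotLike", {}).get("aws:PrincipalARN")
        if exempt and fnmatchcase(principal_arn, exempt):
            continue  # ArnNotLike is false for the exempt role, so no deny
        return True
    return False

def detect_unencrypted_volume(item):
    """Detective: report on a resource that has already been created."""
    if item["resourceType"] != "AWS::EC2::Volume":
        return "NOT_APPLICABLE"
    return "COMPLIANT" if item["configuration"].get("encrypted") else "NON_COMPLIANT"

def governance_report(calls, items):
    """Return (API calls the SCP blocks, resource ids flagged non-compliant)."""
    blocked = [(a, p) for a, p in calls if scp_blocks(SCP, a, p)]
    flagged = [i["resourceId"] for i in items
               if detect_unencrypted_volume(i) == "NON_COMPLIANT"]
    return blocked, flagged
```

The preventative check refuses the developer's call before anything changes, while the detective check only reports the unencrypted volume, which still exists and needs remediation.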


The AWS Control Tower dashboard provides you with a one-page view of the enabled checks on the accounts in your environment and a summary of the account compliance with your company’s rules. The suite of mandatory and recommended checks grows regularly, so you benefit from what AWS has learned from common risks and usage patterns across its customer base. All the Guardrails are ongoing, so you can check back regularly to see how well the compliance rules are being addressed.


What is a Service Catalog?

AWS Control Tower makes great use of the AWS Service Catalog. Using a few defaults that you define, Control Tower creates a new product offering in your service catalog that allows people to pick and choose the type of new AWS account they wish to create.

The Service Catalog UI is like a library of pre-configured products and services that end-users can choose to create. Hooking this into AWS Control Tower means that account creation is streamlined and straightforward. At the click of a button, a user can request the creation of a brand new AWS account that you know will inherit all of the cost and security measures you demand of your estate.


How does AWS SSO Help?

At nubeGO, much like many organisations these days, we use a third-party identity management system for access to our IT platforms and tools. When you first start using AWS Control Tower, it encourages you to implement AWS SSO (Single Sign-On) which, at first, felt like just another password to remember! However, you can integrate AWS SSO with your existing IdP so you can federate access using GSuite, Active Directory or a SAML-compliant provider. And here’s why you would want to…


The landing page when users log into AWS SSO provides a really handy starting point for accessing all of your AWS accounts. Users with permitted access are given direct links to the management console for each of their accounts with each of the IAM roles they are permitted to log in as. In addition to that, users have quick and easy access to their CLI/API access details in one place (which is great for preventing people from writing them down on sticky notes!). The SSO landing page is particularly useful for granting access to AWS resources for less technical team members as it simplifies access.


Having immersed ourselves in AWS Control Tower, our consultants came out feeling inspired about the application of Service Control Policies across AWS Organisations. For us, AWS Control Tower provides governance and simplification of multi-account cloud environments for organisations of all sizes, not just for large enterprises.


Contact nubeGO to find out more about implementing AWS Control Tower or your own security and cost management controls.


0203 901 8501
