Tutorial / Cram Notes

Before you deploy AWS Control Tower, there are a few prerequisites and considerations to be aware of to ensure a successful deployment:

  • AWS Account Setup: You must have a clean master account with which to deploy AWS Control Tower. This account should not contain any other resources or services that are not related to AWS Control Tower.
  • Region Availability: Make sure that AWS Control Tower is available in the region where you want to deploy it. AWS Control Tower may not be supported in every AWS region.
  • VPC Considerations: The master account should not have an existing VPC that was associated with AWS Organizations unless you are prepared to have AWS Control Tower manage it.
  • Organizations: You should ideally deploy AWS Control Tower in an account that is already a management account of AWS Organizations with all features enabled.
  • Service Role: Ensure that your account has the necessary permissions and service roles to allow Control Tower to manage resources on your behalf.
  • Service Quotas: Check service quotas to ensure they permit creating the necessary resources within your landing zone, such as VPCs, S3 buckets, and IAM roles.

Before deploying AWS Control Tower, certain AWS services must be deactivated or not present in the master account for the deployment to be successful. These include:

  • AWS Config
  • AWS Single Sign-On (currently active)
  • Amazon GuardDuty (currently active)
  • AWS CloudTrail (multi-region trail)
  • IAM roles, policies, and users that might conflict with the ones that Control Tower will create
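A pre-deployment check of the prerequisites listed above, as an added example that is not part of the original notes. It evaluates API responses in the shape boto3 returns for describe_organization, describe_configuration_recorders, describe_trails and list_detectors, so it runs offline; the sample responses are constructed and the function name is the example's own.

```python
"""Prerequisite check for a prospective AWS Control Tower management account.
Added example: it inspects already-collected boto3-shaped responses rather than
calling AWS, so it runs offline. Sample data below is constructed, not captured."""
from typing import Any, Dict, List


def find_blockers(org: Dict[str, Any], config_recorders: Dict[str, Dict[str, Any]],
                  trails: Dict[str, Any], guardduty: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of human-readable blockers; an empty list means ready to deploy.

    org:              organizations.describe_organization() response
    config_recorders: {region: config.describe_configuration_recorders() response}
    trails:           cloudtrail.describe_trails() response
    guardduty:        {region: guardduty.list_detectors() response}
    """
    blockers: List[str] = []
    # Organizations must be in "All Features" mode (SCPs need it), not consolidated billing only.
    feature_set = org.get("Organization", {}).get("FeatureSet")
    if feature_set != "ALL":
        blockers.append(f"Organizations feature set is {feature_set!r}, expected 'ALL'")
    # AWS Config must not already be recording: Control Tower manages Config itself.
    for region, resp in config_recorders.items():
        for rec in resp.get("ConfigurationRecorders", []):
            blockers.append(f"AWS Config recorder {rec['name']!r} already exists in {region}")
    # A pre-existing multi-region trail conflicts with the trail Control Tower creates.
    for trail in trails.get("trailList", []):
        if trail.get("IsMultiRegionTrail"):
            blockers.append(f"multi-region CloudTrail trail {trail['Name']!r} is present")
    # The notes list an active GuardDuty detector as something to clear first.
    for region, resp in guardduty.items():
        if resp.get("DetectorIds"):
            blockers.append(f"GuardDuty detector active in {region}")
    return blockers


# Constructed sample responses (placeholder ids, not from a real account).
SAMPLE_ORG = {"Organization": {"Id": "o-example", "FeatureSet": "CONSOLIDATED_BILLING"}}
SAMPLE_CONFIG = {"us-east-1": {"ConfigurationRecorders": [{"name": "default"}]},
                 "us-west-2": {"ConfigurationRecorders": []}}
SAMPLE_TRAILS = {"trailList": [{"Name": "org-trail", "IsMultiRegionTrail": True},
                               {"Name": "local-only", "IsMultiRegionTrail": False}]}
SAMPLE_GD = {"us-east-1": {"DetectorIds": ["detector-example-id"]},
             "us-west-2": {"DetectorIds": []}}

if __name__ == "__main__":
    for issue in find_blockers(SAMPLE_ORG, SAMPLE_CONFIG, SAMPLE_TRAILS, SAMPLE_GD):
        print("BLOCKER:", issue)
```

Feeding it real responses means calling the four boto3 APIs per governed region with read-only permissions and passing the results in unchanged.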

Deploying AWS Control Tower

To deploy AWS Control Tower, you can follow these steps:

  1. Log In to the Master Account: Using your AWS master account, log in to the AWS Management Console.
  2. Navigate to AWS Control Tower Dashboard: Go to the AWS Control Tower service page through the AWS Management Console.
  3. Set up Your Landing Zone: Click on the “Set up landing zone” button from the AWS Control Tower dashboard.
  4. Provide Organizational Units (OUs): Specify your Organizational Units that represent different groups or departments in your company.
  5. Review and Configure: Review the pre-configured settings that AWS Control Tower will apply to your environment. At this stage, fine-tune settings such as the network setup, the shared accounts (audit and logging), and the default security standards.
  6. Deploy: Once you have reviewed and confirmed the setup, click on “Set up landing zone” to start the deployment process.

Post-Deployment Configuration

After successful deployment:

  1. Validate the Environment: It is crucial to validate that the services and guardrails are correctly implemented. Navigate to the AWS Control Tower dashboard to see the status of your landing zones and to ensure that they are compliant with your specified policies.
  2. Implement Governance: Using Account Factory, you can provision new AWS accounts that automatically comply with pre-defined policies and are placed within the appropriate OUs.
  3. Set Up Data Protection: Implement additional data protection mechanisms, such as AWS Backup, and ensure encryption with AWS KMS is in place.
  4. Configure Identity Management: Set up centralized identity management with AWS Single Sign-On (SSO), and integrate it with your existing identity provider.

By following these steps and considerations, an organization can deploy AWS Control Tower effectively and ensure that it operates within a secure and compliant cloud environment. This approach supports ongoing governance and security best practices in preparation for achieving the AWS Certified Security – Specialty (SCS-C02) certification or managing a complex AWS infrastructure.

Practice Test with Explanation

True or False: Before deploying AWS Control Tower, Amazon Cloud Directory must be disabled in the AWS account.

  • True
  • False

Answer: False

Explanation: AWS Control Tower does not require Amazon Cloud Directory to be disabled before deployment. AWS Control Tower sets up a landing zone that includes necessary configurations for multiple AWS services.

Which AWS service has to be deactivated before deploying AWS Control Tower in an account?

  • AWS Config
  • AWS Organizations
  • AWS Shield
  • Amazon CloudWatch

Answer: AWS Config

Explanation: AWS Control Tower requires that AWS Config be deactivated in the regions where Control Tower is being set up, as it will manage AWS Config settings and rules for all accounts in the landing zone.

When deploying AWS Control Tower, should you first create an Organizational Unit (OU) manually?

  • Yes
  • No

Answer: No

Explanation: AWS Control Tower will automatically create two OUs (Security and Sandbox) during the setup. You should not create an OU manually before the deployment as it is part of the setup process.

True or False: An existing AWS account can be enrolled into AWS Control Tower after it has been deployed.

  • True
  • False

Answer: True

Explanation: Existing AWS accounts can be enrolled into AWS Control Tower by moving them into an Organizational Unit managed by Control Tower, as long as they adhere to the prerequisites.

Which of the following services does not need to be deactivated for AWS Control Tower deployment?

  • AWS Single Sign-On
  • AWS CloudFormation StackSets
  • AWS Service Catalog
  • Amazon GuardDuty

Answer: Amazon GuardDuty

Explanation: Amazon GuardDuty does not need to be deactivated prior to deploying AWS Control Tower. Control Tower can integrate with GuardDuty without any interference.

True or False: You need to disable AWS Trusted Advisor before setting up AWS Control Tower.

  • True
  • False

Answer: False

Explanation: AWS Trusted Advisor does not need to be disabled for AWS Control Tower setup, as there is no conflict between Trusted Advisor recommendations and Control Tower governance.

What should be the status of AWS Organizations for deploying AWS Control Tower?

  • Enable All Features mode
  • Disable AWS Organizations
  • Be in Consolidated Billing features mode only
  • None of the above

Answer: Enable All Features mode

Explanation: AWS Control Tower requires that AWS Organizations is enabled with all features, not just consolidated billing, as it uses service control policies (SCPs) that are available only in the “All Features” mode.

True or False: You should delete all AWS CloudFormation stacks before deploying AWS Control Tower.

  • True
  • False

Answer: False

Explanation: There is no blanket requirement to delete AWS CloudFormation stacks before deploying AWS Control Tower. However, stacks that might conflict with the setup should be reviewed and potentially removed or modified.

Which AWS service must be enabled in the management account for AWS Control Tower to function correctly?

  • AWS Secrets Manager
  • AWS Systems Manager
  • AWS Single Sign-On
  • Amazon VPC

Answer: AWS Single Sign-On

Explanation: AWS Single Sign-On (SSO) must be enabled as Control Tower uses AWS SSO for centralized user access and management across the multiple accounts in the landing zone.

True or False: AWS Control Tower requires a clean, unused AWS account for the initial setup.

  • True
  • False

Answer: True

Explanation: For the initial deployment, AWS Control Tower requires a clean account with no active resources or configurations in order to set up the landing zone appropriately.

After deploying AWS Control Tower, can you activate additional AWS Regions for your landing zone without restrictions?

  • Yes
  • No

Answer: No

Explanation: While AWS Control Tower does support multi-region deployments, you must follow specific guidelines and use the Control Tower dashboard to add new regions to ensure proper setup and governance of the landing zone.

True or False: You can deploy AWS Control Tower using an account that is already part of an AWS Organizations OU.

  • True
  • False

Answer: False

Explanation: Deployment requires a master account that is not already part of an AWS Organizations OU; this ensures that Control Tower can set up and manage the OUs as needed.

Interview Questions

Can you describe the core components of AWS Control Tower and their individual roles within the service?

AWS Control Tower has several key components such as the Landing Zone, which automatically sets up a baseline environment with best practices; the Account Factory for provisioning new accounts; Guardrails for governance that enforce policy adherence; SSO for user access management; and a Dashboard for visibility into your AWS environment. These components work together to simplify the setup and governance of a multi-account AWS environment.

How does AWS Control Tower fit into an organization’s existing multi-account AWS setup, and what are the implications for current services and infrastructure?

AWS Control Tower is designed to work with AWS Organizations, enhancing your ability to manage and monitor multiple AWS accounts. For an existing setup, deploying Control Tower will implement its governance framework over all accounts. This may affect existing services as Control Tower applies certain preventative and detective guardrails that might alter configurations. It is important to understand the impact of these guardrails and to follow AWS recommendations to prepare accounts before deployment.

What is a Landing Zone in AWS Control Tower, and why is it critical for successful deployment?

A Landing Zone in AWS Control Tower is a pre-configured, secure, and compliant multi-account AWS environment. It is critical for successful deployment as it lays the foundation for your AWS infrastructure, ensuring that standard security and compliance policies are applied consistently across all accounts, and accelerates the setup process.

Before deploying AWS Control Tower, which existing AWS services or features should be deactivated or configured, and why?

Before deploying AWS Control Tower, deactivate or remove AWS Organizations SCPs (Service Control Policies) that may conflict with the implementation, disable any cross-account roles that conflict with the OU (Organizational Unit) structure of Control Tower, and ensure that there are no existing AWS Config rules or AWS CloudTrail trails that could interfere with Control Tower’s setup. Doing this helps to avoid conflicts that might cause the deployment to fail or lead to unexpected behavior in the environment.

What are the key considerations when planning the deployment of AWS Control Tower in an environment with pre-existing AWS resources?

Key considerations include ensuring account compliance with Control Tower prerequisites, reviewing existing organizational units, backing up current account configurations, understanding how Control Tower’s guardrails will interact with your current resources, and having a rollback plan in case the deployment affects your environment unexpectedly.

Describe how preventive and detective guardrails in AWS Control Tower ensure security and compliance.

Preventive guardrails in AWS Control Tower work by enforcing certain configurations and blocking actions that could violate your compliance policies, while detective guardrails actively monitor for non-compliant resources and alert you when violations occur. Together, they help ensure that your AWS environment adheres to compliance and security best practices.

Can you explain how you could use AWS Control Tower to provision new accounts, and what the process entails?

Provisioning new accounts in AWS Control Tower is done through the Account Factory, which streamlines account creation while applying baseline configurations. The process entails defining an account configuration template, including organizational units, IAM roles, and network setups. When a request for a new account is made, Control Tower automates the provisioning process in line with the template to ensure consistency and adherence to security standards.

Is it possible to integrate AWS Control Tower with third-party security tools, and if so, how would you go about doing that?

Yes, it is possible. AWS Control Tower integrates with third-party security tools via AWS service integrations, such as sending findings to Amazon EventBridge, which can then trigger actions or notify external services. Additionally, you can use AWS Lambda functions to further customize how you interact with third-party tools.

What roles and permissions need to be in place before deploying AWS Control Tower?

Before deploying AWS Control Tower, you need to have the necessary permissions assigned to the IAM user or role performing the deployment. This typically requires administrator-level privileges. It’s essential to audit existing IAM policies and roles to ensure compliance with AWS Control Tower’s security policies and identity management configurations.

How can you monitor compliance within AWS Control Tower, and which AWS services are leveraged for this purpose?

Compliance can be monitored within AWS Control Tower using the Guardrails dashboard, which provides an overview of the compliance status of your resources. AWS services leveraged for this include AWS Config, which evaluates the compliance of resources with AWS best practices, and AWS CloudTrail, which logs and monitors account activity.

In the case of detection of non-compliant resources, what steps can be taken within AWS Control Tower to remediate issues?

Upon detection of non-compliant resources, AWS Control Tower will flag these issues. The steps that can be taken to remediate them include using automated remediation actions through AWS Systems Manager or Lambda functions, or manually correcting the configurations as per the suggestions provided by AWS Control Tower’s guardrails.

Can you describe a scenario where you would choose not to deploy AWS Control Tower, despite managing multiple AWS accounts?

One might choose not to deploy AWS Control Tower if their organization has deeply customized multi-account management systems already in place that would conflict with Control Tower’s automated setup, or if they need flexibility beyond the standardized guardrails and policies provided. Another scenario could be a company with minimal AWS resources and accounts, where the overhead of Control Tower does not make sense compared to simpler management solutions.

Kajus Gjesdal
4 months ago

Can Control Tower be deployed in an existing AWS environment without conflicts?

Johanne Christiansen
3 months ago

The information about deactivating specific services was really useful. Thank you!

Dragan Hubert
4 months ago

Just a heads up to everyone: Make sure your organization’s security requirements are clearly documented before making changes.

Miguel Gómez
3 months ago

Not the best blog post, found some of the steps a bit unclear.

Branislav Novaković
4 months ago

Appreciate the detailed explanation on Control Tower deployment!

آدرین سهيلي راد

For those who have deployed Control Tower successfully, did you encounter any specific issues?

Lavrin Solomchenko
3 months ago

Your post was exactly what I needed to prep for the SCS-C02 exam. Thanks!

Inger Nuur
4 months ago

In the context of AWS Control Tower, how do I handle multi-account environments?
