CloudGuild · Blog · Cheat sheets · Lessons · Certifications
AWS Organizations & Control Tower — Centralized account management and governance
AWS Organizations enables centralized management of multiple AWS accounts, while Control Tower provides governance and compliance.
What it is
- AWS Organizations: Service to manage multiple AWS accounts under a single organization.
- Control Tower: Offers pre-configured governance and best practices for managing AWS accounts.
When I reach for it
- When you need to manage multiple AWS accounts efficiently.
- For implementing organizational policies and compliance across accounts.
- When you want to automate account setup with best practices in mind.
Key architectural decisions
- Account Structure: Decide on the organizational units (OUs) and account structure that aligns with business needs.
- Service Control Policies (SCPs): Define policies to control access to AWS services across accounts.
- Guardrails: Choose preventive and detective guardrails in Control Tower to enforce compliance.
Gotchas & exam traps
- Remember that SCPs do not grant permissions; they only restrict them.
- Control Tower is not available in all regions; check regional support before planning.
- Be aware of the limitations on the number of OUs and accounts per organization.
The architect view
- Use AWS Organizations for centralized billing and consolidated reporting.
- Leverage Control Tower for a quick start on multi-account setup with governance.
- Keep security best practices in mind; apply least privilege and regular audits.