AWS Control Tower helps set up and govern an AWS multi-account environment, following prescriptive best practices.
AWS Control Tower offers the easiest way to set up and govern a secure, compliant, well-architected, multi-account AWS environment, that adheres to corporate standards, and meets regulatory requirements based on best practices established by working with thousands of enterprises.
AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS Single Sign-on, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
AWS Control Tower applies preventive and detective controls (guardrails) to help keep AWS organizations and accounts from drift, which is divergence from best practices for e.g, guardrails can be used to help ensure that security logs and necessary cross-account access permissions are created, and not altered.
AWS Control Tower enables end-users on distributed teams to provision new AWS accounts quickly using configurable account templates in Account Factory. Meanwhile, the central cloud administrators can monitor that all accounts are aligned with established, company-wide compliance policies.
Control Tower Features
A landing zone is a well-architected, multi-account environment that’s based on security and compliance best practices.
It is the enterprise-wide container that holds all of the organizational units (OUs), accounts, users, and other resources that need to be subject to compliance regulation.
A landing zone can scale to fit the needs of an enterprise of any size.
AWS Control Tower automates a landing zone to set up a baseline environment that includes:
Updating guardrail status on the AWS Control Tower dashboard
An Account Factory is a configurable account template that helps to standardize the provisioning of new accounts with pre-approved account configurations.
AWS Control Tower offers a built-in Account Factory that helps automate the account provisioning workflow in the organization.
Account Factory uses AWS Service Catalog to provision new accounts.
The dashboard offers continuous oversight of the landing zone to your team of central cloud administrators.
Use the dashboard to see provisioned accounts across the enterprise, guardrails enabled for policy enforcement, guardrails enabled for continuous detection of policy non-conformance, and non-compliant resources organized by accounts and OUs.
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company is expanding its use of AWS services across its portfolios. The company wants to provision AWS accounts for each team to ensure a separation of business processes for security, compliance, and billing. Account creation and bootstrapping should be completed in a scalable and efficient way so new accounts are created with a defined baseline and governance guardrails in place. An administrator needs to design a provisioning process that saves time and resources. Which action should be taken to meet these requirements?
Automate using AWS Elastic Beanstalk to provision the AWS accounts, set up infrastructure, and integrate with AWS Organizations.
Create bootstrapping scripts in AWS OpsWorks and combine them with AWS CloudFormation templates to provision accounts and infrastructure.
Use AWS Config to provision accounts and deploy instances using AWS Service Catalog.
Use AWS Control Tower to create a template in Account Factory and use the template to provision new accounts.