Using Control Tower to efficiently manage organizations
Steve Seaney
SVP SaaS Operations and Engineering
Rego Consulting, Inc
Sushanth Mangalore
Sr. Solutions Architect
Amazon Web Services
Agenda
• Rego Introduction
• AWS Control Tower
• Control Tower @ Rego
• Lessons Learned
• Best practices
Rego Introduction
Who is Rego?
We are PPM strategic advisors, using our deep expertise in PPM software as the entryway to build long-term relationships with our clients.
We are experienced practitioners who use our previous PPM job expertise to guide our clients to maximize the value of their PPM software.
We bring industry best-practices to assist our clients in developing a strategy for deploying PPM capabilities as well as helping them realize that value.
AWS Control Tower
AWS Control Tower
The easiest self-service solution to automate the setup of new AWS multi-account environments
• Deployment of AWS best practice Blueprints and Guardrails
• An AWS service, offering automated account creation based on AWS best practices
• Dashboard for monitoring compliance status
• AWS Managed Service version of multi-account environment
Enable governance:
• Set up an AWS landing zone
• Establish controls (guardrails)
• Automate compliant account provisioning
• Centralize identity and access
• Manage continuously
Out of the Box in < 1 Hr…ZERO lines of code written
• Dashboard for visibility
• Automated landing zone
• Controls (Guardrails)
• Account factory
• Built-in identity and access
• Preconfigured log archive and audit access to accounts
• Built-in monitoring and notifications
• Automatic updates
Landing Zone provisioned by AWS Control Tower (architecture diagram)
• Management Account: AWS Control Tower, AWS Organizations, AWS IAM Identity Center, AWS CloudFormation StackSets, AWS Service Catalog (Account Factory)
• Security OU: Log Archive Account (Account Baseline; centralized AWS CloudTrail and AWS Config logs) and Audit Account (Account Baseline; Security Notifications; Security Cross-account roles; Amazon Config Aggregator)
• Custom OU: Provisioned accounts (Account Baseline; Network Baseline)
• SSO directory
Control Tower @ Rego
• Newly migrated to AWS
• Lean Operations Team
• Hard Project End Date
• 150+ AWS Accounts
• Early adopters of CfCT (Customizations for AWS Control Tower)
• Hosting a closed source product
Unique challenges in the Rego AWS environment
Lessons Learnt
• Centralize security tooling
• Keep current with the landing zone and CfCT updates
• Implement all Controls, unless you have a reason not to
• Automate account and resource provisioning
• Utilize IAM Identity Center for SSO
• Utilize Lifecycle events and Organization Events
• Monitor and maintain security standard compliance
• Automate, maintain, and monitor patching
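Two of the lessons above, automating account provisioning and using Control Tower lifecycle events, fit together: the lifecycle event is the trigger that tells automation a new account is ready for its baseline. The following is an added example, not code from the talk, Rego or AWS. It consumes a Control Tower lifecycle event in the shape delivered through Amazon EventBridge (source `aws.controltower`, a CloudTrail service event whose `serviceEventDetails` carries `createManagedAccountStatus` or `updateManagedAccountStatus`) and turns it into a decision: ignore unrelated events, alert on a failed or in-progress provisioning, or baseline a successfully created account. The sample events, the `baseline_steps` mapping, the account ids and the rule pattern are constructed for illustration; check field names against the current Control Tower lifecycle event documentation before relying on them.

```python
"""Consume AWS Control Tower lifecycle events to drive account automation.

Added example, not code from the talk. Event shape follows Control Tower
lifecycle events as delivered via EventBridge; sample events below are
constructed, and the per-OU baseline steps are illustrative placeholders.
"""

# EventBridge rule pattern an operator would attach to the handler
# (assumption: only account create/update events are of interest here).
LIFECYCLE_RULE_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount", "UpdateManagedAccount"]},
}

# Which serviceEventDetails key carries the status for each lifecycle event.
STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}


def matches_pattern(event, pattern):
    """Minimal EventBridge-style matcher: every pattern key must be present in
    the event and its value must be one of the listed alternatives."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], expected):
                return False
        elif event[key] not in expected:
            return False
    return True


def baseline_steps(ou_name):
    """Illustrative per-OU baseline (assumption, mirrors the OU model in the talk)."""
    steps = ["tag account with owner and cost centre",
             "deploy account baseline StackSet",
             "register instances with patch schedule"]
    if ou_name == "Sandbox":
        steps.append("attach spending-limit budget; no network baseline (sandbox is disconnected)")
    else:
        steps.append("deploy network baseline StackSet")
    return steps


def handle_lifecycle_event(event):
    """Return a decision dict: ignore, alert on failure, or baseline a new account."""
    if not matches_pattern(event, LIFECYCLE_RULE_PATTERN):
        return {"action": "ignore", "reason": "not a Control Tower account lifecycle event"}
    detail = event["detail"]
    status = detail["serviceEventDetails"][STATUS_KEYS[detail["eventName"]]]
    account = status.get("account", {})
    if status.get("state") != "SUCCEEDED":
        # Failed or in-progress provisioning: surface it, never baseline a half-built account.
        return {"action": "alert", "account_id": account.get("accountId"),
                "state": status.get("state"), "message": status.get("message")}
    ou_name = status["organizationalUnit"]["organizationalUnitName"]
    return {"action": "baseline", "account_id": account["accountId"],
            "account_name": account["accountName"], "ou": ou_name,
            "steps": baseline_steps(ou_name)}


def _sample_event(event_name, state, ou="Workloads", account_id="111122223333"):
    """Constructed lifecycle event in the documented shape (not a real capture)."""
    return {
        "version": "0", "source": "aws.controltower",
        "detail-type": "AWS Service Event via CloudTrail",
        "account": "999999999999", "region": "us-east-1",
        "detail": {
            "eventSource": "controltower.amazonaws.com",
            "eventName": event_name,
            "eventType": "AwsServiceEvent",
            "serviceEventDetails": {
                STATUS_KEYS[event_name]: {
                    "organizationalUnit": {"organizationalUnitName": ou,
                                           "organizationalUnitId": "ou-EXAMPLE"},
                    "account": {"accountName": "app-dev-1", "accountId": account_id},
                    "state": state,
                    "message": "constructed sample",
                }
            },
        },
    }


SAMPLE_CREATE_OK = _sample_event("CreateManagedAccount", "SUCCEEDED")
SAMPLE_CREATE_FAILED = _sample_event("CreateManagedAccount", "FAILED")
SAMPLE_UNRELATED = {"source": "aws.ec2",
                    "detail-type": "EC2 Instance State-change Notification", "detail": {}}

if __name__ == "__main__":
    for ev in (SAMPLE_CREATE_OK, SAMPLE_CREATE_FAILED, SAMPLE_UNRELATED):
        print(handle_lifecycle_event(ev))
```

In a deployment the handler body would be the Lambda target of an EventBridge rule built from `LIFECYCLE_RULE_PATTERN`; the point of the `state` check is that Control Tower emits the event for failed runs as well, and those belong in an alert channel rather than in the provisioning pipeline.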
Control Tower Best Practices
New customer journey
Architecture diagram:
• AWS Cloud, New Payer Account: Management account with AWS Control Tower, AWS Organizations, AWS Single Sign-On, AWS Service Catalog, Stack sets
• Core OU: Log archive account (Account baseline; aggregate AWS CloudTrail and AWS Config logs) and Audit account (Account baseline; Security cross-account roles; Security notifications; Amazon CloudWatch aggregator)
• Custom OU: Provisioned accounts (Account baseline; Network baseline)
• AWS SSO directory
Additional OU
• Sandbox: fixed spending limit; disconnected from network
• Workloads: for software development (Dev, Pre-Prod, Prod)
• Policy Staging: verify & test SCP changes
• Suspended: account closures; tag account prior to moving
• Individual Users: for individual business users
• Exceptions: customized security stance; SCPs at account level; under greater scrutiny
• Deployments: for deployment infrastructure (SDLC across Dev 1, Dev 2, Dev 3 and Prod)
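The Policy Staging OU above exists to verify and test SCP changes before they reach the OUs that hold real workloads. The following is an added example, not code from the talk or from AWS, of an offline pre-check that belongs at the front of that staging step: a small evaluator for the Deny logic of an SCP, run against a constructed region-restriction policy and a table of expected outcomes. It models only the subset of the policy grammar most SCPs use (Effect Deny, Action/NotAction with `*` wildcards, Resource `*`, StringEquals/StringNotEquals conditions), so it is not a general IAM evaluator; the policy, its Sids, the regions and the expectations are all constructed, and it complements rather than replaces testing in the staging OU itself.

```python
"""Offline pre-check for Service Control Policy (SCP) changes.

Added example; not from the talk or from AWS. Evaluates the Deny logic of an
SCP against sample API calls so a change can be checked before promotion out
of a Policy Staging OU. Supports Effect=Deny, Action/NotAction with '*'
wildcards, Resource '*', and StringEquals/StringNotEquals conditions. It is
NOT a full IAM policy evaluator.
"""
import fnmatch
import json

# Constructed SCP: keep regional services inside two approved regions and block
# accounts from leaving the organization. Sids and regions are illustrative.
STAGED_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyOutsideApprovedRegions",
      "Effect": "Deny",
      "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*", "budgets:*"],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {"aws:RequestedRegion": ["us-east-1", "us-west-2"]}
      }
    },
    {
      "Sid": "DenyLeaveOrganization",
      "Effect": "Deny",
      "Action": "organizations:LeaveOrganization",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """True when every condition block is satisfied for the request context.
    A missing key makes a negated operator (StringNotEquals) evaluate true,
    as in IAM."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            expected = [e.lower() for e in _as_list(expected)]
            actual = context.get(key)
            actual = actual.lower() if actual is not None else None
            if operator == "StringEquals":
                if actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual in expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action):
    if "Action" in stmt:
        return _action_matches(stmt["Action"], action)
    if "NotAction" in stmt:
        return not _action_matches(stmt["NotAction"], action)
    return False


def denied_by(scp, action, context):
    """Sids of Deny statements that block `action` under `context`.

    SCPs only filter permissions: an empty result means the SCP does not block
    the call, and the account's own IAM policies still decide the outcome."""
    hits = []
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue  # Allow statements widen the filter; not modelled here
        if "*" not in _as_list(stmt.get("Resource", "*")):
            continue  # only Resource "*" is modelled
        if _statement_applies(stmt, action) and _condition_holds(stmt.get("Condition", {}), context):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def scp_blocks(scp, action, region=None):
    context = {"aws:RequestedRegion": region} if region else {}
    return bool(denied_by(scp, action, context))


# Constructed expectations for the staged policy: (action, region, should_be_blocked).
EXPECTATIONS = [
    ("ec2:RunInstances", "eu-west-1", True),
    ("ec2:RunInstances", "us-east-1", False),
    ("iam:CreateUser", None, False),  # global service exempted via NotAction
    ("organizations:LeaveOrganization", "us-east-1", True),
    ("s3:CreateBucket", "us-west-2", False),
]


def check_expectations(scp=STAGED_SCP, expectations=EXPECTATIONS):
    """Return the expectations the staged SCP violates (empty list = safe to promote)."""
    return [(action, region, expect_block) for action, region, expect_block in expectations
            if scp_blocks(scp, action, region) != expect_block]


if __name__ == "__main__":
    print(denied_by(STAGED_SCP, "ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}))
    print("violations:", check_expectations())
```

The `EXPECTATIONS` table is the part worth keeping under version control next to the policy: each time the SCP is edited, the check answers the two questions a staging OU is meant to answer, whether the change blocks what it should and whether it accidentally blocks something it should not (here, the global IAM call that the `NotAction` list is meant to exempt).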
Organizations Summary
Benefits:
• Centrally provision resources in a multi-account environment
• Share resources and control access to accounts, regions, and services
• Optimize costs and identify cost-saving measures
• Seamless integration with AWS security services
Use Cases:
• Many teams: rapid innovation with resources provisioned quickly and exclusively for each team
• Business process: organize AWS accounts to reflect business processes with different operational, regulatory, and budgetary requirements
• Billing: simplify billing where resources used within an AWS account can be allocated to the business unit that is responsible for that account
• Isolation & security: tight security boundaries enforced by built-in isolation between accounts, and consolidation for workloads with similar risk profiles
Existing customer journey
Review and test requirements:
- Single Sign-On
- Secure Token Service - STS
- Service Control Policies (SCP)
- AWS Config
- CloudTrail
- CloudFormation Stack Sets
Jump start your Organization with AWS Control Tower: SCPs, AWS Config, Service Catalog, AWS IAM Identity Center
Extend central governance with AWS Organizations
Services and policy types:
• AWS Systems Manager
• AWS Service Catalog
• AWS CloudFormation
• AWS Audit Manager
• AWS Backup & Backup Policies
• Amazon Cloud Directory
• AWS IAM Access Analyzer
• AWS Firewall Manager
• AWS Security Hub
• Amazon GuardDuty
• AWS Resource Access Manager
• Amazon Macie
• AWS Personal Health Dashboard
• AWS Cost Explorer
• S3 Storage Lens
• AWS Trusted Advisor
• AWS License Manager
• AWS Compute Optimizer
• Tag Policies
• AI/ML Policies
Benefits:
• Centrally provision resources in a multi-account environment
• Share resources and control access to accounts, regions, and services
• Optimize costs and identify cost-saving measures
• Seamless integration with AWS security services
Thank you
steve@regoconsulting.com
mangalos@amazon.com
Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
leewayhertz.com-AI in predictive maintenance Use cases technologies benefits ...
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
SAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloudSAP S/4 HANA sourcing and procurement to Public cloud
SAP S/4 HANA sourcing and procurement to Public cloud
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing InstancesEnergy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
 

Steve Seaney_AWS Control Tower - 2023 Midwest Community Day - Final.pptx

  • 1. Using Control Tower to efficiently manage organizations
    Steve Seaney, SVP SaaS Operations and Engineering, Rego Consulting, Inc
    Sushanth Mangalore, Sr. Solutions Architect, Amazon Web Services
  • 2. Agenda
    Rego Introduction; AWS Control Tower; Control Tower @ Rego; Lessons Learned; Best practices
  • 4. Who is Rego?
    We are PPM strategic advisors, using our deep expertise in PPM software as the entryway to build long-term relationships with our clients. We are experienced practitioners who use our previous PPM job expertise to guide our clients to maximize the value of their PPM software. We bring industry best practices to assist our clients in developing a strategy for deploying PPM capabilities as well as helping them realize that value.
  • 6. AWS Control Tower
    The easiest self-service solution to automate the setup of new AWS multi-account environments: an AWS service offering automated account creation based on AWS best practices; deployment of AWS best-practice blueprints and guardrails; a dashboard for monitoring compliance status; an AWS-managed version of a multi-account environment.
  • 7. Enable governance
    Set up an AWS landing zone; establish controls (guardrails); automate compliant account provisioning; centralize identity and access; manage continuously.
  • 8. Out of the box in < 1 hr, ZERO lines of code written
    Dashboard for visibility; automated landing zone; controls (guardrails); account factory; built-in identity and access; preconfigured log archive and audit access to accounts; built-in monitoring and notifications; automatic updates.
  • 9. Landing zone provisioned by AWS Control Tower
    Management account: AWS Control Tower, AWS Organizations, AWS IAM Identity Center, AWS CloudFormation StackSets, AWS Service Catalog (Account Factory), SSO directory.
    Security OU: Log Archive account (account baseline; centralized AWS CloudTrail and AWS Config logs) and Audit account (account baseline; security notifications; security cross-account roles; AWS Config aggregator).
    Custom OU: provisioned accounts (account baseline; network baseline).
  • 11. Unique challenges in the Rego AWS environment
    Newly migrated to AWS; lean operations team; hard project end date; 150+ AWS accounts; early adopters of CfCT (Customizations for AWS Control Tower); hosting a closed-source product.
  • 12. Lessons learned
    Centralize security tooling. Keep current with the landing zone and CfCT updates. Implement all controls unless you have a reason not to. Automate account and resource provisioning. Use IAM Identity Center for SSO. Use lifecycle events and Organizations events. Monitor and maintain security-standard compliance. Automate, maintain, and monitor patching.
  • 13. Control Tower best practices
  • 14. New customer journey
    New payer account: management account (AWS Control Tower, AWS Organizations, AWS Single Sign-On, AWS Service Catalog, stack sets, AWS SSO directory); Core OU with a log archive account (account baseline; aggregated AWS CloudTrail and AWS Config logs) and an audit account (account baseline; security cross-account roles; security notifications; Amazon CloudWatch aggregator); Custom OU with provisioned accounts (account baseline; network baseline).
    Additional OUs:
    Sandbox: fixed spending limit; disconnected from the network.
    Workloads: for software development (Dev, Pre-Prod, Prod).
    Policy Staging: verify and test SCP changes.
    Suspended: account closures; tag the account prior to moving it.
    Individual Users: for individual business users.
    Exceptions: customized security stance; SCPs at account level; under greater scrutiny.
    Deployments: for deployment infrastructure (Dev 1, Dev 2, Dev 3, Prod SDLC).
  • 15. Organizations summary
    Benefits: centrally provision resources in a multi-account environment; share resources and control access to accounts, regions, and services; optimize costs and identify cost-saving measures; seamless integration with AWS security services.
    Use cases: many teams (rapid innovation with resources provisioned quickly and exclusively for each team); business process (organize AWS accounts to reflect business processes with different operational, regulatory, and budgetary requirements); billing (simplify billing where resources used within an AWS account can be allocated to the business unit responsible for that account); isolation & security (tight security boundaries enforced by built-in isolation between accounts, and consolidation of workloads with similar risk profiles).
  • 16. Existing customer journey
    Review and test requirements: Single Sign-On; Secure Token Service (STS); Service Control Policies (SCP); AWS Config; CloudTrail; CloudFormation StackSets.
    Jump start your Organization with: AWS Control Tower, SCPs, AWS Config, Service Catalog, AWS IAM Identity Center.
  • 17. Extend central governance with AWS Organizations
    Categories: centrally provision resources in a multi-account environment; share resources and control access to accounts, regions, and services; optimize costs and identify cost-saving measures; seamless integration with AWS security services.
    Integrated services and policies: AWS Systems Manager, AWS Service Catalog, AWS CloudFormation, AWS Audit Manager, AWS Backup & backup policies, Amazon Cloud Directory, AWS IAM Access Analyzer, AWS Firewall Manager, AWS Security Hub, Amazon GuardDuty, AWS Resource Access Manager, Amazon Macie, AWS Personal Health Dashboard, AWS Cost Explorer, S3 Storage Lens, AWS Trusted Advisor, AWS License Manager, AWS Compute Optimizer, tag policies, AI/ML policies.

Editor's Notes

  1. We recommend customers deploying a new environment to start with AWS Control Tower. We also recommend that existing customers use Control Tower to extend governance into their legacy accounts and implement Control Tower guardrails. Control Tower takes care of the best practices for you, from the fundamental accounts to the blueprints and guardrails for security and monitoring, and Account Factory makes account creation and provisioning easy. The AWS Landing Zone is a solution that helps customers quickly set up a new AWS environment for multiple accounts; it saves time by automating the setup of the environment in line with AWS best-practice recommendations. With the AWS Landing Zone, customers receive a baseline environment that gets them started with a multi-account architecture, identity and access management, governance, data security, network design, and logging. The solution was built to help customers set up net-new AWS environments, but it can scale to support production implementations for large-scale migrations.
  2. Control Tower enables you to set up an AWS landing zone, centralize identity and access, establish guardrails for security, compliance, and operations, automate compliant account provisioning, and manage continuously over time.
  3. With AWS Control Tower the landing zone is built in about one hour. Customers get an automated landing zone and guardrails, predefined rules that help with compliance; there are two types of guardrails, preventive and detective. Account Factory lets you create new accounts or enroll existing accounts into Control Tower, and a centralized dashboard gives visibility into the accounts across each region. With the built-in integration with AWS SSO, customers get a centralized location for identity and access management, and they can also integrate partner solutions such as OneLogin and Okta into the SSO dashboard. The preconfigured log archive and audit accounts give Control Tower a strong governance start, together with built-in monitoring and notifications and automatic updates. If customers were to build the deployment of a landing zone on their own they would be stitching together over 10 services, which would take a long time and very high technical skill, and they would own the code and have to maintain it.
  4. This base architecture, or foundation, is what AWS Control Tower provides to customers as they start to build their multi-account environment. AWS Control Tower provides a framework to set up and extend a well-architected, multi-account AWS environment based on security and compliance best practices. With AWS Control Tower you can easily provision new AWS accounts using the Account Factory, which creates new AWS accounts with a baseline security posture enforced by preventive and detective guardrails. As part of this framework, AWS Control Tower automatically: enables AWS CloudTrail and AWS Config and centralizes their logs in an Amazon S3 bucket in the Log Archive account; pre-configures Amazon Simple Notification Service (Amazon SNS) topics that other services can subscribe to; provides federated access to accounts using AWS Single Sign-On (AWS SSO); enables guardrails that protect the resources deployed by AWS Control Tower and detect non-compliance across multiple accounts; and supports lifecycle events, which let you configure additional custom automations as part of new account creation.
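The lifecycle-event hook mentioned above is the usual place to bolt customer-specific automation onto account creation. The following is an added example written for this page, not Rego's or AWS's code. It assumes an EventBridge rule in the management account routes Control Tower's CreateManagedAccount lifecycle event (delivered through CloudTrail) to a Lambda function, and that a CloudFormation StackSet named `org-baseline-extras` (a hypothetical name, as are the account ids and the `op-constructed-0001` operation id) already exists there. The CloudFormation client is injected so the decision logic runs offline; inside Lambda it falls back to boto3.

```python
"""Act on the AWS Control Tower CreateManagedAccount lifecycle event.

Added example for the "lifecycle events" point above; it is not Rego's or AWS's code.
It assumes an EventBridge rule in the management account routes Control Tower lifecycle
events (which arrive through CloudTrail) to this Lambda function, and that a StackSet
named BASELINE_STACKSET (a hypothetical name) already exists there. The CloudFormation
client is injected so the logic can be exercised offline.
"""

BASELINE_STACKSET = "org-baseline-extras"   # hypothetical StackSet name
BASELINE_REGIONS = ["us-east-1"]            # assumption: regions the StackSet targets

# EventBridge rule pattern: only Control Tower's account-creation lifecycle event.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}


def parse_lifecycle_event(event):
    """Pull account id, name, OU and state out of the event; None if it is not one we handle."""
    detail = event.get("detail", {})
    if event.get("source") != "aws.controltower" or detail.get("eventName") != "CreateManagedAccount":
        return None
    status = detail["serviceEventDetails"]["createManagedAccountStatus"]
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_name": status["organizationalUnit"]["organizationalUnitName"],
        "state": status["state"],
    }


def deploy_baseline(cfn, account_id, regions=BASELINE_REGIONS):
    """Add the new account as a stack instance of the baseline StackSet.
    cfn is a CloudFormation client (boto3 or a test double with the same method)."""
    resp = cfn.create_stack_instances(
        StackSetName=BASELINE_STACKSET,
        DeploymentTargets={"Accounts": [account_id]},
        Regions=regions,
    )
    return resp["OperationId"]


def handler(event, context=None, cfn=None):
    """Lambda entry point: ignore anything but a SUCCEEDED creation, then deploy the baseline."""
    parsed = parse_lifecycle_event(event)
    if parsed is None:
        return {"status": "ignored", "reason": "not a CreateManagedAccount event"}
    if parsed["state"] != "SUCCEEDED":
        return {"status": "ignored", "reason": f"state={parsed['state']}"}
    if cfn is None:
        import boto3  # real client only when running inside Lambda
        cfn = boto3.client("cloudformation")
    op_id = deploy_baseline(cfn, parsed["account_id"])
    return {"status": "deployed", "account_id": parsed["account_id"],
            "ou": parsed["ou_name"], "operation_id": op_id}


# Constructed sample event in the documented lifecycle-event shape (ids are made up).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "account": "999999999999",            # management account (constructed)
    "region": "us-east-1",
    "detail": {
        "eventSource": "controltower.amazonaws.com",
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {
            "createManagedAccountStatus": {
                "organizationalUnit": {"organizationalUnitName": "Workloads",
                                       "organizationalUnitId": "ou-abcd-workloads"},
                "account": {"accountName": "payments-dev", "accountId": "123456789012"},
                "state": "SUCCEEDED",
                "message": "AWS Control Tower successfully created a managed account.",
            }
        },
    },
}


class FakeCloudFormation:
    """Test double that records what boto3's create_stack_instances would receive."""
    def __init__(self):
        self.calls = []

    def create_stack_instances(self, **kwargs):
        self.calls.append(kwargs)
        return {"OperationId": "op-constructed-0001"}


if __name__ == "__main__":
    fake = FakeCloudFormation()
    print(handler(SAMPLE_EVENT, cfn=fake))
    print(fake.calls)
```

The handler deliberately checks `state == "SUCCEEDED"` rather than trusting the rule pattern alone: Control Tower emits the same event name for failed creations, and deploying a baseline into an account that was never created only produces a confusing StackSet failure later.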
  7. When we first went live in June of 2019 you could only deploy Control Tower into a brand new account. That meant a new management account would be created and customers would then create all new accounts. That was fine for customers with few accounts to migrate or companies just starting their cloud journey, but it was difficult for customers who already had existing organizations and a billing structure in place, because it meant they had two houses to maintain.
  8. Whether you are building out your landing zone for the first time with Control Tower, or deploying Control Tower into an existing Organization, you gain all of the automation and simplicity benefits that Control Tower offers. What customers often realize after the fact is that, because Control Tower is built on top of AWS Organizations, you can also use all of the multi-account features of Organizations with your Control Tower environment. AWS Organizations provides native capabilities and lets a number of AWS services operate across accounts. There are four main categories of features this unlocks: centrally provisioning accounts and resources; sharing resources and controlling access to accounts, regions, and services; securing and auditing your environment for compliance; and optimizing costs and identifying cost-saving measures. This helps you drive rapid innovation for your teams by allowing them to quickly provision resources for their use. Using AWS Organizations you can reflect your business processes and the different requirements of different business units, such as operations, governance, and budgets. Handling billing across multiple accounts can be complicated; Organizations consolidates a view of which resources are being used in each account and offers a detailed view per account, allowing you to establish budgets for the business units responsible for the accounts and to identify opportunities. Last, but most important, Organizations establishes isolation using the boundary an account gives you, allowing you to consolidate workloads that have similar risk profiles.
AWS Control Tower can help you set up this initial environment, providing an orchestration framework to create accounts, establish guardrails across your organization, and offering an overview of the status of the accounts Control Tower manages in the organization.
  9. Since you are already using Organizations, you can use Control Tower to automate the management of some of those features and of your multi-account strategy. However, there are some prerequisites to take into consideration for a smooth transition. AWS Control Tower deploys resources into the accounts under its governance to enforce the security measures and to collect logs from those accounts into the Log Archive account. Before deploying Control Tower on your current Organization, review the management account's service quotas for AWS Config, Service Control Policies, Single Sign-On, STS and CloudTrail. If you have already deployed Single Sign-On, Control Tower needs to be launched in the same region of the management account for Control Tower to be able to adopt it. Additionally, Control Tower allows you to select which regions you would like the service to govern; STS must be enabled in every region Control Tower supports so it can assume a role in that region to deploy resources and run the checks it needs to succeed. AWS Control Tower creates a set of three SCPs that it attaches to the OUs it manages. When extending governance to existing OUs, make sure there is room on those OUs for Control Tower to attach these SCPs (AWS Organizations allows at most five SCPs attached directly to a single OU or account). Also make sure no current SCP blocks Control Tower from acting on the Organization or on any particular OU, which would prevent it from executing actions on those accounts. There can only be a single Config recorder and a single delivery channel per region in each account; for any account that governance will be extended to, the existing Config recorder and delivery channel must be removed before extending governance, so that Control Tower can record and monitor those regions in the enrolled accounts.
For new accounts, Control Tower creates all of this automatically. Control Tower deploys a CloudTrail trail that logs the activity in each account and delivers it to the Log Archive account; for existing accounts, make sure there is room for this trail to be created (CloudTrail allows five trails per region) before enrolling the account or the OU. Last but not least, Control Tower uses CloudFormation StackSets to deploy resources across the accounts in the organization from the management account, so make sure there is room in the management account for about 10-15 new StackSets so Control Tower can manage the resources deployed in your Organization efficiently. Once you have checked all of this, you are ready to start enrolling your existing OUs and accounts into Control Tower.
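The checklist in this note is easy to get wrong by hand across 150+ accounts, so it is worth scripting. The following is an added example written for this page, not Rego's or AWS's code. Each check takes the JSON shape the matching AWS API returns (`organizations.list_policies_for_target`, `configservice.describe_configuration_recorders` / `describe_delivery_channels`, `cloudtrail.describe_trails`, `cloudformation.list_stack_sets`), so it can be fed from boto3 or the CLI; the snapshot below is constructed inline (account ids, OU ids and policy names are made up) so it runs offline. The quotas for SCPs per target and trails per region are AWS defaults; the StackSet quota of 100 is an assumption to confirm in Service Quotas. The STS regional-endpoint status and the review of existing SCPs for Deny statements that would block Control Tower are left to manual review here.

```python
"""Pre-flight checks before extending AWS Control Tower governance to existing OUs and accounts.

Added example for this talk, not Rego's or AWS's code. Each check takes the JSON shape the
corresponding AWS API returns (organizations.list_policies_for_target,
configservice.describe_configuration_recorders / describe_delivery_channels,
cloudtrail.describe_trails, cloudformation.list_stack_sets) so it can be fed from boto3
or the CLI; the data in SAMPLE is constructed inline so the script runs offline.
"""

CT_SCPS_PER_OU = 3           # the talk: Control Tower attaches three SCPs to each OU it governs
MAX_SCPS_PER_TARGET = 5      # AWS Organizations quota: at most five SCPs directly on one OU/account
MAX_TRAILS_PER_REGION = 5    # CloudTrail quota: five trails per region
CT_STACKSETS_NEEDED = 15     # upper end of the "10-15 StackSets" the talk mentions
STACKSET_QUOTA = 100         # assumed default per administrator account; confirm in Service Quotas


def scp_headroom_findings(ou_id, policies):
    """policies: 'Policies' from organizations.list_policies_for_target(Filter='SERVICE_CONTROL_POLICY')."""
    free = MAX_SCPS_PER_TARGET - len(policies)
    if free < CT_SCPS_PER_OU:
        return [f"{ou_id}: {len(policies)} SCPs attached, {free} free slots; "
                f"Control Tower needs {CT_SCPS_PER_OU}"]
    return []


def config_findings(account_id, region, recorders, channels):
    """recorders/channels: 'ConfigurationRecorders' and 'DeliveryChannels' for one account and region.
    Control Tower creates its own, and only one of each is allowed per region."""
    findings = [f"{account_id}/{region}: remove Config recorder '{r['name']}' before enrollment"
                for r in recorders]
    findings += [f"{account_id}/{region}: remove Config delivery channel '{c['name']}' before enrollment"
                 for c in channels]
    return findings


def trail_findings(account_id, region, trails):
    """trails: 'trailList' from cloudtrail.describe_trails(); only trails homed in this region count."""
    local = [t for t in trails if t.get("HomeRegion") == region]
    if len(local) >= MAX_TRAILS_PER_REGION:
        return [f"{account_id}/{region}: {len(local)} trails exist; no slot for the Control Tower trail"]
    return []


def stackset_findings(summaries, quota=STACKSET_QUOTA):
    """summaries: 'Summaries' from cloudformation.list_stack_sets() in the management account."""
    active = [s for s in summaries if s.get("Status") == "ACTIVE"]
    if quota - len(active) < CT_STACKSETS_NEEDED:
        return [f"management account: {len(active)} active StackSets; fewer than "
                f"{CT_STACKSETS_NEEDED} of {quota} slots free"]
    return []


def preflight(snapshot):
    """snapshot: per-target API outputs (see SAMPLE). Returns every blocking finding."""
    findings = []
    for ou_id, policies in snapshot["ou_scps"].items():
        findings += scp_headroom_findings(ou_id, policies)
    for (account_id, region), data in snapshot["accounts"].items():
        findings += config_findings(account_id, region, data["recorders"], data["channels"])
        findings += trail_findings(account_id, region, data["trails"])
    findings += stackset_findings(snapshot["stack_sets"])
    return findings


# Constructed sample snapshot: one OU and one account per failure mode, plus one clean OU.
SAMPLE = {
    "ou_scps": {
        "ou-abcd-workloads": [{"Name": "FullAWSAccess"}, {"Name": "DenyLeaveOrg"},
                              {"Name": "RegionRestrict"}],          # only 2 slots left
        "ou-abcd-sandbox": [{"Name": "FullAWSAccess"}],             # fine
    },
    "accounts": {
        ("111111111111", "us-east-1"): {                           # legacy Config setup in place
            "recorders": [{"name": "default"}], "channels": [{"name": "default"}],
            "trails": [{"Name": "legacy-trail", "HomeRegion": "us-east-1"}],
        },
        ("222222222222", "us-east-1"): {                           # trail quota exhausted
            "recorders": [], "channels": [],
            "trails": [{"Name": f"trail-{i}", "HomeRegion": "us-east-1"} for i in range(5)],
        },
    },
    "stack_sets": [{"StackSetName": f"legacy-{i}", "Status": "ACTIVE"} for i in range(90)],
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("BLOCKER:", finding)
```

Run it once per governed region for every account you intend to enroll; an empty findings list is the signal that the account or OU can be enrolled without Control Tower's own resource creation colliding with what is already there.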
  10. This means you get a rich set of capabilities to extend governance across your multi-account environment using services that integrate with Organizations. By using Control Tower, you take advantage of its automation and simple management while leveraging the additional Organizations capabilities available to you. You can extend governance across your multi-account environment with consistent provisioning using AWS CloudFormation StackSets, manage your backups with granular policies, discover sensitive data with Amazon Macie and monitor for security threats with Amazon GuardDuty, share resources with your accounts using AWS Resource Access Manager, gain visibility into your AWS budgets and spend using AWS Cost Explorer, and more. You get the best of both worlds by combining Control Tower with the extensibility of Organizations. Would you like us to dive into any of these multi-account capabilities in a later discussion?