Why I use Control Tower

You'll find below a pros-and-cons summary of Control Tower generated with Amazon Q. Many will say it's overkill for personal use. However, having an environment where you can safely explore the services Control Tower orchestrates is invaluable when you later have to solve problems in an environment that runs critical workloads.


The services that pay off immediately are the ability to apply controls and governance across accounts, to track changes across the whole environment, to get consolidated billing, and to centralise identity management through IAM Identity Center, which vends short-lived security tokens for console and CLI access instead of long-lived IAM user keys.


I find the AWS description from their documentation lands the message well:



My (Console) Approach to AWS Control Tower

I always kick off Control Tower from the AWS Console. I know I should script this, but I'm in a fresh account, logged in but not via SSO. I want to get the account set up with SSO running as a priority.


The Control Tower setup UI asks all the right questions in a simple-to-understand way, sets everything up cleanly, and gives me a solid, opinionated baseline perfect for iterating from. For a lab environment, that vanilla setup is exactly what I want - secure, multi-account, and ready to grow.


The guide by AWS is excellent and walks you through everything you need to do.


AWS Config defaults to recording everything

Once Control Tower finishes spinning up, my first tweak is to rein in AWS Config and the unwanted cost that comes with it.

Out of the box the recorder runs continuously: it records every configuration change to every supported resource in every enrolled account and governed region. Change one parameter five times in a day and you get five configuration items, and AWS Config bills per configuration item recorded. This is excellent for compliance-heavy production workloads, but complete overkill for a lab.


The change is a small edit to the CloudFormation stack set Control Tower uses to deploy the AWS Config configuration recorder into each enrolled account. Switching the recorder to daily recording means Config captures a resource's configuration at most once every 24 hours, and only if it changed, which caps the number of configuration items even in development accounts that see thousands of changes a day. The trade-off is that all of a day's intra-day changes collapse into one item, so you lose the per-change history that continuous recording gives you:


Set RecordingFrequency to DAILY on the ConfigRecorder resource in AWSControlTowerBP-BASELINE-CONFIG (the RecordingMode block at the end is the change; everything above it is the template's existing recorder definition):

ConfigRecorder:
  Type: AWS::Config::ConfigurationRecorder
  Properties:
    Name: !Sub ${ManagedResourcePrefix}-BaselineConfigRecorder
    RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
    RecordingGroup:
      AllSupported: !Ref AllSupported
      IncludeGlobalResourceTypes: !If
        - IsHomeRegion
        - !Ref IncludeGlobalResourceTypes
        - 'false'
      ResourceTypes: !If
        - IsAllSupported
        - !Ref AWS::NoValue
        - !Ref ResourceTypes
    # Added block: without it the recorder defaults to CONTINUOUS recording
    RecordingMode:
      RecordingFrequency: "DAILY"


This keeps costs and noise down while giving me enough historical state to debug or understand drift if needed. Two caveats are worth knowing. First, daily recording is not supported for every resource type; where you need continuous recording for a handful of types, RecordingMode accepts RecordingModeOverrides so you can keep those continuous and leave the rest daily. Second, this stack set is managed by Control Tower, so hand-editing it is a change Control Tower will see as drift, and a landing zone update or repair can put the default recorder back. Treat the edit as something to re-check after every landing zone update rather than a one-off.
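To check what a stack set template actually does before and after the edit, here is an added example (not Control Tower's or AWS's tooling) in Python that audits and patches the RecordingMode of every AWS::Config::ConfigurationRecorder in a CloudFormation YAML template using only the standard library. It works on the template text line by line, so the !Sub, !If and !Ref tags need no custom YAML loader. The embedded sample template is constructed from the fragment above; its DeliveryChannel resource and LogBucket parameter are assumptions added for illustration, and the code assumes the two-space indentation the baseline template uses.

```python
"""Audit/patch RecordingMode of AWS::Config::ConfigurationRecorder resources in a
CloudFormation YAML template, stdlib only. Added example, not Control Tower's own
tooling. Works line by line so !Sub/!If/!Ref tags need no custom YAML loader; assumes
two-space indentation with one key per line, as in the Control Tower baseline template."""
import re
from typing import Dict, List, Optional, Tuple

TYPE_RE = re.compile(r"^\s*Type:\s*['\"]?AWS::Config::ConfigurationRecorder['\"]?\s*$")
FREQ_RE = re.compile(r"^(\s*)RecordingFrequency:\s*['\"]?(\w+)['\"]?\s*$")
DEFAULT_FREQUENCY = "CONTINUOUS"  # what AWS Config uses when RecordingMode is omitted

# Constructed sample, based on the baseline fragment in the post. The DeliveryChannel
# resource and the LogBucket parameter are assumptions added for illustration.
SAMPLE_TEMPLATE = """\
Resources:
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Sub ${ManagedResourcePrefix}-BaselineConfigRecorder
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !If
          - IsHomeRegion
          - !Ref IncludeGlobalResourceTypes
          - 'false'
  DeliveryChannel:
    Type: AWS::Config::DeliveryChannel
    Properties:
      S3BucketName: !Ref LogBucket
"""

def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))

def _block_end(lines: List[str], header: int) -> int:
    """One past the last line nested under the mapping key at `header`."""
    i, base = header + 1, _indent(lines[header])
    while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > base):
        i += 1
    return i

def _find_child(lines: List[str], header: int, end: int, key: str) -> Optional[int]:
    """Line index of the direct child `key:` of the mapping at `header`, if present."""
    child = next((_indent(lines[i]) for i in range(header + 1, end) if lines[i].strip()), None)
    for i in range(header + 1, end):
        if lines[i].strip() and _indent(lines[i]) == child and lines[i].strip().startswith(key + ":"):
            return i
    return None

def _recorders(lines: List[str]) -> List[int]:
    """Indices of the logical-ID lines of every ConfigurationRecorder resource."""
    found = []
    for i, line in enumerate(lines):
        if TYPE_RE.match(line):  # the logical ID is the nearest less-indented non-blank line above
            j = i - 1
            while j >= 0 and (not lines[j].strip() or _indent(lines[j]) >= _indent(line)):
                j -= 1
            if j >= 0:
                found.append(j)
    return found

def _mode_lines(lines: List[str], props: int, props_end: int) -> Tuple[Optional[int], Optional[int]]:
    """(RecordingMode line, RecordingFrequency line) under Properties; either may be None."""
    mode = _find_child(lines, props, props_end, "RecordingMode")
    if mode is None:
        return None, None
    for j in range(mode + 1, _block_end(lines, mode)):
        if FREQ_RE.match(lines[j]):
            return mode, j
    return mode, None

def audit(template: str) -> Dict[str, str]:
    """Map each ConfigurationRecorder logical ID to its effective RecordingFrequency."""
    lines = template.splitlines()
    result: Dict[str, str] = {}
    for name_idx in _recorders(lines):
        props = _find_child(lines, name_idx, _block_end(lines, name_idx), "Properties")
        freq = DEFAULT_FREQUENCY
        if props is not None:
            freq_idx = _mode_lines(lines, props, _block_end(lines, props))[1]
            if freq_idx is not None:
                freq = FREQ_RE.match(lines[freq_idx]).group(2).upper()
        result[lines[name_idx].strip().rstrip(":")] = freq
    return result

def set_daily(template: str) -> str:
    """Return the template with every ConfigurationRecorder's RecordingFrequency set to DAILY."""
    lines = template.splitlines()
    for name_idx in reversed(_recorders(lines)):  # bottom-up: inserts don't shift earlier indices
        props = _find_child(lines, name_idx, _block_end(lines, name_idx), "Properties")
        if props is None:
            continue
        mode, freq_idx = _mode_lines(lines, props, _block_end(lines, props))
        if freq_idx is not None:  # explicit frequency: rewrite in place, keeping indentation
            lines[freq_idx] = FREQ_RE.match(lines[freq_idx]).group(1) + "RecordingFrequency: DAILY"
        elif mode is not None:  # RecordingMode block without a frequency
            lines.insert(mode + 1, " " * (_indent(lines[mode]) + 2) + "RecordingFrequency: DAILY")
        else:  # no RecordingMode: append one at the end of Properties (2-space indentation assumed)
            end = _block_end(lines, props)
            while not lines[end - 1].strip():
                end -= 1
            pad = " " * (_indent(lines[props]) + 2)
            lines[end:end] = [pad + "RecordingMode:", pad + "  RecordingFrequency: DAILY"]
    return "\n".join(lines) + "\n"
```

Pull the live template with `aws cloudformation describe-stack-set --stack-set-name AWSControlTowerBP-BASELINE-CONFIG --query StackSet.TemplateBody --output text`, run `audit()` on it to confirm each recorder's effective frequency, and diff the output of `set_daily()` against the original before you update the stack set. Running `audit()` again after a landing zone update is the quickest way to spot that the change has been reverted.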