Why I use Control Tower
Below you'll find an AmazonQ pros-and-cons list on Control Tower. Many will say it's overkill for personal use. However, having an environment where you can safely explore the services Control Tower orchestrates is invaluable when you later have to solve problems in an environment that is running critical workloads.
The capabilities that become immediately useful are applying controls and governance, tracking changes across the environment, consolidated billing, and centralised identity management that vends security tokens.
I find the AWS description from their documentation lands the message well:
Straight from AWS
AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone in less than an hour. Resources are set up and managed on your behalf.
AWS Control Tower orchestration extends the capabilities of AWS Organizations. To help keep your organizations and accounts from drift, which is divergence from best practices, AWS Control Tower applies controls (sometimes called guardrails). For example, you can use controls to help ensure that security logs and necessary cross-account access permissions are created, and not altered.
If you are hosting more than a handful of accounts, it’s beneficial to have an orchestration layer that facilitates account deployment and account governance. You can adopt AWS Control Tower as your primary way to provision accounts and infrastructure. With AWS Control Tower, you can more easily adhere to corporate standards, meet regulatory requirements, and follow best practices.
My (Console) Approach to AWS Control Tower
I always kick off Control Tower from the AWS Console. I know I should script this, but I'm in a fresh account, logged in, and not via SSO. I want to set up the account with SSO running as a priority.
The Control Tower setup UI asks all the right questions in a simple-to-understand way, sets everything up cleanly, and gives me a solid, opinionated baseline perfect for iterating from. For a lab environment, that vanilla setup is exactly what I want - secure, multi-account, and ready to grow.
The guide by AWS is excellent and walks you through everything you need to do.
AWS Config defaults to record everything
Once Control Tower finishes spinning up, my first tweak is reining in AWS Config and managing unwanted costs.
Out of the box, AWS Config records every configuration change across every account. If you change one parameter five times in a day, you get five configuration items. This is excellent for compliance-heavy production workloads, but complete overkill for a lab.
The change is a small adjustment to the CloudFormation stack set that Control Tower uses to deploy the AWS Config configuration recorder in each account: set the recorder to record changes daily. This limits the amount of data produced, especially in development environments where there can be thousands of changes per day:
Change the Recording Frequency to "Daily" in AWSControlTowerBP-BASELINE-CONFIG
  ConfigRecorder:
    Type: AWS::Config::ConfigurationRecorder
    Properties:
      Name: !Sub ${ManagedResourcePrefix}-BaselineConfigRecorder
      RoleARN: !Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig
      RecordingGroup:
        AllSupported: !Ref AllSupported
        IncludeGlobalResourceTypes: !If
          - IsHomeRegion
          - !Ref IncludeGlobalResourceTypes
          - 'false'
        ResourceTypes: !If
          - IsAllSupported
          - !Ref AWS::NoValue
          - !Ref ResourceTypes
      RecordingMode:
        RecordingFrequency: "DAILY"
This keeps costs and noise down while giving me enough historical state to debug or understand drift if needed. The trade-off is that several changes to the same resource within one day are collapsed into a single daily item, so you cannot reconstruct intra-day sequences from the recorder alone.
Enterprise vs. Lab
In an enterprise landing zone, I would configure Control Tower to deploy the daily recorder to sandbox and some non-prod accounts, but keep granular (continuous) recording in compliance-heavy accounts to ensure we capture everything we might need in the audit log later.
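To make the split described above (daily recording in lab-tier accounts, continuous recording where an audit trail matters) checkable rather than a convention you hope people follow, here is an added example of my own, not code from the post or from AWS: a small audit that compares each account's Config recorder against a per-OU policy. The OU names, the policy mapping and the inventory are constructed assumptions; the recorder dicts follow the shape boto3's ConfigService describe_configuration_recorders() returns, and in a real run you would build the inventory by assuming a role into each account and region. The important design choice is the severity: under-recording in an account that should be fully recorded is the serious finding (lost evidence), while continuous recording in a sandbox is only a cost finding.

```python
from collections import Counter

# Assumed OU-to-frequency policy (my example, not from the post): daily
# snapshots in lab-tier OUs, full continuous recording wherever an audit
# trail matters. Unknown OUs fail closed to CONTINUOUS.
DESIRED_FREQUENCY = {
    "Sandbox": "DAILY",
    "Workloads/Non-Prod": "DAILY",
    "Workloads/Prod": "CONTINUOUS",
    "Security": "CONTINUOUS",
}
DEFAULT_FREQUENCY = "CONTINUOUS"


def desired_frequency(ou_path):
    """Recording frequency the policy expects for an account in this OU."""
    return DESIRED_FREQUENCY.get(ou_path, DEFAULT_FREQUENCY)


def effective_frequency(recorder):
    """Frequency a recorder actually runs at.

    A recorder with no recordingMode is CONTINUOUS, which is what the
    unmodified Control Tower baseline deploys.
    """
    return recorder.get("recordingMode", {}).get("recordingFrequency", "CONTINUOUS")


def audit_recorder(account, recorder):
    """Compare one account/region recorder against policy.

    Returns None when compliant, otherwise a finding dict. Recording less
    than policy demands is rated high: daily snapshots collapse every change
    made within a day into one item, so an account that should keep a full
    audit trail is silently losing evidence. Recording more than needed is
    only a cost issue and is rated low.
    """
    want = desired_frequency(account["ou"])
    finding = {"account": account["id"], "region": account["region"], "want": want}
    if recorder is None:
        finding.update(have=None, severity="high", reason="no configuration recorder deployed")
        return finding
    have = effective_frequency(recorder)
    if have == want:
        return None
    if want == "CONTINUOUS":
        finding.update(have=have, severity="high", reason="under-recording: intra-day changes are not captured")
    else:
        finding.update(have=have, severity="low", reason="over-recording: continuous recording in a lab-tier OU")
    return finding


def audit(accounts):
    """Run the check over every account/region entry and keep only findings."""
    findings = []
    for account in accounts:
        finding = audit_recorder(account, account.get("recorder"))
        if finding:
            findings.append(finding)
    return findings


def summarize(findings):
    """Count findings by severity, e.g. {'high': 2, 'low': 1}."""
    return dict(Counter(f["severity"] for f in findings))


def baseline_recorder(account_id, frequency=None):
    """Constructed sample in the shape of one entry of
    describe_configuration_recorders()['ConfigurationRecorders'].
    frequency=None mimics the baseline before the stack set edit."""
    recorder = {
        "name": "aws-controltower-BaselineConfigRecorder",
        "roleARN": f"arn:aws:iam::{account_id}:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig",
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    }
    if frequency:
        recorder["recordingMode"] = {"recordingFrequency": frequency, "recordingModeOverrides": []}
    return recorder


# Constructed inventory (placeholder account ids); in a real run you would
# build this by assuming a role into each account and calling
# describe_configuration_recorders in every governed region.
SAMPLE_ACCOUNTS = [
    {"id": "111111111111", "ou": "Sandbox", "region": "eu-west-1", "recorder": baseline_recorder("111111111111", "DAILY")},
    {"id": "222222222222", "ou": "Sandbox", "region": "eu-west-1", "recorder": baseline_recorder("222222222222")},
    {"id": "333333333333", "ou": "Workloads/Prod", "region": "eu-west-1", "recorder": baseline_recorder("333333333333", "DAILY")},
    {"id": "444444444444", "ou": "Security", "region": "eu-west-1", "recorder": None},
    {"id": "555555555555", "ou": "Infrastructure", "region": "eu-west-1", "recorder": baseline_recorder("555555555555", "CONTINUOUS")},
]

if __name__ == "__main__":
    results = audit(SAMPLE_ACCOUNTS)
    for f in results:
        print(f"[{f['severity']:4}] {f['account']} {f['region']}: have={f['have']} want={f['want']} ({f['reason']})")
    print(summarize(results))
```

Running it against the constructed inventory reports one low finding (a sandbox account still on the untouched continuous baseline) and two high findings (a production account downgraded to daily, and a security account with no recorder at all); the unknown "Infrastructure" OU falls back to CONTINUOUS, so a new OU never quietly inherits the lab setting.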
ChatGPT: Pros and Cons of Using AWS Control Tower in a Lab Environment
AWS Control Tower is a service that helps you set up and govern a secure, compliant, multi-account AWS environment. Here's an analysis of its pros and cons specifically for lab environments:
Pros:
- Automated Setup: Quickly establishes a well-architected multi-account environment following AWS best practices without manual configuration
- Standardized Guardrails: Implements preventive and detective controls to enforce security policies across all accounts
- Account Factory: Streamlines the process of creating and provisioning new AWS accounts with consistent configurations
- Centralized Dashboard: Provides visibility into compliance status and account management from a single interface
- Learning Environment: Excellent for learning enterprise-level AWS governance and security practices
- Landing Zone: Creates a secure baseline with predefined account structure (management, log archive, audit)
- Integration with AWS Services: Works seamlessly with AWS Organizations, Config, CloudTrail, and other services
- Hands-on Experience: Provides practical experience with enterprise-grade AWS governance tools
Cons:
- Resource Overhead: Deploys numerous resources that may be excessive for simple lab environments
- Cost Implications: While the service itself is free, the underlying services it deploys (CloudTrail, Config, etc.) incur costs
- Learning Curve: Can be complex to understand all the components and guardrails for lab users
- Limited Flexibility: Some configurations are fixed and cannot be easily modified to suit specific lab requirements
- Deployment Time: Initial setup can take 30+ minutes, which may be excessive for short-lived lab scenarios
- Cleanup Challenges: Removing Control Tower can be complex as it creates many interdependent resources
- Minimum Account Requirements: Requires at least three accounts (management, log archive, audit), which may be overkill for simple labs
- Resource Quotas: May hit service quotas in lab environments with limited quota increases
For lab environments specifically, Control Tower might be most appropriate when:
- You're teaching or learning enterprise AWS governance
- You need to simulate a real-world multi-account structure
- The lab will run for an extended period to justify the setup time
- You have budget allocated for the underlying services
For simpler, short-lived labs, manually setting up specific governance components as needed might be more efficient and cost-effective.