Week 3 - Day 5: AWS Control Tower

Learning objectives

  • Understand how AWS Control Tower works
  • Master guardrails (preventive and detective)
  • Know how to set up and customize a Landing Zone

1. AWS Control Tower overview

Definition

AWS Control Tower provides the easiest way to set up and govern a multi-account AWS environment, known as a Landing Zone.

Core Components

  AWS Control Tower
    • Landing Zone      (Foundation)
    • Guardrails        (Governance Rules)
    • Account Factory   (Provisioning)
    • Dashboard         (Compliance Visibility)

Underlying Services

  Control Tower orchestrates:
    • Organizations
    • Service Catalog
    • CloudFormation StackSets
    • Config Rules
    • CloudTrail
    • IAM Identity Center

2. Landing Zone

Default Structure

  Root
  ├── Security OU
  │   ├── Log Archive Account
  │   │     - Centralized logging
  │   │     - S3 buckets for CloudTrail, Config
  │   └── Audit Account
  │         - Security & compliance tools
  │         - Cross-account access for auditors
  ├── Sandbox OU
  │     Developer sandbox accounts
  └── [Custom OUs]
        Your workload accounts

Shared Accounts

  Management Account
    - Control Tower configuration
    - Organizations management
    - Billing and cost management
    Should have minimal workloads

  Log Archive Account
    Contains:
    - CloudTrail logs
    - Config logs
    - VPC Flow logs
    - Access logs
    Highly protected

  Audit Account
    Contains:
    - Cross-account audit role
    - Security tools
    - Config aggregator
    Read-only access

3. Guardrails

Types of Guardrails

  GUARDRAILS

  PREVENTIVE (SCP-based)
    Block actions before they happen
    Examples:
      - Disallow changes to CloudTrail config
      - Disallow deletion of log archive
      - Disallow changes to IAM Identity Center

  DETECTIVE (Config Rules)
    Detect non-compliant resources
    Examples:
      - Detect public S3 buckets
      - Detect unencrypted EBS volumes
      - Detect root user access

  PROACTIVE (CFN Hooks)
    Check CloudFormation before deployment
    Examples:
      - Validate S3 bucket encryption
      - Validate RDS encryption

Guardrail Behaviors

  Behavior               Description
  Mandatory              Always enabled, cannot be disabled
  Strongly Recommended   Best practices, can be disabled
  Elective               Optional, enable as needed

Common Guardrails

Mandatory Preventive:

  • Disallow changes to CloudTrail
  • Disallow changes to AWS Config rules
  • Disallow deletion of Log Archive
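To make the preventive mechanism concrete, here is an added example (not code from the page or from AWS Control Tower) that writes a simplified SCP modelled on the "Disallow changes to CloudTrail" guardrail and evaluates it against a requested API action. The policy document, the Sid and the principal ARNs are constructed for the example; the exception for the AWSControlTowerExecution role mirrors how Control Tower keeps its own baseline role able to manage the trail. Only the ArnLike/ArnNotLike operators are implemented, which is all this policy needs.

```python
"""Simplified evaluation of a preventive guardrail (an SCP) against a requested
API action. Constructed example: not Control Tower's own code."""
import fnmatch
import json

# Constructed SCP modelled on the mandatory "Disallow changes to CloudTrail"
# guardrail: deny the listed CloudTrail actions for every principal except the
# AWSControlTowerExecution role that maintains the baseline. Sid is made up.
CLOUDTRAIL_GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyCloudTrailChanges",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names match case-insensitively; "*" and "?" are wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _arn_matches(pattern: str, arn: str) -> bool:
    # ARN comparison keeps case; "*" and "?" are wildcards, as in ArnLike
    return fnmatch.fnmatchcase(arn, pattern)


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate only the ARN operators this example needs; anything else is
    rejected loudly rather than silently treated as true or false."""
    for operator, pairs in condition.items():
        if operator not in ("ArnLike", "ArnNotLike"):
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, patterns in pairs.items():
            actual = context.get(key)
            # A missing context key never matches, so ArnNotLike holds for it
            matched = actual is not None and any(
                _arn_matches(p, actual) for p in _as_list(patterns)
            )
            if operator == "ArnLike" and not matched:
                return False
            if operator == "ArnNotLike" and matched:
                return False
    return True


def scp_denies(policy: dict, action: str, context: dict):
    """Return the Sid of the Deny statement that blocks `action`, or None.

    SCPs never grant access: None only means the SCP does not block the call;
    the principal's IAM permissions still decide whether it is allowed.
    """
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        if not any(_action_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            return statement["Sid"]
    return None


if __name__ == "__main__":
    developer = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/Developer"}
    control_tower = {"aws:PrincipalARN": "arn:aws:iam::111122223333:role/AWSControlTowerExecution"}
    for ctx in (developer, control_tower):
        for action in ("cloudtrail:StopLogging", "s3:GetObject"):
            verdict = scp_denies(CLOUDTRAIL_GUARDRAIL_SCP, action, ctx) or "not denied by SCP"
            print(ctx["aws:PrincipalARN"].rsplit("/", 1)[1], action, "->", verdict)
```

The point the evaluator makes visible is that a preventive guardrail is a hard block applied at the Organization level: a developer role in the member account is denied cloudtrail:StopLogging no matter what its IAM policy allows, while unrelated calls such as s3:GetObject pass through to normal IAM evaluation.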

Strongly Recommended:

  • Disallow public read access to S3 buckets
  • Disallow public write access to S3 buckets
  • Enable encryption for EBS volumes
  • Enable encryption for RDS databases

Detective Examples:

  Guardrail: Detect public S3 buckets
  Status:    Enabled
  Findings:
    Account:  111122223333
    Resource: my-public-bucket
    Status:   NON_COMPLIANT
    Reason:   Block Public Access is disabled
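The finding above is what a detective guardrail produces after the fact. As an added example (not Control Tower's managed rule and not code from this page), the block below evaluates S3 bucket configuration items the way a custom AWS Config rule would and turns the NON_COMPLIANT results into dashboard-style findings. The configuration items are constructed but follow the shape Config records for AWS::S3::Bucket; the Lambda-style handler returns its evaluation instead of calling the Config API, and the edge case of a bucket that never had Block Public Access configured is handled explicitly.

```python
"""Detective guardrail logic: evaluate S3 bucket configuration items the way a
custom AWS Config rule would. Constructed example, not Control Tower's own rule."""
import json

# The four Block Public Access settings a bucket must have enabled
PUBLIC_ACCESS_BLOCK_KEYS = (
    "blockPublicAcls",
    "ignorePublicAcls",
    "blockPublicPolicy",
    "restrictPublicBuckets",
)

# Constructed configuration items (a subset of the fields Config delivers)
CONFIGURATION_ITEMS = [
    {
        "awsAccountId": "111122223333",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "my-public-bucket",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {
                "blockPublicAcls": False, "ignorePublicAcls": False,
                "blockPublicPolicy": False, "restrictPublicBuckets": False,
            }
        },
    },
    {
        "awsAccountId": "111122223333",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "app-logs-bucket",
        "supplementaryConfiguration": {
            "PublicAccessBlockConfiguration": {
                "blockPublicAcls": True, "ignorePublicAcls": True,
                "blockPublicPolicy": True, "restrictPublicBuckets": True,
            }
        },
    },
    {
        # Edge case: Block Public Access was never configured on this bucket
        "awsAccountId": "444455556666",
        "resourceType": "AWS::S3::Bucket",
        "resourceId": "legacy-bucket",
        "supplementaryConfiguration": {},
    },
]


def evaluate_bucket(item: dict) -> dict:
    """Return an evaluation in the shape a Config custom rule reports."""
    if item.get("resourceType") != "AWS::S3::Bucket":
        compliance, annotation = "NOT_APPLICABLE", "not an S3 bucket"
    else:
        settings = item.get("supplementaryConfiguration", {}).get("PublicAccessBlockConfiguration")
        if settings is None:
            compliance, annotation = "NON_COMPLIANT", "Block Public Access is not configured"
        else:
            disabled = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not settings.get(k, False)]
            if disabled:
                compliance = "NON_COMPLIANT"
                annotation = "Block Public Access is disabled: " + ", ".join(disabled)
            else:
                compliance, annotation = "COMPLIANT", "all Block Public Access settings enabled"
    return {
        "ComplianceResourceType": item.get("resourceType"),
        "ComplianceResourceId": item.get("resourceId"),
        "ComplianceType": compliance,
        "Annotation": annotation,
    }


def findings(items) -> list:
    """Collect NON_COMPLIANT evaluations as dashboard-style findings."""
    out = []
    for item in items:
        ev = evaluate_bucket(item)
        if ev["ComplianceType"] == "NON_COMPLIANT":
            out.append({"Account": item["awsAccountId"],
                        "Resource": ev["ComplianceResourceId"],
                        "Reason": ev["Annotation"]})
    return out


def lambda_handler(event, context=None):
    """Entry point shaped like a Config custom rule Lambda: the invoking event
    carries the configuration item as a JSON string. A real rule would send the
    result with config.put_evaluations(); here it is returned for inspection."""
    invoking_event = json.loads(event["invokingEvent"])
    return evaluate_bucket(invoking_event["configurationItem"])


if __name__ == "__main__":
    for finding in findings(CONFIGURATION_ITEMS):
        print(finding)
```

Note that the rule is evaluated against recorded configuration, so a bucket opened to the public is reported only after Config records the change; that delay is exactly why the page pairs detective guardrails with preventive ones.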

4. Account Factory

Purpose

Standardized, automated account provisioning with pre-configured:

  • Network configuration
  • IAM roles
  • Guardrail compliance
  • Organizational unit placement

Account Factory Workflow

  Request New Account
        │
        ▼
  Account Factory (Service Catalog)
    Account Details:
      - Account name: dev-team-a
      - Email: dev-team-a@company.com
      - OU: Workloads/Development
      - IAM Identity Center user: john.doe
    Network Configuration:
      - VPC CIDR: 10.1.0.0/16
      - Region: ap-southeast-1
        │
        ▼
  Automated Provisioning
    1. Create AWS account
    2. Move to specified OU
    3. Apply guardrails
    4. Deploy baseline CloudFormation
    5. Configure IAM Identity Center access
    6. Deploy VPC (if configured)
        │
        ▼
  Account Ready to Use
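The request form in the workflow above is where bad input is cheapest to catch: an unregistered OU, an ungoverned region, a root email already in use, or a VPC CIDR that overlaps an existing account's network. The following is an added example (not Account Factory's own code and not from this page) of a pre-flight validator for such a request. The allowed OUs, governed regions, email domain, reserved supernet and already-allocated CIDRs are assumptions for the example; the request values are the ones shown in the workflow.

```python
"""Pre-flight validation of an Account Factory request before it is submitted.
Constructed example, not Account Factory's own code; every policy value below
is an assumption for the example."""
import ipaddress
import re
from dataclasses import dataclass

ALLOWED_OUS = {"Workloads/Development", "Workloads/Production", "Sandbox"}  # assumed
GOVERNED_REGIONS = {"ap-southeast-1", "us-east-1"}                          # assumed
REQUIRED_EMAIL_DOMAIN = "company.com"                                       # assumed
ORG_SUPERNET = ipaddress.ip_network("10.0.0.0/8")      # assumed range reserved for account VPCs
# CIDRs already vended to existing accounts and root emails already in use (constructed)
ALLOCATED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/16", "10.2.0.0/16")]
EXISTING_ACCOUNT_EMAILS = {"platform@company.com", "security@company.com"}


@dataclass(frozen=True)
class AccountRequest:
    name: str
    email: str
    ou: str
    sso_user: str
    vpc_cidr: str
    region: str


def validate_request(req: AccountRequest) -> list:
    """Return a list of validation errors; an empty list means the request may proceed."""
    errors = []
    if not re.fullmatch(r"[a-z0-9][a-z0-9-]{2,49}", req.name):
        errors.append(f"account name {req.name!r} must be 3-50 lowercase letters, digits or hyphens")
    if not req.email.lower().endswith("@" + REQUIRED_EMAIL_DOMAIN):
        errors.append(f"email must be under {REQUIRED_EMAIL_DOMAIN}")
    if req.email.lower() in EXISTING_ACCOUNT_EMAILS:
        errors.append("email already used by another account (each AWS account needs a unique root email)")
    if req.ou not in ALLOWED_OUS:
        errors.append(f"OU {req.ou!r} is not a registered OU")
    if req.region not in GOVERNED_REGIONS:
        errors.append(f"region {req.region} is not governed by Control Tower")
    try:
        # strict=True rejects CIDRs with host bits set, e.g. 10.1.0.1/16
        cidr = ipaddress.ip_network(req.vpc_cidr, strict=True)
    except ValueError as exc:
        errors.append(f"invalid VPC CIDR: {exc}")
        return errors
    if cidr.version != ORG_SUPERNET.version:
        errors.append("VPC CIDR must be IPv4")
        return errors
    if not 16 <= cidr.prefixlen <= 24:
        errors.append("VPC CIDR prefix must be between /16 and /24")
    if not cidr.subnet_of(ORG_SUPERNET):
        errors.append(f"VPC CIDR must be inside {ORG_SUPERNET}")
    for used in ALLOCATED_CIDRS:
        if cidr.overlaps(used):
            errors.append(f"VPC CIDR overlaps already allocated {used}")
    return errors


if __name__ == "__main__":
    request = AccountRequest("dev-team-a", "dev-team-a@company.com", "Workloads/Development",
                             "john.doe", "10.1.0.0/16", "ap-southeast-1")
    print(validate_request(request) or "request is valid")
```

Rejecting an overlapping CIDR at request time matters because an account whose VPC collides with another cannot later be attached to a shared Transit Gateway without renumbering, which is far more disruptive after workloads are deployed.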

Customizations for Control Tower (CfCT)

  Customizations (manifest.yaml):
    - Deploy additional IAM roles
    - Configure VPC with Transit Gateway attachment
    - Enable additional AWS services
    - Apply custom Config rules
    - Deploy security tools

5. Dashboard & Compliance

Control Tower Dashboard

  Control Tower Dashboard
    Organizational Units: 5
    Enrolled Accounts:    12
    Guardrails Enabled:   25

    Compliance Status
      Compliant:     95%
      Non-compliant:  5%

    Violations:
      - Account 111: Public S3 bucket
      - Account 222: Unencrypted EBS volume

6. Extending Control Tower

Account Factory for Terraform (AFT)

  Account Factory for Terraform
    Benefits:
      - Terraform-based account provisioning
      - GitOps workflow
      - Custom account customizations
      - Pipeline-based deployment
    Workflow:
      Git Repo → CodePipeline → Account Provisioning

Integrations

Control Tower integrates with:
- AWS Security Hub (aggregate findings)
- AWS Config (conformance packs)
- AWS CloudFormation (StackSets)
- AWS Service Catalog (account vending)

7. Limitations & Considerations

Limitations

  Limitation      Detail
  Regions         Limited to specific regions
  Existing Orgs   Requires migration steps
  Nested OUs      Limited nesting support
  Customization   Some limits on guardrails

When NOT to use Control Tower

  • Very simple single-account setup
  • Highly customized requirements beyond CfCT
  • Need unsupported regions
  • Existing complex Organization structure

8. Review questions

  1. Which AWS services does Control Tower use underneath?

    Answer

    Control Tower orchestrates: AWS Organizations (account structure, OUs, SCPs), IAM Identity Center (SSO), AWS Config (compliance rules), CloudTrail (audit logging), Service Catalog (Account Factory), CloudFormation StackSets (deploy baselines to accounts), S3 + CloudWatch (logs). Control Tower is an "orchestration layer": it does not implement anything new but combines existing services according to best practices.

  2. What is the difference between Preventive and Detective guardrails?

    Answer

    Preventive guardrails are implemented via SCPs and block actions before they happen. Examples: prevent disabling CloudTrail, prevent leaving the Organization. Detective guardrails are implemented via AWS Config rules; they detect non-compliance after it happens and generate findings. Examples: detect unencrypted S3 buckets, detect EC2 instances without required tags. Preventive = hard block; Detective = notify and alert.

  3. Which accounts does the default Landing Zone create?

    Answer

    The Control Tower setup automatically creates: the Management Account (already exists), the Log Archive Account (centralizes CloudTrail logs and Config snapshots), and the Audit Account (security review, cross-account access for security tools). These two accounts are placed in the Security OU. It also creates a Sandbox OU for dev/test accounts. In total: 2 new accounts and 2 baseline OUs.

  4. How does Account Factory work?

    Answer

    Account Factory uses Service Catalog to provision accounts. The requester fills in a form (account email, OU, SSO user, VPC config) → Account Factory triggers Account Factory for Terraform (AFT) or the built-in provisioning → creates the AWS account → applies baseline StackSets (CloudTrail, Config, VPC, IAM Identity Center assignment) → registers it with Organizations. The account is ready in 30-60 minutes with all governance baselines applied.

  5. When should you not use Control Tower?

    Answer

    It is not a good fit when: (1) the Organization already has a complex custom setup that Control Tower would conflict with, (2) you need custom networking more complex than Control Tower's opinionated patterns, (3) compliance requirements are very specific and the Control Tower guardrails do not cover them properly, (4) you have a single account: Control Tower is over-engineering for small setups, (5) the team is not ready: maintaining Control Tower requires understanding Organizations, IAM Identity Center and Config.

9. Hands-on exercises

  • Set up a Control Tower Landing Zone (if you have a sandbox account)
  • Review the available guardrails
  • Explore the Account Factory options
  • Study Customizations for Control Tower (CfCT)


Next day: Week 3 wrap-up quiz