AWS Control Tower
AWS Control Tower is a managed service that simplifies the setup and governance of a secure, multi-account AWS environment based on AWS best practices. It is a critical topic within Domain 6: Management and Security Governance of the SCS-C02 exam, as it directly addresses how organizations establish and enforce security governance at scale. AWS Control Tower builds on top of AWS Organizations, AWS Service Catalog, AWS IAM Identity Center (formerly AWS SSO), and AWS Config to provide an automated landing zone: a well-architected, multi-account baseline. This landing zone includes pre-configured accounts such as a Log Archive account and an Audit account, ensuring centralized logging and auditing from the start.
A key feature of Control Tower is **Guardrails** (now called **Controls**), which are pre-packaged governance rules that enforce security, compliance, and operational policies across all accounts. These come in three types:
1. **Preventive Controls** – Implemented using AWS Organizations Service Control Policies (SCPs) to prevent non-compliant actions (e.g., disallowing public S3 buckets).
2. **Detective Controls** – Implemented using AWS Config rules to detect non-compliant resources and flag violations.
3. **Proactive Controls** – Implemented using AWS CloudFormation hooks to check resource compliance before provisioning.
Controls can be mandatory (always enforced), strongly recommended, or elective, giving organizations flexibility in their governance posture. Control Tower also provides an **Account Factory**, which automates the provisioning of new accounts with pre-approved configurations, ensuring consistent security baselines.
It integrates with IAM Identity Center for centralized access management across all accounts. The **Control Tower Dashboard** offers visibility into the compliance status of all enrolled accounts and organizational units (OUs), enabling security teams to quickly identify and remediate policy violations. For the SCS-C02 exam, understanding how Control Tower enforces governance through guardrails, manages multi-account environments, centralizes logging via CloudTrail and Config, and integrates with other AWS security services is essential for answering questions related to security governance and organizational compliance at scale.
AWS Control Tower: Complete Guide for AWS Security Specialty Exam
Why AWS Control Tower Is Important
As organizations scale their AWS environments, managing multiple accounts becomes increasingly complex. Without a centralized governance framework, security misconfigurations, compliance violations, and inconsistent policies can proliferate across accounts. AWS Control Tower addresses this challenge by providing a comprehensive, automated way to set up and govern a secure, multi-account AWS environment. For the AWS Security Specialty exam, understanding Control Tower is critical because it sits at the intersection of management governance, preventive and detective controls, and organizational security — all core themes of the certification.
What Is AWS Control Tower?
AWS Control Tower is a managed service that automates the setup and governance of a secure, well-architected multi-account AWS environment based on AWS best practices. It builds upon AWS Organizations, AWS Service Catalog, AWS Config, AWS CloudTrail, AWS IAM Identity Center (formerly AWS SSO), and other services to create what AWS calls a landing zone.
Key components of AWS Control Tower include:
• Landing Zone: A well-architected, multi-account environment that serves as a baseline for your organization. It includes a management account, a log archive account, and an audit account.
• Guardrails (Controls): High-level rules that provide ongoing governance for your AWS environment. These are categorized as preventive, detective, or proactive guardrails, and further classified by guidance level: mandatory, strongly recommended, or elective.
• Account Factory: A configurable account template that helps standardize the provisioning of new accounts with pre-approved configurations, including VPC settings, IAM roles, and guardrails.
• Dashboard: A centralized view that provides visibility into your landing zone, including the status of accounts, guardrails, and compliance.
How AWS Control Tower Works
AWS Control Tower operates through the following workflow and architecture:
1. Landing Zone Setup
When you enable Control Tower, it automatically sets up a landing zone that includes:
- A management account (the AWS Organizations management account, at the root of the organization)
- A log archive account that centralizes all AWS CloudTrail logs and AWS Config logs from all enrolled accounts
- An audit account (also called the security account) that provides cross-account access for auditing purposes
- Two default organizational units (OUs): the Security OU (containing the log archive and audit accounts) and the Sandbox OU (for development and testing)
2. Guardrails (Controls)
Guardrails are the governance rules enforced across your environment:
• Preventive Guardrails: Implemented using AWS Organizations Service Control Policies (SCPs). These prevent actions from occurring. For example, a preventive guardrail might disallow changes to the CloudTrail configuration or prevent the deletion of log archive buckets. They enforce rules before an action is taken.
• Detective Guardrails: Implemented using AWS Config Rules. These detect non-compliant resources and report violations but do not prevent the action. For example, a detective guardrail might check whether S3 buckets have public read access enabled and flag them as non-compliant.
• Proactive Guardrails: Implemented using AWS CloudFormation Hooks. These check resources before they are provisioned via CloudFormation and can block non-compliant resource creation.
Guardrails are applied at the OU level, meaning all accounts within that OU inherit the guardrails. This is a key architectural concept.
3. Account Factory
Account Factory leverages AWS Service Catalog under the hood. It allows administrators to define account templates (blueprints) with pre-configured settings such as:
- VPC configurations (CIDR ranges, subnets, regions)
- IAM Identity Center (SSO) access configurations
- Guardrail enrollment
- Approved regions
End users (cloud administrators or developers) can request new accounts through the Service Catalog, and those accounts are automatically provisioned with all the required guardrails and configurations.
4. Centralized Logging and Monitoring
Control Tower automatically configures:
- AWS CloudTrail: An organization-wide trail that logs all API activity to the log archive account
- AWS Config: Enabled across all enrolled accounts and regions, with aggregated data flowing to the audit account
- Amazon S3 buckets in the log archive account with appropriate bucket policies and encryption
5. IAM Identity Center Integration
Control Tower integrates with AWS IAM Identity Center to provide centralized access management. It creates pre-configured groups and permission sets for managing access across accounts.
6. Drift Detection
Control Tower continuously monitors for drift, which occurs when the actual state of your landing zone deviates from the expected configuration. Examples of drift include:
- Deletion or modification of an OU managed by Control Tower
- Removal or modification of a guardrail SCP
- Changes to the CloudTrail or Config configurations
- Moving accounts between OUs outside of Control Tower
When drift is detected, Control Tower flags it on the dashboard, and administrators must resolve the drift to restore governance.
7. Region Deny Guardrail
Control Tower can enforce a Region deny guardrail, which uses an SCP to prevent access to AWS services in non-governed regions. This is important for data residency and compliance requirements.
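An added example, not code from this guide or from AWS, showing how the two preventive guardrail patterns described above look as SCP statements: a Deny on CloudTrail configuration changes, and a Region deny built from NotAction plus an aws:RequestedRegion condition, with a small evaluator that reports which statement catches a request. The governed regions, the exempted global services, and the statement Sids are assumptions; the policies Control Tower actually attaches are longer.

```python
import fnmatch

# Constructed, simplified SCP modelled on two Control Tower preventive controls:
# "ProtectCloudTrail" blocks changes to the organization trail and "RegionDeny"
# blocks non-global services outside the governed regions. The policies Control
# Tower actually attaches are longer; regions and names here are assumptions.
GOVERNED_REGIONS = ["us-east-1", "eu-west-1"]
GLOBAL_SERVICE_ACTIONS = ["iam:*", "sts:*", "organizations:*", "support:*"]

PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ProtectCloudTrail", "Effect": "Deny", "Resource": "*",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                    "cloudtrail:UpdateTrail"]},
        {"Sid": "RegionDeny", "Effect": "Deny", "Resource": "*",
         "NotAction": GLOBAL_SERVICE_ACTIONS,
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and '*' is the only wildcard.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _statement_denies(stmt, action, region):
    if stmt.get("Effect") != "Deny":
        return False
    if "Action" in stmt and not _action_matches(_as_list(stmt["Action"]), action):
        return False
    if "NotAction" in stmt and _action_matches(_as_list(stmt["NotAction"]), action):
        return False  # exempted, e.g. a global service such as IAM or STS
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    allowed = cond.get("aws:RequestedRegion")
    if allowed is not None and region in _as_list(allowed):
        return False  # inside a governed region, so the condition does not fire
    return True

def scp_denies(policy, action, region):
    """Return the Sid of the first Deny statement matching the request, else None.
    Only explicit Deny is modelled: an SCP never grants access, it only caps what
    IAM policies inside the member account may allow."""
    for stmt in policy["Statement"]:
        if _statement_denies(stmt, action, region):
            return stmt["Sid"]
    return None
```

A request that passes both statements is still subject to the member account's own IAM policies; the evaluator only answers whether the SCP layer blocks it.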
Key Integrations and Advanced Concepts
• AWS Control Tower + AWS Organizations: Control Tower manages the organizational structure. SCPs created by Control Tower should not be manually edited.
• AWS Control Tower + AWS Security Hub: Security Hub can aggregate findings across Control Tower-managed accounts for centralized security posture management.
• AWS Control Tower + AWS CloudFormation StackSets: Control Tower uses StackSets to deploy resources consistently across multiple accounts and regions.
• Customizations for AWS Control Tower (CfCT): An AWS solution that allows you to customize your Control Tower landing zone using CloudFormation templates and SCPs beyond the built-in guardrails.
• Account Factory for Terraform (AFT): Allows provisioning and customizing AWS Control Tower accounts using Terraform instead of Service Catalog.
• Lifecycle Events: Control Tower emits lifecycle events to Amazon EventBridge when certain actions occur (e.g., account creation, guardrail enablement). These events can trigger automated workflows such as Lambda functions for additional account configuration.
Exam Tips: Answering Questions on AWS Control Tower
Here are essential strategies for tackling AWS Control Tower questions on the AWS Security Specialty exam:
• Preventive vs. Detective vs. Proactive: Always remember that preventive guardrails use SCPs, detective guardrails use AWS Config Rules, and proactive guardrails use CloudFormation Hooks. If a question asks about blocking an action, think preventive (SCP). If it asks about detecting non-compliance, think detective (Config).
• Guardrails are applied at the OU level, not the account level. If a question mentions applying governance to a specific group of accounts, the answer likely involves organizing those accounts into an OU and applying guardrails to that OU.
• Log Archive and Audit Accounts: Know the purpose of each. The log archive account is for centralized logging (CloudTrail, Config). The audit account is for cross-account security auditing. Questions about centralized log storage typically point to the log archive account.
• Drift detection: If a question describes a scenario where someone has manually changed an SCP, deleted an OU, or modified a Control Tower-managed resource, the answer involves drift. Understand that drift must be resolved through the Control Tower console.
• Account Factory + Service Catalog: If a question asks about automated, standardized account provisioning with pre-approved configurations, Account Factory is the answer. Remember that it uses AWS Service Catalog behind the scenes.
• Region deny: Questions about restricting users from deploying resources in unauthorized regions within a multi-account setup often point to the Region deny guardrail in Control Tower.
• Think multi-account governance: Control Tower is the answer when questions describe a need to set up and govern a multi-account environment following AWS best practices. It is preferred over manually configuring Organizations, Config, and CloudTrail individually.
• Control Tower vs. AWS Organizations: Control Tower is a higher-level abstraction built on top of Organizations. If the question specifically mentions automated landing zone setup, guardrails, or Account Factory, choose Control Tower. If it only mentions SCPs and OU structure, it may be Organizations alone.
• Mandatory guardrails cannot be disabled. Strongly recommended and elective guardrails can be selectively enabled or disabled. Questions about governance flexibility should consider this distinction.
• Lifecycle events and EventBridge: If a question asks about automating actions when new accounts are created (e.g., auto-tagging, deploying security baselines), think about Control Tower lifecycle events triggering EventBridge rules that invoke Lambda functions.
• Nested OUs: Control Tower supports nested OUs, allowing hierarchical governance. Guardrails applied to a parent OU are inherited by child OUs and their accounts.
• Existing accounts: Control Tower can enroll existing AWS accounts into governance. Questions about bringing unmanaged accounts under centralized governance should consider this capability.
• Remember the principle of least privilege: Control Tower helps enforce least privilege at scale through SCPs and centralized access management via IAM Identity Center. If a question asks about enforcing consistent security policies across dozens or hundreds of accounts, Control Tower is the scalable answer.
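The lifecycle-event automation mentioned in the integrations list and again in the exam tips, as an added example that is not part of this guide: an EventBridge rule pattern for the CreateManagedAccount lifecycle event and a Lambda handler that turns a successful event into a baseline plan. The event fields follow the shape Control Tower documents for this event, the account id and OU id in the sample are placeholders, and the tag values and the plan format are assumptions.

```python
# EventBridge rule pattern (constructed) that selects Control Tower lifecycle
# events for account creation; Control Tower publishes them as "AWS Service
# Event via CloudTrail" events from source "aws.controltower".
ACCOUNT_CREATED_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}

# Constructed sample event, trimmed to the fields the handler reads. The
# account id and OU id are placeholders, not real identifiers.
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {
        "createManagedAccountStatus": {
            "state": "SUCCEEDED",
            "account": {"accountName": "workload-dev-01", "accountId": "111111111111"},
            "organizationalUnit": {"organizationalUnitName": "Sandbox",
                                   "organizationalUnitId": "ou-placeholder"}}}},
}

def pattern_matches(pattern, event):
    # Minimal EventBridge matcher: every pattern key must exist in the event,
    # nested dicts recurse, and a list means "exact match on any listed value".
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not pattern_matches(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True

def lambda_handler(event, context=None):
    """Turn a CreateManagedAccount lifecycle event into a baseline plan.
    Applying the plan (cross-account tagging, enabling services) needs AWS API
    calls and is left out so the function runs offline."""
    if not pattern_matches(ACCOUNT_CREATED_PATTERN, event):
        return {"action": "ignored", "reason": "not an account-creation event"}
    status = event["detail"]["serviceEventDetails"]["createManagedAccountStatus"]
    if status.get("state") != "SUCCEEDED":  # failed creations carry no usable account
        return {"action": "ignored", "reason": status.get("state")}
    return {"action": "baseline",
            "account_id": status["account"]["accountId"],
            "tags": {"ManagedBy": "ControlTower",
                     "OU": status["organizationalUnit"]["organizationalUnitName"]}}
```

In a deployed rule the same filtering happens in EventBridge, so the handler's pattern check is a defensive second look rather than the primary filter.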
Summary
AWS Control Tower is a foundational service for multi-account governance and security in AWS. It automates the creation of a well-architected landing zone, enforces guardrails through SCPs and Config Rules, standardizes account provisioning through Account Factory, and provides centralized visibility through its dashboard. For the AWS Security Specialty exam, focus on understanding the types of guardrails, the architecture of the landing zone (management, log archive, and audit accounts), drift detection, and how Control Tower integrates with other AWS security services. Mastering these concepts will help you confidently answer exam questions related to management and security governance.