AWS Control Tower is no longer confined to its previously supported regions. With its governance features now available in Hyderabad, Spain, UAE, and Zurich, AWS Control Tower fortifies its position as the ultimate solution for setting up and managing multi-account AWS environments with heightened compliance and security. It offers the tools needed to keep infrastructure in line with compliance regulations, ensuring a seamless and well-governed environment.
This guide walks you through the entire process: what AWS Control Tower is, how to launch it, how to extend its governance features to the newly supported regions, how to update your landing zone, and how to bring the accounts under governance in the new region(s).
What is AWS Control Tower
AWS Control Tower provides a way to set up and govern a secure, multi-account AWS environment. It automates the process of setting up a new baseline or landing zone that is secure, well-architected, and ready to use. This solution is rooted in AWS best practices for security and compliance.
Launching AWS Control Tower
To launch AWS Control Tower, follow the steps outlined below:
- Log in to your AWS account.
- Open the AWS Control Tower console.
- Choose “Set up your landing zone”.
- In the AWS Organizations section, provide the details of your organization description and email. The email you specify here is notified whenever an account is added or updated in your organization.
- In the User accounts section, specify the email addresses and usernames for the AWS SSO user accounts (log archive and audit).
- Review the AWS Control Tower settings and choose “Set up landing zone”.
- The process execution takes approximately an hour, during which you should not manually add, remove, or modify your resources.
Once you have successfully launched AWS Control Tower, it can be used in all supported regions, helping you meet the various regional compliance, data residency, and latency requirements.
Extending AWS Control Tower to New Regions
With the recent announcement, AWS Control Tower can be extended to new regions, namely Hyderabad, Spain, UAE, and Zurich.
To do this:
- Go to the Settings page in your AWS Control Tower dashboard.
- Select the Regions tab, then the regions you want to add, and click “Save”.
- In your landing zone settings, select the regions and then click “Update”.
- You must then update all accounts that are governed by AWS Control Tower.
- Once these steps are completed, your landing zone, all accounts, and OUs will be under governance in the new region(s).
Extending AWS Control Tower’s governance features to new regions increases data durability, scalability, and performance across many industries, including startups, enterprises, and public sector organizations, to name a few.
Updating Your Landing Zone
Once AWS Control Tower is available in your selected new regions, the next step is updating your landing zone. The landing zone is a configuration where new accounts are securely configured as a part of the AWS Control Tower environment.
To do this:
- Go to the Landing Zone on the dashboard.
- Choose the Update Landing Zone option.
- Review your changes before you click on the Update button.
The ‘Update Landing Zone’ action ensures that:
- The pre-existing Guardrails, both preventive and detective, become available in these new regions.
- The default VPCs in newly supported regions are removed from all AWS Control Tower managed accounts.
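One way to verify the update afterwards, as an added example that is not part of the original guide or of AWS tooling: it checks that the new regions appear in the landing zone manifest's governedRegions and that no default VPC is left in them. The function names are hypothetical, the input dicts are assumed to follow the controltower GetLandingZone and ec2 DescribeVpcs response shapes, and the account and VPC IDs are constructed placeholders.

```python
# Post-update check for a Control Tower region extension (added example).

# Region codes for Hyderabad, Spain, UAE and Zurich.
NEW_REGIONS = ("ap-south-2", "eu-south-2", "me-central-1", "eu-central-2")


def ungoverned_regions(landing_zone_response, wanted=NEW_REGIONS):
    """Return the wanted regions missing from the manifest's governedRegions."""
    manifest = landing_zone_response["landingZone"].get("manifest", {})
    governed = set(manifest.get("governedRegions", []))
    return [r for r in wanted if r not in governed]


def leftover_default_vpcs(vpc_inventory, wanted=NEW_REGIONS):
    """Return (account, region, vpc_id) tuples for default VPCs still present.

    vpc_inventory maps (account_id, region) -> DescribeVpcs response.
    A missing (account, region) key is reported as UNCHECKED, not as clean.
    """
    findings = []
    accounts = {acct for acct, _ in vpc_inventory}
    for acct in sorted(accounts):
        for region in wanted:
            resp = vpc_inventory.get((acct, region))
            if resp is None:
                findings.append((acct, region, "UNCHECKED"))
                continue
            findings += [(acct, region, v["VpcId"])
                         for v in resp.get("Vpcs", []) if v.get("IsDefault")]
    return findings


# Constructed sample data: account IDs and VPC IDs are placeholders.
SAMPLE_LZ = {"landingZone": {"status": "ACTIVE", "manifest": {
    "governedRegions": ["us-east-1", "ap-south-2", "eu-south-2", "eu-central-2"]}}}
SAMPLE_VPCS = {
    ("111111111111", "ap-south-2"): {"Vpcs": []},
    ("111111111111", "eu-south-2"): {"Vpcs": []},
    ("111111111111", "me-central-1"): {"Vpcs": [
        {"VpcId": "vpc-0example", "IsDefault": True}]},
    ("111111111111", "eu-central-2"): {"Vpcs": [
        {"VpcId": "vpc-0custom", "IsDefault": False}]},
    ("222222222222", "ap-south-2"): {"Vpcs": []},
}

if __name__ == "__main__":
    print("not governed:", ungoverned_regions(SAMPLE_LZ))
    for finding in leftover_default_vpcs(SAMPLE_VPCS):
        print("default VPC check:", *finding)
```

In the sample, me-central-1 was never added to the governed regions, so its default VPC is still present, and the second account is flagged because three of its regions were never inventoried.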
Final Words
The expansion of AWS Control Tower to regions like Hyderabad, Spain, UAE, and Zurich empowers organizations around the globe, making it easier to manage AWS environments according to established best practices. By following the steps outlined in this guide, organizations can effortlessly expand their use of AWS Control Tower into the new regions and harness the great power of secure, multi-account AWS environments, all while conforming to compliance standards and best practices for AWS foundational security.
The leap to data-driven governance has never been easier, and AWS Control Tower’s global expansion is reinforcing this reality at an impressive pace. Take the leap, extend AWS Control Tower to the newly supported regions, and elevate your AWS multi-account environment management to unprecedented heights.