Setting up AWS Landing Zone with Control Tower, Organizations, and Service Catalog


00:00:00 Learn how to set up an AWS Landing Zone using AWS Control Tower, AWS Organizations, and AWS Service Catalog. Use multiple accounts to separate workloads, apply guardrails, and manage costs centrally.

🔑 AWS Control Tower is used to set up an AWS Landing Zone and provides centralized management for resources and accounts.

🏢 Multiple AWS accounts are beneficial for grouping workloads based on business purpose, separating environments, and applying different guardrails.

💰 Using multiple AWS accounts allows for easier cost management, centralized billing, and the ability to apply guardrails to the entire organization.

00:09:44 Learn how to set up an AWS Landing Zone using AWS Control Tower, including organizing accounts into organizational units, applying common security policies, and separating production from non-production workloads.

🔑 AWS Control Tower provides a way to set up and manage AWS accounts and resources within an organization.

📚 Organizational Units (OUs) can be used to group accounts, apply policies, and share resources based on specific use cases or environments.

🔒 Design principles for organizing accounts include separating production and non-production workloads, applying guardrails to OUs, and using federated access and automation for improved security and scalability.

00:19:31 Learn how to set up AWS Landing Zone with AWS Control Tower, including creating new accounts and enabling Control Tower in an existing organization.

🔑 The setup of an AWS Landing Zone involves central networking accounts to manage network-related resources and recommended sandbox accounts for testing.

⚙️ Start simple by organizing workloads and security tooling into dedicated organizational units. Expand as needed and avoid complexity from the beginning.

🔒 Enabling Control Tower in an existing organization requires completing the prerequisites, setting up Control Tower without impacting existing accounts, and deploying guardrails to protect resources.

00:29:20 Learn how to set up AWS Landing Zone with AWS Control Tower, including enrollment of existing accounts and configuration of key features like guardrails, SCPs, AWS SSO, CloudTrail, default VPC, and shared resources.

🔒 Enrolling AWS accounts in Control Tower requires manual selection and management.

🔌 Third-party integrations may need to be checked when using Control Tower.

🔐 AWS SSO configuration and permissions are affected by Control Tower.

📦 CloudTrail logs are directed to a log archive account managed by Control Tower.

🌐 Default VPC configuration is automatically deployed to new AWS accounts.

🔄 Enrollment of existing accounts does not modify shared resources, but individual checks are needed.

🔑 Enrollment prerequisites include having AWS Control Tower execution role and resolving any conflicts.
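A pre-enrollment check for the execution-role prerequisite above, as an added example that is not from the video or from AWS. It assumes AWS's documented manual-enrollment setup, none of which is stated on this page: a role named AWSControlTowerExecution that trusts the management account and has AdministratorAccess attached. The sample roles and account IDs are constructed.

```python
ROLE_NAME = "AWSControlTowerExecution"  # assumed role name, per AWS documentation
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value)

def trusted_principals(trust_policy):
    """Collect AWS principals that an Allow statement lets call sts:AssumeRole."""
    found = set()
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
        else:
            found.update(_as_list(principal.get("AWS", [])))
    return found

def check_execution_role(role, attached_policy_arns, management_account_id):
    """Return findings for one account; an empty list means the role looks ready."""
    findings = []
    if role.get("RoleName") != ROLE_NAME:
        findings.append(f"role is not named {ROLE_NAME}")
    allowed = {management_account_id, f"arn:aws:iam::{management_account_id}:root"}
    principals = trusted_principals(role.get("AssumeRolePolicyDocument", {}))
    if not principals & allowed:
        findings.append("management account is not trusted")
    findings += [f"unexpected trusted principal: {p}" for p in sorted(principals - allowed)]
    if ADMIN_POLICY_ARN not in attached_policy_arns:
        findings.append("AdministratorAccess is not attached")
    return findings

def make_role(principals):
    """Build a constructed role in the shape `aws iam get-role` returns under "Role"."""
    return {"RoleName": ROLE_NAME, "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": principals}}]}}

# Constructed sample data: account IDs are placeholders.
MGMT = "111111111111"
GOOD = make_role(f"arn:aws:iam::{MGMT}:root")
BAD = make_role([f"arn:aws:iam::{MGMT}:root", "arn:aws:iam::999999999999:root"])

if __name__ == "__main__":
    print(check_execution_role(GOOD, [ADMIN_POLICY_ARN], MGMT))
    print(check_execution_role(BAD, [], MGMT))
```

Any principal other than the management account in the trust policy is reported, since that role carries administrator rights in the enrolled account.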

00:39:05 Learn how to set up AWS Landing Zone using AWS Control Tower without any hassle. Enroll accounts, add guardrails, and customize your Control Tower configuration.

🔑 Setting up AWS Landing Zone with AWS Control Tower is best done by enrolling the accounts in a Control Tower managed organizational unit.

⚙️ Enrolling the accounts automatically adds the AWS Control Tower execution role and resolves errors and issues easily.

🔒 There are limitations regarding SCPs and nested organizational units, but starting with less critical accounts and ensuring account owners understand the enrollment process can make it simpler.

00:48:51 Learn how to set up AWS Landing Zone and AWS Control Tower to enroll and manage accounts in an organizational unit, using the Control Tower Account Factory and Service Catalog.

🔑 Setting up AWS Landing Zone with AWS Control Tower

🔒 Enrolling AWS accounts into the organizational unit

🛠️ Using the Control Tower Account Factory to create and manage accounts

00:58:37 This video demonstrates how to set up AWS Landing Zone with AWS Control Tower, including creating an account and activating a guardrail. It also discusses the cost and future workshops.

🔧 Customers can use the API provided by AWS Service Catalog to programmatically launch products and initiate account creation.

🔒 The video demonstrates how to activate a guardrail for an organizational unit in the AWS Control Tower dashboard to ensure compliance with S3 bucket versioning.

Account creation and guardrail activation may take some time, but future updates are expected to allow for multiple account creation simultaneously.

Summary of a video "Set up AWS Landing Zone with AWS Control Tower" by DevOps and Cloud Labs on YouTube.