Examples of the 102,000+ reviews on PeerSpot:

Head of Platform Engineering at a computer software company with 1,001-5,000 employees
Real User
Top 5
Jul 31, 2025
Streamlines governance and security management but requires effort in managing hidden costs
Pros and Cons
  • "The advantages of AWS Control Tower that stand out for me include centralized management and easy governance control."

    What is our primary use case?

    I use AWS Control Tower to enhance governance, enhance security, and manage multiple subsidiaries. We sunset the AWS Control Tower that I implemented, but it was a new project that we implemented. It is good for some use cases and not suitable for others, especially when I built the common blockchain infrastructure for the whole CP group in Thailand which has multiple organizations and subsidiaries. When it scaled down, the project needed to run at a very small scale. AWS Control Tower is too complex for a small team, but for big projects with multiple BUs and one single team to manage them, AWS Control Tower can be suitable.

    What is most valuable?

    The advantages of AWS Control Tower that stand out for me include centralized management and easy governance control. We can implement policy as code.

    My experience with the automated security guardrails in AWS Control Tower shows it has a built-in mechanism on the security control policy. In the past, we would create the policy on paper and in an Excel sheet. Now we need to create a JSON format that can be kept and stored on a Git repository for the blueprint, making it easier for tracking changes.

    I leverage Account Factory customization options in AWS Control Tower; it is a useful feature, but it forces you to use it if you use AWS Control Tower. It is useful because if you create the template for the account, when you provision it, it can be simpler to scale or provision the new account. For example, if you have a security team for company A and create the account template, then if you have another company, you can use the Account Factory to create and provision it. The centralized logging and monitoring functionalities in AWS Control Tower are useful, but I did not use them much at that time. We implemented it and provisioned it, and later on, we were just monitoring. It has some hidden costs or we do not know how to manage it appropriately.

    What needs improvement?

    I believe AWS Control Tower could be improved. I compare it with Huawei Cloud's enterprise project, which is a similar concept but different implementation. In Huawei Cloud, you partition in one single account, but in AWS, you have to separate many accounts. You end up with maybe 20 or 30 accounts if you try to separate. It has limitations; you pay a fixed amount for 15 accounts, but if you exceed that, you have to pay more. It could be useful for implementing a Cloud Center of Excellence (CCOE) for multiple organizations, but for one organization, I would advise against it; it is too much overhead and adds hidden costs.

    There are limitations on the Landing Zone feature as well. If we implement AWS Control Tower, we need to implement Landing Zone and the security policy, guardrails, and Account Factory; it is not one single product. Using another cloud's enterprise project, you can just create the project and manage it already. It requires some learning curve to get hands-on.

    For pricing and licensing of AWS Control Tower, it has hidden costs. The Control Tower itself does not cost much, but the child accounts created from AWS Control Tower add costs for checking all configurations, logging, and metrics.

    For how long have I used the solution?

    I have been working with AWS Control Tower for around three to four years.

    What was my experience with deployment of the solution?

    The installation of AWS Control Tower is challenging at the beginning. However, after you have done it once, it becomes clear that it is not that difficult. You can follow through the guideline, but there are many processes. At that time, there were many manual processes, scripting to create it, and YAML files to develop.

    What do I think about the stability of the solution?

    I do not see any issues about stability; there are no glitches or latency issues.

    What do I think about the scalability of the solution?

    The solution is scalable enough; it just has limitations in terms of commercial pricing. They add soft limits on the product.

    How are customer service and support?

    My experience with technical support from AWS is satisfactory. It depends on each project. If we go for premium support, they have a technical account manager and treat you very well, but for the developer plan support, it is just adequate. Some issues take two to three months to resolve, while others can resolve in just one or two days. I would rate it around eight.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Regarding CyberArk, I am not really touching the product; I just see it all the time, but I used 1Password. That solution I used is not from Delinea; it is from 1password.com. Before it was for personal use, but now it has stepped into software development. It integrates with Kubernetes and command line and is developer-friendly.

    I see 1Password Business, but the team plan is sufficient on my side for the new small team. I try to create a corporate startup and use it for the new project.

    How was the initial setup?

    AWS Control Tower creates many issues from the operation point of view and requires the engineer to get a better understanding. It takes time, and it can become a blocker because our engineers do not understand it enough. It requires a learning curve to use it. After that, AWS Control Tower can integrate with the AWS service because it is suitable for the AWS environment. There is the product to learn, and AWS has documentation, but I think it needs some kind of demo on it, an interactive demo—not only the text. There is a lot of text that engineers need to read and understand. It would be better to have an interactive demo or a sandbox environment to play.

    What was our ROI?

    For ROI, I do not see it yet. At that time, it felt excessive because when we create a new project, it should be something small and go to market fast, or an MVP product. We originally wanted every organization in the big group to use this, but in real execution, we only had a pilot for one organization, which made it feel useless. If we have a clear direction on the group company wanting to implement a CCOE, then this should be the way.

    Which other solutions did I evaluate?

    Only AWS has AWS Control Tower; the other clouds have their own products. The Landing Zone is a concept that every cloud can implement, but Control Tower is the product name of AWS.

    What other advice do I have?

    I am Head of Platform Engineering at Ascentcorp. Hybrid and multi-cloud is how I have it set up. We have multiple projects, and it depends on what kind of requirement. On cloud is around 60 to 70%, and 30 to 40% is on-premises. I have it on AWS cloud and also on Huawei Cloud. I buy some products from AWS Marketplace directly, but not much. Currently, I mostly use our own deployment, self-managed. I used the product from AWS, and we use AWS extensively. We are the number one customer in Thailand that uses AWS. We use many AWS services including EKS, RDS, S3, and the network services Transit Gateway, Landing Zone, Control Tower, MSK, EMR and EBS. The Landing Zone capability is useful but has some limitations. It has hidden costs and operational overhead on managing the Landing Zone security. If everything is fully implemented, it is good for the long term and for large organizations; it helps with fine-grained cost tracking on each unit. I rate AWS Control Tower a seven out of ten.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    Last updated: Jul 31, 2025
    MuhammadAzhar Khan - PeerSpot reviewer
    Senior DevOps Engineer at a tech vendor with 10,001+ employees
    Real User
    Top 5 Leaderboard
    Dec 25, 2024
    Unified security management ensures comprehensive compliance for account safety
    Pros and Cons
    • "Control Tower offers many valuable features for managing all account security."
    • "I would rate the solution a 10 out of 10."
    • "There is a sync issue within the organization. It is important that the system syncs automatically instead of requiring me to manually choose sync options."

    What is our primary use case?

    I use Control Tower with my AWS organization whenever I want to sync the security part with the integration and manage those parts via AWS Control Tower. I primarily use it for security purposes and to manage the security of child accounts within my AWS organization.

    What is most valuable?

    Control Tower offers many valuable features for managing all account security. I can manage user security and user IAM, firewall, and other security-related tasks via Control Tower. The unified security management is a crucial aspect, and whenever an AWS organization is used, Control Tower is typically included to ensure comprehensive compliance fulfillment.

    What needs improvement?

    There is a sync issue within the organization. It is important that the system syncs automatically instead of requiring me to manually choose sync options.

    For how long have I used the solution?

    I have used the solution for three years.

    What do I think about the stability of the solution?

    I rate the stability ten out of ten. 

    It is a stable solution managed by AWS, which ensures that I find the products stable as well.

    What do I think about the scalability of the solution?

    I rate the scalability ten out of ten. It is beneficial because it is totally managed by AWS, meaning I do not have to worry about scalability or durability.

    How are customer service and support?

    I have not used customer support specifically for Control Tower, yet, given the quality of AWS services, I believe their support for this product is also good.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    I rate the initial setup eight out of ten. Although minor tricky aspects exist, such as choosing the organization and control towers needed for multiple accounts, the process overall is relatively simple.

    What's my experience with pricing, setup cost, and licensing?

    Control Tower within the AWS Organization does not have a charge. It is free and does not incur additional charges.

    What other advice do I have?

    In terms of advice for new users, I suggest focusing on your AWS goal and the compliance you need to achieve. 

    Once you understand your compliance requirements, you can sync the rules with Control Tower to ensure everything is in line with your needs.

    I would rate the solution a 10 out of 10.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company has a business relationship with this vendor other than being a customer: Consultant