What is our primary use case?
How has it helped my organization?
When we took on that project, the client had various business units within their organization, including a BI unit, an engineering unit, and other units related to development and different business functions. They also had a centralized IT team responsible for cloud operations. Initially, their AWS environment was highly decentralized, lacking a centralized management system. They approached us to establish a centralized solution that could handle tasks like creating new AWS accounts based on business needs and enforcing baseline security standards. To address their requirements, we engaged with AWS and, after discussing their needs, concluded that migrating to AWS Control Tower would be the most suitable solution. In addition to Control Tower, we set up a centralized networking system to provide controlled access to new accounts. This approach centralized authentication and access management, simplifying operations. We also implemented various guardrails, as their previous setup lacked mechanisms for account owners to identify and adhere to best practices. After implementation, we organized the AWS organization structure based on their business units, each with its set of preventive and detective guardrails. This allowed for a more structured and controlled environment.
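As an added illustration of the organization structure described above (not code from the review or from AWS Control Tower), the toy model below shows how SCP-style preventive guardrails attached to organizational units combine: an explicit Deny anywhere in an account's OU ancestry applies to that account. The OU names, account IDs and denied actions are constructed for the example and are not Control Tower's own controls.

```python
"""Toy model of OU-scoped preventive guardrails in an AWS Organizations tree.

Added example: models SCP-style inheritance (a Deny on any ancestor OU wins),
not Control Tower's own implementation. All names, IDs and policies below are
constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed OU tree: child -> parent. Accounts are leaves (placeholder IDs).
PARENT = {
    "Root": None,
    "Security": "Root",
    "BI": "Root",
    "Engineering": "Root",
    "111111111111": "Security",     # hypothetical log-archive account
    "222222222222": "BI",
    "333333333333": "Engineering",
}

# Constructed Deny statements per OU (IAM action patterns, '*' wildcards).
GUARDRAILS = {
    "Root": ["organizations:LeaveOrganization"],
    "Security": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "s3:Delete*"],
    "Engineering": ["ec2:*Vpn*", "iam:CreateUser"],
}


def ancestors(node):
    """Yield the node itself and every OU above it up to Root."""
    while node is not None:
        yield node
        node = PARENT[node]


def denied_by(account, action):
    """Return the OU whose guardrail denies `action` for `account`, or None.
    Guardrails inherit downward, so a Deny on any ancestor OU applies."""
    for ou in ancestors(account):
        for pattern in GUARDRAILS.get(ou, []):
            if fnmatchcase(action, pattern):
                return ou
    return None


def is_allowed(account, action):
    """True when no ancestor OU carries a matching Deny."""
    return denied_by(account, action) is None


if __name__ == "__main__":
    for acct, act in [("111111111111", "cloudtrail:StopLogging"),
                      ("333333333333", "cloudtrail:StopLogging"),
                      ("333333333333", "organizations:LeaveOrganization")]:
        verdict = "ALLOW" if is_allowed(acct, act) else f"DENY by {denied_by(acct, act)}"
        print(acct, act, verdict)
```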
What is most valuable?
When we compare it to the earlier approach of setting up from scratch, the solution proved to be highly valuable. With Control Tower, there are ready-to-use automated templates available, simplifying the implementation of a centralized management solution. We have approximately three hundred managed AWS rules that are common to Control Tower, which is a significant advantage. This means we no longer have to write complex Python code, as it is all managed for us. When we need to provision a new AWS account or establish specific guardrails and baselines, Control Tower offers an excellent option. Previously, if we had to create a new account, we had to set up the foundational networking components manually, including writing templates for VPCs, subnets, and more. With Control Tower, it became remarkably easy to configure these baseline networking components for a new AWS account.
What needs improvement?
It is undoubtedly a growing service, and it's evident that AWS is continuously working to improve it. However, some challenges do arise when it comes to migrating existing accounts that are not yet under Control Tower into the system. This process often involves creating specific roles manually; it can be somewhat tedious, and there isn't a readily available set of guidelines for it. It requires some searching and digging around to find the necessary information. It is essential to clarify that this isn't necessarily a drawback of the service, but having a clear and concise set of predefined guidelines from AWS for moving existing accounts under AWS Control Tower would be highly beneficial, as it would simplify the process and make it more user-friendly.
For how long have I used the solution?
We used it for a couple of months.
What do I think about the stability of the solution?
When setting up from scratch, stability isn't usually a major concern as you're starting with a clean slate. The real challenges arise when you have existing accounts that aren't integrated with Control Tower. Achieving stability in such cases can be a bit of a struggle, as it often involves navigating complex configurations and adjustments to align those accounts with Control Tower's framework. I would rate it seven out of ten.
What do I think about the scalability of the solution?
During our discussions, we learned that AWS Control Tower initially allows you to launch it in a single region for each account. This limitation posed a challenge because it doesn't inherently provide high availability across multiple regions. When we inquired with AWS, they confirmed that, at the time, it primarily operated within a single region, even though you can manage multiple regions within that account. While this setup can be highly available within that single region, it presents some complexities when aiming for broader geographical coverage. It does offer scalability, and it can manage a substantial number of accounts. To the best of my knowledge, it supports up to around two hundred to two hundred fifty accounts. I would rate it eight out of ten.
How are customer service and support?
We didn't encounter significant issues, especially since the authentication was handled by us, as a partner.
Which solution did I use previously and why did I switch?
We were previously using AWS Landing Zone, and managing it was relatively straightforward. There was a significant amount of configuration required. We had to set up the AWS organization separately, and there were various aspects to manage under different categories. Control Tower simplifies the management of these interconnected components, making it more efficient and user-friendly.
How was the initial setup?
The initial setup was straightforward. I began using it for the first time last year, and I found it to be an easy and user-friendly tool.
What about the implementation team?
It took approximately one to one and a half hours to set up the basic configuration, while the entire project spanned about six months. This extended timeline was due to various additional tasks we needed to address. We had to centralize networking, establish a centralized firewall, manage ingress and egress controls, and handle a range of other requirements.
What's my experience with pricing, setup cost, and licensing?
I would say it is average. It operates on a pay-as-you-go model, meaning we are charged only for the services we actively use within it.
What other advice do I have?
It is a highly commendable product. It significantly enhances the management of multi-account architectures. It stands out as one of the best products AWS has introduced in recent years. I'm confident that AWS will continue to make enhancements, possibly expanding support to additional regions and introducing more managed rules to seamlessly align with evolving business needs. I would rate it eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.