What is our primary use case?
We utilized AWS Control Tower for implementing guardrails, mainly for account creation and enforcing rules related to security, application access, and other relevant aspects. The tool ensures that CI/CD pipelines, incorporating Terraform code, are only accepted if they adhere to the predefined guardrails established by the company.
How has it helped my organization?
With Control Tower, there's no need to worry about individuals creating accounts and introducing risks to the company. Control Tower ensures that everything created in the organization is regulated. People are compelled to adhere to established rules. The key is to ensure that these rules are practical. If, for instance, you restrict internet access, it means no one in the organization can access the internet. Therefore, it's essential to carefully define rules, specifying the required IP addresses, interfaces, and security protocols to achieve the desired regulation within AWS.
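The two points above (Terraform changes only pass the pipeline if they respect the company guardrails, and rules such as "no internet exposure" have to be spelled out concretely) can be illustrated with a small CI gate. The following is an added example, not the reviewer's pipeline nor an AWS Control Tower component: it reads the JSON that `terraform show -json` produces for a plan and rejects it when a constructed region allow-list is violated or when a security group opens an ingress rule to the whole internet. The allow-list, the sample plan and all resource names are constructed for the example.

```python
"""Added illustration (not the reviewer's pipeline): a minimal CI gate that
rejects a Terraform plan when it violates company guardrails.

Assumptions (constructed for this example):
- the pipeline runs `terraform show -json tfplan` and hands the JSON to gate();
- guardrail 1: AWS provider blocks may only target an allow-listed region;
- guardrail 2: no security-group ingress rule may be open to 0.0.0.0/0 or ::/0.
"""
import json
import sys

ALLOWED_REGIONS = {"eu-west-1", "eu-central-1"}   # constructed company policy
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}                # "the whole internet"

# Constructed plan fragment in the `terraform show -json` shape (only the keys
# the checks below look at are included).
SAMPLE_PLAN = {
    "configuration": {
        "provider_config": {
            "aws": {"expressions": {"region": {"constant_value": "us-east-1"}}}
        }
    },
    "resource_changes": [
        {
            "address": "aws_security_group.web",
            "type": "aws_security_group",
            "change": {
                "actions": ["create"],
                "after": {
                    "ingress": [
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []},
                        {"from_port": 443, "to_port": 443, "protocol": "tcp",
                         "cidr_blocks": ["10.0.0.0/8"], "ipv6_cidr_blocks": []},
                    ]
                },
            },
        },
        {
            "address": "aws_s3_bucket.logs",
            "type": "aws_s3_bucket",
            "change": {"actions": ["create"], "after": {"bucket": "example-logs"}},
        },
    ],
}


def check_regions(plan, allowed=ALLOWED_REGIONS):
    """One violation per AWS provider block whose region is not allow-listed."""
    violations = []
    providers = plan.get("configuration", {}).get("provider_config", {})
    for name, cfg in providers.items():           # keys look like "aws" or "aws.alias"
        if not name.startswith("aws"):
            continue
        region = cfg.get("expressions", {}).get("region", {}).get("constant_value")
        if region not in allowed:                  # None (unset or variable) also fails
            violations.append(f"provider {name}: region {region!r} not in allow-list")
    return violations


def check_open_ingress(plan):
    """One violation per security-group ingress rule reachable from the internet."""
    violations = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_security_group":
            continue
        # A resource being destroyed has "after": null; nothing to evaluate then.
        after = rc.get("change", {}).get("after") or {}
        for rule in after.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            exposed = cidrs & OPEN_CIDRS
            if exposed:
                violations.append(
                    f"{rc['address']}: ingress {rule.get('from_port')}-{rule.get('to_port')}/"
                    f"{rule.get('protocol')} open to {sorted(exposed)}"
                )
    return violations


def evaluate_plan(plan):
    """Run every guardrail; an empty list means the plan may proceed."""
    return check_regions(plan) + check_open_ingress(plan)


def gate(plan) -> bool:
    """CI entry point: True = apply may run, False = block the pipeline."""
    violations = evaluate_plan(plan)
    for v in violations:
        print("GUARDRAIL VIOLATION:", v)
    return not violations


if __name__ == "__main__":
    # Pipe `terraform show -json tfplan` in, or run without input for the sample.
    plan = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_PLAN
    accepted = gate(plan)
    print("plan accepted" if accepted else "plan rejected")
    sys.exit(0 if accepted else 1)
```

The sample plan is rejected twice: the provider targets `us-east-1`, and the SSH rule is open to `0.0.0.0/0`, while the HTTPS rule limited to `10.0.0.0/8` passes. The non-zero exit status is what makes the CI job fail, which is the enforcement step the review describes; the same checks could equally be expressed as preventive guardrails at the organization level so that they also apply to changes made outside the pipeline.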
What is most valuable?
The most intriguing feature is the automatic generation of user accounts. Leveraging Active Directory and global company settings, AWS Control Tower enables the creation of AWS user accounts based on job descriptions in Active Directory. This establishes a direct correlation between the user's name, job definition, and the corresponding rules applied to each account.
What needs improvement?
There aren't any additional features that I feel are missing. However, it's worth noting that Control Tower seems to function as a layer utilizing standard AWS products in the background. Occasionally, the interface may appear less streamlined, with changes in layout based on the underlying products being used. While this doesn't impact functionality, having a more standardized user interface, irrespective of the background products, could enhance the user experience.
For how long have I used the solution?
I have been using AWS Control Tower for one year.
What do I think about the stability of the solution?
The stability of AWS Control Tower is satisfactory. It's a reliable product that builds upon existing AWS services, providing a user-friendly interface to streamline various tasks. The product is well-established and stable, offering a comprehensive solution that ensures all relevant aspects of a task are addressed, preventing oversights that may occur when performed manually.
What do I think about the scalability of the solution?
The scalability of AWS Control Tower is commendable. When you use this product, you automatically gain additional resources from AWS, and this scalability feature is provided without incurring extra charges. For instance, the automatic user creation or account creation function may have a minimal cost, like a few cents per user per year, making it an almost free-of-charge feature.
How are customer service and support?
Regarding technical support, it's quite okay, but it's specific to Control Tower matters. They don't assist with security rule setups, access permission configurations, or Active Directory integration. Those aspects need to be handled by our own team or the company.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We utilize AWS products for security, firewall, and networking settings. However, when managing manual processes within AWS, coordination among different departments, such as network and security, can become challenging. Control Tower becomes invaluable in this context, compelling us to establish a comprehensive plan rather than individualized setups. This ensures a global approach to AWS implementation, reducing the risks associated with inconsistent data access and unauthorized permissions.
How was the initial setup?
The user interface is generally straightforward, but it involves a combination of different products in the background. One complexity arises when interfacing with Active Directory, especially when bridging AWS and Azure. AWS makes assumptions, while Azure's Active Directory can be highly customized. In many cases, companies have diverse Active Directory setups due to mergers, making it challenging to connect AWS to Azure seamlessly. Improvement could be made in handling the variety of Active Directory configurations, considering that companies often have a mix of settings rather than a single standardized setup. Activating Control Tower is straightforward, and it should be done before creating AWS accounts. In an existing AWS implementation, activating Control Tower can be impactful, as previous builds might lack control over guardrails and security settings implemented in Control Tower. This could lead to disruptions in working environments, and it is recommended to either create Control Tower at the beginning of a project or set it up alongside existing environments. Verifying that everything works before transitioning to production is crucial to avoid the high risk of disruptions in the production environment.
What about the implementation team?
We handled the deployment in-house without the need for external consultants or integrators. By default, all users entering the company are automatically connected to Control Tower. Regarding the technical team for deployment and maintenance, we had an architect each for security, networking, and AWS cloud, along with one manager and one engineer for implementation—so, in total, five people.
What's my experience with pricing, setup cost, and licensing?
I believe it's free of charge or comes at a very low cost. It's an additional feature. Even if there is a fee, it's minimal. AWS seems to assist customers in gaining a comprehensive view of their security setups within AWS. Using Control Tower is highly recommended, especially as your company grows and involves Active Directory, various departments, and different architectural aspects. It becomes more advisable to leverage Control Tower rather than managing these aspects manually, especially for larger organizations.
What other advice do I have?
Overall, I rate the solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.