Share your experience using AWS Control Tower

We utilized AWS Control Tower for implementing guardrails, mainly for account creation and enforcing rules related to security, application access, and other relevant aspects. The tool ensures that CI/CD pipelines, incorporating TerraForm codes, are only accepted if they adhere to the predefined guardrails established by the company.

With Control Tower, there's no need to worry about individuals creating accounts and introducing risks to the company. Control Tower ensures that everything created in the organization is regulated. People are compelled to adhere to established rules. The key is to ensure that these rules are practical. If, for instance, you restrict internet access, it means no one in the organization can access the internet. Therefore, it's essential to carefully define rules, specifying the required IP addresses, interfaces, and security protocols to achieve the desired regulation within AWS.

The most intriguing feature is the automatic generation of user accounts. Leveraging Active Directory and global company settings, AWS Control Tower enables the creation of AWS user accounts based on job descriptions in Active Directory. This establishes a direct correlation between the user's name, job definition, and the corresponding rules applied to each account.

There aren't any additional features that I feel are missing. However, it's worth noting that Control Tower seems to function as a layer utilizing standard AWS products in the background. Occasionally, the interface may appear less streamlined, with changes in layout based on the underlying products being used. While this doesn't impact functionality, having a more standardized user interface, irrespective of the background products, could enhance the user experience.

I have been using AWS Control Tower for one year.

The stability of AWS Control Tower is satisfactory. It's a reliable product that builds upon existing AWS services, providing a user-friendly interface to streamline various tasks. The product is well-established and stable, offering a comprehensive solution that ensures all relevant aspects of a task are addressed, preventing oversights that may occur when performed manually.

The scalability of AWS Control Tower is commendable. When you use this product, you automatically gain additional resources from AWS, and this scalability feature is provided without incurring extra charges. For instance, the automatic user creation or account creation function may have a minimal cost, like a few cents per user per year, making it an almost free-of-charge feature.

Positive

We utilize AWS products for security, firewall, and networking settings. However, when managing manual processes within AWS, coordination among different departments, such as network and security, can become challenging. Control Tower becomes invaluable in this context, compelling us to establish a comprehensive plan rather than individualized setups. This ensures a global approach to AWS implementation, reducing the risks associated with inconsistent data access and unauthorized permissions.

The user interface is generally straightforward, but it involves a combination of different products in the background. One complexity arises when interfacing with Active Directory, especially when bridging AWS and Azure. AWS makes assumptions, while Azure's Active Directory can be highly customized. In many cases, companies have diverse Active Directory setups due to mergers, making it challenging to connect AWS to Azure seamlessly. Improvement could be made in handling the variety of Active Directory configurations, considering that companies often have a mix of settings rather than a single standardized setup. Activating Control Tower is straightforward, and it should be done before creating AWS accounts. In an existing AWS implementation, activating Control Tower can be impactful, as previous builds might lack control over guardrails and security settings implemented in Control Tower. This could lead to disruptions in working environments, and it is recommended to either create Control Tower at the beginning of a project or set it up alongside existing environments. Verifying that everything works before transitioning to production is crucial to avoid the high risk of disruptions in the production environment.

We handled the deployment in-house without the need for external consultants or integrators. By default, all users entering the company are automatically connected to Control Tower. Regarding the technical team for deployment and maintenance, we had an architect each for security, networking, and AWS cloud, along with one manager and one engineer for implementation—so, in total, five people.

I believe it's free of charge or comes at a very low cost. It's an additional feature. Even if there is a fee, it's minimal. AWS seems to assist customers in gaining a comprehensive view of their security setups within AWS. Using Control Tower is highly recommended, especially as your company grows and involves Active Directory, various departments, and different architectural aspects. It becomes more advisable to leverage Control Tower rather than managing these aspects manually, especially for larger organizations.

Overall, I rate the solution a nine out of ten. 

AWS Control Tower helps to save a lot of work and manage multiple accounts. 

The tool's setup is very technical. Its pricing can be cheaper. 

I have been working with the product for three years. 

AWS Control Tower's stability is excellent. 

The product is very scalable. My company has two users for the product. 

I rate AWS Control Tower a ten out of ten since it is easy and automated.