Head of Platform Engineering at Ascend Group Co., Ltd.
Real User
Top 5
2025-07-31T06:09:39Z
Jul 31, 2025
I believe AWS Control Tower could be improved. I compare it with Huawei Cloud's enterprise project, which is a similar concept but different implementation. In Huawei Cloud, you partition in one single account, but in AWS, you have to separate many accounts. You end up with maybe 20 or 30 accounts if you try to separate. It has limitations; you pay a fixed amount for 15 accounts, but if you exceed that, you have to pay more. It could be useful for implementing a Cloud Center of Excellence (CCOE) for multiple organizations, but for one organization, I would advise against it; it is too much overhead and adds hidden costs. There are limitations on the Landing Zone feature as well. If we implement AWS Control Tower, we need to implement Landing Zone and the security policy, guardrails, and Account Factory; it is not one single product. Using another cloud's enterprise project, you can just create the project and manage it already. It requires some learning curve to get hands-on. For pricing and licensing of AWS Control Tower, it has hidden costs. The Control Tower itself does not cost much, but the child accounts created from AWS Control Tower add costs for checking all configurations, logging, and metrics.
There is a sync issue within the organization. It is important that the system syncs automatically instead of requiring me to manually choose sync options.
There aren't any additional features that I feel are missing. However, it's worth noting that Control Tower seems to function as a layer utilizing standard AWS products in the background. Occasionally, the interface may appear less streamlined, with changes in layout based on the underlying products being used. While this doesn't impact functionality, having a more standardized user interface, irrespective of the background products, could enhance the user experience.
The sole drawback is its restriction to enable only one Control Tower. This limitation hinders its effectiveness, particularly for organizations or management accounts with multiple subsidiaries that require more than one.
It is undoubtedly a growing service, and it's evident that AWS is continuously working to improve it. However, some challenges do arise when it comes to migrating existing accounts that are not yet under Control Tower into the system. This process often involves creating specific roles manually, and it can be somewhat tedious and there isn't a readily available set of guidelines for this process. It requires some searching and digging through to find the necessary information. It is essential to clarify that this isn't necessarily a drawback of the service, but having a clear and concise set of predefined guidelines from AWS for moving existing accounts under AWS Control Tower would be highly beneficial as it would simplify the process and make it more user-friendly.
It could be improved by having a more intuitive graphical interface. It could also include other coding languages like PowerShell and Python, as it would be beneficial for DevOps recommendations. Having the capability to create architectural designs in a diagram format while creating the landing zone would help showcase the design to higher-level stakeholders.
AWS Cloud Engineer/Cloud Architect at Landmark Technologies
Real User
Top 5
2023-09-15T20:07:35Z
Sep 15, 2023
You don't do anything when you set up these landing zones, such as the AWS Organization single sign-on. Everything is preconfigured, and you just have to do automation. Everything is established in the environment. If Control Tower could do this, it would be much better where all the security tools are already in it. I know AWS has its security tools, like Security Hub and Cloud Check, with minimal configuration. It would be much better if you set up the landing zone, which is the master account in the foundation of the environment, and all these tools are included. You should just get to go in and go, "Okay, I need this at this particular time." You should get to go in and do it. There should be more automation security tools in the Control Tower.
Infrastructure analyst specialized in cloud computing at IT2GO Solutions
Real User
2023-03-08T16:59:05Z
Mar 8, 2023
The integration with other AWS functions has room for improvement. I would like the ability to integrate other options or functions into the organization. The initial setup is a bit complex and has room for improvement.
AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and enables governance using guardrails you can choose from a pre-packaged list.
AWS should provide more resources, examples, and tutorials. Mastering the technology will be more wonderful, but it takes some time to moderate.
The tool's setup is very technical. Its pricing can be cheaper.
There could be more features for security and automation in the product.
While using the solution recently, it broke a certain activity. So, AWS Control Tower needs to consider making the solution better.