AWS Glossary
AWS Control Tower
Managed service that automates AWS landing zone setup, multi-account governance, and compliance monitoring with preventive, detective, and proactive controls.
Definition
AWS Control Tower is a managed service that sets up and governs a multi-account AWS environment on top of AWS Organizations, Service Control Policies (SCPs), and AWS Config. It automates landing zone provisioning, enforces controls (AWS renamed “guardrails” to “controls” in 2023), and provides a compliance dashboard across accounts. Account Factory, delivered through AWS Service Catalog, provisions new accounts with baseline settings; Account Factory for Terraform (AFT) is the GitOps-oriented path for Terraform-native organizations.
When to use it
- Standing up a new multi-account estate where you want AWS-maintained landing zone baselines instead of hand-rolling CloudFormation for every guardrail
- Organizations that need preventive, detective, and proactive controls with a central compliance view
- Teams standardizing on IAM Identity Center (formerly AWS SSO) for human access across accounts
- Terraform shops that want AFT to customize account vending without abandoning Infrastructure as Code
When not to use it
- Highly bespoke landing zones where every SCP, OU structure, and network pattern diverges from Control Tower’s model — a manual or custom landing zone may fit better
- Single-account AWS environments — Control Tower’s overhead is not justified
- Replacing an entrenched manual landing zone without a migration plan — account moves and SCP inheritance changes are disruptive
- Expecting Control Tower to replace a full GRC program — it enforces AWS-native controls, not your entire compliance framework
Tips
- Enable proactive controls (implemented as AWS CloudFormation Hooks) for workloads deployed via IaC; they evaluate the template during stack create and update operations and fail the operation before non-compliant resources exist. They only see CloudFormation operations, so resources created through the console, the SDK, or Terraform still depend on the preventive and detective layers
- Use AFT when Terraform is already your account-provisioning standard; Service Catalog-only flows frustrate platform teams used to GitOps
- Map each control to an owner and exception process before enabling — “blocked by Control Tower” tickets without a path forward erode adoption
- Keep the management account for governance only; SCPs never apply to the management account, so any workload deployed there runs outside every preventive control Control Tower enforces on member accounts
- Review the compliance dashboard quarterly; detective control noise without remediation creates alert fatigue
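A pre-deployment template check in the spirit of a proactive control, as an added example (not AWS code and not the CloudFormation Hooks API): it walks a JSON CloudFormation template, fails S3 buckets that lack public-access blocks or default encryption and security groups that expose SSH to the world, and lists the resource types it cannot judge so the caller knows where to fall back on preventive and detective controls. The check table, the sample template and the findings format are constructed for the example.

```python
"""Emulate a proactive control as a pre-deployment template check.

Added example, not AWS code: real proactive controls run as AWS CloudFormation
Hooks inside the service. This script applies two representative checks to a
JSON CloudFormation template so the behaviour can be run offline, and reports
resource types it has no check for, which is the gap the page warns about.
"""
import json
from dataclasses import dataclass, field


@dataclass
class Report:
    failures: list = field(default_factory=list)   # one line per violation
    unchecked: list = field(default_factory=list)  # resources no check covers

    @property
    def compliant(self) -> bool:
        return not self.failures


def _check_s3_bucket(logical_id, props, report):
    # Require all four public-access-block flags and default encryption.
    pab = props.get("PublicAccessBlockConfiguration", {})
    for key in ("BlockPublicAcls", "BlockPublicPolicy",
                "IgnorePublicAcls", "RestrictPublicBuckets"):
        if pab.get(key) is not True:
            report.failures.append(f"{logical_id}: {key} must be true")
    if "BucketEncryption" not in props:
        report.failures.append(f"{logical_id}: default encryption not configured")


def _check_security_group(logical_id, props, report):
    # Reject ingress rules that expose TCP/22 to any IPv4 or IPv6 address.
    for rule in props.get("SecurityGroupIngress", []):
        world = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
        if str(rule.get("IpProtocol")) == "-1":
            lo, hi = 0, 65535                      # -1 means all protocols/ports
        else:
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
        if world and lo <= 22 <= hi:
            report.failures.append(f"{logical_id}: SSH (22) open to the world")


# Hypothetical check table; resource types not listed here have no proactive
# check in this emulation and fall through to the unchecked list.
CHECKS = {
    "AWS::S3::Bucket": _check_s3_bucket,
    "AWS::EC2::SecurityGroup": _check_security_group,
}


def evaluate_template(template: dict) -> Report:
    """Walk every resource; fail on violations, record uncovered types."""
    report = Report()
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type", "")
        props = resource.get("Properties") or {}
        check = CHECKS.get(rtype)
        if check is None:
            report.unchecked.append(f"{logical_id} ({rtype})")
        else:
            check(logical_id, props, report)
    return report


# Constructed sample template: one compliant bucket, one bare bucket, a
# security group open to the world on 22, and a queue no check covers.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "GoodBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "BucketEncryption": {"ServerSideEncryptionConfiguration": [
        {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
      "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
        "BlockPublicPolicy": true, "IgnorePublicAcls": true,
        "RestrictPublicBuckets": true}}},
    "BadBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "SshOpen": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "demo",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "Queue": {"Type": "AWS::SQS::Queue"}
  }
}
""")

if __name__ == "__main__":
    report = evaluate_template(SAMPLE_TEMPLATE)
    for line in report.failures:
        print("FAIL", line)
    for line in report.unchecked:
        print("UNCHECKED", line)
    raise SystemExit(0 if report.compliant else 1)
```

Wire it as a pipeline step that fails the build on a non-empty failures list; inside CloudFormation the equivalent Hook aborts the stack operation itself. The unchecked list is the useful part for governance: it makes visible which resources no proactive check covers and therefore still rely on SCPs and AWS Config rules.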
Gotchas
Serious
- Terminology drift: Internal docs still saying “guardrails” cause engineers to miss current AWS documentation and support cases referencing controls.
- SCP blast radius: Preventive controls are SCPs, inherited by every account beneath the OU they are enabled on, and there is no dry-run mode. A misconfigured one can block production deployments organization-wide. Enable it on a sandbox OU first and confirm the actions your pipelines need are still allowed there before promoting it.
- AFT pipeline failures: A broken AFT customization repo blocks new account provisioning for every request — treat AFT repos like production CI.
Regular
- Control Tower configures CloudTrail and AWS Config in every enrolled account and centralizes the logs in the Log Archive account, with the Config aggregator in the Audit account; teams that run duplicate trails or Config recorders elsewhere pay twice until consolidated.
- Not all AWS services have proactive controls — rely on preventive + detective layers for those gaps.
- Account Factory via Service Catalog and AFT solve the same problem differently; running both without clear ownership confuses requesters.
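One way to size the blast radius before enabling a preventive control, as an added example that is not Control Tower or AWS code: a small model of SCP inheritance that replays a set of probe requests against every account in an org tree and reports which requests a candidate SCP would newly deny if attached at a given OU versus at the root. The org tree, the region-deny SCP and the probes are constructed sample data, and only the policy grammar such SCPs commonly use is implemented; it is not an IAM policy simulator.

```python
"""Dry-run the blast radius of an SCP before enabling it.

Added example, not AWS or Control Tower code. It models the Organizations rule
behind inheritance: a request succeeds only if the SCPs at every level from the
root down to the account allow it, and an explicit Deny at any level wins. Only
the grammar of common region/service deny SCPs (Action, NotAction, StringEquals,
StringNotEquals) is handled; the org tree, SCP and probes are constructed data.
"""
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    policies: list = field(default_factory=list)  # SCP documents attached here
    children: list = field(default_factory=list)
    is_account: bool = False

FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _matches(patterns, action):
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def _condition_holds(condition, ctx):
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else expected
            if (ctx.get(key) in expected) != (operator == "StringEquals"):
                return False
    return True

def _statement_applies(stmt, action, ctx):
    matched = (not _matches(stmt["NotAction"], action) if "NotAction" in stmt
               else _matches(stmt.get("Action", []), action))
    return matched and _condition_holds(stmt.get("Condition"), ctx)

def _level_allows(policies, action, ctx):
    """One node's attached SCPs: explicit Deny wins, else an Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def _account_paths(node, path=()):
    path = path + (node,)
    if node.is_account:
        yield path
    for child in node.children:
        yield from _account_paths(child, path)

def is_allowed(path, action, ctx, extra=None):
    """Every level on the root-to-account path must allow the request;
    `extra` maps a node name to policies evaluated as if attached there."""
    extra = extra or {}
    return all(_level_allows(n.policies + extra.get(n.name, []), action, ctx)
               for n in path)

def blast_radius(root, target, policy, probes):
    """Accounts that newly lose probe requests if `policy` is attached at `target`."""
    extra, lost = {target: [policy]}, {}
    for path in _account_paths(root):
        denied = [label for label, action, ctx in probes
                  if is_allowed(path, action, ctx)
                  and not is_allowed(path, action, ctx, extra)]
        if denied:
            lost[path[-1].name] = denied
    return lost

def build_sample_org():
    """Constructed Control Tower-shaped org; FullAWSAccess sits at every level."""
    def ou(name, children):
        return Node(name, [FULL_AWS_ACCESS], children)
    def account(name):
        return Node(name, [FULL_AWS_ACCESS], is_account=True)
    return ou("Root", [
        ou("Security", [account("log-archive"), account("audit")]),
        ou("Workloads", [ou("Prod", [account("prod-app")]),
                         ou("Sandbox", [account("sandbox-1")])])])

# Candidate control in the usual region-restriction shape: deny all outside eu-west-1 bar global services.
REGION_DENY = {"Version": "2012-10-17", "Statement": [{"Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"], "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}}]}

PROBES = [  # (label, action, request context)
    ("ec2:RunInstances@us-east-1", "ec2:RunInstances", {"aws:RequestedRegion": "us-east-1"}),
    ("ec2:RunInstances@eu-west-1", "ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
    ("iam:CreateRole@us-east-1", "iam:CreateRole", {"aws:RequestedRegion": "us-east-1"}),
]

if __name__ == "__main__":  # enabling on one OU versus the whole organization
    for target in ("Sandbox", "Root"):
        print(target, blast_radius(build_sample_org(), target, REGION_DENY, PROBES))
```

Run it with the real OU layout exported from Organizations and the actions your pipelines actually call; the gap between the Sandbox result (one account loses one probe) and the Root result (every account, including Log Archive and Audit, loses it) is the inheritance change the SCP blast radius gotcha warns about.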
Official references
- What is AWS Control Tower? — landing zone automation and core concepts
- Controls in Control Tower — preventive, detective, and proactive control types