In today’s scenario there are plenty of customers facing challenges in terms of regulatory and compliance in IT industry. There is various customer onboarding on AWS. There are various compliance and audit which needs to be met for uninterrupted function of the organization.

There are always chances of human error while onboarding of the customer like security, governance, reliability and control. To mitigate these challenges faces by the customer AWS Control tower plays vital role in terms of regulating, controlling and maintaining the compliance.

Before going into deep dive in the AWS Control tower lets have briefing about what is control tower and its functionality.

What is AWS Control Tower?

AWS Control Tower offers a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. AWS Control Tower orchestrates the capabilities of several other AWS services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center (successor to AWS Single Sign-On), to build a landing zone in less than an hour. Resources are set up and managed on your behalf.

In other terms AWS Control tower ease the setup, govern, compliant and security including AWS Best practices strategy. It helps also in defining the AWS Multi Account AWS Strategy and ease the manageability of enterprise accounts and thousands of accounts using automation strategy and mitigating the chances of errors.

Structure of an AWS Control Tower Landing Zone

The structure of a landing zone in AWS Control Tower is as follows:


The parent that contains all other OUs in your landing zone.

Core OU

This OU contains the log archive and audit member accounts. These accounts often are referred to as shared accounts.

Custom OU

The custom OU is created when you launch your landing zone. This and other member OUs contain the member accounts that your users work with to perform their AWS workloads.

AWS SSO directory

This directory houses your AWS SSO users. It defines the scope of permissions for each AWS SSO user.

AWS SSO users

These are the identities that your users can assume to perform their AWS workloads in your landing zone.

Structure of an AWS Control Tower Landing Zone

AWS Control Tower functions using CloudFormation stack lets have a look into below architecture to have a better understanding of AWS Control Tower.




  1. 1. Create an IAM User with Admin Privileges.
  2. 2. Identify the Region in which you want to create a Landing Zone.
  3. 3. Control Tower Requires Three E-mail Id which is used to create following accounts: –
  • Management Account
  • Logs Account
  • Audit Account

Note: – Make sure that this E-mail Id’s has never been used in AWS before.

Steps To Be Followed: -

  1. 1. Open the AWS Management Console for the Payer Account.


  1. 2. Search for the Control Tower from the search bar.
  1. 3. Click on the Set-up Landing Zone.
  1. 4. Select the AWS Home Region for AWS Landing Zone Setup.
  1. 5. Set the option as disabled because if you enable it while setting up control tower you will not be able to enable it for any other region later on, so for best practice we put it as disabled.
  1. 6. If you want to add governance for multiple regions select the regions and add.
  1. 7. After setting up click on Next.
  3. 8. Configure Organization Unit (OUs) and then Next.
  1. 9. Now you can configure shared Accounts.
  3. 10. Add the E-mail Id of for Management account which we have created earlier.
  1. 11. Configure your log archive account and choose the appropriate option new or existing accordingly and if you have any existing account choose the existing option as for our scenario, we are using new.
  1. 12. Configure your audit account and choose the appropriate option new or existing accordingly and if you have any existing account choose the existing option as for our scenario, we are using New.
  1. 13. Configure cloud trail to get AWS Control Tower Aggregates information from all accounts into the organization trail and delivers the logged information to a specified s3 bucket.
  1. 14. Configure KMS encryption you want to enable it for resources in control tower.
  1. 15. Configure S3 bucket for storing logs you can define the retention periods
  1. 16. Now Review all the configuration you have done click on the checkbox and setup the Landing Zone.
  3. 17. It will take around 60 Minutes to complete the Landing Zone Set-up.
  1. Monitoring: –

    Monitoring is the important part of checking the performance of control tower and other AWS Solutions. In AWS there are various monitoring tool available for checking the report of control tower if something went wrong. You can check the monitoring with the help of CloudWatch, CloudWatch events, CloudWatch logs and CloudTrail.

About the Author:

Akanshu Narang is a Functional Analyst in MTSL’s Cloud Native practice. He has work experience in Solution designing, Planning and implementation, Complete end to end transformations of infrastructure, Cost Optimizations, Disaster Recovery Planning, End-to-End migration of On-Premise Data center workloads to cloud, cloud-to-cloud which including target environment Assessment and planning of migration strategy.


Trends and insights from our IT Experts