Control Tower is great until you've already built something
Cloud Security
Control Tower is the right starting point for a greenfield AWS org. Retrofitting it onto a customised account structure is one of the more painful migrations in cloud security. Decide early.
By Arjun Raghavan, Security & Systems Lead, BIPI · March 15, 2024 · 7 min read
We were called in by a media company that had built a custom AWS Organizations setup over four years and was now being told by a new CISO that they had to move to Control Tower. The migration estimate from their integrator was 18 months and 1.2 million pounds. We confirmed the estimate. They paid it because the alternative was a 24-month custom build of the same controls Control Tower provides for free.
Control Tower is AWS's opinionated landing zone: a Security OU with a log archive account and an audit account, a baseline of detective and preventive guardrails (AWS now calls them controls), account vending via Account Factory, and a landing zone that AWS versions and that you update in place from the management account. For a greenfield org it is the right answer. For an org that already has a customised structure, the cost of conformance is real and worth pricing carefully.
What you get on day one
A working multi-account structure with the management account isolated from workloads, a centralised log archive account with versioned, retention-controlled buckets, a security audit account, AWS Config recording in every enrolled account with aggregation across the org, a baseline of about 20 mandatory guardrails plus a catalogue of a few hundred optional ones, and Identity Center wired up. If you are starting from a single account with no governance, all of that is a year of platform engineering you skip.
What breaks during a retrofit
Control Tower expects to own the OU structure, the trails, the Config recorder and delivery channel, and a set of IAM roles in every enrolled account. If your accounts already have those resources configured differently, enrollment fails or, worse, succeeds and silently misconfigures them. We have seen Control Tower enrollment overwrite a custom CloudTrail destination, blowing a hole in compliance evidence collection. Existing custom SCPs at the OU level can conflict with Control Tower's mandatory policies and need to be merged carefully.
- Pre-existing CloudTrail trails: must be reconciled with the org trail Control Tower creates
- Pre-existing Config recorders and delivery channels: must be removed from every region Control Tower governs, not just the home region, before enrollment
- Custom OU structures: typically need to be restructured around the Security OU and the OUs you register with Control Tower; OUs it does not govern get none of the controls
- Federated identity solutions other than Identity Center: run in parallel for months while you migrate
- Cross-account roles created outside Account Factory: the AWSControlTowerExecution role has to exist and trust the management account before enrollment, and the rest of your cross-account access needs to be re-baselined around that model
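The checklist above is the kind of thing worth scripting before anyone presses Enroll. The following is an added example written for this post, not BIPI's tooling or anything AWS ships: `assess_account()` is a pure function over dicts shaped like the boto3 responses for `describe_trails`, `describe_configuration_recorders`, `describe_delivery_channels` and `iam.get_role`, so it runs offline on the constructed sample at the bottom. The governed region list, the management account ID, the bucket and account identifiers in the sample, and the split into "blocker" versus "warn" are this example's assumptions, not anything the post states.

```python
"""Pre-enrollment readiness check for an account about to be enrolled in
Control Tower.  Added example (not BIPI's or AWS's tooling).  Inputs are
dicts shaped like the boto3 responses named in the lead-in; the sample at
the bottom is constructed, and region list / account IDs are assumptions."""
import json
from dataclasses import dataclass

CT_EXECUTION_ROLE = "AWSControlTowerExecution"  # role Control Tower assumes in every enrolled account


@dataclass(frozen=True)
class Finding:
    severity: str  # "blocker": enrollment fails; "warn": enrollment succeeds but evidence/controls change
    region: str
    resource: str
    detail: str


def _trusts_management_account(trust_policy, management_account_id):
    """True if an Allow statement lets the management account assume the role."""
    wanted = {f"arn:aws:iam::{management_account_id}:root", management_account_id}
    statements = trust_policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = {principals} if isinstance(principals, str) else set(principals)
        if wanted & principals:
            return True
    return False


def assess_account(*, trails, recorders_by_region, channels_by_region,
                   execution_role, management_account_id, governed_regions):
    """Return the findings a platform team should clear before enrolling."""
    findings = []
    # Config: Control Tower deploys its own recorder and delivery channel in
    # every governed region, and enrollment fails where one already exists.
    for region in governed_regions:
        for rec in recorders_by_region.get(region, []):
            findings.append(Finding("blocker", region, f"config-recorder/{rec['name']}",
                                    "remove before enrollment; Control Tower creates its own"))
        for ch in channels_by_region.get(region, []):
            findings.append(Finding("blocker", region, f"delivery-channel/{ch['name']}",
                                    "remove before enrollment; Control Tower creates its own"))
    # CloudTrail: account-level trails deliver outside the log archive, so
    # evidence collection has to be reconciled with the org trail deliberately.
    for trail in trails:
        if trail.get("IsOrganizationTrail"):
            continue  # the org trail is the one Control Tower manages
        findings.append(Finding("warn", trail["HomeRegion"], f"cloudtrail/{trail['Name']}",
                                f"delivers to s3://{trail['S3BucketName']}; reconcile with the org "
                                "trail and keep this bucket until the evidence cut-over is verified"))
    # Execution role: without it, or with the wrong trust, the enrollment
    # StackSets cannot run in the account at all.
    if execution_role is None:
        findings.append(Finding("blocker", "global", f"iam-role/{CT_EXECUTION_ROLE}",
                                "role missing; create it trusting the management account"))
    elif not _trusts_management_account(execution_role["AssumeRolePolicyDocument"],
                                        management_account_id):
        findings.append(Finding("blocker", "global", f"iam-role/{CT_EXECUTION_ROLE}",
                                "trust policy does not allow the management account to assume it"))
    return findings


def summarise(findings):
    blockers = sum(f.severity == "blocker" for f in findings)
    return {"blockers": blockers,
            "warnings": sum(f.severity == "warn" for f in findings),
            "ready": blockers == 0}


# Constructed sample (not a real account): a legacy multi-region trail, Config
# already running in eu-west-1, and an execution role trusting the wrong account.
SAMPLE = dict(
    trails=[{"Name": "legacy-audit", "HomeRegion": "eu-west-1", "IsMultiRegionTrail": True,
             "IsOrganizationTrail": False, "S3BucketName": "mediaco-audit-logs"}],
    recorders_by_region={"eu-west-1": [{"name": "default"}]},
    channels_by_region={"eu-west-1": [{"name": "default"}]},
    execution_role={"RoleName": CT_EXECUTION_ROLE, "AssumeRolePolicyDocument": {
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                                "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}},
    management_account_id="999999999999",
    governed_regions=["eu-west-1", "eu-west-2"],
)

if __name__ == "__main__":
    findings = assess_account(**SAMPLE)
    for f in findings:
        print(f"[{f.severity:7}] {f.region:9} {f.resource}: {f.detail}")
    print(json.dumps(summarise(findings)))
```

Against a real account the inputs come from `describe_trails(includeShadowTrails=False)` in one region, `describe_configuration_recorders()` and `describe_delivery_channels()` in each governed region, and `iam.get_role(RoleName="AWSControlTowerExecution")` (catching `NoSuchEntityException` and passing `None`), run with credentials inside the target account. The trail finding is deliberately a warning rather than a blocker: enrollment will go through, which is exactly how the evidence gap in the story above happens.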
Day-one moves in a new org
If you are starting fresh, set up Control Tower before the second account is created. Use Account Factory for all account vending; do not let teams create accounts directly through the management console. Enable all mandatory guardrails plus the Strongly Recommended set. Pick a primary region and only enable the regions you need; turning regions on later is easy, off is not.
Customisations are okay, customisations everywhere are not
Customizations for Control Tower (CfCT) lets you layer your own CloudFormation, SCPs, and StackSets on top of the baseline. We have seen this used well: a few additional preventive SCPs, a baseline of monitoring agents, a tagging policy. We have also seen it used to rebuild half the platform inside CfCT, at which point you have all the disadvantages of Control Tower and all the disadvantages of a custom landing zone. If your customisations are pushing past 30 stack instances per account, you are using Control Tower as a wrapper for something else and should reconsider.
Upgrades are the long-term tax
Control Tower landing zone updates need to run cleanly to keep the landing zone supported. Roughly every 6-12 months AWS releases a new landing zone version; you apply it from the management account, and the update fails for OUs and accounts in drift (anything changed outside Control Tower: a moved or removed account, an edited managed SCP, an altered role trust policy). The platform team needs a quarterly hygiene check that lists drifted OUs and accounts, identifies what changed, and either re-conforms the account or makes the change explicit via CfCT.
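A minimal version of that quarterly check, as an added example rather than BIPI's own tooling: `report()` reads dicts shaped like the boto3 `controltower` client's `get_landing_zone` and `list_enabled_controls` responses and decides whether the next landing zone update can be applied or what has to be re-conformed first. The field names (`version`, `latestAvailableVersion`, `driftStatus`, `driftStatusSummary`) are this example's assumption about that API, the OU identifiers and control identifiers in the sample are constructed, and the rule that unverified controls do not block an update is a judgement call, not something the post states.

```python
"""Quarterly landing-zone hygiene report.  Added example, not BIPI's tooling.
report() works on dicts shaped like the controltower get_landing_zone and
list_enabled_controls responses (an assumption about that API's field names);
the sample below is constructed, and the control identifiers are illustrative."""

NEEDS_ACTION = {"DRIFTED"}   # must be re-conformed (or made explicit) before updating
NEEDS_LOOK = {"UNKNOWN"}     # Control Tower could not evaluate drift; treat as unverified


def report(landing_zone, enabled_controls_by_ou):
    """Summarise version lag and drift, and decide whether an update is safe to run."""
    lz = landing_zone["landingZone"]
    out = {
        "version": lz["version"],
        "latest_available": lz["latestAvailableVersion"],
        "update_pending": lz["version"] != lz["latestAvailableVersion"],
        "landing_zone_drifted": lz["driftStatus"]["status"] == "DRIFTED",
        "drifted": [],
        "unverified": [],
    }
    for ou, controls in enabled_controls_by_ou.items():
        for ctl in controls:
            status = ctl.get("driftStatusSummary", {}).get("driftStatus", "UNKNOWN")
            entry = {"ou": ou, "control": ctl["controlIdentifier"].rsplit("/", 1)[-1]}
            if status in NEEDS_ACTION:
                out["drifted"].append(entry)
            elif status in NEEDS_LOOK:
                out["unverified"].append(entry)
    # An update only runs cleanly when nothing in scope is drifted; unverified
    # controls are listed separately so someone looks at them rather than
    # letting them silently block or pass the update.
    out["ready_for_update"] = not out["landing_zone_drifted"] and not out["drifted"]
    return out


def fetch_live(client, ou_arns):
    """The boto3 controltower calls that populate report(); not run by the sample."""
    lz_arn = client.list_landing_zones()["landingZones"][0]["arn"]
    landing_zone = client.get_landing_zone(landingZoneIdentifier=lz_arn)
    paginator = client.get_paginator("list_enabled_controls")
    by_ou = {arn: [c for page in paginator.paginate(targetIdentifier=arn)
                   for c in page["enabledControls"]] for arn in ou_arns}
    return landing_zone, by_ou


# Constructed sample: landing zone one version behind, one drifted control on
# the Workloads OU and one the service could not evaluate on Sandbox.
SAMPLE_LZ = {"landingZone": {"version": "3.2", "latestAvailableVersion": "3.3",
                             "status": "ACTIVE", "driftStatus": {"status": "IN_SYNC"}}}
SAMPLE_CONTROLS = {
    "ou-abcd-workloads": [
        {"controlIdentifier": "arn:aws:controltower:eu-west-1::control/AWS-GR_ENCRYPTED_VOLUMES",
         "driftStatusSummary": {"driftStatus": "DRIFTED"}},
        {"controlIdentifier": "arn:aws:controltower:eu-west-1::control/AWS-GR_RESTRICTED_SSH",
         "driftStatusSummary": {"driftStatus": "IN_SYNC"}},
    ],
    "ou-abcd-sandbox": [
        {"controlIdentifier": "arn:aws:controltower:eu-west-1::control/AWS-GR_RDS_STORAGE_ENCRYPTED",
         "driftStatusSummary": {"driftStatus": "UNKNOWN"}},
    ],
}

if __name__ == "__main__":
    r = report(SAMPLE_LZ, SAMPLE_CONTROLS)
    print(f"landing zone {r['version']} (latest {r['latest_available']}), "
          f"update pending: {r['update_pending']}, ready: {r['ready_for_update']}")
    for e in r["drifted"]:
        print(f"  DRIFTED    {e['ou']}: {e['control']}")
    for e in r["unverified"]:
        print(f"  UNVERIFIED {e['ou']}: {e['control']}")
```

Run it from the management account with the OU ARNs you have registered; the output is the list the hygiene check above asks for, and `ready_for_update` is the go/no-go for applying the pending version.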
Pick Control Tower for the first AWS account, not the fortieth. The clients who get this right end up with a landing zone they barely think about. The ones who customise heavily end up rebuilding it every few years.
Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.