Control Tower

AWS Control Tower enables you to set up and govern your multi-account AWS environment.

This is a very high level walkthrough of setting up Control Tower.

To keep things clean, I created a brand new account from which to launch Control Tower. This account will become the Control Tower management account and payer account.

You will need a unique email address for each account that the landing zone creates. For a lab, I found the following trick useful: some email providers, including Gmail, accept addresses of the form myemailaddress+xxx@gmail.com, where xxx is any string, for example the AWS account name. AWS also accepts this format as an account email, so a single mailbox can serve every account.

Select the Control Tower service and click “Set up a Landing Zone”.

You are prompted for a home region. The home region should be the region where you do the most admin work and run your workloads. The audit and other buckets are created in the same AWS Region from which you launch AWS Control Tower. By keeping your workloads and logs in the same AWS Region, you reduce the cost that would be associated with moving and retrieving log information across regions.

Landing Zone will create two more accounts, Log archive and Audit. You supply a unique email for each. You then see the following message:

For each of the accounts, you will receive an email and an SSO portal URL in the format:

https://d-123456789.awsapps.com/start

At the end of the process you will see:

I chose “Configure your account factory”. A Service Catalog portfolio is created. I then used Account Factory to set up an account called “Dev”. This is where I will start creating resources.
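The two manual steps above, the plus-addressed email per account and the Account Factory request for “Dev”, can be scripted. The following is an added example written for this walkthrough; it is not code from the original page or from AWS. It builds one plus-addressed email per account name, checks that the emails are unique (AWS rejects a duplicate account email), and assembles the provisioning parameters that the Control Tower Account Factory product in Service Catalog expects. The base mailbox, organizational unit, SSO user details and the Service Catalog product and artifact ids are placeholders you must replace; the actual `provision_product` call needs credentials and network access, so `boto3` is only imported inside that function and everything else runs offline.

```python
"""Script the Account Factory part of a Control Tower lab.

Added example; base mailbox, OU, SSO user and product/artifact ids are
placeholders (assumptions), not values from the walkthrough.
"""
import re

# Account names from the walkthrough: the two shared accounts the landing
# zone creates, plus the workload account provisioned via Account Factory.
ACCOUNT_NAMES = ["Log archive", "Audit", "Dev"]


def plus_address(base_email: str, account_name: str) -> str:
    """Return the base mailbox with a '+tag' derived from the account name.

    Gmail-style providers route myemailaddress+xxx@gmail.com to the
    myemailaddress inbox, and AWS accepts the format as an account email.
    """
    local, domain = base_email.split("@", 1)
    tag = re.sub(r"[^a-z0-9]+", "-", account_name.lower()).strip("-")
    return f"{local}+{tag}@{domain}"


def account_emails(base_email: str, names=ACCOUNT_NAMES) -> dict:
    """Map each account name to its plus-addressed email, enforcing uniqueness."""
    emails = {name: plus_address(base_email, name) for name in names}
    # Every AWS account needs a distinct root email; fail early rather than
    # at the console / API.
    if len(set(emails.values())) != len(emails):
        raise ValueError("account emails must be unique")
    return emails


def account_factory_params(account_name: str, account_email: str, ou: str,
                           sso_email: str, first_name: str, last_name: str) -> list:
    """Build the ProvisioningParameters list for the Account Factory product.

    The keys are the product's own parameter names; the values are ours.
    """
    params = {
        "AccountName": account_name,
        "AccountEmail": account_email,
        "ManagedOrganizationalUnit": ou,
        "SSOUserEmail": sso_email,
        "SSOUserFirstName": first_name,
        "SSOUserLastName": last_name,
    }
    return [{"Key": key, "Value": value} for key, value in params.items()]


def provision_account(product_id: str, artifact_id: str, params: list,
                      provisioned_name: str) -> dict:
    """Submit the request to Service Catalog (needs credentials and network).

    boto3 is imported here so the helper functions above stay importable
    and testable without it.
    """
    import boto3  # assumption: boto3 installed and AWS credentials configured
    sc = boto3.client("servicecatalog")
    return sc.provision_product(
        ProductId=product_id,
        ProvisioningArtifactId=artifact_id,
        ProvisionedProductName=provisioned_name,
        ProvisioningParameters=params,
    )


if __name__ == "__main__":
    BASE = "myemailaddress@gmail.com"  # placeholder mailbox
    emails = account_emails(BASE)
    for name, email in emails.items():
        print(f"{name:12s} -> {email}")

    dev_params = account_factory_params(
        account_name="Dev",
        account_email=emails["Dev"],
        ou="Sandbox",                      # placeholder OU registered with Control Tower
        sso_email=BASE,
        first_name="Lab",
        last_name="Admin",
    )
    print(dev_params)
    # Uncomment with real ids to actually provision:
    # provision_account("prod-PLACEHOLDER", "pa-PLACEHOLDER", dev_params, "Dev")
```

The product and artifact ids can be read from the Service Catalog console (or `describe_product`) once Control Tower has created the Account Factory portfolio; the OU must already exist and be registered with Control Tower, otherwise the provisioning fails.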