AWS Control Tower offers the easiest way to set up and govern a secure, multi-account AWS environment. It establishes a landing zone that is based on best-practices blueprints, and it enables governance using controls you can choose from a pre-packaged list. The landing zone is a well-architected, multi-account baseline that follows AWS best practices. Controls implement governance rules for security, compliance, and operations.
If you want to create or manage your existing multi-account AWS environment with best practices, use AWS Control Tower. It offers prescriptive guidance to govern your AWS environment at scale. It gives you control over your environment without sacrificing the speed and agility AWS provides for builders. You will benefit if you are building a new AWS environment, starting out on your journey on AWS, starting a new cloud initiative, are completely new to AWS, or if you have an existing multi-account AWS environment but prefer a solution with built-in blueprints and controls.
Distributed teams can provision new AWS accounts quickly, while cloud IT has the peace of mind of knowing that all accounts are aligned with centrally established, company-wide policies. AWS Control Tower provides a single location to easily set up your new well-architected multi-account environment and govern your AWS workloads with rules for security, operations, and internal compliance. You can automate the setup of your AWS environment with best-practices blueprints for multi-account structure, identity, access management, and account provisioning workflow. For ongoing governance, you can select and apply prepackaged policies organization-wide or to specific groups of accounts.
AWS Control Tower automates the creation of a landing zone with best-practices blueprints that configure AWS Organizations for a multi-account structure, provide identity management using AWS IAM Identity Center, provide federated access using the IAM Identity Center console, create a central log archive using AWS CloudTrail and AWS Config, enable security audits across accounts using IAM Identity Center, implement network configurations using Amazon Virtual Private Cloud (Amazon VPC), and define workflows for provisioning accounts and associated AWS Control Tower solutions.
You can use AWS Control Tower’s Account Factory to automate the provisioning of AWS accounts that are preconfigured to meet your business, security, and compliance requirements. You can also extend AWS Control Tower governance to an individual, existing AWS account when you enroll it into an organizational unit (OU) that is already governed by AWS Control Tower.
AWS Control Tower offers controls for ongoing governance of your AWS environment. AWS Control Tower offers preventive, detective, and proactive controls that help you govern your resources and monitor compliance across groups of AWS accounts. Controls are prepackaged governance rules for security, operations, and compliance that you can select and apply enterprise-wide or to specific groups of AWS accounts. AWS Control Tower automatically implements controls using multiple building blocks such as AWS CloudFormation to establish a baseline, AWS Organizations service control policies (SCPs) to prevent configuration changes, AWS Config rules to continuously detect nonconformance, and AWS CloudFormation Hooks to scan your resources before they are provisioned and make sure that the resources are compliant with that control.
AWS Control Tower offers a dashboard for continuous oversight of your multi-account environment. You get visibility into provisioned accounts across your organization. Dashboards provide reports on controls you have enabled on your accounts, and they give you the status of resources that don’t comply with policies you have enabled through controls.
AWS Control Tower offers a set of AWS-managed controls and enhanced Region deny capabilities to help you meet digital sovereignty requirements faster and with greater confidence. You can select from a group of digital sovereignty controls in the AWS Control Tower control library to implement controls that prevent actions, enforce configurations, and detect resource changes, covering data residency, granular access restriction, encryption, and resiliency capabilities. You can also customize AWS Control Tower’s Region deny control to apply regional restrictions that best fit your unique business needs. These capabilities are designed to make it easier for you to address requirements at scale.
To see a current list of Regions where AWS Control Tower is available, please visit the AWS Regional Table.
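As an added illustration (not AWS Control Tower’s own managed policy), the following Python builds a service control policy in the shape a Region deny control takes and evaluates sample requests against it, which is a useful way to check an allow-list before deploying it. The allowed Regions, the exempted global-service actions, and the `build_region_deny_scp` / `is_denied` helpers are assumptions chosen for this example.

```python
import json

# Constructed example values: the Regions you want to permit and the global
# services whose actions must stay reachable regardless of Region. These are
# illustrative choices, not AWS Control Tower's actual managed control.
ALLOWED_REGIONS = ["eu-west-1", "eu-central-1"]
EXEMPT_ACTIONS = ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                  "route53:*", "support:*"]


def build_region_deny_scp(allowed_regions, exempt_actions):
    """Return an SCP that denies every action outside allowed_regions,
    except the listed global-service actions (Deny + NotAction pattern)."""
    if not allowed_regions:
        raise ValueError("at least one allowed Region is required")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "RegionDeny",
            "Effect": "Deny",
            "NotAction": list(exempt_actions),
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
            },
        }],
    }


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports a trailing wildcard.
    if pattern.endswith("*"):
        return action.lower().startswith(pattern[:-1].lower())
    return action.lower() == pattern.lower()


def is_denied(policy, action, region):
    """Evaluate one (action, region) request against the policy's Deny
    statements. Only the subset of IAM logic this policy uses is modelled."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if any(_matches(p, action) for p in stmt.get("NotAction", [])):
            continue  # exempt global-service action
        allowed = stmt["Condition"]["StringNotEquals"]["aws:RequestedRegion"]
        if region not in allowed:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_deny_scp(ALLOWED_REGIONS, EXEMPT_ACTIONS)
    print(json.dumps(scp, indent=2))
    print("ec2:RunInstances in us-east-1 denied:", is_denied(scp, "ec2:RunInstances", "us-east-1"))
```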
There is no additional charge to use AWS Control Tower. You only pay for AWS services enabled by AWS Control Tower, such as AWS Service Catalog and AWS CloudTrail. You also pay for the underlying services that deploy controls, such as AWS Config rules that are set up by AWS Control Tower to implement detective controls. See AWS Control Tower Pricing for more information.
AWS Control Tower sets up IAM Identity Center with a native default directory. After the landing zone setup, you can configure IAM Identity Center with a supported directory, such as AWS Managed Microsoft AD, or self-manage your access control.
Yes, to see a list of available APIs, refer to the AWS Control Tower API Reference documentation. For all other operations, use the AWS Control Tower console.
AWS Control Tower helps you deploy a multi-account AWS environment based on best practices, but you are still responsible for day-to-day operations and checking compliance status. If you need help operating regulated infrastructure in the cloud, consider a certified MSP partner or AWS Managed Services (AMS). AMS is best suited for enterprises that want to move regulated workloads to the cloud quickly and do not have the required AWS skillsets for compliant operations, or those that want to keep AWS talent focused on application migration and modernization instead of the undifferentiated heavy lifting of infrastructure operations.
AWS Control Tower offers an abstracted, automated, and prescriptive experience on top of AWS Organizations. It automatically sets up AWS Organizations as the underlying AWS service to organize accounts and implement preventive controls using service control policies (SCPs). Using AWS Organizations, you can further create and attach custom SCPs that centrally control the use of AWS services and resources across multiple AWS accounts.
You can also use your existing AWS Organizations management account with AWS Control Tower and set up a landing zone with new or existing organizational units (OUs) and accounts. New OUs and accounts created using AWS Control Tower become part of your existing Organizations structure and billing. For existing accounts currently managed in Organizations, you can enroll them in new OUs created using AWS Control Tower individually or through a script.
AWS Control Tower and AWS Security Hub are complementary services. AWS Security Hub is used by security teams, compliance professionals, and DevOps engineers to continuously monitor and improve the security posture of their AWS accounts and resources. AWS Security Hub performs security best practice checks against the AWS Foundational Security Best Practices standard and other industry and regulatory standards, and it allows you to aggregate security findings from more than 80 partner products. AWS Control Tower is used by cloud administrators and architects to set up and govern a secure, multi-account AWS environment based on AWS best practices. AWS Control Tower applies mandatory and optional high-level rules, called controls, that help enforce your policies. AWS Control Tower also helps ensure that your default account configurations are in alignment with the AWS Foundational Security Best Practices using the AWS Security Hub controls. You should use the AWS Control Tower preventive controls in combination with the AWS Security Hub security best practice detective controls, as they are mutually reinforcing and help ensure that your accounts and resources are in a secure state.
AWS Control Tower automatically sets up AWS Service Catalog as the underlying AWS service to enable provisioning of new accounts through an account factory. While AWS Control Tower provides central governance at an account level, AWS Service Catalog can further provide granular governance at a resource level. AWS Service Catalog also lets you provision infrastructure and application stacks that have been preapproved by IT for use inside your accounts.
You can use AWS Control Tower to set up and govern your AWS environment, and then use AWS Systems Manager to handle its ongoing day-to-day operations. AWS Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. With Systems Manager, you can group resources (such as Amazon EC2 instances, Amazon S3 buckets, or Amazon RDS instances) by application, view operational data for monitoring and troubleshooting, and take action on your groups of resources.
AWS Control Tower allows you to customize new and existing AWS accounts when you provision their resources from the AWS Control Tower console. After you set up account factory customization, AWS Control Tower automates this process for future provisioning. Your customized accounts are provisioned in account factory. Predefined blueprints, built and managed by AWS Partners, are also available. AWS Control Tower provides additional solutions, such as Customizations for AWS Control Tower (CfCT) and Account Factory for Terraform (AFT), to help you easily add customizations to your AWS Control Tower accounts using an AWS CloudFormation template, service control policies (SCPs), or Terraform. Accounts are created with all the standard AWS Control Tower governance benefits but allow you to add customizations to meet any additional standard procedures or guidelines that you require.