Ep. 108 | AWS Control Tower Overview & Exam Prep | Mgmt & Governance | SAA-C03 | AWS Solutions Architect Associate

Chris 0:00
All right, everyone get ready, because today we are going deep on AWS Control Tower.

Kelly 0:05
Ooh, I like this one.

Chris 0:07
You know, setting up a secure multi-account AWS environment for a large company. It's a lot, right? Yeah, can be a real headache. But Control Tower, it's like having an AWS expert, like,

Kelly 0:18
right there with you, like, on speed dial,

Chris 0:20
exactly, helping you set up everything securely and efficiently from the get-go. Love it. So let's dive in. Okay, so

Kelly 0:27
Control Tower is a service that sets up what we call a Landing Zone, a Landing Zone which is basically a pre-configured, secure, multi-account AWS environment, all built on best practices. Best practices, got it. It really takes the pain out of setting up and managing all those accounts, yeah,

Chris 0:44
especially if you've got multiple teams with different needs and permissions. Exactly, exactly. That's super helpful, especially for, well, someone like me who loves automation, right, and really hates doing things manually. I hear you. So can you give me a real-world example of where Control Tower would be like a lifesaver,

Kelly 1:02
okay? Picture this: a fintech startup, right? They're experiencing like explosive growth, okay? They're adding developers, constantly launching new products. Makes sense, and their cloud infrastructure is like expanding like crazy, yeah, without Control Tower, they would be scrambling just to configure security and compliance for every new account right, leaving them super vulnerable to errors and security risks. Oof, yeah, that's

Chris 1:31
a recipe for disaster. It is. It is. Control Tower helps them establish a solid foundation and scale securely without, like, you know, pulling their hair

Kelly 1:39
out, without the stress. Yeah, exactly. Or think about a large enterprise, okay, that's migrating to the cloud, right? They have, like, a really complex IT environment with different departments, each with their own needs, right? Control Tower helps them manage this, like, sprawling cloud environment effectively, okay, reducing inconsistencies and the risk of security breaches across those teams. Okay,

Chris 2:03
yeah, I'm starting to see the appeal here. Good. So how does Control Tower actually work? Like, what are the core features that make it so powerful?

Kelly 2:11
So Control Tower has two main mechanisms for enforcing security and compliance, okay, guardrails and detective controls. Think of guardrails like those automated rules that keep you from, you know, going off track. They're implemented as service control policies, or SCPs. SCPs. And they prevent users from accidentally doing things that could compromise security or compliance.

Chris 2:36
So guardrails are preventative, like a safety net, exactly, okay. What about detective controls? Then

Kelly 2:41
detective controls are more like, um, security cameras, okay, constantly monitoring your environment for anything, you know, suspicious, right? They use AWS Config and Lambda functions to constantly check if everything's in line with best practices, right? And they'll send you alerts if they spot anything, you know, fishy. Got

Chris 3:00
it. So it's a combination of prevention and detection, right, working together to keep the environment secure and compliant. That's reassuring. So what are some of the other benefits of using Control Tower?

Kelly 3:10
Well, I think the biggest one is time savings. Okay? You don't have to manually configure security and compliance for every single account, right? So that means you can focus on building and innovating rather than getting bogged down in repetitive tasks. Makes sense, plus it drastically reduces risk. Okay, those guardrails prevent misconfigurations, and the detective controls catch any potential issues before they blow up, before they become big problems. Yeah,

Chris 3:36
okay, that's good. Fewer sleepless nights for cloud engineers.

Kelly 3:40
Then absolutely, absolutely

Chris 3:41
another benefit you said, is the centralized dashboard. Yeah, yeah. Can you tell me a little more about that? So

Kelly 3:47
it gives you, like, a single pane of glass, right, to monitor and manage your entire AWS environment. That makes it way easier to spot and address potential issues quickly and efficiently. So

Chris 4:01
it's basically like having an air traffic controller for your cloud infrastructure.

Kelly 4:05
I like that analogy,

Chris 4:06
but you mentioned earlier that Control Tower isn't like a magic bullet, right, right? What are some of the limitations that we should be aware of?

Kelly 4:14
Yeah, it's important to remember that Control Tower is a tool, right? And it's only as good as the policies and configurations that you define. Okay? It doesn't automate every single aspect of cloud governance, right? You'll still need to define your own policies, decide which guardrails to enable, how to respond to those alerts and how to manage access control.

Chris 4:34
So it's a powerful tool, yeah, but you still need to bring your own expertise, definitely, an understanding of your organization's specific needs, exactly. It's about leveraging the tool effectively, yes, to streamline your process and enhance your cloud governance practices.

Kelly 4:49
Exactly. Okay, I

Chris 4:50
got it now. I know you're prepping for those AWS certifications always. So let's shift gears and focus on the exam prep portion. Okay, sounds good. Are you ready to tackle some practice questions? Bring

Kelly 5:03
it on. Let's see what kind of questions might pop up on the exam. All right, here's your first question. Okay, you are designing an AWS environment for a company with multiple departments that need separate AWS accounts. You need a solution that will help you set up these accounts quickly and securely, enforce company-wide policies and provide a central dashboard for monitoring and management. Which AWS service is the best choice for this scenario?

Chris 5:29
Well, based on what we've discussed, it sounds like AWS Control Tower is the perfect fit for this, okay? Why? Well, it's designed for multi-account environments, right? And its guardrails and detective controls would definitely help enforce policies and monitor compliance.

Kelly 5:46
Okay, that's right. You nailed it. Control Tower is indeed the best choice for this scenario, all right, but let's analyze why the other options might be incorrect. Okay. What about AWS Organizations? AWS

Chris 5:58
Organizations is like the foundation for Control Tower, right? Yeah, it allows you to manage multiple accounts, but it doesn't offer the same level of automation or those pre-configured security and governance features that Control Tower provides. No

Kelly 6:11
precisely. Organizations is more of a basic framework, right? Control Tower builds upon it, adding those enhanced security and governance capabilities. Got it. How about AWS Config? AWS

Chris 6:22
Config helps you manage resource configurations, yes, but it doesn't handle multi-account setups or offer that automated governance that Control Tower does, exactly.

Kelly 6:31
Config is a powerful tool for auditing and managing resources, but it's not a complete solution for setting up and governing a multi-account environment like Control Tower is, right? So much more specific. Ready for another question? Absolutely. Bring it on. All right, here we go. Okay, you are using AWS Control Tower to manage your company's AWS environment, right? You need to prevent developers from creating S3 buckets that are publicly accessible.

Chris 6:57
Okay? So we need to stop developers from accidentally making sensitive data public, right? We can't rely on them to remember to configure the settings correctly every time. No, no. So I think the best approach would be to implement a preventative guardrail that blocks the creation of S3 buckets with public access permissions. Right? Control Tower has pre-configured guardrails for common security best practices like this, right?

Kelly 7:20
You are absolutely correct. Using a preventative guardrail is the most secure and efficient way to handle this. Okay, great. Why do you think manually reviewing S3 bucket configurations would be a bad idea?

Chris 7:31
Manually checking every bucket would be a nightmare, especially as the environment grows. Right? It's just not scalable or reliable, exactly.

Kelly 7:39
It's not a practical solution in a dynamic cloud environment, yeah. And what about relying on detective controls to alert you after a public bucket is created? That's

Chris 7:49
reactive, not preventative, right? You'd get an alert, but the damage would already be done, exactly.

Kelly 7:53
It's

Chris 7:54
much better to stop it from happening in the

Kelly 7:56
first place. Excellent analysis. Let's try another one. Okay, your company is using Control Tower, okay, and they need to make sure all new EC2 instances have specific security settings like disabling root login and enabling detailed monitoring. What's the most efficient way to do that?

Chris 8:14
Could we use service control policies to restrict EC2 launches, okay, to only those that meet those security requirements? Since SCPs are the foundation of Control Tower's guardrails, right? It seems like a good fit. You're

Kelly 8:27
on the right track, okay, but it's important to remember that SCPs are primarily preventative. Okay? They can stop actions from happening, but they don't actively modify existing resources. So

Chris 8:38
an SCP could prevent the launch of non-compliant instances, yes, but it wouldn't automatically fix existing ones. Exactly. I see, right? So what would be a more effective approach? In

Kelly 8:50
this case, a combination of preventative and detective controls would be the most robust solution. Okay,

Chris 8:56
so like a multi-layered approach, yeah, so use SCPs to prevent the launch of non-compliant instances, yes, but also leverage detective controls to identify any existing instances that don't meet the standards. Exactly. So we could use AWS Config rules to continuously monitor our EC2 instances for compliance, yeah, and then trigger automated actions to fix any issues that are found

Kelly 9:19
exactly. That's the beauty of Control Tower. Yeah, it allows you to layer your security approach using both preventative and detective controls.

Chris 9:28
This is really making things click for me. I'm starting to understand how Control Tower can tackle these real world security and compliance challenges. That's great

Kelly 9:36
to hear. Let's keep the momentum going with another question. Imagine your company just started using Control Tower, right? They've got their Landing Zone set up and some guardrails in place. Makes sense. Now they want to give developers limited access to resources, okay, but still make sure they follow the rules. What's the best way to manage developer access in this scenario?

Chris 9:59
This is about finding that balance between security and developer productivity

Kelly 10:04
precisely. We

Chris 10:05
want to empower them, but also make sure they don't accidentally break things exactly. So where would you start with managing developer access in the Control Tower environment?

Kelly 10:15
Well, since we're already using Control Tower, we should take advantage of its access control capabilities. Makes sense. We could create separate AWS accounts for different dev teams, okay, allowing us to apply granular permissions at the account level. That's a smart move. Separate accounts provide isolation, right? And help prevent accidental or unauthorized access across teams. Yeah, that makes sense. But what about the specific permissions within those accounts,

Chris 10:41
we could define IAM roles, okay with the principle of least privilege in mind, right? Granting developers just enough access to do their jobs, yes, but not enough to make risky changes. Excellent.

Kelly 10:54
Least privilege is key in cloud security, right? But how can we ensure that these IAM roles and permissions align with the guardrails established in Control Tower?

Chris 11:04
That's where things get interesting. We need to make sure that the IAM permissions we grant don't conflict with the restrictions imposed by Control Tower's guardrails. You're

Kelly 11:13
spot on. Okay? So how would you approach this alignment? We

Chris 11:16
could start by carefully reviewing the existing guardrails and documenting the actions they restrict, right? Then, when we're setting up IAM roles for developers, yeah, we need to consider these restrictions, right, and ensure their permissions don't allow them to bypass any guardrails. That's a

Kelly 11:34
solid approach. Yeah, it involves collaboration between security and development teams to ensure everything aligns with the security and compliance policies. Makes sense. Ready for one last question before we wrap up this part, absolutely.

Chris 11:47
I'm feeling way more confident about my understanding of Control Tower. Fantastic.

Kelly 11:52
Here it is. Okay. Your company is using Control Tower, right? And they've just implemented a new security policy requiring all S3 buckets to be encrypted at rest, okay, they need to find any existing buckets that don't comply. All right, what's the best way to do that using Control Tower?

Chris 12:09
This sounds like a job for detective controls, right? You

Kelly 12:11
are absolutely right. Detective controls are designed to monitor and alert on those deviations from policy. Okay, so how can we use them within Control Tower to find the non-compliant buckets? Well, Control Tower

Chris 12:23
integrates with AWS Config, yes, and Config is all about assessing and managing resource configurations, right? We could create a Config rule that specifically checks for S3 bucket encryption, okay? Config would then continuously monitor our buckets and alert us to any that aren't encrypted. That's

Kelly 12:42
the perfect solution. By creating that Config rule, you can proactively identify non-compliant resources and take steps to remediate them. Great.

Great work. Thanks.

Chris 12:53
This has been a really insightful session so far. Good, good. Certainly feel like I can confidently tackle any Control Tower related question that comes my way. I'm

Kelly 13:01
glad to hear that. Now, let's take a short break, and we'll come back for the final part of our deep dive, where we'll explore some more advanced Control Tower concepts. Okay,

Chris 13:09
so ready to jump back in. Let's do it and explore some of those more advanced Control Tower concepts. Yeah,

Kelly 13:14
you know, we've talked a lot about guardrails, right? But they're not like, set-it-and-forget-it controls. Okay? You can customize them to fit your organization's specific needs.

Chris 13:24
Oh, okay, so we're not stuck with just the pre-configured guardrails. Nope,

Kelly 13:27
not at all. Right. Control Tower provides a great foundation, but you can tailor them or even create your own to match your unique requirements. Got it. And remember that guardrails are built on service control policies, yeah, SCPs, which define the maximum permissions for accounts in your AWS organization. So by,

Chris 13:46
like, tweaking those SCPs, yeah, we can fine tune the guardrails to enforce more specific

Kelly 13:52
restrictions Exactly. Okay. So for example, let's say your company requires all S3 buckets to have a specific naming convention. All right, you could create a custom SCP that enforces this by blocking any bucket creation requests that don't follow the rules.

Chris 14:07
That's a, that's a really practical example. Yeah. So we can use SCPs to enforce a wide range of policies beyond the pre-configured guardrails, right? What about detective controls? Can we customize those too?

Kelly 14:19
Absolutely. Remember, detective controls are powered by AWS Config rules, which define the desired configuration state for your resources. So we

Chris 14:28
can create Config rules that check for specific configurations, yes, and alert us if any resources are non-compliant. Exactly.

Kelly 14:34
Imagine you need to make sure all your EC2 instances have a specific security group attached. You can set up a Config rule to monitor that, and it'll trigger an alert if an instance is launched without it. Got it. It gives you a chance to take action. This

Chris 14:48
is, this is really showcasing the power and flexibility of Control Tower. Yeah, it seems like it integrates with, like, a lot of other AWS services. It does. Can you tell me a little more about those integrations? Sure,

Kelly 15:00
we touched on AWS Config, yeah, but Control Tower also plays nicely with services like CloudTrail and Lambda. CloudTrail is a lifesaver for security auditing and compliance, because it logs all API activity in your AWS account.

Chris 15:15
So with CloudTrail, we can track who did what and when in our environment

Kelly 15:20
exactly, and Control Tower ensures that all API activity is logged, providing a comprehensive audit trail for your entire organization. Makes

Chris 15:29
sense. That's essential for meeting those regulatory requirements, proving you're following the rules, exactly,

Kelly 15:34
exactly. Now, how

Chris 15:35
does Lambda fit into all of this?

Kelly 15:37
So Lambda lets you run code without managing servers, right? Making it perfect for automating tasks. Okay, you can use it to extend Control Tower's capabilities, all right. So, for example, you could have a Lambda function that automatically fixes non-compliant resources. Oh, interesting. So let's say that Config rule detects an unencrypted S3 bucket, right? A Lambda function could automatically encrypt it.

Chris 16:01
Okay? So it takes action. Yeah, it takes action. Wow, that's, that's powerful, yeah? So we can use Lambda to enforce policies and react to events detected by Control Tower's detective controls. Exactly,

Kelly 16:12
and that's just scratching the surface. Yeah, you can use Lambda to integrate Control Tower with tons of other AWS services, okay, and build custom solutions for your specific needs. This

Chris 16:24
is going way beyond just like setting up Landing Zones, right? Control Tower really is a platform for implementing robust cloud governance and automation. It is. Now, before we wrap up, I want to make sure I'm, like, really prepared for those AWS certification questions. Okay, got any like, any more challenging scenarios for me, of

Kelly 16:43
course, let's say you're working for a company that needs to enforce a specific password policy for all IAM users across their organization. They want things like minimum password length, complexity requirements and password rotation. Yeah, the good stuff. How would you tackle that, using Control Tower? Hmm,

Chris 17:03
well, Control Tower has some pre-configured guardrails for IAM, yes, but enforcing, like, a very specific password policy, yeah, might need a more custom approach, right, right

Kelly 17:13
on. We can leverage AWS Organizations for this, okay, specifically a feature called Organizations SCPs, right, which lets you define policies that apply to all accounts in your organization. So

Chris 17:25
we could use SCPs to, like, restrict actions related to password management and enforce our specific requirements

Kelly 17:34
exactly. You could create an SCP that blocks any password creation or update okay, that doesn't meet the length, complexity and rotation rules that

Chris 17:43
makes sense, yeah, but wouldn't that SCP apply to everyone, even administrator accounts? Great point.

Kelly 17:48
You might want to exclude certain users or roles from that policy,

Chris 17:53
right? Admins might need more flexibility, exactly. So how do we apply the policy selectively?

Kelly 17:58
We can use a combo of SCPs and IAM permissions. Okay, so create a separate IAM group for users subject to the password policy and apply the restrictive SCP to that group. Yeah, that lets other users or roles have more relaxed settings. Clever,

Chris 18:13
a layered approach that enforces the policy but maintains flexibility where it's needed, right? Okay, I think my brain is officially in exam prep mode. Good. Hit me with another scenario. All

Kelly 18:24
right. Imagine you're a cloud architect working on a migration to AWS. Makes sense. Your company's using Control Tower, and you need to ensure all new accounts created for those migrated apps adhere to a baseline set of security and compliance configurations. Okay, how would you do that? This

Chris 18:42
sounds like a perfect use case for Control Tower's Account Factory feature, right? You got it. We can use it to pre-configure those accounts with the necessary settings. Account

Kelly 18:51
Factory is like a blueprint for new accounts. You can define things like the AWS services that should be enabled, the IAM roles and policies that should be created, the network configurations, such as VPC settings and security groups, okay? And the compliance standards that need to be met. Wow, that's, that's pretty comprehensive. It is, okay, and it's a lifesaver for organizations that are constantly creating new accounts, like during migrations or when onboarding new teams.

Chris 19:19
Okay? So Account Factory helps us, like, streamline account creation, yeah, and ensure consistency and security across the board. Exactly. It's

Kelly 19:27
all about that standardization and

Chris 19:28
automation. Awesome. Ready for one last challenge, absolutely. Okay,

Kelly 19:31
all right, your company needs to log all API activity related to sensitive services like IAM, S3 and KMS, okay, they also need to keep those logs for a specific period, right, for auditing purposes. Got it. How would you implement this logging and retention requirement with Control Tower?

Chris 19:50
We talked about CloudTrail earlier for logging API activity, yes. Since Control Tower is built on AWS Organizations, right, we could leverage that to enable CloudTrail logging for all the accounts in our organization. Great.

Kelly 20:02
Start that way. You're covered for all accounts present and future. Okay, but remember, the requirement is to log specific, sensitive services, right? Not all API calls. Exactly, you need to filter the CloudTrail logs. Okay, so how do we do that? CloudTrail lets you create trail event selectors that define what gets logged, right? You could set those up to just focus on IAM, S3 and KMS activity. Perfect.

Chris 20:26
Now, how do we handle that retention requirement? Configure CloudTrail

Kelly 20:29
to send the logs to an S3 bucket, okay, and then apply a lifecycle policy to that bucket to enforce how long the logs are kept. So

Chris 20:38
we're using CloudTrail for logging, yes, S3 for storage, yep, and a lifecycle policy for managing the retention, right. And by centralizing this in Organizations, it applies consistently across all accounts. You nailed it.

Kelly 20:51
This deep dive has been a great overview of AWS Control Tower and its many capabilities. It really has. Remember, it's a powerful tool, yeah, but it's up to you to define the policies and configurations that make it work for your organization.

Chris 21:05
Absolutely, I feel much more equipped to tackle any Control Tower challenges that come my way, both on the job and on those AWS certification exams. Thanks for all the insights and expertise. You're very welcome.

Kelly 21:17
And to all our listeners, thanks for joining us on this deep dive into AWS Control Tower. Keep exploring, keep learning and keep pushing the boundaries of cloud computing.
