AWS Control Tower makes multi-account AWS management easy
Pros
- Guardrails make securing accounts easy and quick.
- AWS SSO gives us a central point for controlling users and groups across each account.
- Centralized logging serves as a single point to monitor each environment.
- Landing zones allow us to apply templates for each account and customize each one from a central point as well.
Cons
- The AWS SSO GUI is not very intuitive and determining how to apply policies to users without creating redundant logins has been a challenge.
- The default guardrails do not fully encompass all the security checks that we needed.
- There does not appear to be any way to control roles at the IAM level from the Control Tower account through the GUI.
- Some features on AWS accounts still require logging into the individual account with the root user and cannot be done from AWS Control Tower.
- SSO and Federated services
- Landing Zones and guardrails
- Central logging
- AWS Control Tower allowed us to drop several third-party vendors for security appliances and logging, which saved us considerable funds.
- AWS Control Tower reduced the amount of time we spend deploying AWS accounts.
- AWS Control Tower reduced the amount of time we have to spend on quarterly security audits.