TrustRadius: an HG Insights company

AWS Control Tower

Score9.3 out of 10

10 Reviews and Ratings

Get a Demo

What is AWS Control Tower?

The vendor presents AWS Control Tower as the easiest way to set up and govern a new, secure multi-account AWS environment. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while knowing new accounts conform to company-wide policies.

Categories & Use Cases

Reviews

What users are saying about AWS Control Tower.
View all reviews

AWS Control Tower in multi AWS account scenarios

Incentivized
Arkadiusz GóralView profile
Lead Engineer in Information Technology at Dense Neuron (11-50 employees employees)

Use Cases and Deployment Scope

AWS Control Tower allows me to provision predefined compliant and secure AWS accounts in an automated fashion

Pros

  • AWS Control Tower integrates with AWS organizations
  • AWS Control Tower provides Account Factory to provision preconfigured AWS accounts
  • AWS Control Tower helps to isolate workloads and billing via AWS accounts separation
  • AWS Control Tower supports data residency controls out of the box
  • AWS Control Tower supports post provisioning actions to newly provisioned AWS accounts: for example it can trigger enabling VPC flow logs in the new account

Cons

  • If possible it would be nice to see an automated option to close AWS accounts created with the Account Factory

Most Important Features

  • Multi account support
  • Integration with various services - Cloud formation / stack/stackset concepts
  • SSO integration
  • Preconfiguration of newly created accounts
  • Provisioning new AWS accounts without need to use credit card for each of the new accounts - all works on a credit card used to set up the master account.

Return on Investment

  • It helped to separate billing for dev/prod/uat workloads, making it easier to control how much developers are spending.

Alternatives Considered

AWS Organizations

Other Software Used

HashiCorp Terraform, Google Cloud Platform, Google Kubernetes Engine

Usability

Control tower is a must for separation of concerns

Incentivized
kevin mcgillicuddy
IT Infrastructure Supervisor in Information Technology at Sight and Sound Theatres (201-500 employees employees)

Use Cases and Deployment Scope

We started using AWS Control Tower to split up our workloads into separate accounts to follow the AWS well-architected framework. AWS Control Tower makes it easy to create new accounts and drive policies across them all. So our root account handles creating other accounts for us and ensures they all have logging and our security practices in place.

Pros

  • Easily create new AWS accounts.
  • Easily secure and manage AWS accounts.
  • Landing zone with SSO is a huge win for larger teams.

Cons

  • Can be slow at times to reflect changes.
  • The GUI in the console is not always the most user-friendly and errors can be non-descript.
  • Cannot change some key info about an account from AWS Control Tower once it's provisioned.

Most Important Features

  • Security
  • Central logging
  • SSO support

Return on Investment

  • Less time manually deploying accounts which was error prone.
  • Central logging allowed us to have 1 place to view logs.

AWS Control Tower makes multi-account AWS management easy

Incentivized
Alex Kranz
Senior System Administrator in Information Technology at Bridgeline Digital (51-200 employees employees)

Use Cases and Deployment Scope

We have multiple companies along with multiple clients that require separate AWS accounts. With AWS Control Tower it makes it simple and easy to have a central point to monitor and control all the AWS accounts.

Pros

  • Guardrails make securing accounts easy and quick.
  • AWS SSO allows us a central point for controlling users and groups across each account.
  • Centralized logging serves as a single point to monitor each environment.
  • Landing zones allow us to apply templates for each account and customize each one from a central point as well.

Cons

  • The AWS SSO GUI is not very intuitive and determining how to apply policies to users without creating redundant logins has been a challenge.
  • The default guardrails do not fully encompass all the security checks that we needed.
  • There does not appear to be any way to control roles at the IAM level from the control tower account through the GUI.
  • Some features on AWS accounts still require logging into the individual account with the root user and cannot be done from AWS Control Tower.

Most Important Features

  • SSO and Federated services
  • Landing Zones and guardrails
  • Central logging

Return on Investment

  • AWS Control tower allowed us to drop several third-party vendors for security appliances and logging, which saved us considerable funds.
  • AWS Control tower reduced the amount of time we spend deploying AWS accounts.
  • AWS Control tower reduced the amount of time we have to spend on quarterly security audits.

Other Software Used

Microsoft Azure Active Directory, Microsoft System Center Endpoint Protection, Elasticsearch, MongoDB, WooRank, Hawksearch, iAPPS Commerce, AWS Certificate Manager, AWS Trusted Advisor, Amazon GuardDuty, AWS CloudTrail

AWS Control Tower: an AWS Framework that might be more than you need

Incentivized
Verified User
Contributor in Engineering (1001-5000 employees employees)

Use Cases and Deployment Scope

AWS Control Tower allows you to set up a baseline environment, in the parlance of Control Tower, this is called a landing zone. The value adds of this product is that the default baseline environment that is set up by AWS Control Tower includes AWS best practices by default. This includes best practices from AWS Well-Architected Framework. In our case, we were interested in experimenting with a lower overhead setup for an ancillary AWS account.

Pros

  • I like being able to see policy-level summaries of my AWS environment.
  • It is great for moving quickly with minimal risk of severe blunders.
  • Provisioning a new account within the purview of the Control Tower is quick and easy.

Cons

  • This level of abstraction leaves you vulnerable to not knowing exactly what's been created, and that can enable you to mess things up.
  • Because it provisions things on your behalf, you might end up paying for resources you don't need.
  • The import process of existing accounts, which we did not end up pursuing, is tedious and manual.

Most Important Features

  • Low barrier to entry
  • AWS Well Architected Framework best practices built in.
  • Easy to navigate account summary of resources.

Return on Investment

  • It was ultimately a neutral impact for us as we didn't pursue it very far.
  • It would not be the right fit for us given that we have the skills to roll these things on our own.
  • It would have been more expensive than strictly necessary because it provisions resources you don't necessarily need.

Alternatives Considered

AWS Systems Manager

Other Software Used

AWS Systems Manager, AWS Trusted Advisor, AWS Managed Services