AWS Control Tower: How to Manage Cloud Sprawl

By Dan Newton February 7, 2020

Ask any Atlanta driver about the traffic and they’ll agree: uncontrolled growth can really be a hassle. The same is true for cloud infrastructure. Many organizations move to the cloud and embrace the speed of deployment and innovation. Later, they find they have deployed far more resources than they expected. This has been coined “cloud sprawl.” In response to this problem, AWS developed a cloud management tool called Control Tower.

The Fix: AWS Control Tower

Control Tower automates much of what AWS considers best practice for managing an organization’s cloud resources. With Control Tower, a company can set up a new AWS account and account structure that includes guardrails. Guardrails, or policies, enforce rules when an authorized user attempts to perform an action within the account. That can include creating, deleting or modifying a cloud resource.

Examples of Guardrails:

  • Disallow deletion of log archive
  • Disallow configuration changes to CloudTrail
  • Disallow actions as root user

Some of Control Tower’s guardrails are mandatory and others are strongly recommended. An organization can add further guardrails of its own to fit its needs.
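The three guardrails listed above are preventive: Control Tower deploys them as service control policies (SCPs), which can only deny actions, never grant them. The following is an added illustration, not code from the article or from AWS: the three SCP documents are simplified approximations of those guardrails (the exact documents AWS ships differ), the bucket name is a placeholder, and `is_denied` is a deliberately minimal evaluator that handles only the explicit-Deny statements these SCPs use, not the full IAM policy engine.

```python
"""Guardrails as service control policies (SCPs): added example, not the article's code.

An SCP never grants access; it only restricts what IAM can otherwise allow.
The policies below approximate the three guardrails named in the article.
"""
import fnmatch
import json

# Constructed placeholder: the real Log Archive bucket name is account-specific.
LOG_ARCHIVE_BUCKET = "example-log-archive-bucket"

GUARDRAIL_SCPS = {
    "Disallow deletion of log archive": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["s3:DeleteBucket", "s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": [f"arn:aws:s3:::{LOG_ARCHIVE_BUCKET}",
                         f"arn:aws:s3:::{LOG_ARCHIVE_BUCKET}/*"],
        }],
    },
    "Disallow configuration changes to CloudTrail": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["cloudtrail:DeleteTrail", "cloudtrail:StopLogging",
                       "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"],
            "Resource": "*",
        }],
    },
    "Disallow actions as root user": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            # Matches the root principal of whichever account the SCP is attached to.
            "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
        }],
    },
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """Minimal condition support: StringLike and StringEquals on request-context keys."""
    for operator, pairs in condition.items():
        for key, patterns in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringLike":
                if not any(fnmatch.fnmatchcase(actual, p) for p in _as_list(patterns)):
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(patterns):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def is_denied(policy, action, resource, context):
    """True if any Deny statement in `policy` matches the action, resource and context."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        return True
    return False


def denied_by(action, resource, context):
    """Names of the guardrails that would block this request (empty list = not blocked by SCP)."""
    return [name for name, scp in GUARDRAIL_SCPS.items()
            if is_denied(scp, action, resource, context)]


if __name__ == "__main__":
    # Constructed sample requests from an IAM user and from the root user.
    user_ctx = {"aws:PrincipalArn": "arn:aws:iam::123456789012:user/alice"}
    root_ctx = {"aws:PrincipalArn": "arn:aws:iam::123456789012:root"}
    print(denied_by("cloudtrail:StopLogging", "*", user_ctx))
    print(denied_by("s3:GetObject", f"arn:aws:s3:::{LOG_ARCHIVE_BUCKET}/2020/02/x.gz", user_ctx))
    print(denied_by("ec2:RunInstances", "*", root_ctx))
    print(json.dumps(GUARDRAIL_SCPS["Disallow actions as root user"], indent=2))
```

Note that an action can be caught by more than one guardrail at once (the root user deleting a trail trips both the CloudTrail and the root-user policy), and that a request passing every SCP is still subject to the IAM policies inside the account; the SCP only narrows the ceiling.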

Managing Multiple Accounts

The Control Tower service also provides a framework to manage multiple accounts. The initial process creates several default accounts that are shared. Two of these accounts are Audit and Log Archive, but there are many other best practice configurations. The service also includes a feature called Account Factory. Account Factory gives developers or other authorized users an automated way to create a sandbox account for testing or other purposes. The child accounts created by this process are configured with the same guardrails as the master account and can have additional policy restrictions. By leveraging Control Tower and the recommended policies, an organization can gain greater control of its cloud resources.

Key Control Tower Points to Consider

Currently, Control Tower only works with a new account, meaning it is not possible to use it with an existing AWS account. This will likely be addressed in a future update. Also, for smaller organizations, Control Tower will likely be overkill. An alternative would be to create a similar account structure manually. Then, leverage CloudFormation templates to apply the policies and other settings that are part of Control Tower.

As with many technology solutions, there are multiple ways to get the same results. However, there are a few key best practices that all AWS accounts should adhere to:

  • Limit the use of the root user
  • Use multi-factor authentication for elevated user access
  • Tag resources for billing, management, and other automation tasks
  • Create separate accounts to host logs and audit data
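The first three practices can be checked without Control Tower. The script below is an added example, not from the article: `audit_credential_report` reads text in the column layout of an IAM credential report (the real report is fetched with `aws iam get-credential-report`; the rows here are constructed sample data) and flags root-user and MFA gaps, and `find_untagged` reports resources missing the tags an organization requires for billing and automation. The required tag names are assumptions chosen for the example.

```python
"""Spot checks for root usage, MFA and tagging: added example, not the article's code."""
import csv
import io

# Constructed sample in the IAM credential report column layout (subset of columns).
# In a real report the root row is named <root_account> and its password_enabled
# column reads not_supported; the root user always has a console password.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,true,false
bob,arn:aws:iam::123456789012:user/bob,true,false,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,false
"""


def audit_credential_report(report_text):
    """Return (user, finding) tuples: root with access keys, console sign-in without MFA."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        is_root = row["user"] == "<root_account>"
        has_keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        console = is_root or row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        if is_root and has_keys:
            # Root keys bypass every IAM policy; the root user should have none.
            findings.append((row["user"], "root user has active access keys"))
        if console and not mfa:
            findings.append((row["user"], "console sign-in without MFA"))
    return findings


# Assumed tag policy for the example; choose names that match your billing model.
REQUIRED_TAGS = ("CostCenter", "Owner", "Environment")

# Constructed sample: resource ARN -> tags currently applied.
SAMPLE_RESOURCES = {
    "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123": {
        "CostCenter": "1234", "Owner": "alice", "Environment": "dev"},
    "arn:aws:s3:::example-data-bucket": {"Owner": "bob"},
}


def find_untagged(resources, required=REQUIRED_TAGS):
    """Map each non-compliant resource ARN to the required tags it is missing."""
    return {arn: [t for t in required if t not in tags]
            for arn, tags in resources.items()
            if any(t not in tags for t in required)}


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
    for arn, missing in find_untagged(SAMPLE_RESOURCES).items():
        print(f"{arn}: missing tags {missing}")
```

A service user such as `deploy-bot` with keys but no console password produces no MFA finding here; whether such users should exist at all is a separate question that the fourth practice (separate log and audit accounts, reviewed by someone other than the workload owners) helps answer.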

Consider leveraging the lessons learned from AWS Control Tower. Create a new account structure or model your current structure on the secure, automated, policy-driven design that Control Tower offers.