🛬 Guidance for AWS Control Tower 🛃
A compelling argument for (and against) using it.
Happy National Engineers Week. This is Unlimited Leave, the AWS Management and Governance newsletter that has been shoveling snow for the last 48 hours. I hope by now you are done focusing on the winter storm Olive and can enjoy some olives in a cocktail. It’s Friday after one hell of a week. You earned it.
This week's topics
Why use AWS Control Tower? Ever?
Enable Systems Manager by Default on All Instances in the Account
Guidance for Establishing an Initial Foundation using Control Tower on AWS
Why use AWS Control Tower? Ever?
I received a direct reply to the “If you build it, they will come?” issue a couple of weeks ago. A reader (Evan) had a question.
Essentially, “Why use Control Tower and is it right for me/us?”
First of all, thank you Evan, and everyone else who has replied or reached out directly providing feedback and encouragement on the content. You have no idea how helpful and motivating your comments are. They are greatly appreciated.
Secondly, no response should go to waste in just an email. While I responded directly to Evan’s question, I promised a deeper explanation in a blog post so that I could share it here.
With his permission, his full question is included in the post and specific parts of my response are included as well.
Enable Systems Manager by Default
AWS announced this week the ability to enable AWS Systems Manager by default across all EC2 instances in an account.
With a single action using Default Host Management Configuration (DHMC), all new AND existing EC2 instances in the account can be configured to have Systems Manager enabled. Yuge!!!!
That is, of course, only if the SSM Agent is installed. I suspect those of you with custom or imported images won’t be able to immediately benefit from this. Especially those of you in Local, State, and Federal agencies that still have trust issues and no good way to convince your InfoSec team that the Agent is safe to use. In fact, they probably prefer it that way. You know who you are.
The significant benefit is that enablement happens without modifying the instance profile, which would otherwise drift your infrastructure as code. The configuration is made once, at the account level. 🙏
Bill is thankful for this one too… Right Bill?
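For readers who want to see what the account-level switch actually looks like, here is an added example (mine, not from the newsletter or from AWS) that enables DHMC in one region with the AWS CLI. It assumes AWS CLI v2 is configured with permissions for iam:CreateRole, iam:AttachRolePolicy, sts:GetCallerIdentity and ssm:UpdateServiceSetting / ssm:GetServiceSetting; the role name is the one AWS documentation uses and can be overridden with DHMC_ROLE_NAME. The trust policy is scoped to your own account with an aws:SourceAccount condition so that nobody else’s SSM service can assume the role (confused-deputy protection), and nothing is applied unless DHMC_APPLY=1 is set, so the file is safe to source or inspect.

```shell
#!/bin/sh
# Added example (not the newsletter's or AWS's own code): enable Default Host
# Management Configuration (DHMC) for one account/region with the AWS CLI.
# Assumes AWS CLI v2 with IAM/STS/SSM permissions described in the lead-in.

ROLE_NAME="${DHMC_ROLE_NAME:-AWSSystemsManagerDefaultEC2InstanceManagementRole}"

# Trust policy letting Systems Manager assume the role, restricted to this
# account via aws:SourceAccount. Pure function (no AWS calls).
dhmc_trust_policy() {
  account="$1"
  printf '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ssm.amazonaws.com"},"Action":"sts:AssumeRole","Condition":{"StringEquals":{"aws:SourceAccount":"%s"}}}]}' "$account"
}

# Service-setting ARN that DHMC is keyed on, per region/account. Pure function.
dhmc_setting_id() {
  region="$1"; account="$2"
  printf 'arn:aws:ssm:%s:%s:servicesetting/ssm/managed-instance/default-ec2-instance-management-role' "$region" "$account"
}

# Create the role if it does not exist, then attach the AWS managed policy
# that grants only what the agent needs for DHMC.
dhmc_create_role() {
  account="$1"
  aws iam get-role --role-name "$ROLE_NAME" >/dev/null 2>&1 || \
    aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(dhmc_trust_policy "$account")" >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedEC2InstanceDefaultPolicy
}

# Flip the account-level setting, then read it back so the change is verified
# rather than assumed. No instance profile is touched.
dhmc_enable() {
  region="$1"; account="$2"
  setting_id="$(dhmc_setting_id "$region" "$account")"
  aws ssm update-service-setting --region "$region" \
    --setting-id "$setting_id" --setting-value "$ROLE_NAME"
  aws ssm get-service-setting --region "$region" \
    --setting-id "$setting_id" \
    --query 'ServiceSetting.SettingValue' --output text
}

# Only act when explicitly asked:  DHMC_APPLY=1 sh enable_dhmc.sh us-east-1
if [ "${DHMC_APPLY:-0}" = "1" ]; then
  acct="$(aws sts get-caller-identity --query Account --output text)"
  dhmc_create_role "$acct"
  dhmc_enable "${1:-us-east-1}" "$acct"
fi
```

The read-back via get-service-setting is the check worth keeping: it confirms the setting value is the role name you intended, and running it alone (without DHMC_APPLY) is a cheap way to audit which accounts and regions have DHMC turned on. Instances still need a recent SSM Agent and IMDSv2 to pick the role up, so the agent-install caveat above still applies.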
Initial Foundation using Control Tower
A while ago I shared the Cloud Foundation Whitepaper.
Today I’m asking you to take a look at the AWS Cloud Foundation Team's “Guidance for Establishing an Initial Foundation using Control Tower on AWS”.
Touted to “help customers quickly and securely deploy workloads across a centrally governed environment” - this guidance is exactly the type of content that will be covered in what I discuss in the next section.
This guidance covers the planning and execution of properly setting up a new AWS Organization. It references things like the Name/Alias convention for accounts and root emails, tagging strategy, all the way to the hardening of individual accounts, and Organizational Units.
While this prescriptive guidance lays out all of the why, the how is what AWS SAs, TAMs, and AMs care about when it comes to supporting their customers.
Starting with these items in mind really helps reduce the questions and overhead that, as your organization scales, might otherwise require deeper knowledge, support, and understanding from the AWS teams themselves.
I agree with a lot of this content and the reasoning behind it. I plan on diving more into this and sharing commentary in the future.
The Greenfield Organization Content is happening.
Here is the poll one last time to snag any stragglers. Again, if you are viewing on mobile or for the first time, look for the 4 different responses between the pipes (’|’).
I’m looking to create a multi-module course with content on deploying a new Greenfield AWS Organization with Control Tower from the beginning.
For more details on what that will look like, please review this past post.
I’ve reached the percentage of total subscribers whom I wanted to see cast a vote. The response is very heavy in the direction of “interested”.
So it’s happening. I’ve begun building out the platform and material. I hope to have an update within the next 2-3 issues of the newsletter. I think you will be happy with what is in store.
Thank you to those of you who voted and added comments/feedback in the poll responses.