Control Tower
Set up a secure and compliant multi-account AWS environment based on AWS best practices.
Automated policy management (guardrails), violation detection and remediation, and a compliance dashboard.
Account Factory uses Service Catalog to provision new accounts.
Guardrails detect and remediate policy violations, providing ongoing governance.
Mandatory - created automatically by Control Tower and always enforced
Strongly recommended - based on AWS best practices, enabled optionally
Preventive - implemented with SCPs; blocks the action before it happens
Detective - uses AWS Config rules to verify compliance (e.g. is MFA enabled?)
Elective - for common enterprise requirements (e.g. disallow S3 delete actions without MFA)
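As an added illustration of a preventive guardrail (not taken from these notes or from Control Tower's own guardrail definitions), the SCP below denies S3 delete actions unless the request was authenticated with MFA; the Sid is a made-up name, and the exempted role ARN assumes the standard AWSControlTowerExecution role is present in the member account.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ExampleDenyS3DeleteWithoutMFA",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:DeleteBucket"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        },
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
```

BoolIfExists rather than Bool is used because aws:MultiFactorAuthPresent is absent from requests signed with long-term access keys, so a plain Bool false test would not match those requests and they would be allowed through. Attach the SCP to an OU rather than the management account, since SCPs never apply to the management account.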
Resource Access Manager (RAM)
Enables you to share specified AWS resources that you own with other AWS accounts.
To enable trusted access with AWS Organizations:
- From the AWS RAM CLI, use the enable-sharing-with-aws-organizations command.
- Name of the IAM service-linked role that can be created in accounts when trusted access is enabled: AWSResourceAccessManagerServiceRolePolicy.