AWS Control Tower is a managed service that provides the easiest way to set up and govern a new, secure, multi-account AWS environment based on best practices established through AWS’ experience working with thousands of enterprises as they move to the cloud.

This lab gives you a high-level overview of the deployment of the AWS Control Tower service. We will walk through the implementation of the service and what to expect during the installation.

You initiate the AWS Control Tower deployment from the AWS Management Console with a few clicks and a form to fill in. It takes 60-90 minutes to launch AWS Control Tower in a new AWS account, so we recommend completing the Deploy AWS Control Tower section upfront, before attending the class, if possible.

Deploy AWS Control Tower

In this section, we will deploy the AWS Control Tower service. The following resources are provisioned on the successful launch of the service:

  • 2 organizational units (OUs) are created: Security, for the Control Tower shared accounts, and Sandbox, as the default location for any user-created AWS accounts.
  • 2 AWS accounts in the Security OU: Log archive and Audit. These are used for centralized logging and auditing respectively.
  • 28 preventive guardrails to enforce policies and 16 detective guardrails to detect violations (the counts grow as guardrails are added; see the AWS Control Tower documentation for the current list).
  • A native cloud directory with preconfigured groups and single sign-on access using AWS SSO.
  • An Account Factory portfolio to deploy new AWS accounts within AWS Control Tower using AWS Service Catalog.

We recommend performing the installation ahead of the session, as the initial setup can take 60-90 minutes. If you are using an account in which AWS Control Tower has already been installed by somebody else, we recommend reviewing the steps below to become familiar with the installation; you will not be able to perform all of them yourself:

  1. Log in to the AWS Management Console of the account where you plan to deploy AWS Control Tower. This account will be referred to as the Management account.
  2. Select the service Control Tower under Management & Governance.
  3. Make sure you are in one of the supported regions (15 at the time of writing); refer to the AWS Control Tower User Guide for the current list. Keep in mind that the region selected here becomes the HOME REGION and cannot be changed once Control Tower is installed.
  4. On AWS Control Tower home page, select Set up landing zone button.

    Note: If you are using a brand new AWS account with no prior history, you may receive an error message indicating that AWS Control Tower detected issues with your AWS account environment that prevent successful setup. To resolve this, launch a Free Tier eligible EC2 instance such as a t2.micro, wait 10-15 minutes, then retry the setup. The instance can be terminated once the setup proceeds.
  5. In the Set up landing zone page you will be prompted for various inputs and acknowledgement:

    Step   | Section                                | Input                           | Description
    Step-1 | Pricing                                | Learn more                      | List of services that you will pay for based on your usage.
    Step-1 | Home Region                            | AWS Region selector             | The default region where resources in your shared accounts will be provisioned, for example the S3 bucket for your log archive. It CANNOT be changed after setting up your landing zone.
    Step-1 | Additional AWS Regions for governance  | Select additional Regions       | The regions you want to govern in addition to the Home Region. Typically, you will select the regions you plan to run workloads in.
    Step-2 | Foundational OU                        | Security (default)              | Security is the default OU name for your shared accounts. OU names must be unique and can be edited after you set up your landing zone.
    Step-2 | Additional OU                          | Sandbox (default)               | Sandbox is the default OU name for your additional OU. OU names must be unique and can be edited after you set up your landing zone.
    Step-3 | Log archive account                    | Log archive (default)           | The log archive account is a repository of immutable logs of API activity and resource configurations from all accounts.
    Step-3 | Audit account                          | Audit (default)                 | The audit account is a restricted account for your security and compliance teams to gain read and write access to all accounts.
    Step-3 | KMS Encryption - optional              | Checkbox                        | Create and manage cryptographic keys, and control your resources in AWS Control Tower.
    Step-4 | Service permissions                    | Learn more about permissions    | AWS Control Tower requires the creation of three roles to launch a landing zone. It splits permissions into three roles as a best practice, restricting each to the minimal set of actions and resources.
    Step-4 | Service permissions                    | Learn more about guidance       | We strongly recommend that you follow the guidance below when you use AWS Control Tower. This guidance may change as we continue to update the service.
    Step-4 | Service permissions                    | Checkbox                        | I understand the permissions AWS Control Tower will use to administer AWS resources and enforce rules on my behalf. I also understand the guidance on the use of AWS Control Tower and the underlying AWS resources.
  6. To proceed with the installation, click on Set up Landing Zone. You will be redirected to the AWS Control Tower Dashboard. The installation progress is shown in the blue bar at the top of the Dashboard.

  7. Check the appropriate email inbox(es) for the following emails from AWS:

    Subject                                   | To                               | Action
    AWS Organizations email verification request | Management account email address | Click on Verify your email address. Once verified, you can invite existing AWS accounts to join your organization.
    Invitation to join AWS Single Sign-On     | Management account email address | Click on Accept invitation. You will be redirected to enter a New password for the AWS SSO user; confirm the password and click on Set new password. You will then be redirected to log into the AWS SSO user portal with these credentials. (You may want to bookmark the portal URL for later.)
    AWS Notification - Subscription Confirmation | Audit account email address      | Click on Confirm subscription. The Audit account email address receives an SNS subscription confirmation email for every region you selected in Step 5 (the Home Region plus any additional Regions).
  8. Wait for the blue progress bar with % complete to disappear from the top of the AWS Control Tower dashboard. Once completed, you should see a green banner indicating that your landing zone has been set up successfully.
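Once the green banner appears, it is worth confirming from the management account that the landing zone really produced what the list above promises: the Security and Sandbox OUs under the organization root, the Log archive and Audit accounts active inside the Security OU, and Control Tower's preventive guardrails attached to that OU as service control policies. The script below is an added example, not part of the original lab. Its checks are pure functions over the shape of AWS Organizations API responses, so they run offline against the constructed sample data embedded here; the `fetch_live` helper shows the boto3 calls that would supply real data. The `aws-guardrails-` SCP name prefix and the sample IDs are assumptions, not values from the page.

```python
"""Post-setup sanity check for an AWS Control Tower landing zone (added example)."""
from typing import Dict, List

# Default names the lab describes; OU names are editable after setup, so
# override these if you renamed them.
EXPECTED_OUS = {"Security", "Sandbox"}
EXPECTED_SHARED_ACCOUNTS = {"Log archive", "Audit"}
# Assumption: Control Tower names its guardrail SCPs with this prefix.
GUARDRAIL_SCP_PREFIX = "aws-guardrails-"


def check_ous(ous: List[Dict], expected=EXPECTED_OUS) -> List[str]:
    """Return expected OU names missing from the root's children.
    `ous` has the shape of "OrganizationalUnits" from
    organizations:ListOrganizationalUnitsForParent."""
    present = {ou["Name"] for ou in ous}
    return sorted(expected - present)


def check_shared_accounts(accounts: List[Dict], expected=EXPECTED_SHARED_ACCOUNTS) -> List[str]:
    """Return findings for the shared accounts under the Security OU.
    `accounts` has the shape of "Accounts" from organizations:ListAccountsForParent."""
    findings = []
    by_name = {a["Name"]: a for a in accounts}
    for name in sorted(expected):
        acct = by_name.get(name)
        if acct is None:
            findings.append(f"missing shared account: {name}")
        elif acct.get("Status") != "ACTIVE":
            findings.append(f"{name} is {acct.get('Status')}, expected ACTIVE")
    return findings


def check_guardrail_scps(policies: List[Dict], prefix=GUARDRAIL_SCP_PREFIX) -> List[str]:
    """Return guardrail SCP names attached to a target.
    `policies` has the shape of "Policies" from
    organizations:ListPoliciesForTarget with Filter=SERVICE_CONTROL_POLICY.
    If only the default FullAWSAccess policy is attached, no preventive
    guardrail is being enforced on that OU."""
    return sorted(p["Name"] for p in policies if p["Name"].startswith(prefix))


def audit_landing_zone(ous, security_accounts, security_scps) -> Dict[str, List[str]]:
    """Combine the checks into one report; empty lists mean everything looks right."""
    guardrails = check_guardrail_scps(security_scps)
    return {
        "missing_ous": check_ous(ous),
        "shared_account_findings": check_shared_accounts(security_accounts),
        "guardrail_findings": [] if guardrails else ["no guardrail SCPs attached to Security OU"],
    }


# Constructed sample responses (not captured from a real account).
SAMPLE_OUS = [
    {"Id": "ou-abcd-11111111", "Name": "Security"},
    {"Id": "ou-abcd-22222222", "Name": "Sandbox"},
]
SAMPLE_SECURITY_ACCOUNTS = [
    {"Id": "222222222222", "Name": "Log archive", "Status": "ACTIVE"},
    {"Id": "333333333333", "Name": "Audit", "Status": "ACTIVE"},
]
SAMPLE_SECURITY_SCPS = [
    {"Id": "p-FullAWSAccess", "Name": "FullAWSAccess", "Type": "SERVICE_CONTROL_POLICY"},
    {"Id": "p-abc12345", "Name": "aws-guardrails-xyz123", "Type": "SERVICE_CONTROL_POLICY"},
]


def fetch_live() -> Dict[str, List[str]]:
    """Run the same checks against the real organization (needs boto3 and
    credentials in the management account). Paginators are used because each
    of these list calls can return more than one page."""
    import boto3  # imported here so the offline checks do not need it

    org = boto3.client("organizations")

    def collect(op, key, **kwargs):
        items = []
        for page in org.get_paginator(op).paginate(**kwargs):
            items.extend(page[key])
        return items

    root_id = org.list_roots()["Roots"][0]["Id"]
    ous = collect("list_organizational_units_for_parent", "OrganizationalUnits", ParentId=root_id)
    security = next(ou for ou in ous if ou["Name"] == "Security")
    accounts = collect("list_accounts_for_parent", "Accounts", ParentId=security["Id"])
    scps = collect("list_policies_for_target", "Policies",
                   TargetId=security["Id"], Filter="SERVICE_CONTROL_POLICY")
    return audit_landing_zone(ous, accounts, scps)


if __name__ == "__main__":
    print(audit_landing_zone(SAMPLE_OUS, SAMPLE_SECURITY_ACCOUNTS, SAMPLE_SECURITY_SCPS))
```

Run it as-is to see the report for the sample data, or call `fetch_live()` from a session in the management account. A non-empty `guardrail_findings` list after setup is the finding to chase first: it means the Security OU is governed only by the permissive default SCP.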

Please refer to AWS Control Tower Documentation for the latest information.


Copyright 2021, Amazon Web Services, All Rights Reserved.