This post is jumping the gun a little bit in that I’m planning to do a short blog series about AWS Organizations and landing zones in the near future. As I’m ramping up to start that series, I wanted to pass along something I didn’t see until digging around a bit recently, which is a new release of AWS Control Tower.
I will post further about Control Tower later in the series, but for those who aren’t aware of Control Tower at all, it is a relatively new AWS product that is essentially a managed service for a new landing zone environment. It is meant to be used for brand new AWS greenfield environments and it automates the deployment of a new multi-account organizational structure within AWS. It provides a dashboard for the organization where you can apply guardrails to all of your accounts for security compliance. It also allows for the creation of new accounts that inherit these guardrails, as well as RBAC via AWS SSO, among many other features.
There are certainly reasons that this service is beneficial to organizations looking to start fresh within AWS and why multi-account architectures are considered a best practice for those scenarios. I will dig deeper into that for my next post, but in the meantime wanted to focus on the recent additions to Control Tower.
Control Tower originally went GA in June of 2019, and as of Sept 6, 2019 a new release has added additional preventative guardrails to the service. Comparing the guardrail list against the version prior to this update, the new guardrails are:
- Disallow Creation of Access Keys for the Root User
- Disallow Cross-Region Replication for Amazon S3 Buckets
- Disallow Amazon EBS Volumes That Are Unattached to an Amazon EC2 Instance
- Disallow Amazon EC2 Instance Types that are not Amazon EBS-Optimized
- Disallow Public Access to Amazon RDS Database Instances
- Disallow Public Access to Amazon RDS Database Snapshots
- Disallow Amazon RDS Database Instances that are not Storage Encrypted
- Disallow Delete Actions on Amazon S3 Buckets Without MFA
- Disallow Access to IAM Users Without MFA
- Disallow Console Access to IAM Users Without MFA
- Disallow Amazon S3 Buckets that are not Versioning Enabled
A good chunk of these are specific to RDS and to MFA for IAM users. Regardless, it is good to see that AWS is making it a priority to expand the reach of Control Tower. There are certainly some instances where functionality is a bit lacking, but as more customers adopt the service and come up with recommendations as to how to make it better (creating custom guardrails should be a big one!) I’d expect to see more updates like this ahead of re:Invent later this year.
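Preventative guardrails like the ones above are enforced as service control policies (SCPs) on the organization. The following is an added illustration, not the post's own material and not AWS's actual guardrail policies: two constructed SCP documents in the shape such guardrails take (root access key creation, S3 deletes without MFA) plus a small evaluator covering only the `StringLike` and `BoolIfExists` condition operators they use, so you can see which requests each deny statement blocks.

```python
import fnmatch

# Constructed SCP documents modelled on the guardrails above (assumed shape,
# not copied from Control Tower). Sids are illustrative.
ROOT_ACCESS_KEY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootAccessKeyCreation",
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey"],
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}},
    }],
}
S3_DELETE_MFA_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyS3DeleteWithoutMFA",
        "Effect": "Deny",
        "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
        "Resource": "*",
        # BoolIfExists: satisfied when the key is absent (e.g. non-MFA session)
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}
GUARDRAILS = [ROOT_ACCESS_KEY_SCP, S3_DELETE_MFA_SCP]

def _condition_matches(cond, ctx):
    """Evaluate the subset of IAM condition operators used in the SCPs above."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            values = expected if isinstance(expected, list) else [expected]
            actual = ctx.get(key)
            if operator == "StringLike":
                if actual is None or not any(fnmatch.fnmatchcase(actual, v) for v in values):
                    return False
            elif operator == "BoolIfExists":
                if actual is not None and str(actual).lower() not in [str(v).lower() for v in values]:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def scp_denies(policies, action, ctx):
    """Return the Sid of the first Deny statement blocking `action` in request context `ctx`, else None."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and any(fnmatch.fnmatchcase(action, a) for a in stmt["Action"]):
                if _condition_matches(stmt.get("Condition", {}), ctx):
                    return stmt["Sid"]
    return None
```

Note that an SCP only ever removes permissions; a request that no Deny statement matches still needs an Allow from the identity's own IAM policy.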