AWS Control Tower
Understand Control Tower for AWS landing zones, account vending, controls, drift detection, shared accounts, and multi-account governance decision signals.
After this, you will understand
Control Tower helps learners see landing zones as an operating model, not just a collection of accounts and checklists.
AWS Control Tower sets up and governs a multi-account AWS landing zone using Organizations, IAM Identity Center, Service Catalog, controls, and shared accounts.
Learners who build accounts by hand miss baseline governance: account vending, the Log Archive and Audit accounts, controls, and drift detection.
Use Control Tower when the requirement is a prescriptive, governed, multi-account landing zone with account provisioning and ongoing controls.
Think before reading: How is Control Tower different from AWS Organizations?
Concepts Covered
- AWS Control Tower
- Landing zones
- Account Factory
- Controls and guardrails
- Preventive, detective, and proactive controls
- Security OU
- Log archive account
- Audit account
- Drift detection
- AWS Organizations relationship
- SAA-C03 exam traps
1. Plain-English Mental Model
AWS Control Tower is a managed way to set up and govern a multi-account AWS landing zone.
The simple model is:
Control Tower -> Organizations + IAM Identity Center + Service Catalog + controls + shared accounts
A landing zone is the governed foundation where accounts, OUs, identity access, logging, audit, and baseline controls are set up consistently.
If AWS Organizations is the account hierarchy, Control Tower is the prescriptive setup and governance layer around that hierarchy.
It helps teams stop creating accounts by hand and start vending accounts through a standardized process.
2. Why This Service Exists
Multi-account AWS is powerful but easy to assemble badly.
Teams can create accounts manually, forget required logging, skip security baselines, assign inconsistent access, and drift away from policy over time. The organization may technically have multiple accounts, but no reliable landing zone.
Control Tower exists to provide a faster, opinionated path to a governed multi-account environment.
It orchestrates several AWS services. It uses Organizations for accounts and OUs, IAM Identity Center for user access, Service Catalog for Account Factory, CloudFormation StackSets for deployment, and controls to enforce or detect governance requirements.
For SAA-C03, Control Tower appears when the question asks for a landing zone, account vending, multi-account best-practice setup, guardrails, drift detection, shared logging or audit accounts, and least operational overhead for governance.
3. The Naive Approach And Where It Breaks
The naive landing zone is a wiki page:
create account -> remember logging -> remember security roles -> remember baselines
This breaks because every account becomes slightly different. One has CloudTrail configured correctly. Another does not. One has the right security roles. Another has local admin exceptions. One account is in the right OU. Another was moved manually.
Another naive pattern is treating Organizations alone as a complete landing zone. Organizations gives the hierarchy and policies, but it does not automatically create every best-practice baseline, account vending workflow, or drift dashboard by itself.
Another mistake is modifying Control Tower managed resources manually. That can create drift or unknown states.
Control Tower is useful when consistency matters more than hand-built flexibility.
4. Core Primitives
A landing zone is the governed multi-account environment.
The management account administers the landing zone.
The Security OU commonly contains shared accounts such as Log Archive and Audit.
The Log Archive account stores centralized logs.
The Audit account supports security and compliance access.
Account Factory is the account vending mechanism. It provisions accounts with pre-approved configuration.
Controls (older materials call them guardrails) express governance rules. They can be preventive, detective, or proactive.
Drift means the environment has moved away from the expected Control Tower configuration.
CloudFormation StackSets are used behind the scenes to deploy resources across accounts and Regions.
5. Architecture Use Cases
Use Control Tower to establish a new AWS environment for an organization that expects more than a handful of accounts.
Use it to standardize account creation:
team requests account -> Account Factory -> account provisioned into OU -> controls applied
Use controls to prevent or detect policy violations across OUs.
Use the shared Log Archive and Audit account model for stronger separation between workload teams and audit evidence.
Use the dashboard to monitor account enrollment, controls, and noncompliant resources.
Use Control Tower when a question says "set up a secure multi-account environment based on AWS best practices" and wants low operational overhead.
7. Security Model
Control Tower security depends on Organizations, IAM Identity Center, IAM roles, CloudTrail, Config, controls, and shared accounts.
The management account remains highly sensitive. It should not run ordinary workloads.
The Log Archive and Audit accounts should be protected because they contain security evidence and investigation access.
Controls can apply at OU scope, affecting all accounts in that OU.
Preventive controls are SCP-style restrictions that block the action outright, regardless of the IAM permissions in the account. Detective controls rely on configuration detection (AWS Config rules) to flag resources that are already noncompliant. Proactive controls check CloudFormation resources before they are provisioned, in supported workflows.
Do not manually delete or modify Control Tower managed roles, stack sets, policies, or shared account structures unless using supported methods.
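The Account Factory flow above (account provisioned into an OU, then controls applied) and the OU-scoped preventive control semantics just described can be made concrete with a small simulation. The following is an added example written for this page, not Control Tower code or the Control Tower API: the OU tree, the twelve-digit account ids, and the control names are constructed, and each control is modelled as a set of IAM actions it denies, in the spirit of an SCP. The point it shows is that a control enabled on a parent OU reaches every account beneath it, and that such a deny wins even when the identity's own IAM policy allows the action.

```python
# Added illustration of OU-scoped preventive controls; not Control Tower code.
# OU names, account ids and control names below are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class OrgUnit:
    name: str
    parent: Optional[OrgUnit] = None
    # Preventive controls enabled directly on this OU: a constructed control name
    # mapped to the IAM actions it denies, the way an SCP deny statement would.
    preventive: dict[str, set[str]] = field(default_factory=dict)


# Constructed hierarchy: Root -> Security, Workloads; Workloads -> Prod, Sandbox.
root = OrgUnit("Root", preventive={
    "DisallowCloudTrailChanges": {"cloudtrail:StopLogging", "cloudtrail:DeleteTrail"},
})
security = OrgUnit("Security", root)
workloads = OrgUnit("Workloads", root, preventive={
    "DisallowPublicReadS3": {"s3:PutBucketPolicy", "s3:PutBucketAcl"},
})
prod = OrgUnit("Prod", workloads, preventive={
    "DisallowConfigRecorderChanges": {"config:StopConfigurationRecorder",
                                      "config:DeleteConfigurationRecorder"},
})
sandbox = OrgUnit("Sandbox", workloads)

# Constructed account ids and the OU each one was vended into by Account Factory.
ACCOUNT_OU: dict[str, OrgUnit] = {
    "111111111111": sandbox,
    "222222222222": prod,
    "333333333333": security,
}


def effective_controls(ou: OrgUnit) -> dict[str, set[str]]:
    """Controls in force for an OU: its own plus everything inherited from ancestors."""
    merged: dict[str, set[str]] = {}
    node: Optional[OrgUnit] = ou
    while node is not None:
        merged.update(node.preventive)
        node = node.parent
    return merged


def blocking_controls(account_id: str, action: str) -> list[str]:
    """Names of the inherited preventive controls that deny `action` in this account."""
    ou = ACCOUNT_OU[account_id]
    return sorted(name for name, denied in effective_controls(ou).items()
                  if action in denied)


def is_allowed(account_id: str, action: str, iam_allows: bool) -> bool:
    """SCP-style evaluation: an OU-level deny wins even if the identity's IAM
    policy grants the action; with no deny in force, IAM decides."""
    if blocking_controls(account_id, action):
        return False
    return iam_allows


if __name__ == "__main__":
    checks = [("111111111111", "cloudtrail:StopLogging"),   # Sandbox inherits Root control
              ("222222222222", "s3:PutBucketAcl"),          # Prod inherits Workloads control
              ("333333333333", "s3:PutBucketAcl")]          # Security is outside Workloads
    for acct, action in checks:
        hits = blocking_controls(acct, action)
        verdict = "denied by " + ", ".join(hits) if hits else "no preventive control; IAM decides"
        print(f"{acct} {action}: {verdict}")
```

The Security OU account is not covered by the Workloads-level control because controls flow down the tree, never sideways; that is why OU design matters more than the number of controls.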
8. Reliability And Resilience
Control Tower improves governance reliability by making the baseline repeatable.
New accounts receive consistent setup. Controls are applied at OU level. Drift detection helps identify when accounts or policies have moved away from the expected state.
The risk is treating Control Tower as magic. It does not design every workload for high availability. It creates the governed account foundation.
If Control Tower managed resources drift or are deleted, account provisioning and governance can break.
Keep landing zone updates deliberate. Understand how accounts are enrolled, how OUs are registered, and how controls affect workloads.
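To make the drift idea from this section concrete, here is an added example (not Control Tower code, and not its drift-detection API) that compares a recorded landing-zone baseline against an observed snapshot and reports the kinds of drift the section warns about: an account moved to another OU by hand, an account created outside Account Factory and never enrolled, a control disabled on an OU, and a baseline StackSet instance deleted from an account. All account ids, OU names, control names and stack names are constructed.

```python
# Added illustration of landing-zone drift detection; not Control Tower code.
# The expected baseline and the observed snapshot are constructed for the example.
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    account: str   # "-" when the finding is about an OU rather than an account
    kind: str
    detail: str


# Expected state, recorded when the landing zone was set up (constructed).
EXPECTED = {
    "shared_accounts": {"log-archive": "444444444444", "audit": "555555555555"},
    "account_ou": {"111111111111": "Sandbox", "222222222222": "Prod",
                   "444444444444": "Security", "555555555555": "Security"},
    "ou_controls": {"Security": {"DisallowCloudTrailChanges"},
                    "Prod": {"DisallowCloudTrailChanges", "DisallowPublicReadS3"},
                    "Sandbox": {"DisallowCloudTrailChanges"}},
    # Baseline StackSet instances every enrolled account must carry (constructed names).
    "baseline_stacks": {"Baseline-Config", "Baseline-CloudTrail"},
}

BASELINE = {"Baseline-Config", "Baseline-CloudTrail"}

# Observed snapshot after someone "tidied up" by hand (constructed).
OBSERVED = {
    "account_ou": {"111111111111": "Sandbox",
                   "222222222222": "Workloads",   # moved out of Prod manually
                   "444444444444": "Security", "555555555555": "Security",
                   "666666666666": "Sandbox"},    # created outside Account Factory
    "ou_controls": {"Security": {"DisallowCloudTrailChanges"},
                    "Prod": {"DisallowCloudTrailChanges"},   # DisallowPublicReadS3 disabled
                    "Sandbox": {"DisallowCloudTrailChanges"},
                    "Workloads": set()},
    "account_stacks": {"111111111111": set(BASELINE),
                       "222222222222": {"Baseline-Config"},   # CloudTrail stack deleted
                       "444444444444": set(BASELINE),
                       "555555555555": set(BASELINE),
                       "666666666666": set()},
}


def detect_drift(expected: dict, observed: dict) -> list[Finding]:
    """Compare the recorded baseline with an observed snapshot and list the drift."""
    findings: list[Finding] = []
    observed_ou = observed["account_ou"]

    # 1. The shared Log Archive and Audit accounts must still sit in the Security OU.
    for role, acct in expected["shared_accounts"].items():
        if observed_ou.get(acct) != "Security":
            findings.append(Finding(acct, "shared-account-misplaced",
                                    f"{role} account not in Security OU"))

    # 2. Every enrolled account must exist and be in the OU it was vended into;
    #    any extra account was created outside Account Factory.
    for acct, ou in expected["account_ou"].items():
        seen = observed_ou.get(acct)
        if seen is None:
            findings.append(Finding(acct, "missing-account", f"expected in {ou}"))
        elif seen != ou:
            findings.append(Finding(acct, "ou-moved", f"expected {ou}, found {seen}"))
    for acct in sorted(observed_ou.keys() - expected["account_ou"].keys()):
        findings.append(Finding(acct, "unenrolled-account", f"found in {observed_ou[acct]}"))

    # 3. Each OU must still have every control that was enabled on it.
    for ou, controls in expected["ou_controls"].items():
        for name in sorted(controls - observed["ou_controls"].get(ou, set())):
            findings.append(Finding("-", "control-disabled", f"{name} missing on OU {ou}"))

    # 4. Each enrolled account must still carry the baseline StackSet instances.
    for acct in expected["account_ou"]:
        present = observed["account_stacks"].get(acct, set())
        for stack in sorted(expected["baseline_stacks"] - present):
            findings.append(Finding(acct, "baseline-stack-missing", stack))

    return findings


if __name__ == "__main__":
    for f in detect_drift(EXPECTED, OBSERVED):
        print(f"{f.kind:24} account={f.account:13} {f.detail}")
```

Running it reports four findings: the Prod account moved to Workloads, the unenrolled extra account, the disabled Prod control, and the deleted CloudTrail baseline stack. The shared accounts produce no finding because they are still where the baseline placed them.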
9. Performance And Scaling
Control Tower scales account governance, not request serving.
Its performance value is in reducing the effort to create and govern accounts consistently.
At scale, teams should think about account request workflows, OU design, control rollout, delegated administration, and integration with infrastructure-as-code pipelines.
Account Factory makes account creation a standardized process rather than a manual ticket plus checklist.
Too many OUs and controls can become operationally difficult. Design the landing zone around real policy boundaries.
10. Cost Model
Control Tower itself is not usually the main direct cost driver, but the services it configures can create cost.
Centralized logging, AWS Config, CloudTrail, Security Hub, GuardDuty, storage, StackSets, and related services may all contribute.
That cost buys governance evidence, security visibility, and consistency.
The alternative is not free. Manually created accounts without baseline logging or controls can create incident and compliance cost.
In exam scenarios, Control Tower is often the low-operational-overhead answer for landing zones.
12. SAA-C03 Exam Signals
"Set up a multi-account landing zone" points to Control Tower.
"Govern accounts with guardrails or controls" points to Control Tower.
"Account Factory" points to Control Tower.
"Provision new AWS accounts with standardized baselines" points to Control Tower.
"Detect drift from landing zone best practices" points to Control Tower.
"Only consolidate billing" points to AWS Organizations, not necessarily Control Tower.
"Grant user access across accounts" points to IAM Identity Center, often used by Control Tower.
13. Common Exam Traps
Do not confuse Control Tower with Organizations. Control Tower builds on Organizations.
Do not use Control Tower as a workload monitoring replacement.
Do not assume Control Tower makes every application highly available.
Do not manually modify Control Tower managed resources and expect no drift.
Do not forget Log Archive and Audit accounts in the landing zone mental model.
Do not use Control Tower when the question only asks for one consolidated bill.
15. Related Topics
Review AWS Organizations, Service Control Policies, AWS IAM Identity Center, AWS CloudTrail, and AWS Config.