How AWS Control Tower Lowers the Barrier to Enterprise Cloud Migration

Scaling AWS cloud migration to the enterprise just got a whole lot less scary. Let’s give a warm welcome to AWS Control Tower.

If there was one announcement at AWS re:Invent 2018 that made us do the happy dance for our enterprise clients, it was the announcement of AWS Control Tower. It’s a new central control center that allows enterprises to have a single jump-off point for multi-AWS account management across teams, departments, and international borders.

Why? Because it will help prove the value of the cloud to our clients faster.

When we talk about enterprise cloud service and infrastructure migration with clients, and how to do it effectively, we come across the same questions:

• How can we ensure it’s secure?
• How can we ensure it’s easy, adaptable and scalable?
• How can we ensure compliance and meet auditing requirements?
• How can we effectively manage multiple teams’ configurations

Above all, how can we do it quickly?

Too often we see enterprises take months to get the basic building blocks in place to enable them to experiment with new ways of working in the cloud.

No longer.

The deep benefit of AWS Control Tower is that it allows developers to start being creative in the cloud almost at the click of a button while giving managers the confidence that everything is secure, compliant and in line with AWS best-practice.

A Common Enterprise AWS Cloud Migration Pattern

What do we often see in terms of enterprise AWS cloud migration?

There will be a pilot team, who tests out migrating to an AWS cloud or hybrid solution. This goes well, at which point several other teams will also implement similar solutions, perhaps working to an overarching and evolving setup and configuration blueprint, but, at times, simply developing their own, based on the experiences of the teams before them.

What this leads to (beyond a handful of teams) is a patchwork of solutions across an enterprise. Even for organizations with a set of rules to develop team AWS implementations, management and monitoring of the team accounts as a whole is not defined (or if it is, it’s a custom, in-house solution). Migration to the cloud here is piecemeal and inefficiently (and often ineffectively) managed at the enterprise level.

In effect, it’s a pilot team, and then a pilot group of teams – without any systems in place to facilitate an enterprise-wide rollout.

Traditionally, at this point, organizations draw up their own overarching architecture for management, monitoring, setup processes, along with a standard configuration model for teams to build on.

To do this with more repeatable systems, enterprises may already be using products like:

• AWS Identity and Access Management (IAM) for user access and permissions;
• AWS Service Catalog for an approved list of AWS services;
• AWS Config for resource monitoring;
• and perhaps even AWS Organizations for policy-based account management.

But this can take months in a bureaucratic environment. AWS Control Tower goes a step further, providing a central control point to orchestrate all of this securely. It offers management, governance, monitoring, and provisioning across AWS cloud teams. It’s specifically designed for large enterprises with an existing mix of different developer, DevOps, systems, and engineering teams, and new teams coming online regularly. It’s the type of tool that allows you to effectively manage hundreds or even thousands of these teams, not just three or four.

AWS Control Tower In a Nutshell

AWS Control Tower allows you to create, manage and monitor any number of AWS accounts securely, utilizing best-practice design patterns. It’s how to scale AWS to the enterprise efficiently: in a repeatable manner with central control and monitoring, while ensuring built-in security and compliance of all team implementations.

AWS Control Tower removes the need to build a custom in-house management system of AWS accounts and rollouts (and/or a patchwork of AWS enterprise control products), saving you the time of developing a custom solution. It even allows for the implementation of your own virtual private network for AWS resources with Amazon VPC.

Control Tower allows organizations to:

• Setup multiple AWS configurations using infrastructure-as-code, utilizing best practices and blueprints
• Do identity management with Single Sign-Ons
• Perform central logging
• Perform security audits with Identity & Access Management
• Create workflows for account provisioning
• Ensure compliance to set rules with Guardrails

In short, it’s secure build and automation for enterprise AWS account control and rollout.

Isn’t It the Same as Landing Zone?

Previously, we have talked about an AWS Landing Zone setup, and how it allows customers to set up a set of AWS accounts from scratch, without the burden of typical overheads.

With the same tagline for Landing Zone as it is for Control Tower, you might think that Control Tower is just AWS Landing Zone rebranded. However, it goes a little further, giving you a step-by-step process to customize the build and automate the creation of an AWS Landing Zone, securely. This means that you no longer have to have an AWS Landing Zone expert on your team already to set up a Landing Zone yourself.

What’s the Catch?

To effectively set up AWS Control Tower, it’s important to define clear guidelines for the enterprise about cloud governance, management, and processes. If you don’t have a firm cloud strategy, we recommend having a read of Amazon’s post on the subject – Using a Cloud Center of Excellence (CCOE) to Transform the Entire Enterprise – it’s not a bad starting point.

The other catch? At the time of print, AWS Control Tower isn’t available for full release. However, you can sign up for the preview version here, or check out AWS Landing Zone in the meantime.

Contino is a leading global DevOps and cloud transformation consultancy with global clients such as Allianz, Lloyds, Barclays, Adidas and HM Government.