AWS re:Inforce 2019: Using AWS Control Tower to Govern Multi-Account AWS Environments (GRC313-R)

All right, good afternoon everyone. I hope you can all hear me; if anyone can hear me, raise your hand. Awesome. Welcome to the session. My name is Chandra, and I am the director of new enterprise initiatives at AWS. Joining me for this session is Mahdi Sajjadpour; he's a principal business development manager. Today we are going to talk about using AWS Control Tower to set up and govern your multi-account AWS environments.

Typically, enterprises have had to deal with a traditional compromise between balancing the needs of developers with the needs of the central cloud IT team, also called the cloud center of excellence in many enterprises. Developers want agility; they want to innovate on AWS. They really like the speed and flexibility that it offers, and they really don't want IT in the way. But if you look at the needs of cloud IT, they want to establish central policies so they can have governance in place, and it's usually a trade-off, right? Enterprises really do not like being forced into making a compromise between the needs of developers and the needs of IT. Not anymore. With AWS Control Tower, there's now a way for enterprises to cater to the needs of business agility as well as governance control. With Control Tower, IT and your builders can have the agility that they need, while central policies for security, compliance, operations, and spend management can be governed centrally. IT can have governance control, and business developers can have the self-service access that gives them speed and agility.

So what is Control Tower? Control Tower is a new service; we just announced general availability two days ago. It's a service that provides you the easiest way to set up and govern your multi-account AWS environments at scale. With Control Tower, you can enable, provision, and operate your AWS environment with the business agility and the governance control that you need in your enterprise.

Now let's look at the three components, or the three benefits, that Control Tower offers. The first thing is enabling for governance. When you set up your multi-account environment, you already know that you're going to have a growing footprint on AWS, with thousands of resources, dozens of accounts, and dozens of teams accessing your multiple accounts, so you really want to enable all your accounts for governance. Control Tower enables four main things to help with governance. The first is setting up an AWS landing zone, and I'll talk about what a landing zone means in a bit. The second thing it does is centralize your identity and access management, and this is a big benefit: bringing it all into a centralized place versus distributing your identity and access management into multiple accounts with multiple IAM users. It allows you to establish guardrails for governance, which is enabling your environment for the policies and the posture that you want to implement, and it automates compliant account provisioning. We'll look into all of these in more detail. Once you set it up, you can manage all of this continuously; it's an ongoing enablement, not just a one-time thing, and it allows you to refine how you set things up.

So what is a landing zone? A landing zone, at the end of the day, is a multi-account environment that's based on best practices. What Control Tower does is pre-configure the landing zone for you, and it automates the creation of a landing zone with just a few clicks, versus spending weeks or months learning about the best practices and then putting it all together. A landing zone automates a lot of things under the covers, so you really don't need to deal with the complexity of setting up the multiple services which are needed for governance. The first thing it does is provision AWS Organizations for a multi-account structure that provides the foundation for how you want to organize all your accounts in your enterprise. Then identity and federated access management is provisioned using AWS SSO, and I'll talk about this in more detail in a bit. Then it sets up a central log archive using services like CloudTrail and Config. What it does is enable CloudTrail to log all your account activity in Control Tower managed accounts, and Config to record all your resource configurations, and it automatically sets up every account to send these logs to a central log archive, which lives in the log archive account. So you really don't need to worry about having all your new accounts set up for logging. Once you set up the central log archive, it becomes a single source of truth for all your security and account activity logs within your enterprise, and these are accounts that you should consider locked down for special roles and special people in your organization that you give access to.

Likewise, there's cross-account audit access, and that's enabled by an audit account. Think about cases where you have security professionals or auditors within your organization needing access to all accounts that are going to be provisioned by your developers within the organization. Control Tower automatically sets up read access or administrative break-glass access into each of these accounts, and we have pre-configured groups, which I'll walk you through in a bit. Just by assigning users to these carefully managed groups, you are setting up all your accounts for central audit access, with read or break-glass administration into these accounts.

Account provisioning is a big need for enterprises, where they typically deal with ticketing systems and a central team approving requests by developers who want to create accounts for their applications, and then having to worry about standardization of these accounts with configurations that comply with their corporate policies. Control Tower provides you with an Account Factory, which is a template where you define basic network configuration settings for how you'd like your accounts to be standardized, and then it's automatically published to a Service Catalog where your end users can configure and provision accounts. This automates the account provisioning workflow, which is typically cumbersome in many organizations. Last but not least, we have centralized monitoring and notifications set up through CloudWatch and SNS notifications, where you are alerted about security- and network-related activities within your organization.

So what is the multi-account architecture that we configure out of the box? I mentioned that AWS Organizations is provisioned for you. We take your existing account, the one you sign into Control Tower with, and that becomes the master account, which then creates an organization for you. Out of the box we create two organizational units. One is what we call the core organizational unit. If anyone's wondering what an organizational unit is, it's a container to group accounts, and the grouping is both for account organization and for facilitating easy enablement of policies at a level which all underlying accounts then inherit. The core OU has the accounts that Control Tower pre-creates, which are the audit account and the log archive account. The custom OU is the default container where your end-user-provisioned accounts go, and we expect you to create more organizational units depending on how you want to organize your end-user-provisioned accounts. There are multiple best practices for doing that: organizing by BU, by function, by project, or by application lifecycle like pre-prod and prod. There's no one way to do it.

I talked about how identity and access management is automatically configured for you. What Control Tower does is provision AWS SSO, which provides a default directory where you can manage your users and groups in the cloud. SSO by its nature also provides federated access management, and every account that's provisioned within your organization is now going to be automatically set up with federated access management for the groups and the users that you configure. We'll show you in the demo how Control Tower sets up a lot of pre-configured groups. These are some examples: you have Control Tower administrators, who are the ones that are going to be enabling guardrails and configuring the Account Factory, working with other security and compliance professionals within the organization; we have the auditor read and auditor write groups; and the Service Catalog end users group, which becomes the default group where your end users get access to the Account Factory so they can configure and provision accounts. These come with pre-configured permission sets as well, depending on what roles have been defined; you have admin, read-only, and write, and these are all set up automatically for you. So you really don't need to worry about the basic groups that come out of the box, but you can go into SSO and you are free to configure more groups and use those, depending on how you want to provide access and define different specialized roles within your organization. If you're wondering about Active Directory that you want to integrate with, you can go into AWS SSO and configure SSO to work with your Active Directory, both on-premises or managed in the cloud, using Active Directory Connector and AWS Directory Service.

Now, once you've got your basic multi-account environment in place, the next thing is ongoing governance, and this is where Control Tower introduces the notion of Control Tower guardrails. These are pre-configured governance rules which are available to you out of the box; they are curated AWS governance rules and policies that we have collected working with many of our enterprises who want these to be set up by default. Compared to the granular policies that you're all familiar with, such as IAM or resource policies like S3 bucket policies, guardrails in Control Tower are expressed in plain English, and that makes it very easy for you to understand the intent of a guardrail and then quickly enable it on your organizational units. Typically you want to enable these even before accounts are provisioned in your organization, and that gives you the confidence that as new accounts are provisioned within your organization, they are going to be in compliance, so you really don't need to detect and worry about remediation after the fact.

Guardrails come with two behaviors, depending on what they are. Preventive guardrails, by definition, establish an intent within the accounts and then prevent the configuration from drifting. We do it through service control policies that Control Tower attaches in AWS Organizations, depending on which OU you select a guardrail to be enabled on. When a preventive guardrail is enabled, all the accounts underneath inherit it, and we ensure that these stay in compliance. There's a different behavior; we call them detective guardrails, which are built using AWS Config rules. Think about these as constantly monitoring your environment for non-conformance based on what the Config rule is set up to detect, and when resources are non-compliant, it's going to be alerting you in the dashboard, and you also get SNS notifications so you can go and remediate them.

We offer guidance in terms of what we consider default or mandatory guardrails. When you set up Control Tower, a set of guardrails is just going to be enabled on your organizational units, the custom OU and the core OU, by default, so you really don't have to worry about those governance policies being in effect, and I'll give you some examples of that. Then there are other guardrails that are available to you that we strongly recommend, and those you should consider as optional; depending on your corporate policy, you are free to enable them on specific OUs.

These are some examples of guardrails. At GA we have 26 guardrails out of the box, and we have a roadmap where we are going to be making more guardrails available to you. Guardrails span multiple categories: IAM security, network security, data security, compliance, and operations. These are some examples of the guardrails that you can quickly enable on your organizational units. As one example, disallowing public read or write access on your S3 buckets is available to you at GA as a detective guardrail; you can enable it and quickly know which buckets have been enabled for public read or write access, you get notified in the dashboard, and you can quickly react to that. At the end you see a drift guardrail; think about those as covering what a Control Tower administrator could possibly do. One of the tenets of Control Tower is to be transparent, which means the underlying services that are set up by Control Tower are still accessible to you. You can go to these services, like AWS Organizations and Config rules, and do additional things that you want to do. As one example, we talked about the out-of-the-box guardrails, but if you want to have a granular SCP put in place, you're free to go to AWS Organizations and add SCPs to the OU. The only guidance that we offer is: do not edit the Control Tower managed SCP that we put in place to incorporate the mandatory guardrails that we have in place for preventive behavior. The drift guardrail covers the resources that Control Tower sets up in other services: we can detect when an administrator knowingly goes and does certain things in these underlying services, and we will alert you in the Control Tower dashboard and using an SNS notification that certain drifts have happened, so you need to be aware of it and fix it if certain things need fixing. We have seven preventive guardrails, in addition to the detection that we do.

All right. I talked about how Control Tower facilitates account provisioning within your organization, so the Account Factory is the feature for you to do that out of the box. Think about it as a template where you can go configure things like whether you're going to allow public subnets within your account, or whether you want to determine or limit the maximum number of private subnets, and there's IP address management that's built in as part of the Account Factory. Those are all configurable by the Control Tower admin inside of Control Tower, and once you do all that, the Account Factory is automatically published to a Service Catalog, which has been provisioned automatically for you. That completes the enablement piece of the governance that I talked about.

Let's look into how provisioning then happens within your organization, and this is where the Service Catalog comes in. Your end users that you've given access to, using the pre-configured role called Service Catalog end users, are now going to have access to a Service Catalog. What's the Service Catalog? Think about it as a central place where there are pre-approved resources for your teams and the builders in your team to configure and provision. This catalog allows products to be published to it, or you can manage a collection of products, define a portfolio, and publish it as a portfolio, which then can give access to specific teams, and the products inside those can be administered. These are the different steps: the Control Tower administrator configures an Account Factory and publishes it as a product to Service Catalog; I already talked about how end users get access to it; and the Service Catalog administrator can do other things too, as there are application stacks and infrastructure stacks that you want to make available to your developers that are pre-approved, so you can eliminate the undifferentiated heavy lifting that every developer in your organization needs to do to build an app, because there are a lot of usage patterns that can just be authored by someone, pre-approved by IT, and then made available to the rest of the organization.

So the model then is: once these are available, your end users can go directly to Service Catalog, they will find the Account Factory as a product, and they can configure it using the same parameters that you configured in the Account Factory. They can specify which organizational unit this account should go under, and that's important, because that determines the guardrails that are going to be inherited by the account directly. The baselines defined in the Account Factory are automatically applied to the account, and once inside an account, they're going to have access to additional products your Service Catalog administrator may have packaged and made available. This model of a central team pre-approving accounts and resources and portfolios of products and making them available is a win-win, going back to the business agility and the governance control I talked about. The end users still have access to all of the AWS services, and guardrails are going to be in place for whatever they do, but if they want to leverage these additional Service Catalog products and portfolios, they're free to do that as well.

Last but not least, before we get into the demo, is the operational side of things. Once you set up, and once resources are being provisioned in your organization, let's talk about how Control Tower provides an ongoing governance model. I mentioned how CloudWatch and SNS notifications are automatically set up for you, and depending on which account you configure for your audit account, you're going to get SNS notifications for important alerts and events that happen within the organization. For all the detective rules that are put in place using Config rules, you're going to get compliance notifications directly in the dashboard and in SNS notifications that you can quickly respond to, and we'll show you in the demo how the dashboard makes it easy for you. I talked about how, for audit purposes, auditors that you give access to are able to get into accounts with read access and then audit resource configurations, who has access to what, and which guardrails have been enforced on those accounts. Control Tower lets you act on things because of how we automatically configure it with SSO: anything you see in the dashboard that displays an account or a set of resources that are not in compliance, you can quickly go, using SSO, inside that account and take remediation actions, so you can act on all those operational issues right away. I talked about the dashboard, which brings it all together for continuous visibility into your entire environment. This is what a dashboard looks like; I'm not going to dwell too much on it because we have a real demo that we're waiting to show you, but it just gives you a snapshot of your environment and the actions you need to take. With that, let's quickly look into a demo.

Thanks, Chandra. My name is Mahdi Sajjadpour; I'm part of the BD team for Control Tower and Service Catalog. I'll go through a quick demo of what Control Tower looks like. If you're setting it up for the first time, when you go to Control Tower you will have to give it two emails, and it'll set up a bunch of accounts. It takes about an hour for it to set up all the accounts that it's setting up for you, and then it'll give you a message like the green one up there, that it has set up the landing zone and Control Tower is available to you. As Chandra mentioned before, you have a master account, which is the account I'm logged into right now, and it will create two other accounts, which are the audit account and the log archive account, which are both created once it's set up. Then, once Control Tower is up and running, you'll have a bunch of guardrails available to you.

If you scroll down, the first thing you see, if you see the menu on the left-hand side, is the dashboard capability that Chandra just showed you a quick screenshot of. It gives you a bunch of recommended actions you can take: creating an OU through Control Tower, configuring the Account Factory, creating new accounts directly from here (and I'll show you that in a second), enabling more guardrails on the accounts that you have under Control Tower management, reviewing user access for AWS SSO, and then looking at all the other configurations you have. I can minimize this and go straight to what my Control Tower environment looks like. In this environment I have seven OUs that I've set up, and I have eight AWS accounts that are under management; this just depends on how many OUs or accounts you configure through Control Tower with the Account Factory. I have about 23 guardrails enabled, so I have 17 preventive ones and six detective ones enabled, and I'll show you how I enable a guardrail on an OU. All your guardrails are applied at the OU level, but they apply to every account which is under that OU, and any new account you create will get the guardrails which are assigned to that OU at that point in time. You can click on any of these links and it will take you, for example, to the OU page, which you can also see on the left-hand side; it's the equivalent of that. Same thing with accounts, same thing with the guardrails. But I'll first go through the dashboard, and then I'll go through all the menu options on the left-hand side.

Then I scroll down further and I can see what's non-compliant in my environment. I have a bunch of non-compliant resources that Control Tower has identified as being non-compliant. The one I'll focus on specifically is the one at the bottom, and if you remember, there was an encryption requirement that Chandra mentioned earlier, which is: let's say we have a volume that's not encrypted, an EBS volume that's not encrypted that is attached to an EC2 instance; you want to be able to detect that. Here's an example of a volume that is detected. I can scroll to the right and I can see which region it belongs to (it belongs to us-east-1), I can see the account name (this is CT demo account creation one), and then I can see which OU it belongs to (it belongs to the CT demo OU), and I can also see the guardrail which it's violating, or is out of compliance with. So now I have a good snapshot of what's out of compliance within my Control Tower environment, and I can dive a little deeper into what the specific volume is; it gives me the specific volume, and I can go even deeper than that and see what the actual rule is that's being triggered from Control Tower, what Config rule is being triggered to do that.

I can scroll down further and I can see all of the OUs that I have. I have a bunch of OUs here that I've created. I can scroll to the right and I'll see, for example, the CT demo OU show up, and the CT demo OU is non-compliant; it means that there's an account within Control Tower that is non-compliant, so the OU will show up as non-compliant, and then I can go and see what's going on within that environment. I can scroll down further and I can see the accounts that are under Control Tower management. You can see the first three accounts, if you see there on the right-hand side where it says owner, the owner is AWS Control Tower; those are your baseline core accounts that Control Tower sets up for you when you set up Control Tower. They're controlled by Control Tower, and they do also have guardrails applied to them, so if you remove a guardrail or something goes wrong, you can also get non-compliance with those accounts as well. I can look down further and I can see the other accounts that I've created, and you can see the CT demo account creation one is one of the ones that's in non-compliance. The other non-compliant guardrail that I'm missing is MFA for the root user, which I don't have enabled, which is how you see CT demo account creation two show up in there as well. So I can scroll and see what other accounts I have in my environment and what their compliance status is.

The next thing I can do is scroll down in the dashboard and see what guardrails I have enabled. Here are the guardrails that I've enabled; I can scroll to the right and see what all the guardrails are. As Chandra mentioned before, there are preventive and detective guardrails. The preventive guardrails, think of them as implementing something like an SCP; think of the detective ones as an AWS Config rule that's being applied. You can actually see the details of it when we go to the guardrail detail page. So I can scroll and see the different guardrails I have enabled within my environment.

Now that we have the dashboard view, let's say I want to zoom in on a specific account configuration, I want to add an OU, I want to do other things from Control Tower. I'll click on the accounts page, and you can see here all the accounts that I have created through Control Tower. I can click on any of these accounts and dive a little deeper into how it's configured. Let's think of it from an operator's point of view: if I'm an operator, I would be able to see what's configured in the account. I don't have to be an AWS expert to figure all of this out; I can just click on it and get the information associated with it. I can see what the account ID is, I can see which OU it belongs to, what the compliance status associated with it is, and who created the account, whether it was Control Tower or some end user within the environment. In this particular case, if you see here, the account was not created through Control Tower. I can see the email associated with the account and all the other information associated with it. I can scroll down and see the non-compliant resources within this particular account: I can see the volume, and I can see the enable MFA for the root user check turned on for this particular account. It does do checks on a per-region basis; Control Tower comes with four regions today, so us-east-1, us-east-2, us-west-2, and Dublin are enabled. Then I can scroll down further and I can see the guardrails which are specifically applied to this account; these are the guardrails that are applied to the OU which this account belongs to. So, for example, I can scroll down and see that I have "disallow public write access to S3 buckets", and I have "enable encryption for EBS volumes attached to EC2 instances", and that's the one that's being violated at this point in time.

So now let's say I want to click on that particular guardrail and take a look at what that guardrail configuration looks like. I'll click on it here, and if you see on the left-hand side, I'm now in the guardrail screen. I'll go back there and show you some more details associated with it. You can see the details of the guardrail: the guardrail name, the behavior associated with it, and the guidance around it. There's mandatory and strongly recommended; the mandatory ones are applied by default to the accounts, and the strongly recommended ones you can apply to your OUs at will, and you can take them out as well, so you can disable guardrails as well within a given OU. It gives you a little summary of it, and I can get more information around that guardrail; I can click on the info screen and get some more details around what's there. (You notice... I want to show them the facts. Yeah, yep.) Then I can scroll down further and see what the guardrail is made of: it's an AWS Config rule that's being applied. I can click on that link and actually see the YAML associated with that AWS Config rule that's being applied to all the accounts within that OU. I can scroll down further from there and see the non-compliant resources that show up for that particular guardrail, so in this screen I can see which particular resources are in violation of this guardrail. Now I can scroll down further and, as I mentioned before, guardrails are applied at the OU level, so I can see all the OUs that have this guardrail applied to them. I can disable the guardrail for a given OU; I can just click here and disable the guardrail. It will take a few minutes for it to completely disable and move away from the screen, and I can also enable the guardrail on a given OU as well. I can scroll down further and get more details on the specific accounts to which this guardrail has been applied. So I can see all these accounts which have this guardrail on them, and one of them has that guardrail in non-compliance. Remember, the CT demo account creation two account was in non-compliance when I showed it to you earlier, but this is only specific to this guardrail, so for that particular guardrail that account is in compliance.

All right, going back to the account screen, I can also provision a new account. I can click on this, which takes me to AWS Service Catalog, and it takes me to a product that enables me to create a new account. I'll get to that when I click on the Account Factory menu option, and I'll show you how you can configure some of the options associated with creating an account as well, but this also gives you quick access to be able to create a new account which is under Control Tower management.

I can click on OUs and I can see all the OUs that are managed by Control Tower, so here's a list of all the OUs I have created. I can scroll down and see what the OUs are. I can delete an OU from here, so I can just get rid of an OU I have; for example, I could get rid of CT demo one. If you see, the core and the root ones are grayed out, because those are the ones that you need as baselines to be able to leverage Control Tower in that environment. I can also create an OU from here, so you go through... all right, and now I've created a new OU, and I can create new accounts and associate them with that OU when I go through the Account Factory. You can dive a little deeper into each OU as well, so I can click, let's say, on CT demo, which is the one I have a non-compliant resource associated with, and I can see the OU information pop up. This OU is non-compliant because there's at least one account there which has a guardrail which has been violated, which has stopped meeting the guardrail requirements. I can scroll down further and see the exact accounts that are associated with that particular OU; I have three accounts that are associated with this given OU. Then I can scroll down and see the guardrails that are enabled for this particular OU; these are all the guardrails that I have here.

Now I want to be able to add a guardrail to this OU. As Chandra mentioned earlier, you can add an S3 bucket check to make sure that none of your S3 buckets are publicly accessible. I'll go there and show you: you can click on it and enforce that on the given OU. You would do that through the guardrail screen, so I click on guardrails, and this list here gives you all of the guardrails that are made available to you. These are not all the guardrails that you have applied; all the guardrails that are made available to you are listed here, and you can scroll down and see the guidance associated with them, the category they fall into, as Chandra mentioned before, and the behavior associated with them, whether they are preventive or detective. Then I can click on each one of them and dive a little deeper. So let's go here and click on the list, and I can see, for example, here I have "disallow public read access to S3 buckets". I'm going to click on that particular guardrail. I'll get the same guardrail screen associated with it; I can scroll down and see how this guardrail is made: it's made as an AWS Config rule. I can click on any of this Config rule and get all of the information associated with it, and then scroll down, and I see I don't have any non-compliant resources, but I scroll down and I see that there are only two OUs associated with it, and I can add another OU to it as well. So I'll be able to, let's say, add CT demo to this one. I'll click here and I'll enable the guardrail. The way it implements the guardrail is it's actually launching a stack set in the background. You can go into the CloudFormation templates in the CloudFormation screen here and you can see that it's actually applying this guardrail to that given account. When we go through the Users and Access and AWS SSO section, I'll actually log into that account; I can log into the accounts which are under the CT demo OU and actually see that CloudFormation template run in those accounts. So that's all made visible to you; you'll be able to see what's going on within your environment.

Now let's click on Users and Access. This is where you would set up the AWS SSO configuration. If you use AWS SSO, it has some built-in groups that you'll be able to leverage to be able to create
that environment so I can see here that I have a portal that's associated with it this is the login portal for SSO so I can click on it and it takes me to that page I would be able to put my information now I'm logged in as I'm logged in to the control tower master account so I will have access to all of the accounts now depending on what kind of configuration or group you should use assigned to a user you'd be able to get different types of accounts so if I log in as an account which was provisioned here I would be able to only see that account so for example if I use CT account creation one I would only see that account from the SSO page and be able to log into it so here's a set of user set of permission sets that we make available for you so there's the atps administrator access there's a two Bs organizations full access there's power users and there's service catalog and user access to be able to take advantage of the account factory and provision products and then you have different groups that you also create within a degree SSO so that you can assign to different users that you create so you can create a account factory user you can create a log archive admin and all these different types of users within SSO and you can manage them as well from here so I can go into AWS SSO and I will be able to manage those users or create new ones so within this directory I'll see what what are the different users I have listed here and I could create a new user so let me just create a new user here I'm gonna make this user a control tower admin for now and then I'm gonna add the user and I could use this user when I create a new account or a provisioned account I'll be able to take advantage of at night have all of them named after me at this point but I will use the email when I create the account so now let's click on the account factory I create a new user I went through all the guardrails I applied some new guardrails to that given oh you that I had and I want to be 
able to configure how my accounts will look like so here you can be able to set up some configuration items associated to to those accounts that you provision so if you'll see here I can click on edit and you can see that if I create a new account I can set up how the VPC would look like within that account what are the subnets associated what's the IP range was going to be associated with it and in which regions I want to be able to create those V pcs I can create a baseline V PC I can have this as my site or range and then within that environment I'll be able to within those two regions that will create a V PC with those with those cider ranges so I can click on cancel here and go back to the provision new account so I'll go to the account factory and I will launch this product which creates a new accountant so it can scroll down [Applause] you know ask me some some parameters for me to be able to create it so here I will use my email that I just the username that I just created and I will pick the oh you that's associated with it so I will pick let's say the CT demo you once I pick this oh you all the guardrails associated with this particular oh you will get us associated directly to this account so they will have all of the cartwheels associated with it and then I click on next and I will be able to launch it and we'll take a little bit of time for it to be created I'll show you what it looks like once it's created so I can click on launch and it will start creating the account applying all the guardrails associated with it let's see okay this is kind of what the output looks like once it creates the account it gives you the account ID the email associated with it and the SSO portal for you to be able to log into it some additional things you can see on control tower page is the three kind of baseline accounts that it creates it creates a master account the one I'm logged into and it has an oligarch Ivan an audit account that Chand are mentioned so you click 
on for example the log archive one and I could see where's the s3 bucket where everything is being logged into and I can click on the audit account as well and get some details associated with the audit account next since I've logged in and I'm logged in as a master I will be able to log in to some of these accounts and show you what what those accounts look like so for example I'll be able to log into the audit account from here and I'll go directly to the console so it makes it very easy for me to be able to administer accounts that I already have in place so this is the audit account I'm gonna get kicked out of the master account now be able to see what's going on within within the audit account and be able to leverage it I could go to confirmation and see what are the guardrails that are being actually applied to that accounts I click on for example here and I'll see all the stack sets which were and the guardrails will be different confirmation stacks that are running on this account and I can see what's going on within the account any a sub account I log into I would be able to see the same kind of information that was a quick overview of control tower anything you want to add to that John during step a lot of things to the tech I'm gonna skip this pricing control tower there's no additional charge to use in control tower you just pay for the underlying services that control tower enables and the resources that are consumed based on the amount of accounts you provision in your org and what detective guardrails you're gonna be deploying preventive guardrails that use a CPS come for free because there's no charge for that control towers available today in four regions and we have a plan to expand control turbo and more regions very quickly and and this is just a summarization of everything you heard and saw today if you are wanting to set up a brand new with this environment with best practices and standardize your contra visioning control tower saves you 
significant time and effort and this is snapshot of all the features that you saw and in the general with that Marty and I are gonna stay up for a while if you have more questions we have p2 would be happy to answer them thank you [Applause]
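The "disallow public read access to S3 buckets" detective guardrail walked through in the demo, as an added offline example that is not the talk's or Control Tower's own Config rule code: it evaluates constructed bucket ACL grants and bucket policies the way a Config rule would and returns a per-bucket COMPLIANT / NON_COMPLIANT result. The function names, the bucket names in SAMPLE_BUCKETS and the simplification that policy Conditions are ignored are all assumptions of this example.

```python
import json

# Real S3 predefined group URIs; a READ grant to either makes a bucket public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_PERMS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    # Policy fields may be a scalar, a single dict, or a list.
    if isinstance(value, (str, dict)):
        return [value]
    return list(value or [])


def acl_allows_public_read(grants):
    """True if an ACL grant gives READ or FULL_CONTROL to AllUsers/AuthenticatedUsers."""
    return any(g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)
               and g["Permission"] in READ_PERMS for g in grants)


def policy_allows_public_read(policy_json):
    """True if an Allow statement grants an object-read action to a wildcard
    principal ("*" or {"AWS": "*"}). Simplification: Conditions are ignored."""
    if not policy_json:
        return False
    for s in _as_list(json.loads(policy_json).get("Statement", [])):
        p = s.get("Principal")
        public = p == "*" or (isinstance(p, dict) and "*" in _as_list(p.get("AWS")))
        if s.get("Effect") == "Allow" and public and any(
                a.lower() in READ_ACTIONS for a in _as_list(s.get("Action"))):
            return True
    return False


def evaluate_buckets(buckets):
    """Map bucket name -> "COMPLIANT" / "NON_COMPLIANT" (Config's result values)."""
    return {b["name"]: "NON_COMPLIANT" if acl_allows_public_read(b.get("acl", []))
            or policy_allows_public_read(b.get("policy")) else "COMPLIANT"
            for b in buckets}


# Constructed sample input (hypothetical buckets, not real account data).
SAMPLE_BUCKETS = [
    {"name": "ct-demo-private",
     "acl": [{"Grantee": {"ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]},
    {"name": "ct-demo-public-acl",
     "acl": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    {"name": "ct-demo-public-policy", "acl": [], "policy": json.dumps({
        "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::ct-demo-public-policy/*"}]})},
]

if __name__ == "__main__": print(evaluate_buckets(SAMPLE_BUCKETS))
```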

One thought on “AWS re:Inforce 2019: Using AWS Control Tower to Govern Multi-Account AWS Environments (GRC313-R)”

  1. Spent too much time on demo/explain the guardrails, while too little on demoing & explain SSO, federation, service catalog, account factory.
