Landing Your AWS Journey With Control Tower

AWS Mar 07, 2021

Congratulations! You have started your journey into the cloud and have chosen AWS as your cloud provider, and you have decided to go all-in on AWS. Great! So what now? What should your first step be? Whether you have a brand new start-up or you are an enterprise migrating to the cloud, all organizations can benefit from implementing a well architected multi-account architecture from the beginning of their cloud journey. AWS has a good solution for this in AWS Control Tower. In this post I will do a quick walk through on how to get started with AWS Control Tower on your new AWS account and setup a foundation for your organization to build upon.

Control Tower Service

You can think of AWS Control Tower as an orchestra director that leverages various AWS services to create a foundation for your multi-account architecture. Prominent amongst these services are: AWS Organizations, AWS Single Sign-on and AWS Service Catalog. Using AWS Control Tower to setup your accounts foundation offers you a secure and compliant way to manage your AWS environments at scale.

Getting Started

Before you get started with Control Tower you should carefully plan and understand the various components that make up the Control Tower solution. Here are some highly recommended readings that I suggest you take a look before jump starting into Control Tower, which will help to bring awareness about best practices.

Once you have strategized and planned your account rollout strategy, getting started with Control Tower hands-on is actually pretty straight forward, and like every other service in AWS, you start by first selecting your region (in my case I chose Oregon) and launching the service from the AWS Console:

Once you are in the AWS Control Tower service page, you will see the landing page. There you can simply click on the Set up landing zone button to get started:

Setting Up Your Landing Zone

Now you will need to configure your landing zone by entering some data about your initial setup. You can follow the form and fill out the rest. The account where you are creating the landing zone will also become the maintenance account for the Organization that Control Tower will create on your behalf. The actual Set up landing zone form is just a bit long, so I will post it here in two sections, but you will see it as one page. First section simply shows you what region you are setting up Control Tower in:

The next part of the form's section asks you to fill in the email addresses for the Log and Audit accounts, which will be created along with your initial Control Tower activation. These accounts will be part of the Core OU, also know as Core Organization Unit, which is a pillar of a well architected AWS multi-account strategy for your AWS Control Tower landing zone. Now, for the next step in the workflow, click on Set up landing zone to launch the set up:

Launching Your Landing Zone

After launching your landing zone, you will see a progress screen similar to this one:

As you can see from the message at the top of the screen, this process takes some time, with the current estimate set to ~60 minutes. You can therefore take a break here, and get yourself some coffee while Control Tower does its thing. Once Control Tower successfully sets up your Landing Zone, you will see this screen:

Now you are ready to add additional accounts as needed via Control Tower. Notice that an Organization is also setup for you, along with Preventive and Detective guardrails. You can find more information about Control Tower guardrails in the official docs:


In this post we briefly went over what Control Tower is and how you can get started and set up your own Landing Zone leveraging the Control Tower service. There is a lot of aspects that you need to consider when designing a multi-account architecture, and Control Tower allows you to get started with best practices baked in from the start. Hopefully this will help you as you get started in your AWS cloud journey.

Until next time, happy clouding.

Juan Pablo Velasco

I am a consultant, programmer, security advocate and all around techie currently interested in all things Identity & Security.

Great! You've successfully subscribed.
Great! Next, complete checkout for full access.
Welcome back! You've successfully signed in.
Success! Your account is fully activated, you now have access to all content.