Bird's eye view of high-rise landscape over which binary codes fly.

AWS Control Tower: revolutionizing landing zones

Explore AWS Control Tower's reimagined Landing Zone: simplifying AWS services, customizations, and enablement choices

May 15 2023Artur Schneider

Mastering AWS Landing Zones with Control Tower

Amazon Web Services (AWS) offers extensive resources, services, and applications for a global customer base. A key aspect of adopting cloud services is creating a secure, well-organized environment. AWS Control Tower significantly streamlines this process, altering the AWS Landing Zone approach for customers. This blog explores AWS Control Tower, its features, and its impact on customers' Landing Zone experiences. 

What is AWS Control Tower?

Innovation chart

AWS Control Tower is a managed service that provides an automated and structured method to set up a multi-account AWS environment. It simplifies creating and managing AWS accounts and organizing them using AWS Organizations. In addition, AWS Control Tower establishes a well-architected baseline environment, adhering to best practices and ensuring consistent security and compliance across all accounts. 

Is AWS Control Tower a Game Changer? 

Setting up an AWS Landing Zone takes significant time and requires immense administrative effort to define the security and compliance rules, including account creation. AWS Control Tower revolutionizes the AWS Landing Zone approach by simplifying account creation and management. It automates setting up and organizing multi-account AWS environments and provides a single dashboard for monitoring and management. In addition, by implementing security and compliance best practices through predefined guardrails, AWS Control Tower ensures consistent security across all accounts and covers both preventive and detective controls. 

Furthermore, AWS Control Tower integrates seamlessly with AWS Organizations, allowing customers to create organizational units (OUs) for efficient account grouping and management. This hierarchical structure simplifies resource management and enables centralized billing, making it easier for customers to track and optimize their cloud spend. 

AWS Control Tower also provides a foundation for customization and extensibility, allowing customers to tailor their environments to their needs. For example, they can add new services, configure additional guardrails or integrate with third-party tools. In addition, by streamlining the AWS Landing Zone setup process, AWS Control Tower accelerates cloud adoption so that customers can focus on deploying and scaling their applications instead of spending time setting up infrastructure. 

Key AWS Services in AWS Control Tower 


AWS Control Tower leverages several AWS services to deliver its streamlined multi-account management capabilities. Some of these services play essential roles in the AWS Control Tower environment, as outlined here: 

  • AWS Organizations: Forms the foundation for creating a hierarchical structure of accounts using OUs, simplifying management and resource allocation. 
  • AWS Single Sign-On (SSO): Integrates with Control Tower to provide a unified authentication and authorization experience across accounts. 
  • AWS Service Catalog: Powers the Account Factory for standardized account provisioning with custom templates. 
  • AWS Config: Implements Guardrails, ensuring resource configurations align with security and compliance policies. 
  • Amazon CloudWatch: Provides logging, monitoring, and alerting capabilities to maintain visibility and control over the infrastructure. 
  • AWS CloudTrail: Integrates with Control Tower for a comprehensive audit trail, ensuring accountability and supporting compliance requirements. 

Modify AWS Control Tower  

Customizations for AWS Control Tower architecture diagram

Customizations for Control Tower  

One of the key customization features for AWS Control Tower is the Customization for Control Tower (CfCT); it allows you to apply tailored governance, security, and compliance rules to your AWS Control Tower environment by integrating with AWS CloudFormation StackSets and AWS Organizations Service Control Policies (SCPs). The customized configuration has to be defined in a manifest file and can be triggered either as a source from S3 or via AWS CodeCommit. This solution offers you the advantages of programmatic management of your guardrails and reusability. Additionally, you can also manage this at a central location, reducing management overhead. 

Account Factory Customization 

Another powerful customization feature AWS Control Tower offers is the Account Factory Customization (AFC). This is a service that automates the process of creating new AWS accounts and applying baseline configurations. The underlying service is the AWS Service Catalog. With Account Factory Customization, you can modify the account creation process to suit your organization's specific requirements. Customers can create custom blueprints to specify configurations or resource creations. AWS Partners provide partner blueprints for Control Tower like DataDog with their integration blueprint.  

Enabling AWS Control Tower in a greenfield environment 

A Greenfield environment refers to a new, uncharted territory where there are no pre-existing AWS accounts or resources. To set up AWS Control Tower in a Greenfield environment: 

  1. Sign in to the AWS Management Console with the account to use as the management account. 
  2. Navigate to the AWS Control Tower console. 
  3. Click "Set up your landing zone" to begin. 
  4. Provide required information, such as your organization's email address and preferred AWS SSO identity source. 
  5. Review proposed OUs and default baseline policies, then click "Set up landing zone" to deploy. 
  6. AWS Control Tower creates OUs, accounts, and SCPs. (Note: This may take up to an hour.) 
  7. After the landing zone setup is complete, create and manage multiple accounts via the AWS Control Tower console. 

 Enabling AWS Control Tower in a brownfield environment 

A Brownfield environment refers to an existing AWS environment with pre-configured accounts and resources. To enable AWS CT in a Brownfield environment, follow this steps: 

  1. Assess your environment: Review AWS accounts, OUs, and resources for compliance with AWS Control Tower best practices. 
  2. Prepare management account: Designate a management account, complying with Control Tower requirements. 
  3. Set up AWS SSO: Enable and configure AWS SSO for account access management. 
  4. Enroll existing accounts: Ensure existing AWS accounts meet prerequisites before enrolling them in AWS Control Tower. 
  5. Configure AWS Control Tower Guardrails: Apply appropriate guardrails to maintain compliance across your environment. 
  6. Optional - Migrate resources to the landing zone: Move existing resources to the new landing zone created by AWS Control Tower. 
  7. Monitor and manage your environment: Use the console to manage accounts, OUs, and guardrails, and review the compliance status regularly. 


AWS Control Tower has transformed the AWS Landing Zone approach for customers, providing a simplified, streamlined way to set up a secure, compliant, and well-architected multi-account AWS environment. By automating account creation and management, implementing security and compliance best practices, and integrating seamlessly with AWS Organizations, AWS Control Tower empowers customers to focus on their core business objectives and accelerate cloud adoption.  
With these advanced customization options, AWS proactively responds to the needs of mature AWS Landing Zones users, providing them with the customizations they are familiar with from classic landing zone architectures. In the future, multi-tenant management of multiple AWS Control Tower Landing Zones would be desirable to provide better manageability of multiple AWS Control Tower environments for enterprise companies or MSPs.

As T-Systems, we are proud to be an AWS Service Delivery Partner for AWS Control Tower, providing managed services tailored to your AWS Control Tower environments. Our experts can help you optimize your cloud infrastructure, ensuring that it remains secure, compliant, and aligned with your business goals. By partnering with T-Systems, you can leverage our extensive knowledge and experience to make the most of your AWS Control Tower investment, allowing you to concentrate on what truly matters – driving innovation and growth in your organization.  

About the author
Artur Schneider – Senior Cloud Consultant

Artur Schneider

Senior Cloud Consultant, T-Systems International GmbH

Show profile and articles

You might also be interested in

Do you visit t-systems.com outside of Germany? Visit the local website for more information and offers for your country.