Simplify multi-account governance with AWS Control Tower

Extend T-Systems' Control Tower Automation to deploy a secure, resilient and customised Landing Zone

October 12, 2021 | Andrej Maya

A seamless multi-account AWS landscape

If you are about to start your cloud journey on AWS or are already running your multi-account environment on top of your self-created Landing Zone solution, AWS Control Tower could provide you with a standardized Landing Zone managed by AWS, based on best practices gathered by AWS from hundreds of Landing Zone setups.

Getting started with AWS Control Tower

After deciding to go with AWS Control Tower, you’re probably wondering how to automate and customize this service, so it fits the specific requirements of your organization.

T-Systems’ AWS Control Tower Customization consultation service helps you address common design decisions around AWS Landing Zone implementation, and provides you with a ready-to-use framework to start the automation of all required Landing Zone components.

T-Systems is now a Built on Control Tower (BoCT) and AWS Well-Architected Management & Governance Lens (AWS M&G Lens) partner. We can help you to create a secure environment, catering to your specific needs along the way. The AWS Control Tower consultation service will help you develop a seamless and automated process for account provisioning and migration.

AWS Control Tower process 

How can you benefit from AWS Control Tower Customization?

•    Manage accounts over an API: API-driven approach lets you integrate the Account Factory with your 3rd party clients
•    Extend Account Lifecycle: Landing Zone allows customers to customize and extend account lifecycle, especially suspension
•    Implement Security Best Practices: Standard preventive and detective guardrails will be applied along with API authentication and WAF
•    Integrate into CI/CD pipeline: CI/CD Pipeline with tests, validation, and security scanning of Infrastructure-as-Code (IaC)

How does T-Systems’ Built on Control Tower solution work?

The main goal of the T-Systems Built on Control Tower consultation service is to provide customers with an integrated account lifecycle management system where AWS accounts can be created, updated, and decommissioned.

The engagement starts with a detailed demo where T-Systems will create an account over an API, update the metadata of the account, and subsequently decommission the account with a corresponding clean-up. 

As a next step, T-Systems will gather the customer requirements and map those to existing components of the framework. In this phase, T-Systems will run multiple workshops to establish a common understanding of the proposed framework.

After the detailed requirements have been captured, T-Systems will implement the extensions to the framework and deploy the infrastructure in the client’s AWS Organization. This activity will be accompanied by further integrations with surrounding services, such as 3rd party IdP or ITSM systems.

In parallel, T-Systems will consult the customer about security and governance best practices on AWS and implement corresponding guardrails.

Key activities within the AWS Control Tower offering

•    Hands-on demo: Give the customer a deep technical understanding of the solution – as detailed as possible
•    Requirements engineering: Review the current state of existing architectures and project requirements following project plan creation
•    Multi-account design: Build a ground base of multi-account setup with appropriate OUs and corresponding SCPs
•    Landing Zone customization: Adapt and extend account factory based on project requirements
•    Landing Zone deployment: Deploy tailored solution to the customer’s AWS Organization by integrating with surrounding services
•    Operational enablement: Hand over existing operational runbooks and run training programs to establish a DevOps model on the customer side
•    Security and Governance empowerment: Establish Security and Governance metrics and install centralized views

Customer contribution

•    AWS access: Customer must provide T-Systems consultants with access to the AWS environment for the duration of the engagement
•    Customer engagement: The customer must make technically responsible staff available for different workshops on a weekly basis
•    Development environment: Customer must provide a code versioning system and a CI/CD infrastructure where the final solution will run
•    Testing and sign-off: Customer will review the documentation and code in addition to performing tests and operating the solution

Start your journey now!

If you are about to implement your AWS Landing Zone backed up by a Multi-Account Strategy within your Cloud Center of Excellence (CCoE), AWS Control Tower is the right choice for that. However, AWS Control Tower is a standardized service: it gives you a solid starting point for your journey, but you will need to progress from there by creating add-ons and customized automations to create a solution that will fulfill the specific requirements of your organization or industry. 

T-Systems will accompany you along the way and apply all the best practices that we have learned and implemented in multiple enterprise-grade project environments. If you want to learn more about this solution, please contact us via AWS-Info@t-systems.com

About the author
Andrej Maya

Lead Solution Architect, T-Systems International GmbH
