There are a plethora of security-focused marketplace appliances and third-party tools. But can this be done using the native AWS security suite? Creating a strong security foundation is now at the forefront of the newest wave of cloud governance in AWS. New features such as AWS Landing Zones, Control Tower and Organizations are bringing governance and security into the account-scalability discussion at an exponential rate, especially for enterprise-level shops that have copious amounts of accounts and no operational overhead to control them.


AWS Landing Zones

First are the AWS Landing Zones. We can now quickly set up and configure AWS environments via blueprints, which are best practices for configuring and managing policies. They can provide identity management and federated access, centralize logging, establish cross-account security audits, harden and implement networking designs, and define workloads. Not only are AWS Landing Zones the basic guidelines for security measures, but they also allow for:

  • Automated multi-account provisioning
  • Best practices designed as code (including updates directly from AWS); for example, automated CloudTrail setup, GuardDuty setup and VPC design (this can also include the Shared VPC model for pushing out shared subnets from a centralized VPC, limiting the VPC template footprint across your environment).
  • DevOps optimized practices: Infrastructure-as-Code with the use of infrastructure-driven templates and continuous delivery.

Other features include high adaptability by utilizing the distribution of:

  • Templates
  • Modularity
  • Single Sign-On
  • Central management of access rights via an identity provider, for example Okta (you will have to set up your IdP in IAM).


Here is a landing zone example:

Control Tower

Next is Control Tower. Control Tower automates the set-up of a well-architected multi-account environment based on best practices and has a customizable dashboard to evolve past reactive security to a more proactive approach, finding vulnerabilities before they occur. Control Tower can revolutionize an enterprise’s visibility into cloud-centric security and automates the creation of the landing zones themselves. This is based on industry-standard best practices for multi-account topology, creating “guardrails” by which to automate governance. In addition, there is the ever-evolving suite of features listed here.

Here is the basic summary:

AWS Organizations & OU Management

The last key service of security-driven governance is AWS Organizations & OU management. The beautiful thing about this governance-centric service is the ability to pull in AWS Organizations, Service Control Policies and AWS networking topology to create an ecosystem based around governance & security, using a top-down approach from the master account. Here is the basic organization structure:

The key is to keep allowing service exploration while also applying governance and proper service-adoption methods. By using service control policies to deny permissions/services, we can drop new accounts into an OU, where they absorb that OU's default service control policy as well as its distributed network designs.
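To make the inheritance rule concrete, here is an added example (not code from this post, AWS or BlueChipTek) that simulates how SCPs attached along the path from the root through each OU combine for an account. It assumes a constructed organization tree with placeholder OU and account IDs, a constructed baseline SCP that denies disabling CloudTrail and GuardDuty, and ignores Condition, NotAction and resource-level matching; it also only models the SCP boundary, since SCPs never grant permissions on their own.

```python
"""SCP inheritance simulator (added example; not BlueChipTek's or AWS's code).

Rule modelled: an action is allowed for an account only if, at every level
from the root down to the account itself, at least one attached SCP allows it
and no attached SCP denies it. Conditions, NotAction and resource matching are
ignored. IDs and account numbers below are constructed placeholders.
"""
from fnmatch import fnmatch

# AWS-managed default policy attached to every root, OU and account.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed baseline: nobody in the OU may disable the logging and
# threat-detection controls that the landing zone set up.
SECURITY_BASELINE_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ProtectLoggingAndDetection",
        "Effect": "Deny",
        "Action": [
            "cloudtrail:StopLogging",
            "cloudtrail:DeleteTrail",
            "cloudtrail:UpdateTrail",
            "guardduty:DeleteDetector",
            "guardduty:UpdateDetector",
        ],
        "Resource": "*",
    }],
}

# Constructed sandbox restriction: no EC2 at all below the sandbox OU.
NO_EC2_SCP = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed organization tree: each node lists its parent and attached SCPs.
# Account 333333333333 sits directly under the root, outside any governed OU.
ORG = {
    "r-root":       {"parent": None,           "scps": [FULL_AWS_ACCESS]},
    "ou-workloads": {"parent": "r-root",       "scps": [FULL_AWS_ACCESS, SECURITY_BASELINE_SCP]},
    "ou-sandbox":   {"parent": "ou-workloads", "scps": [FULL_AWS_ACCESS, NO_EC2_SCP]},
    "111111111111": {"parent": "ou-workloads", "scps": [FULL_AWS_ACCESS]},
    "222222222222": {"parent": "ou-sandbox",   "scps": [FULL_AWS_ACCESS]},
    "333333333333": {"parent": "r-root",       "scps": [FULL_AWS_ACCESS]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM action names match case-insensitively; "*" and "?" are wildcards.
    return fnmatch(action.lower(), pattern.lower())


def scp_verdict(scp, action):
    """Verdict of a single SCP for one action: 'deny', 'allow' or 'implicit_deny'."""
    verdict = "implicit_deny"
    for stmt in scp["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny anywhere in the policy wins
            verdict = "allow"
    return verdict


def path_to_root(org, node):
    """Nodes from the account up to the root: account, its OU(s), then root."""
    path = []
    while node is not None:
        path.append(node)
        node = org[node]["parent"]
    return path


def is_allowed_by_scps(org, account, action):
    """True only if every level on the path allows the action and none denies it."""
    for node in path_to_root(org, account):
        verdicts = [scp_verdict(scp, action) for scp in org[node]["scps"]]
        if "deny" in verdicts or "allow" not in verdicts:
            return False
    return True


def denied_actions(org, account, actions):
    """The subset of `actions` that the SCP chain blocks for this account."""
    return [a for a in actions if not is_allowed_by_scps(org, account, a)]


if __name__ == "__main__":
    checks = ["cloudtrail:StopLogging", "ec2:RunInstances", "s3:GetObject"]
    for acct in ("111111111111", "222222222222", "333333333333"):
        print(acct, "blocked by SCPs:", denied_actions(ORG, acct, checks))
```

Running it shows the two things worth internalizing: an account dropped into the sandbox OU inherits both the OU's own EC2 deny and the baseline deny from the workloads OU above it, while the account left directly under the root is bound by nothing but FullAWSAccess and can still stop its own CloudTrail logging. Detaching FullAWSAccess from any level without replacing it with an explicit Allow blocks everything beneath that level, which is why the simulator requires an allow at every hop.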

By utilizing and expanding these three AWS services, one will have a security-driven governance model that can scale out to as many AWS accounts as needed.


If you are interested in learning more about automating your AWS Cloud security or would like assistance in setting up your AWS environment, reach out to BlueChipTek’s Cloud Services.