Related information

Tutorials and labs Networking Security, identity, and logging Deploying resources and managing workloads Working with existing organizations and accounts Automation and integration Migrating workloads Related AWS services AWS Marketplace solutions

This topic lists common use cases and best practices for AWS Control Tower capabilities and additional enhancements. This topic also includes links to relevant blog posts, technical documentation, and related resources that can help you as you work with AWS Control Tower.

Tutorials and labs

AWS Control Tower lab – These labs provide a high-level overview of common tasks related to AWS Control Tower.
On the AWS Control Tower dashboard, choose Get personalized guidance if you have a use case in mind but you're not sure where to start.
Try visiting a curated list of YouTube videos that explain more about how to use AWS Control Tower functionality.

Networking

Set up repeatable and manageable patterns for networks in AWS. Learn more about design, automation, and appliances that are commonly used by customers.

AWS Quick Start VPC Architecture– This Quick Start guide provides a networking foundation based on AWS best practices for your AWS Cloud infrastructure. It builds an AWS Virtual Private Network environment with public and private subnets where you can launch AWS services and other resources.
Self-service VPCs in AWS Control Tower using AWS Service Catalog– This blog post describes a way to set up Account Factory so you can provision accounts with customized VPCs.
Implementing Serverless Transit Network Orchestrator (STNO) in AWS Control Tower – This blog post demonstrates how to automate network connectivity access across accounts. This blog is intended for AWS Control Tower administrators, or those responsible for managing networks within their AWS environment.

Security, identity, and logging

Extend your security posture, integrate with external or existing identity providers, and centralize logging systems.

Security

Automating AWS Security Hub Alerts with AWS Control Tower lifecycle events – This blog post describes how to automate Security Hub enablement and configuration in an AWS Control Tower multi-account environment on existing and new accounts.
Enabling AWS Identity and Access Management – This blog post describes how to enhance your organizational security visibility by enabling and centralizing IAM Access Analyzer findings.
AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can use it to share configuration information in a secure location, for use by AWS Systems Manager and by AWS CloudFormation. For example, you can store a list of Regions in which you want to deploy conformance packs.

Identity

Link Azure AD user identity into AWS accounts and applications for single sign-on – This blog post describes how to use Azure AD with IAM Identity Center and AWS Control Tower.
Manage access to AWS centrally for Okta users with AWS IAM Identity Center – This blog post describes how to use Okta with IAM Identity Center and AWS Control Tower.

Logging

AWS Centralized Logging Solution – This solutions post describes the Centralized Logging solution which enables organizations to collect, analyze, and display logs on AWS across multiple accounts and AWS Regions.

Deploying resources and managing workloads

Deploy and manage resources and workloads.

Getting Started Library integration – This blog post describes Getting Started portfolios you can use.
Continuous deployment of Cloud Custodian to AWS Control Tower

Working with existing organizations and accounts

Work with existing AWS organizations and accounts.

Enroll an account – This user guide topic describes how to enroll an existing AWS account in AWS Control Tower.
Bring an account under AWS Control Tower – This blog post describes how to deploy AWS Control Tower into your existing AWS organizations.
Extend AWS Control Tower governance using AWS Config conformance packs – This blog post describes how to deploy AWS Config conformance packs to assist with bringing existing accounts and organizations into governance by AWS Control Tower.
How to Detect and Mitigate Guardrail Violation with AWS Control Tower – This blog post describes how to add controls and how to subscribe to SNS notifications so that you can be notified by email of control compliance violations.

Automation and integration

Automate account creation and integrate lifecycle events with AWS Control Tower.

Lifecycle events – This blog post describes how to use lifecycle events with AWS Control Tower.
Automate account creation – This blog post describes how to set up automated account creation in AWS Control Tower.
Amazon VPC flow log automation – This blog post describes how to automate and centralize Amazon VPC Flow Logs in a multi-account environment.
Automate VPC tagging with AWS Control Tower lifecycle events– This blog post describes how to automate resource tagging for VPCs, by means of lifecycle events in AWS Control Tower.
Automated account management – This blog post describes how to automate account management tasks after your AWS Control Tower environment is set up.

Migrating workloads

Use other AWS services with AWS Control Tower to assist in workload migration.

CloudEndure migration – This blog post describes how to combine CloudEndure and other AWS services with AWS Control Tower to assist in workload migration.

AWS Control Tower acts as an orchestration layer for AWS Organizations. Therefore, by means of the AWS Organizations console and APIs, you have access to over 20 other AWS services that work with AWS Control Tower. These additional services are not accessible directly through the AWS Control Tower console.

For a full list of services available to AWS Control Tower by means of AWS Organizations, see AWS services that you can use with AWS Organizations.
To enable multi-account capabilities for these related AWS services, you must enable trusted access. For more information, see Using AWS Organizations with other AWS services.

Note
Remember that AWS IAM Identity Center, AWS Config, and AWS CloudTrail are set up for you in AWS Control Tower and fully integrated. You do not need to modify your trusted access or delegated administration settings for these services.
Some AWS services available through AWS Organizations can use delegated administration, including AWS Systems Manager and AWS Firewall Manager. For more information, see Configuring a Delegated Administrator, and Enabling a delegated administrator account for Firewall Manager. Also see this video, Set up security groups with AWS Firewall Manager.

AWS Marketplace solutions

Discover solutions from AWS Marketplace.

AWS Control Tower Marketplace – AWS Marketplace offers a broad range of solutions for AWS Control Tower to help you integrate third-party software. These solutions help solve key infrastructure and operational use cases including identity management, security for a multi-account environment, centralized networking, operational intelligence, and security information and event management (SIEM).

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Baseline API examples

Release notes