Setting up AWS Control Tower with security and compliance in mind

A prescriptive guide to help administrators enhance their Control Tower setup with easy steps

Published May 27, 2025
Last Modified Jun 4, 2025

Introduction

AWS Control Tower is a service that enables you to enforce and manage governance rules for security, operations, and compliance at scale across all your organizations and accounts in the AWS Cloud. It provides a straightforward way to set up and govern an AWS multi-account environment, following prescriptive best practices. Customers new to AWS want to implement it without hassle, without worrying about whether they selected the right options, and with a swift, error-free deployment.
In this blog, AWS administrators will learn how to effectively set up AWS Control Tower in 10 easy steps, including the creation of the required AWS accounts, encryption of the AWS Control Tower environment, automatic enablement of security governance with the strongly recommended controls enabled, and an example of Account Factory Customization (AFC) blueprints. In addition, we provide guidance on avoiding common errors, along with other best practices.
By following the recommended steps below, AWS Control Tower will be ready for AWS accounts to be provisioned and new workloads to be deployed with a minimum set of governance controls in place. The following diagram represents the end state.

Setting up AWS Control Tower

The steps required to set up Control Tower are listed below. This prescriptive approach has proven to work for most customers and can be tweaked as needed; it provides an effective way to deploy Control Tower following best practices while getting the environment ready for your first workload deployment.
Step 1: Define the email addresses for all required accounts
Every new AWS account needs a root user (identified by an email address) that has broad rights over, and responsibility for, the account. We recommend that these email addresses be distribution lists rather than personal mailboxes, which eliminates account access lockout if a person leaves the organization.
Make sure these email distribution lists are accessible by authorized users only.
AWS Control Tower setup will require the following set of email addresses:
  • Management Account - Root user
  • Audit/Security Tooling - Root user
  • Log Archive - Root user
Step 2: Create AWS Control Tower management account
It is recommended that AWS Control Tower is deployed in an AWS account with no workloads running on it. Create a new AWS account from the AWS console sign-up page.
Every AWS account must have a valid payment method associated (credit card, ACH, or other), which can later be changed to invoicing through a Billing or Account Support request.
NOTE: Recently created AWS accounts have service limits that can cause errors during AWS Control Tower activation. To avoid issues, wait 24 hours before starting the AWS Control Tower provisioning process. Also request a quota increase for the number of accounts under management of AWS Organizations, from the default of 10 to a more suitable amount.
Step 3 (Optional): Set up a KMS key to be used by AWS Control Tower for log encryption
All logs stored in S3 are encrypted by default using SSE-S3 (documentation). This section is optional and only for organizations with specific compliance requirements.
AWS Control Tower requires a specific KMS key policy in order to be able to use the key for log encryption.
The default KMS key policy is not sufficient and will lead to a Control Tower deployment failure.
To set up AWS Control Tower with KMS log encryption, create a new single-Region symmetric KMS key in the account that is going to be the Control Tower management account, with the KMS key policy required by Control Tower.
Once the KMS key with the correct key policy is created, you can proceed to the landing zone setup.
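An added example (not the post's own script) that renders such a key policy and creates the key with the AWS CLI. The account id, Region and alias are placeholders; the service-principal statements reflect the Control Tower key-policy requirement as understood here and should be compared with the linked documentation before use.

```shell
#!/bin/sh
# Create the single-Region symmetric KMS key Control Tower uses for log
# encryption, with the key policy statements Control Tower needs. Added
# example, not the post's own script; account id, Region and alias are
# placeholders, and the statements should be compared with the linked docs.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-111122223333}"          # placeholder management account
HOME_REGION="${HOME_REGION:-us-east-1}"           # Control Tower home Region
KEY_ALIAS="${KEY_ALIAS:-alias/controltower-logs}" # assumed alias name

# Key policy: statement 1 keeps the account root as key administrator,
# statements 2 and 3 let AWS Config and the Control Tower baseline trail
# (aws-controltower-BaselineCloudTrail) encrypt and decrypt log data.
key_policy() {
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Sid": "Key administration", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"},
   "Action": "kms:*", "Resource": "*"},
  {"Sid": "Allow Config to use KMS for encryption", "Effect": "Allow",
   "Principal": {"Service": "config.amazonaws.com"},
   "Action": ["kms:Decrypt", "kms:GenerateDataKey"], "Resource": "*"},
  {"Sid": "Allow CloudTrail to use KMS for encryption", "Effect": "Allow",
   "Principal": {"Service": "cloudtrail.amazonaws.com"},
   "Action": ["kms:GenerateDataKey*", "kms:Decrypt"], "Resource": "*",
   "Condition": {
     "StringEquals": {"aws:SourceArn":
       "arn:aws:cloudtrail:${HOME_REGION}:${ACCOUNT_ID}:trail/aws-controltower-BaselineCloudTrail"},
     "StringLike": {"kms:EncryptionContext:aws:cloudtrail:arn":
       "arn:aws:cloudtrail:*:${ACCOUNT_ID}:trail/*"}}}
]}
EOF
}

# Create the key (symmetric, single-Region by default) and attach the alias.
create_key() {
  key_id=$(aws kms create-key --region "$HOME_REGION" \
      --description "AWS Control Tower log encryption" \
      --policy "$(key_policy)" \
      --query KeyMetadata.KeyId --output text)
  aws kms create-alias --region "$HOME_REGION" \
      --alias-name "$KEY_ALIAS" --target-key-id "$key_id"
  echo "$key_id"
}

# Create only when explicitly requested, so the rendered policy can be reviewed first.
if [ -n "${CREATE_CT_KEY:-}" ]; then create_key; fi
```

Run `key_policy` alone first to review the rendered document; the key itself is only created when CREATE_CT_KEY is set.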
Step 4: Enable Control Tower
Once the prerequisites listed above are met, follow the process to deploy AWS Control Tower.
The prescriptive steps are:
  • Select the correct Region in which to deploy the AWS Control Tower management.
  • Go to AWS Control Tower and click on “Set up your landing zone”.
  • Select the Regions to be governed and, optionally, any Regions to deny access to.
  • Review the organizational units (OUs) and accounts to be created by Control Tower. We recommend renaming the default “Audit” account to “Security Tooling and Auditing”.
  • Optional: activate log encryption using KMS, if needed.
Step 5: Configure MFA on the AWS accounts
At this point you should have 3 AWS accounts created. Enabling MFA on each account's root user is crucial for enhancing the security of the account, as it requires not only a password but also a second form of authentication, typically a time-based one-time password (TOTP) generated by a hardware or software token. The steps are documented here.
Step 6: Set up single sign-on using AWS IAM Identity Center
Set up AWS Directory Service or a third-party federated identity provider to enable users to access accounts using one set of credentials. In addition, set up delegation so that AWS Control Tower can integrate with this service running in the “Shared Services” account.
Customize the access portal URL with a friendly name by following the documentation.
IAM Identity Center comes with permission sets that map to IAM managed policies (Administrator, Read-Only, PowerUser, Audit, etc.). Although AWS recommends least-privilege access, customers should align the concepts of account isolation boundaries, account purpose, and permission sets, as in the following example mapping:
Environment Purpose  | User Groups            | IAM Identity Center Permission Set | AWS Managed Policy
---------------------|------------------------|------------------------------------|--------------------
Sandbox/Playground   | Developers             | Administrator                      | AdministratorAccess
Development          | Developers             | Power Users                        | PowerUserAccess
Test/Validation/UAT  | Developers             | <new permission set>               |
Production           | Operations             | Power Users                        | PowerUserAccess
Production           | Developers             | No Access                          | No Access
All                  | Security and Audit     | Administrator                      | AdministratorAccess
Shared Services      | Security and Audit     | Administrator                      | AdministratorAccess
Network              | Network Administrators | Administrator                      | AdministratorAccess
Step 7: Design and configure OUs and accounts, with account delegation
The AWS Security Reference Architecture provides the following prescriptive guidance:
  • Create the OU “Infrastructure”
    • Optional: Create a “Network” account if you have stricter networking needs
      • Set up the required VPCs and AWS networking services
    • Create the “Shared Services” account
      • Set up Service Catalog delegation to the “Shared Services” account (documentation)
      • Set up IAM Identity Center delegation to the “Shared Services” account (documentation)
  • Create the OU “Workloads”
    • Create the OU “Production” under Workloads OU
    • Create the OU “Non-production” under Workloads OU
  • In the created “Audit and Security Tooling” account
    • Set up organization delegation for the services you plan to use:
      • Amazon Security Hub (highly recommended)
      • Amazon GuardDuty
      • Amazon Inspector
      • Amazon Detective
      • AWS IAM Access Analyzer
      • AWS Firewall Manager
      • Amazon Macie
Step 8: Activate Guardrails/Controls
Controls assist you in expressing policy intentions. For example, if you enable the detective control Detect Whether Public Read Access to Amazon S3 Buckets is Allowed, the control will detect if an S3 bucket is granted public read access and mark this resource non-compliant.
A control applies to an entire organizational unit (OU), and every AWS account within the OU is affected by the control.
To enable controls through the AWS console, navigate to Control Tower -> Controls Library.
We recommend enabling most, if not all, strongly recommended controls.
Strongly recommended controls are owned by AWS Control Tower. They are based on best practices for well-architected multi-account environments. These controls are not enabled by default.
If your organization has to comply with data residency requirements, you may want to apply the controls that enhance data residency protection. These controls are not enabled by default either.
In the user interface, controls can be enabled one by one. You can bulk-enable controls via CloudFormation or via CLI commands to the AWS API. Please note there is a limit of 10 concurrent control-related operations at a time.
For example, to bulk-enable a subset of strongly recommended controls you could use a bash script:
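An added example of such a script (not the post's own) that submits `enable-control` calls for an assumed subset of controls and keeps at most 10 operations in flight by polling `get-control-operation`; the control names, home Region and OU ARN are assumptions to adjust for your landing zone.

```shell
#!/bin/sh
# Bulk-enable a subset of strongly recommended controls on one OU while
# staying under the 10-concurrent-operation limit. Added example, not the
# post's own script; the control subset and the OU ARN are assumptions.
set -e

AWS="${AWS:-aws}"                    # overridable for dry runs
HOME_REGION="${HOME_REGION:-us-east-1}"
MAX_INFLIGHT="${MAX_INFLIGHT:-10}"   # Control Tower concurrent-operation limit

# Assumed subset of strongly recommended controls (legacy control names).
CONTROLS="AWS-GR_ENCRYPTED_VOLUMES AWS-GR_RDS_STORAGE_ENCRYPTED
AWS-GR_RESTRICT_ROOT_USER AWS-GR_RESTRICT_ROOT_USER_ACCESS_KEYS AWS-GR_RESTRICTED_SSH"

# Control identifier ARN expected by enable-control, and a word counter.
control_arn() { printf 'arn:aws:controltower:%s::control/%s' "$1" "$2"; }
count() { echo $#; }

# Succeeds once the operation is no longer IN_PROGRESS (SUCCEEDED or FAILED).
operation_done() {
  status=$("$AWS" controltower get-control-operation --operation-identifier "$1" \
      --query controlOperation.status --output text)
  [ "$status" != "IN_PROGRESS" ]
}

# Enable every control in CONTROLS on the OU ARN $1; prints the number submitted.
enable_controls() {
  ou="$1"; submitted=0; inflight=""
  for name in $CONTROLS; do
    # Drop finished operations from the in-flight list until a slot is free.
    while [ "$(count $inflight)" -ge "$MAX_INFLIGHT" ]; do
      still=""
      for op in $inflight; do operation_done "$op" || still="$still $op"; done
      inflight="$still"
      if [ "$(count $inflight)" -ge "$MAX_INFLIGHT" ]; then sleep 15; fi
    done
    op=$("$AWS" controltower enable-control \
        --control-identifier "$(control_arn "$HOME_REGION" "$name")" \
        --target-identifier "$ou" --query operationIdentifier --output text)
    echo "submitted $name as operation $op" >&2
    inflight="$inflight $op"; submitted=$((submitted + 1))
  done
  echo "$submitted"
}

# Usage: enable_controls arn:aws:organizations::111122223333:ou/o-EXAMPLE/ou-EXAMPLE
```

Operations that end in FAILED are counted as finished so the queue keeps moving; check them afterwards in the Control Tower console or with `get-control-operation`.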
Another useful automation that can be used after the AWS Control Tower installation (alongside the VPC template and Networking account) is the AWS Control Tower Lifecycle Automation solution for VPC Flow Logs, which configures flow logs in new and existing accounts by adding a tag.
Step 9: Implement blueprints for Account Factory Customizations (AFC)
Set up customizations following the documentation.
A simple way to get started is to download, customize, and import a sample blueprint into your Service Catalog:
Step 10: Provide the security team with their credentials and enable key security services
The key step after implementing AWS Control Tower for security and governance is to provide the security team members with the right AWS access and the services configured for them to perform their job functions. That is documented in the blog.

Conclusion

Implementing AWS Control Tower is a pivotal step towards ensuring a swift, scalable, and secure foundation for your cloud infrastructure. By following the prescriptive guidance outlined in this blog, you can streamline the deployment process, establish governance policies, and enhance overall security posture within your AWS environment.
Remember, the key to a successful AWS Control Tower implementation lies in understanding your organizational needs, customizing controls to align with policies, and continuously monitoring and optimizing the environment. Regularly review and update your governance policies to adapt to changing requirements and emerging threats.
As you embark on your journey with AWS Control Tower, stay informed about updates and new features to leverage the full potential of this powerful service. By doing so, you not only establish a secure and well-managed AWS environment but also position your organization for agility and innovation in the ever-evolving landscape of cloud computing. Swiftly implementing AWS Control Tower is not just a technological upgrade; it's a strategic move towards a resilient and future-ready cloud infrastructure.
In addition to the guidelines in this blog, there are public frameworks and assets that dive deep into AWS Control Tower implementation recommendations, additional account factory customization options, and integrations with identity service providers.

Author

Renato Fichmann
Renato is an AWS Senior Solutions Architect with over 20 years of IT experience, most of it in IT managed services (ITSM) related roles, with a focus on resiliency, governance, and cloud operations. Besides participating in blogs, Renato is a re:Invent speaker on the subjects of cloud governance, observability, and security. Renato holds ITIL and TOGAF certifications, as well as the AWS Solutions Architect Professional and AWS Security Specialty certifications.