
Integrating and AWS Control Tower

Joseph Spurrier



Last updated on February 4th, 2023 at 3:02pm

February 2021 Update: Since we first announced our integration with AWS Control Tower in June 2020, we’ve worked with the AWS Control Tower team to expand the integration in reverse to allow customers who provision an account through AWS Control Tower to automatically enroll the account with and place it in the Account Cache. We’ve also been listed as an AWS ISV partner solution on the AWS Control Tower Marketplace page. On this page, you can find an implementation guide, architecture diagram, and a data sheet to show how to configure our products to work together. Learn more in this AWS Marketplace blog post.

AWS Control Tower 101

AWS Control Tower was first announced at AWS re:Invent in December 2018 to help new customers better set up and manage multi-account AWS environments. Since then, AWS has augmented this free service to allow organizations to bring in existing AWS accounts. The service now includes 40 out-of-the-box mandatory, strongly recommended, and elective guardrails. AWS Control Tower also helps customers configure a Landing Zone architecture and best practices to set up networking, security, and basic authentication across their AWS cloud environment.

How the Integration Works

The process to integrate and AWS Control Tower is very simple. First, enable the AWS Control Tower service. Then, deploy our CloudFormation template (available from our Support Center) in your AWS Master Payer account. The template sets up a Lambda function that performs the enrollment. It also sets up a CloudWatch Event Rule that triggers the Lambda function when a new AWS account is created.
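The event-driven trigger described above, as an added example that is not the vendor's CloudFormation template or Lambda: the rule pattern filters AWS Control Tower's CreateManagedAccount lifecycle event and the handler extracts what an enrollment call needs, rejecting failed provisioning. The enrollment API call itself is a hypothetical hook and is not shown; the sample event and account id are constructed.

```python
"""Added example (not the vendor's template or Lambda): the filter-and-parse half of the
account-creation trigger, for AWS Control Tower's CreateManagedAccount lifecycle event."""

# Same shape as the CloudWatch Events rule pattern that fires the Lambda.
EVENT_PATTERN = {
    "source": ["aws.controltower"],
    "detail-type": ["AWS Service Event via CloudTrail"],
    "detail": {"eventName": ["CreateManagedAccount"]},
}

def matches_pattern(event, pattern=EVENT_PATTERN):
    """Rule semantics: every pattern key must exist; each leaf must be one of the alternatives."""
    for key, want in pattern.items():
        if key not in event:
            return False
        if isinstance(want, dict):
            if not isinstance(event[key], dict) or not matches_pattern(event[key], want):
                return False
        elif event[key] not in want:
            return False
    return True

def parse_lifecycle_event(event):
    """Return what an enrollment call needs, or None for unrelated or unsuccessful events:
    a FAILED provisioning must never be enrolled."""
    if not matches_pattern(event):
        return None
    status = event["detail"].get("serviceEventDetails", {}).get("createManagedAccountStatus", {})
    if status.get("state") != "SUCCEEDED":
        return None
    return {
        "account_id": status["account"]["accountId"],
        "account_name": status["account"]["accountName"],
        "ou_id": status["organizationalUnit"]["organizationalUnitId"],
    }

def handler(event, context):
    """Lambda entry point; the enrollment API call itself is a hypothetical hook not shown."""
    return parse_lifecycle_event(event)

# Constructed sample in the documented lifecycle-event shape (account id is a placeholder).
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {"eventName": "CreateManagedAccount", "serviceEventDetails": {"createManagedAccountStatus": {
        "organizationalUnit": {"organizationalUnitName": "Healthcare", "organizationalUnitId": "ou-example-1234"},
        "account": {"accountName": "hc-prod", "accountId": "111111111111"},
        "state": "SUCCEEDED", "message": "AWS Control Tower successfully created a managed account."}}},
}
```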

The Integration Value

By integrating with AWS Control Tower, you can take advantage of consistent VPC configuration, centralized audit and logging via CloudTrail, and Service Control Policies (SCPs) to prevent users from violating key AWS best practices every time a new AWS account is created.

AWS Control Tower also ensures that Config and CloudTrail are enabled by default in every region to allow customers the ability to detect if configuration drift occurs. helps extend these AWS Control Tower benefits through our robust API and Cloud Rules library. This gives enterprises complete end-to-end automation of their account creation workflows along with additional policy and account configurations based on industry compliance and organizational standards.

The Integration in Practice

Here's a look at how this integration can be used in the real world.

Let’s say I’m leading the cloud operations team for a small Australian healthcare company. To comply with the Privacy Act of 1988, the company is required to audit all actions that users perform within every AWS account. The company must also ensure that healthcare data is only stored or processed inside of data centers residing within the country.

Once I enable AWS Control Tower, it automatically configures CloudTrail to record all user actions performed within every AWS account to the Log Archive account within the Landing Zone. Since there is currently only one AWS region in Australia (ap-southeast-2 in Sydney), I also need to ensure that S3 cross-region data replication is not allowed, to avoid copies of data being stored outside the country. If every AWS account within the company stores healthcare data, the AWS Control Tower “Disallow Cross-Region Replication for Amazon S3 Buckets” Elective Guardrail can be enabled. However, if only specific AWS accounts store healthcare data, I can use Cloud Rules to apply a similar policy across just the relevant departments and accounts. This approach gives more flexibility. Plus, I can provide exemptions for specific roles (e.g., Administrators) to permit modifying the S3 bucket cross-region replication setting.

In addition, I can use Cloud Rules to apply IAM policies to the same departments and accounts to enforce the use of the Sydney region for the other AWS services beyond S3 that should be used to process healthcare data.
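The two controls from this healthcare scenario (blocking S3 cross-region replication with an exemption for one role, and pinning the other services to Sydney) as IAM/SCP-style deny statements, with a minimal evaluator to show how the exemption and region condition behave. This is an added example, not the vendor's Cloud Rules; the Administrator role name, the account id and the list of exempted global services are assumptions.

```python
"""Added example (not the vendor's Cloud Rules): the two deny policies from the healthcare
scenario as IAM/SCP-style statements, plus a minimal evaluator."""
from fnmatch import fnmatchcase

SYDNEY = "ap-southeast-2"
# Hypothetical exempt role: only Administrators may change replication settings.
EXEMPT_ROLES = ["arn:aws:iam::*:role/Administrator"]

NO_CROSS_REGION_REPLICATION = {
    "Effect": "Deny",
    "Action": ["s3:PutReplicationConfiguration"],
    "Resource": "*",
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": EXEMPT_ROLES}},
}
# Other services must be used in Sydney; global services (assumed list) are excluded
# because their calls are not attributed to the Sydney region.
SYDNEY_ONLY = {
    "Effect": "Deny",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
    "Resource": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": SYDNEY}},
}
POLICIES = (NO_CROSS_REGION_REPLICATION, SYDNEY_ONLY)

def _action_matches(stmt, action):
    """'Action' lists what is covered; 'NotAction' covers everything except the list."""
    patterns = stmt.get("Action") or stmt["NotAction"]
    hit = any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit if "Action" in stmt else not hit

def _condition_holds(condition, ctx):
    """Only the two operators these statements use are implemented."""
    for op, keys in condition.items():
        for key, values in keys.items():
            values = values if isinstance(values, list) else [values]
            actual = ctx.get(key, "")
            if op == "StringNotEquals" and actual in values:
                return False
            if op == "ArnNotLike" and any(fnmatchcase(actual, v) for v in values):
                return False
    return True

def is_denied(action, ctx, policies=POLICIES):
    """An explicit Deny wins: one matching statement whose condition holds blocks the call."""
    return any(_action_matches(s, action) and _condition_holds(s["Condition"], ctx) for s in policies)
```

Note that the Administrator exemption applies only to the replication statement: an administrator calling EC2 outside Sydney is still denied by the region statement.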

Going Beyond the Integration

offers many ways that customers can expand AWS Control Tower capabilities to further accelerate automation and make their lives easier in the cloud.

For enterprises with a cloud presence that spans multiple AWS payer accounts and regions like GovCloud, C2S, SC2S, or for enterprises using multiple cloud service providers, provides a single pane of glass to view, manage, and automate those environments where AWS Control Tower is not yet available.

Additionally, our unified support across the three pillars of cloud governance offers customers a complete solution to meet the requirements of the AWS Governance at Scale framework. Some examples:

For existing customers, you can learn more about our integration with AWS Control Tower in our Support Center. Not yet a customer? Contact us for a demo of our integration, plus all our great features to support cloud governance.

About the Author

Joseph Spurrier

Joe was previously the CTO at Kion.
