AWS DevOps Masterclass: Multi-Account AWS Architectures and Control Tower
An enterprise-grade guide to designing, provisioning, and governing scalable multi-account AWS environments using AWS Organizations, Control Tower, and Account Factory for Terraform (AFT).
Table of Contents
- 1. Introduction to Multi-Account Strategy
- 2. What You Will Learn
- 3. Prerequisites
- 4. Why the Single-Account Model Fails at Scale
- 5. AWS Organizations: The Foundation
- 6. AWS Control Tower Architecture
- 7. Enterprise Organizational Unit (OU) Design
- 8. Landing Zone Mechanics and Core Accounts
- 9. Guardrails, Service Control Policies (SCPs), and AWS Config
- 10. Account Factory for Terraform (AFT)
- 11. Production Code Examples and Configurations
- 12. Step-by-Step Account Provisioning Workflow
- 13. Enterprise Identity and Access Management (IAM Identity Center)
- 14. Centralized Monitoring, Observability, and Billing
- 15. Common Pitfalls and Anti-Patterns
- 16. Troubleshooting and Operational Runbooks
- 17. Technical Interview Questions & Answers
- 18. Frequently Asked Questions (FAQs)
- 19. Summary and Next Steps
1. Introduction to Multi-Account Strategy
In the early days of cloud adoption, organizations often started their AWS journey with a single AWS account. While this approach works for small startups or proof-of-concept projects, it quickly becomes an operational, security, and financial bottleneck as the organization grows. Modern enterprise cloud architecture demands a robust, scalable, and secure multi-account strategy.
A multi-account AWS architecture is an enterprise design pattern where an organization distributes its workloads, environments, and business units across multiple, distinct AWS accounts. These accounts are centrally managed, governed, and secured under a single umbrella organization using services like AWS Organizations and AWS Control Tower.
By isolating workloads into separate accounts, enterprises can establish rigid security boundaries, isolate network traffic, simplify billing allocation, and grant development teams autonomy without risking the stability of production systems. This lesson details how to design, deploy, and manage a multi-account AWS landing zone using AWS Control Tower, Service Control Policies (SCPs), and modern Infrastructure as Code (IaC) tools like Terraform.
2. What You Will Learn
- The architectural and operational limitations of single-account AWS deployments.
- How to design an enterprise-grade Organizational Unit (OU) structure based on AWS best practices.
- The inner workings of AWS Control Tower, Landing Zones, and the Account Factory.
- How to write, test, and deploy robust Service Control Policies (SCPs) to enforce compliance.
- How to automate account provisioning using Account Factory for Terraform (AFT).
- Best practices for centralized logging, security auditing, and identity management using AWS IAM Identity Center (formerly AWS SSO).
- Troubleshooting operational failures in AWS Control Tower and account customization pipelines.
3. Prerequisites
To get the most out of this masterclass lesson, you should have the following foundational knowledge:
- AWS Foundations: A solid understanding of core AWS services (IAM, VPC, S3, CloudTrail, AWS Config).
- Infrastructure as Code: Familiarity with Terraform syntax (HCL) and basic CloudFormation concepts.
- DevOps Principles: Understanding of CI/CD pipelines, version control (Git), and automated testing.
- Enterprise Networking: Basic knowledge of routing, CIDR blocks, DNS, and hybrid connectivity (Transit Gateway, VPN).
4. Why the Single-Account Model Fails at Scale
Attempting to run an enterprise-scale operation inside a single AWS account introduces severe architectural risks. Let's analyze the primary vectors where single-account models fail:
A. Blast Radius
In a single AWS account, a misconfigured IAM policy, a compromised API key, or a runaway script can destroy the entire cloud footprint. For example, if a developer accidentally runs a script that deletes all resources with a specific tag in a development environment, and that environment shares an account with production, a minor coding error can cause catastrophic, business-ending downtime.
B. API Rate Limits and Service Quotas
AWS enforces soft and hard limits on API requests per account per region (e.g., DescribeInstances throttle limits). In a shared account, busy CI/CD pipelines running automated tests in development can exhaust the account's API rate limits, causing critical production autoscaling events or deployments to fail due to API throttling.
C. Security and Access Control Complexity
As the number of users and applications grows, IAM policies inside a single account become extremely complex. Writing policies that allow Developer A to modify only App A's resources while preventing them from touching App B's resources requires highly complex IAM conditions, resource-level permissions, and path-based boundaries. This complexity inevitably leads to human error and privilege escalation vulnerabilities.
D. Billing and Cost Allocation
While AWS tags help allocate costs, they are easily missed, deleted, or misconfigured. In a single account, determining exactly how much data transfer, NAT Gateway usage, or CloudWatch logging cost belongs to a specific business unit becomes a complex exercise in data analysis. Separate accounts provide clean, non-repudiable billing boundaries.
| Dimension | Single-Account Approach | Multi-Account Approach (Control Tower) |
|---|---|---|
| Blast Radius | Global. One compromise impacts all workloads. | Isolated. Compromise is restricted to a single account boundary. |
| API Limits | Shared. Dev workloads can throttle Prod scaling. | Distributed. Each account has its own API quota pool. |
| Access Control | Extremely complex IAM policies with high risk of error. | Role-based federation per account; simpler, cleaner IAM. |
| Billing | Complex tagging strategies and cost allocation formulas. | Native, account-level cost tracking and Consolidated Billing. |
| Compliance | Difficult to isolate regulated data (PCI, HIPAA). | Regulated workloads isolated to dedicated, audited accounts. |
5. AWS Organizations: The Foundation
AWS Organizations is the foundational service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. It provides the programmatic infrastructure required to scale your AWS environment.
Key Components of AWS Organizations
- Management Account: The parent account of the organization. It is used for consolidated billing, creating new accounts, and deploying organization-wide services. *Security Best Practice: Do not run application workloads in the management account.*
- Member Accounts: All other accounts in the organization. These accounts contain your workloads and resources.
- Organizational Units (OUs): Logical containers for accounts within an organization. OUs allow you to group accounts with similar security and operational requirements, enabling you to apply policies collectively.
- Service Control Policies (SCPs): A type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in your organization, including the root user of member accounts.
+-----------------------------------------+
| Management Account |
| (Consolidated Billing) |
+--------------------+--------------------+
|
v
+--------------------+--------------------+
| Root OU |
+--------------------+--------------------+
|
+------------------------+------------------------+
| |
v v
+-----------+-----------+ +-----------+-----------+
| Security OU | | Workloads OU |
+-----------+-----------+ +-----------+-----------+
| |
+--------+--------+ +--------+--------+
| | | |
v v v v
+------+------+ +------+------+ +------+------+ +------+------+
| Log Archive | | Security | | Development | | Production |
| Account | | Tooling Acc | | Account | | Account |
+-------------+ +-------------+ +-------------+ +-------------+
How AWS Organizations Processes SCPs
SCPs function as filters. They do not grant permissions; instead, they define permission boundaries. For an action to be allowed in a member account, it must be explicitly allowed by both the IAM policy in that account and the SCPs applied to that account (or its parent OUs).
When evaluating permissions, AWS starts at the Root OU, evaluates the SCPs applied there, moves down the OU hierarchy to the specific account, and finally evaluates the account's internal IAM policies. If any SCP along the path explicitly denies an action, the action is blocked, overriding any local IAM policies.
6. AWS Control Tower Architecture
While AWS Organizations provides the raw APIs to manage accounts and policies, setting up a fully compliant, secure, and monitored multi-account environment manually is a massive engineering undertaking. AWS Control Tower automates this process by orchestrating multiple AWS services (AWS Organizations, AWS Service Catalog, AWS IAM Identity Center, AWS Config, AWS CloudTrail) to establish a secure "Landing Zone."
A Landing Zone is a well-architected, multi-account AWS environment that is highly secure, pre-configured with industry-standard compliance guardrails, integrated with centralized logging and identity federation, and ready for immediate application deployment.
Core Pillars of AWS Control Tower
- Multi-Account Management: Automates account creation using the Account Factory, built on AWS Service Catalog.
- Identity and Access Management: Integrates natively with AWS IAM Identity Center to manage centralized user access and single sign-on across all accounts.
- Governance and Guardrails: Establishes preventive and detective rules to govern your environment, continuously monitoring for drift and compliance violations.
- Centralized Logging and Auditing: Consolidates AWS CloudTrail and AWS Config logs from all accounts into a highly secured, read-only S3 bucket within a dedicated Log Archive account.
7. Enterprise Organizational Unit (OU) Design
A poorly designed OU structure leads to policy fragmentation, security gaps, and operational friction. Based on AWS Well-Architected guidelines, an enterprise OU structure should be designed around functional boundaries, security profiles, and lifecycle stages.
Recommended Enterprise OU Blueprint
- Root: The top-level container. Only global SCPs that apply to every account should be attached here.
- Security OU: Contains accounts dedicated to security infrastructure, monitoring, and compliance.
- Log Archive Account: Central repository for all CloudTrail, VPC Flow Logs, and AWS Config logs.
- Security Tooling Account: Central point for security operations, hosting AWS Security Hub, Amazon GuardDuty, IAM Access Analyzer, and incident response tools.
- Infrastructure OU: Houses shared infrastructure services.
- Network Account: Manages Transit Gateways, Direct Connect connections, public/private DNS zones, and centralized firewalls.
- Shared Services Account: Hosts shared development tools, artifact repositories (e.g., Nexus, Artifactory), and directory services.
- Workloads OU (nested by environment or business unit):
- Prod OU: Highly restricted, production workloads subject to strict compliance and change management.
- Non-Prod OU: Development, testing, and staging environments where developers have more flexibility but are still governed by basic guardrails.
- Sandbox OU: Unconnected environments for developers to experiment. Sandbox accounts should have strict spending limits, no connectivity to corporate networks, and automated cleanup scripts to destroy resources weekly.
- Suspended OU: A holding area for accounts that are marked for decommissioning. Strict SCPs are applied here to deny all inbound and outbound traffic and prevent resource creation.
Root
βββ [Security OU]
β βββ Log Archive Account
β βββ Security Tooling Account
βββ [Infrastructure OU]
β βββ Network Account
β βββ Shared Services Account
βββ [Workloads OU]
β βββ [Prod OU]
β β βββ App-A Production Account
β β βββ App-B Production Account
β βββ [Non-Prod OU]
β βββ App-A Development Account
β βββ App-A Staging Account
βββ [Sandbox OU]
β βββ Developer Sandboxes
βββ [Suspended OU]
βββ Decommissioned Accounts (Locked down)
8. Landing Zone Mechanics and Core Accounts
When you launch AWS Control Tower, it provisions a set of core accounts and resources. Understanding the internal mechanics of these accounts is critical for maintaining operational integrity.
The Control Tower Management Account
This is your organization's root account. It hosts the Control Tower dashboard, the AWS Service Catalog Account Factory, and AWS IAM Identity Center. It orchestrates the creation of member accounts and is the billing payer account. Access to this account must be highly restricted, requiring multi-factor authentication (MFA) for all users, with break-glass roles monitored by real-time alerts.
The Log Archive Account
This account acts as the centralized log vault for your entire AWS footprint. AWS Control Tower configures AWS CloudTrail and AWS Config in all managed accounts to deliver their logs directly to an Amazon S3 bucket in this account.
- Immutability: S3 Object Lock should be enabled in compliance mode to prevent logs from being deleted or modified, even by root administrators.
- Encryption: All logs are encrypted using AWS KMS customer managed keys (CMKs) with policies that allow cross-account writing but restrict read access to security auditors.
The Security Tooling Account
Designed for security administrators, this account aggregates security alerts and compliance data. AWS Control Tower configures this account as the delegated administrator for:
- AWS Organizations: Enabling security tools to inspect organization-wide configurations.
- AWS Security Hub: Aggregating security findings from all accounts.
- Amazon GuardDuty: Centralizing threat detection and intelligent security monitoring.
- AWS Config: Consolidating compliance state tracking through a centralized aggregator.
9. Guardrails, Service Control Policies (SCPs), and AWS Config
AWS Control Tower implements governance through "Guardrails." Guardrails are high-level rules that express business and security objectives in plain English, which Control Tower translates into technical implementations using either preventive SCPs or detective AWS Config rules.
Preventive Guardrails (Implemented via SCPs)
Preventive guardrails stop actions before they occur. They are enforced at the API level. If an API call violates a preventive guardrail, AWS blocks the action and returns an "Access Denied" error.
Example: "Disallow changes to AWS Config configuration." This is implemented as an SCP that denies config:DeleteDeliveryChannel, config:StopConfigurationRecorder, and related APIs across all member accounts.
Detective Guardrails (Implemented via AWS Config Rules)
Detective guardrails do not block actions. Instead, they continuously monitor resources for compliance. If a resource violates a detective guardrail, AWS Config flags the resource as "Non-compliant" and alerts administrators via Amazon SNS and EventBridge.
Example: "Detect whether public read access to Amazon S3 buckets is allowed." This is implemented via an AWS Config managed rule (s3-bucket-public-read-prohibited) that evaluates S3 bucket policies and ACLs across the organization.
Guardrail Classification
Control Tower categorizes guardrails into three guidance levels:
- Mandatory: Automatically applied when you set up Control Tower. These guardrails protect the integrity of the landing zone itself (e.g., preventing the deletion of CloudTrail logs).
- Strongly Recommended: Guardrails that reflect common enterprise security practices (e.g., requiring encryption on EBS volumes, blocking public S3 buckets).
- Elective: Optional guardrails targeting specific regulatory requirements or operational standards (e.g., restricting resource creation to specific AWS regions).
10. Account Factory for Terraform (AFT)
While AWS Control Tower's built-in Account Factory (via Service Catalog) works well for manual or semi-automated account provisioning, mature DevOps organizations require a fully automated, GitOps-driven pipeline. AWS provides Account Factory for Terraform (AFT) to bridge this gap.
AFT is an AWS-provided, open-source Terraform module that sets up a deployment pipeline for provisioning and customizing AWS accounts. It allows platform engineering teams to define new accounts as code in a Git repository. When a developer submits a Pull Request to add a new account, merging that PR triggers a series of automated steps that provision the account via Control Tower and apply custom Terraform configurations.
AFT Architecture and Request Flow
+---------------------------------------------------------------------------------+
| AFT Management |
| |
| +--------------------+ +--------------------+ +-------------------+ |
| | AFT VCS Repo | ---> | AFT State Machine | ---> | Control Tower | |
| | (Account Request) | | (Step Functions) | | Account Factory | |
| +--------------------+ +--------------------+ +---------+---------+ |
+--------------------------------------------------------------------|------------+
|
v
+---------------------------------------------------------------------------------+
| Target Account |
| |
| +--------------------+ +--------------------+ +-------------------+ |
| | Global | <--- | Account | <--- | Provisioned | |
| | Customizations | | Customizations | | Account | |
| +--------------------+ +--------------------+ +-------------------+ |
+---------------------------------------------------------------------------------+
How AFT Works:
- Account Request: A platform engineer defines an account request in Terraform and commits it to the
aft-account-requestGit repository. - Pipeline Trigger: The Git commit triggers a webhook that launches the AFT pipeline, orchestrating AWS Step Functions.
- Control Tower Provisioning: The Step Functions call the AWS Service Catalog API to trigger Control Tower's Account Factory, creating the raw AWS account.
- Global Customizations: Once the account is created, AFT automatically executes a Terraform pipeline that applies "Global Customizations" (e.g., provisioning standard IAM roles, security groups, and monitoring agents) to the new account.
- Account Customizations: Finally, AFT applies "Account Customizations" specific to that account type (e.g., provisioning an RDS database or an EKS cluster if specified).
11. Production Code Examples and Configurations
In this section, we provide production-ready, highly secure configurations for implementing multi-account governance and automation.
A. Production Service Control Policy (SCP)
The following SCP enforces critical security baselines: it prevents member accounts from leaving the organization, restricts resource creation to specified regions (Region Lock), blocks the usage of the root user, and prevents anyone from disabling CloudTrail or AWS Config.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyLeavingOrganization",
"Effect": "Deny",
"Action": [
"organizations:LeaveOrganization"
],
"Resource": "*"
},
{
"Sid": "DenyRootUserAccess",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringLike": {
"aws:PrincipalArn": [
"arn:aws:iam::*:root"
]
}
}
},
{
"Sid": "ProtectSecurityServices",
"Effect": "Deny",
"Action": [
"cloudtrail:StopLogging",
"cloudtrail:DeleteTrail",
"cloudtrail:UpdateTrail",
"config:DeleteConfigRule",
"config:DeleteConfigurationRecorder",
"config:DeleteDeliveryChannel",
"config:StopConfigurationRecorder"
],
"Resource": "*"
},
{
"Sid": "RegionLockout",
"Effect": "Deny",
"Action": "*",
"Resource": "*",
"Condition": {
"StringNotEquals": {
"aws:RequestedRegion": [
"us-east-1",
"us-west-2",
"eu-west-1"
]
},
"Null": {
"aws:RequestedRegion": "false"
}
}
}
]
}B. Terraform Code for AWS Organizations Account Provisioning
If you are not using Control Tower or want to manage accounts programmatically directly via Terraform, you can use the aws_organizations_account resource. This example provisions a new development account, assigns it to a specific OU, and establishes an IAM role for administrator access.
# Configure the AWS Provider pointing to the Management Account
provider "aws" {
region = "us-east-1"
}
# Reference the existing Organizational Unit
data "aws_organizations_organizational_unit" "non_prod" {
parent_id = "r-abc1234" # Your Root OU ID
name = "Non-Prod"
}
# Provision the Development Account
resource "aws_organizations_account" "dev_account" {
name = "app-a-dev"
email = "aws-devops+app-a-dev@enterprise.com"
parent_id = data.aws_organizations_organizational_unit.non_prod.id
# Role name configured inside the new account for management
role_name = "OrganizationAccountAccessRole"
# Allow IAM users in the parent account to assume this role
iam_user_access_to_billing = "ALLOW"
tags = {
Environment = "Development"
Project = "App-A"
ManagedBy = "Terraform"
CostCenter = "CC-9081"
}
lifecycle {
ignore_changes = [role_name, iam_user_access_to_billing]
}
}
# Output the account details for use in downstream pipelines
output "new_account_id" {
description = "The ID of the newly created AWS Account"
value = aws_organizations_account.dev_account.id
}C. AFT Account Request Configuration
This is an example of an account request configuration file that you would place in your aft-account-request repository to provision an account using Account Factory for Terraform.
module "app_b_production_account" {
source = "github.com/aws-ia/terraform-aws-control_tower_account_factory"
# Core Account Details
control_tower_parameters = {
AccountName = "app-b-prod"
AccountEmail = "aws-devops+app-b-prod@enterprise.com"
SSOUserFirstName = "Platform"
SSOUserLastName = "Admin"
SSOUserEmail = "platform-admin@enterprise.com"
ManagedOrganizationalUnit = "Prod" # Must match your Control Tower OU name
}
# AFT Account Customization Variables
account_tags = {
"Enterprise:Application" = "App-B"
"Enterprise:Environment" = "Production"
"Enterprise:Owner" = "Fintech-Team"
}
change_management_parameters = {
change_requested_by = "SRE-Lead"
change_reason = "Provisioning production workspace for App-B fintech APIs"
}
# Custom variables passed to your customization pipelines
custom_fields = {
vpc_cidr_block = "10.240.0.0/16"
enable_shield = "true"
}
}12. Step-by-Step Account Provisioning Workflow
To ensure consistency and security, enterprise organizations must follow a structured workflow when provisioning a new AWS account. Below is the end-to-end process executed by AWS Control Tower and AFT.
-
Requirement Gathering & Approval:
A development team requests a new environment. The platform engineering team reviews the request, determining the appropriate OU, network requirements (CIDR block allocation), and budget limits.
-
GitOps Pull Request:
The platform engineer updates the
aft-account-requestrepository with a new Terraform configuration block (similar to the AFT code example above) and submits a Pull Request. -
CI/CD Validation:
A GitHub Actions or AWS CodePipeline run executes automated lints, validates Terraform syntax, and runs security checks (e.g., using
tflintandcheckov) on the configuration. -
Merge & State Machine Trigger:
Once approved, the PR is merged into the main branch. A webhook triggers the AFT Step Functions in the Management account.
-
Control Tower Account Creation:
The Step Functions call AWS Service Catalog, which invokes AWS Control Tower. Control Tower creates a brand-new AWS account, links it to AWS Organizations, moves it into the designated OU, and registers it with IAM Identity Center.
-
Guardrail and Baseline Application:
Control Tower automatically applies mandatory and inherited guardrails to the new account. CloudTrail and AWS Config recorders are configured and pointed to the Log Archive account.
-
AFT Global Customizations:
AFT runs a global customization pipeline that deploys base-level resources to the new account: IAM roles for security auditing, standard VPC architecture, and security agent configurations.
-
AFT Account-Specific Customizations:
AFT runs the account-specific customization pipeline, deploying resources tailored to the workload (e.g., configuring peering with the central Transit Gateway or deploying an RDS database).
-
Notification & Handoff:
An SNS topic sends a success notification to Slack or Microsoft Teams. The development team receives access details through AWS IAM Identity Center and can log in using their corporate single sign-on credentials.
13. Enterprise Identity and Access Management (IAM Identity Center)
Managing individual IAM users inside multiple AWS accounts is a security nightmare. It leads to credential leakage, lack of centralized visibility, and massive operational overhead. AWS Control Tower integrates natively with AWS IAM Identity Center (formerly AWS Single Sign-On) to resolve this.
Centralized Identity Federation
IAM Identity Center acts as your single point of entry. You can connect it directly to your existing corporate identity provider (IdP), such as Microsoft Entra ID (Azure AD), Okta, Ping Identity, or Google Workspace, using the System for Cross-domain Identity Management (SCIM) protocol.
When a user is added to or removed from your corporate directory, the change automatically syncs to AWS. Users log in using their familiar corporate credentials and MFA, and are presented with a portal showing the specific AWS accounts and roles they are authorized to access.
Permission Sets
Instead of writing local IAM policies in each account, you define Permission Sets centrally in IAM Identity Center. A permission set is a template that defines the IAM policies (managed or custom) that apply to users when they assume a role in a target account.
Common enterprise permission sets include:
- AdministratorAccess: Full access to all AWS resources. Reserved for emergency break-glass scenarios or platform engineering.
- PowerUserAccess: Allows developers to create and manage all resources but prevents them from modifying IAM policies, creating users, or altering security baselines.
- ReadOnlyAccess: View-only access for auditing, troubleshooting, and monitoring.
+---------------------------------------------------------------------------------+
| Identity Provider |
| |
| +-------------------------------+ |
| | Okta / Azure AD / Ping | |
| +---------------+---------------+ |
+----------------------------------------|----------------------------------------+
| SCIM / SAML 2.0
v
+---------------------------------------------------------------------------------+
| AWS IAM Identity Center |
| |
| +---------------------------------------------------------------------------+ |
| | User: alice@enterprise.com | |
| | Groups: Platform-Engineers, Dev-Team | |
| +--------------------------------------+------------------------------------+ |
| | |
| +----------------------+----------------------+ |
| | | |
| v v |
| +----------+-----------+ +----------+-----------+ |
| | Account: App-A-Dev | | Account: App-A-Prod | |
| | Permission Set: | | Permission Set: | |
| | PowerUserAccess | | ReadOnlyAccess | |
| +----------------------+ +----------------------+ |
+---------------------------------------------------------------------------------+
14. Centralized Monitoring, Observability, and Billing
Operating a multi-account environment requires centralized visibility. You cannot log into fifty different accounts to check application health or track down a security threat.
A. Centralized Security Auditing
By using the Security Tooling account as a delegated administrator, you gain a single-pane-of-glass view of your security posture:
- AWS Security Hub: Aggregates findings from GuardDuty, IAM Access Analyzer, Amazon Macie, and AWS Firewall Manager. It scores your entire organization's compliance against frameworks like CIS AWS Foundations Benchmark and PCI-DSS.
- Amazon GuardDuty: Monitors VPC Flow Logs, DNS logs, and CloudTrail events across all accounts. It uses machine learning to detect anomalies, such as Bitcoin mining, unexpected API calls from tor exit nodes, or unauthorized data exfiltration.
B. Centralized Log Aggregation
All log streams (CloudTrail, VPC Flow Logs, Route 53 resolver logs, application logs) should flow into the Log Archive account. From there, you can configure an Amazon Kinesis Data Firehose to stream these logs to a centralized Security Information and Event Management (SIEM) system, such as Splunk, Datadog, or an AWS OpenSearch cluster, for real-time analysis and alerting.
C. Consolidated Billing and Cost Governance
AWS Organizations consolidates all member account billing into the Management account. While this simplifies payment, it requires proactive cost governance:
- AWS Cost Categories: Group your accounts into cost categories based on business unit, department, or project. This allows you to track spending trends across multiple accounts easily.
- AWS Budgets: Define budgets at the organization level or per-account level. Configure alerts to notify your platform team via email or Slack when actual or forecasted spending exceeds 80%, 90%, or 100% of the budget.
- SCP Tagging Enforcement: Apply an SCP that prevents the creation of expensive resources (like EC2 instances, RDS databases, or S3 buckets) unless they are tagged with a valid
CostCenterandOwnertag.
15. Common Pitfalls and Anti-Patterns
Even with AWS Control Tower, organizations frequently make critical architectural mistakes. Avoid these common anti-patterns:
A. Running Workloads in the Management Account
The Management account is the root of trust and holds consolidated billing credentials. Running applications, databases, or CI/CD runners in this account increases the security blast radius dramatically. If a workload in the Management account is compromised, the attacker gains full control over the entire AWS organization.
B. Over-nesting Organizational Units (OUs)
AWS Organizations allows you to nest OUs up to five levels deep. However, nesting OUs beyond two levels makes policy inheritance extremely difficult to understand, debug, and maintain. Keep your OU hierarchy flat and functional.
C. Overly Restrictive SCPs
Applying overly aggressive SCPs (e.g., blocking all IAM actions unless explicitly whitelisted) can paralyze development teams. Developers will find their standard workflows blocked, leading to friction and shadow IT. SCPs should focus on broad governance baselines (e.g., region locking, protecting logging infrastructure) rather than micro-managing developer actions.
D. Ignoring AWS Service Quotas
When provisioning a large number of accounts, keep AWS Service Quotas in mind. Each new account starts with default quotas (e.g., number of VPCs, Elastic IPs, or EC2 instances). If your landing zone automation expects to deploy a standard VPC with 5 Elastic IPs immediately upon account creation, and the default quota is lower, your provisioning pipeline will fail. You must build automated quota request steps into your account customization pipeline.
16. Troubleshooting and Operational Runbooks
Operating an enterprise multi-account landing zone requires clear runbooks for handling common failures. Below are troubleshooting guides for frequent issues.
Scenario A: Control Tower Landing Zone Update Fails
Symptom: When upgrading AWS Control Tower to a new version, the update process fails, leaving the landing zone in a FAILED state.
Root Cause: This is typically caused by manual modifications made to core resources managed by Control Tower, such as deleting the default VPC in a core account, modifying Control Tower-managed IAM roles, or deleting KMS keys used for CloudTrail encryption.
Resolution Runbook:
- Navigate to the AWS CloudFormation console in the Management account.
- Look for failed stacks with names starting with
AWSControlTower. - Inspect the stack events to identify the resource that failed to update. For example, if you see
Role AWSControlTowerExecution not found, a member account administrator may have deleted the execution role. - Recreate or restore the missing resource manually. If an IAM role was deleted, you must manually deploy a CloudFormation template to restore it with the exact name and trust relationships.
- Return to the Control Tower console and click Re-register OU or Update Landing Zone to resume.
Scenario B: AFT Account Customization Pipeline Fails with "Access Denied"
Symptom: The account creation succeeds, but the customization pipeline (Terraform) fails during execution, preventing the base-level resources from being provisioned.
Root Cause: The AFT execution role in the target account (AWSAFTExecutionSingleAccountRole) does not have sufficient permissions to deploy the resources specified in your customization code, or an SCP applied to the target OU is blocking the Terraform actions (e.g., trying to deploy in an unauthorized region).
Resolution Runbook:
- Open AWS CloudTrail in the target member account.
- Filter the event history by the user name
AWSAFTExecutionSingleAccountRoleand look for events with anAccessDeniedstatus. - Analyze the failed event. If the event shows that Terraform failed to create an S3 bucket due to a region restriction, check if your Terraform configuration is pointing to a region that is blocked by your Region Lock SCP.
- If the failure is due to missing IAM permissions in the execution role, update your AFT global customization configuration to grant the necessary permissions to the execution role, push the changes, and trigger the pipeline again.
Scenario C: Resolving "Orphaned" Accounts
Symptom: An account was created but failed during the final steps of Control Tower registration, leaving it in an unmanaged state.
Resolution Runbook:
- Log into the AWS Organizations console in the Management account.
- Locate the unmanaged account and move it manually to the
SuspendedOU to prevent unauthorized resource creation. - If the account is no longer needed, you must close the account. *Note: AWS Organizations allows you to close member accounts directly from the console or via the AWS CLI.*
- Execute the CLI command to close the account:
aws organizations close-account --account-id <ACCOUNT_ID>
17. Technical Interview Questions & Answers
Answer: AWS Organizations is a foundational, API-driven service that allows you to programmatically create AWS accounts, group them into OUs, consolidate billing, and apply Service Control Policies (SCPs). It provides the underlying mechanism for managing multiple accounts.
AWS Control Tower is a higher-level orchestration service built on top of AWS Organizations. It automates the setup of a secure, compliant landing zone by configuring Organizations, setting up IAM Identity Center for SSO, creating core accounts (Log Archive and Security Tooling), and applying pre-defined guardrails (implemented as SCPs and AWS Config rules). Control Tower simplifies the management of AWS Organizations by providing an easy-to-use dashboard and a standardized account provisioning workflow (Account Factory).
Answer: An SCP acts as a permission filter or boundary; it *never* grants permissions. For an action to be allowed in a member account, it must be explicitly allowed by both the SCP applied to that account (and its parent OUs) and the local IAM policy attached to the user or role. If an action is denied by an SCP, no local IAM policy can override itβeven if that policy grants AdministratorAccess. If an action is allowed by an SCP, but not explicitly allowed by a local IAM policy, the user still cannot perform the action.
Answer: The first thing I would investigate is whether a Service Control Policy (SCP) is restricting the action. AdministratorAccess inside the account does not override SCPs because SCPs define the maximum available permissions.
Troubleshooting approach:
- Verify the IAM role or user truly has AdministratorAccess.
- Review AWS Organizations and identify SCPs attached at:
- Root level
- Parent Organizational Units (OUs)
- The account itself
- Check CloudTrail logs for the failed API call.
- Look for an explicit deny condition.
- Verify region restrictions if Region Lock SCPs are implemented.
- Confirm Control Tower preventive guardrails are not blocking the action.
In most enterprise environments, this issue is caused by SCPs that restrict resource creation to approved AWS regions.
Answer:
- Automated Landing Zone deployment.
- Built-in governance and compliance guardrails.
- Automatic configuration of CloudTrail and AWS Config.
- Integrated IAM Identity Center (SSO).
- Automated account provisioning using Account Factory.
- Centralized logging architecture.
- Reduced operational complexity.
- Continuous compliance monitoring.
Without Control Tower, engineering teams must manually build and maintain these capabilities, which increases operational overhead and risk.
Answer:
The Log Archive Account is a dedicated security account used to store immutable audit logs generated across the AWS organization.
Typical logs stored include:
- AWS CloudTrail Logs
- AWS Config Snapshots
- VPC Flow Logs
- Route53 Resolver Logs
- Application Security Logs
The account is designed with strict access controls, encryption, and optionally S3 Object Lock to ensure logs cannot be modified or deleted.
This account supports forensic investigations, regulatory compliance, and incident response activities.
Answer:
AFT is an AWS-supported framework that enables GitOps-based account provisioning and customization for AWS Control Tower environments.
Benefits include:
- Accounts managed as code.
- Automated provisioning workflows.
- Standardized security baselines.
- CI/CD integration.
- Auditability through Git history.
- Reduced manual operations.
AFT allows organizations to scale from tens of accounts to hundreds or thousands of accounts while maintaining governance and consistency.
18. Frequently Asked Questions (FAQs)
FAQ 1: How many AWS accounts should an enterprise have?
There is no fixed number. Large enterprises often operate hundreds or thousands of AWS accounts.
Typical separation includes:
- Production
- Development
- Testing
- Shared Services
- Networking
- Security
- Sandbox
- Business Unit Isolation
The objective is to minimize blast radius and simplify governance.
FAQ 2: Can AWS Control Tower manage existing AWS accounts?
Yes.
Existing AWS accounts can be enrolled into AWS Control Tower using the Account Enrollment process. Once enrolled, Control Tower applies guardrails, governance policies, and monitoring configurations.
FAQ 3: Does AWS Control Tower replace Terraform?
No.
Control Tower provides governance and account lifecycle management. Terraform remains the preferred tool for infrastructure provisioning inside individual AWS accounts.
Most enterprises use:
- Control Tower for governance
- AFT for account automation
- Terraform for workload deployment
FAQ 4: Should production and development environments share an AWS account?
No.
Production and non-production workloads should always be separated into different AWS accounts to reduce security risks, simplify access management, and isolate operational failures.
FAQ 5: What happens if someone deletes a Control Tower managed resource?
Control Tower drift detection mechanisms identify changes to managed resources.
Administrators can use:
- Re-register OU
- Repair Landing Zone
- Landing Zone Update
to restore compliance and recover missing resources.
19. Summary and Next Steps
AWS multi-account architecture is the foundation of enterprise cloud governance. While AWS Organizations provides the underlying account hierarchy, AWS Control Tower delivers a fully managed landing zone that automates governance, security, compliance, identity management, and account provisioning.
Key takeaways from this masterclass:
- Single-account AWS environments do not scale securely.
- AWS Organizations provides centralized governance.
- Organizational Units enable policy inheritance.
- Service Control Policies enforce enterprise-wide restrictions.
- AWS Control Tower automates landing zone deployment.
- Log Archive and Security Tooling accounts are critical security components.
- IAM Identity Center enables centralized authentication and authorization.
- Account Factory for Terraform (AFT) enables GitOps-driven account provisioning.
- Guardrails provide preventive and detective compliance controls.
- Centralized logging, security monitoring, and cost governance are mandatory for enterprise operations.
Mastering AWS Control Tower and multi-account governance is one of the most valuable skills for modern Cloud Architects, Platform Engineers, DevOps Engineers, SREs, and Security Engineers. These patterns are used by large enterprises, financial institutions, healthcare providers, SaaS companies, and government agencies worldwide to operate secure and scalable cloud environments.
Next Recommended Learning Path:
- AWS Landing Zone Accelerator
- AWS IAM Identity Center Deep Dive
- AWS Transit Gateway Architecture
- AWS Security Hub & GuardDuty Enterprise Deployment
- AWS Control Tower Customizations (CfCT)
- Account Factory for Terraform (AFT) Advanced Automation
- Enterprise Cloud Operating Models
- AWS Well-Architected Framework
