Code360 powered by Coding Ninjas X Code360 powered by Coding Ninjas X
Table of contents
How AWS Control Tower Works
AWS Control Tower Landing Zone Structure
Plan your AWS Control Tower landing zone
Ways to Set Up AWS Control Tower
Compare functionality
Limitations and quotas in AWS Control Tower
Limitations in AWS Control Tower
Quotas for Integrated Services
Best practices for AWS Control Tower administrators
Explaining Access to Users
Explaining Resource Access
Explaining Preventive Guardrails
Frequently Asked Questions
What is AWS Control Tower?
What is the difference between AWS landing zone and Control Tower?
What is the AWS Control Tower landing zone?
Last Updated: Mar 27, 2024

AWS Control Tower

Master Python: Predicting weather forecasts
Ashwin Goyal
Product Manager @


Welcome readers! In this blog, we will learn about AWS Control Tower. AWS Control Tower is a service that allows you to enforce and administer security, operational, and compliance governance rules at scale across all of your AWS Cloud organizations and accounts.AWS Control Tower makes it simple to set up and manage a multi-account AWS setup.

A control tower concept, in essence, strives to improve visibility between trade partners, such as corporations, governments, and means of transportation. It's a central data collecting hub that organizes data and distributes it in a standard format to stakeholders.

How AWS Control Tower Works

This section explains how AWS Control Tower operates at a high level. Your landing zone is a well-architected multi-account environment for all of your AWS resources. This environment can be used to enforce compliance standards across all of your AWS accounts.

AWS Control Tower Landing Zone Structure

The following is the structure of a landing zone in AWS Control Tower:

  • Root – All other OUs in your landing zone are contained in this parent.
  • Security OU – The Log Archive and Audit accounts are located in this OU. Shared accounts are a common term for these accounts. When you launch your landing zone, you can give these shared accounts unique names. They cannot, however, be renamed subsequently.
  • Sandbox OU – If you enable the Sandbox OU, it is created when you launch your landing zone. The enrolled accounts that your users utilize to complete their AWS workloads are stored in this and other registered OUs.
  • AWS SSO directory – Your AWS SSO users are stored in this directory. It specifies the rights that each AWS SSO user has.
  • AWS SSO users – Identities that users can use in their landing zone to perform their AWS workloads.
Get the tech career you deserve, faster!
Connect with our expert counsellors to understand how to hack your way to success
User rating 4.7/5
1:1 doubt support
95% placement record
Akash Pal
Senior Software Engineer
326% Hike After Job Bootcamp
Himanshu Gusain
Programmer Analyst
32 LPA After Job Bootcamp
After Job

Plan your AWS Control Tower landing zone

When a user completes the setup process, AWS Control Tower creates a landing zone, a critical resource connected with your account that acts as a home for your organizations and accounts.

Ways to Set Up AWS Control Tower

You can create an AWS Control Tower landing zone in an existing organization or start from scratch by building a new organization.

  • Launch AWS Control Tower in an Existing Organization: This section is for customers who already have AWS Organizations that they want to use AWS Control Tower to manage.
  • Launch AWS Control Tower in a New Organization: Customers without existing AWS Organizations, OUs, or accounts should go to this section.

Compare functionality

The differences between adding AWS Control Tower to an existing organization and expanding AWS Control Tower governance to OUs and accounts are summarised below. If you're switching from AWS Landing Zone to AWS Control Tower, there are a few things to keep in mind.

About Adding to an Existing Organization: Within the AWS dashboard, you can add AWS Control Tower to an existing organization. In this situation, you already have an organization created through the AWS Organizations service, but it is not yet registered with AWS Control Tower, and you wish to add a landing zone later.

When you add a landing zone to an existing organization, AWS Control Tower sets up a parallel structure at the AWS Organizations level. It doesn’t change the OUs and accounts within your current organization.

About Extending Governance: Extending governance applies to specific OUs and accounts within a single organization already registered with AWS Control Tower, indicating that it has a landing zone. Extending governance means that the limits of AWS Control Tower are extended to the specific OUs and accounts inside that registered organization. In this situation, you're not launching a new landing zone; instead, you're simply expanding your organization's existing landing zone.


Here's an overview of some of the AWS Control Tower documentation words.

To begin, you should be aware that AWS Control Tower and AWS Organizations share a lot of terminologies, including the phrases organization and organizational unit (OU), which appear throughout this text.

  • Baseline: Setting up the blueprints and guardrails for an account is the baseline. As part of delivering the blueprints, the baselining process also sets up the account's centralized logging and security audit roles. The roles that you assign to each enrolled account contain AWS Control Tower baselines.
  • Drift: A change to a resource that AWS Control Tower has deployed and configured. AWS Control Tower can work correctly with resources that do not wander.
  • Non-compliant resource: A resource that does not comply with an AWS Config rule that defines a detective guardrail.
  • Shared account: The management account, the log archive account, and the audit account are the three accounts that AWS Control Tower creates automatically when you set up your landing zone. You can give the log archive account and the audit account custom names during setup.
  • Member account: A member account belongs to the AWS Control Tower organization. In AWS Control Tower, the member account can be enrolled or de-enrolled.
  • AWS account: An AWS account serves as a resource container and isolation border for resources. Billing and payment can be linked to an AWS account. In AWS Control Tower, an AWS account is distinct from a user account (also known as an IAM account). AWS accounts are created through the Account Factory provisioning process. The account enrollment or OU registration processes can also be used to add AWS Accounts to AWS Control Tower.
  • Guardrail: A guardrail is a high-level regulation that governs your AWS Control Tower environment on a continuous basis. A single rule is enforced by each guardrail. SCPs have preventative guardrails in place. AWS Config rules are used to implement detective guardrails.
  • Nested OU: A nested OU in AWS Control Tower is an OU contained within another OU. A nested OU can have exactly one parent OU, and each account can be a member of exactly one OU. Nested OUs create a hierarchy. When you attach a policy to one of the OUs in the hierarchy, it flows down and affects all the OUs and accounts beneath it. A nested OU hierarchy in AWS Control Tower can be a maximum of five levels deep.
  • Parent OU: The OU is immediately above the current OU in the hierarchy. Each OU can have exactly one parent OU
  • Child OU: Any OU below the current OU in the hierarchy. An OU can have many child OUs.
  • OU hierarchy: In AWS Control Tower, the hierarchy of nested OUs can have up to five levels. The order of nesting is referred to as Levels. The top of the hierarchy is designated as Level 1.
  • Top-level OU: A top-level OU is an OU that's directly under the Root, not the Root itself. The Root 

Limitations and quotas in AWS Control Tower

When using AWS Control Tower, be aware of the AWS service limits and quotas discussed in this chapter.

Limitations in AWS Control Tower

The following section describes known limitations and unsupported use cases:

  • You can change the email addresses of shared accounts in the Security OU, but you'll need to update your landing zone in the AWS Control Tower dashboard to view the changes.
  • OUs in your AWS Control Tower landing zone is limited to 5 SCPs per OU.
  • Existing OUs with more than 300 accounts in AWS Control Tower cannot be registered or re-registered.

Quotas for Integrated Services

The quotas for each service can be found in its documentation.

Best practices for AWS Control Tower administrators

Management account administrators are in charge of explaining why AWS Control Tower guardrails hinder member account administrators from performing certain actions. This item explains some best practices and procedures for transferring this expertise, as well as other helpful hints for properly setting up and managing your AWS Control Tower system.

Explaining Access to Users

Only users with the management account administrator rights have access to the AWS Control Tower console. Only these users have access to your landing zone's administration functions. This implies that the bulk of your users and member account administrators will never access the AWS Control Tower panel, as per best practices. As a management account administrator group member, it is your responsibility to explain the information below to the users and administrators of your member accounts as needed.

  • Explain which AWS resources users and administrators in the landing zone have access to.
  • It lists the preventive guardrails which the user applies to each Organizational Unit (OU) so that the other administrators can plan and execute their AWS workloads accordingly.

Explaining Resource Access

Some administrators and other users within your landing zone may require an explanation of the AWS resources they have access to. This access can take the form of both programmatic and console-based access. In general, both read and write access to AWS resources is permitted. Your users will need some level of access to the individual services they need to accomplish their jobs within AWS.

Some users, such as your Amazon Web Services (AWS) developers, may require knowledge of the resources to which they have access in order to build technical solutions. Other users, such as end-users of AWS-based apps, are not required to be aware of AWS resources within your landing zone.

Explaining Preventive Guardrails

A preventive guardrail guarantees that your company's accounts follow all of your corporate policies. A preventative guardrail's state is either enforced or disabled. Using service control policies, a preventive guardrail prevents policy infractions (SCPs). A detective guardrail, on the other hand, uses established AWS Config rules to notify you of certain occurrences or conditions.

Some of your users, such as AWS developers, may need to be aware of the preventive guardrails that apply to all accounts and OUs they utilize in order to build engineering solutions. According to your organization's information management policy, the following procedure provides some recommendations on how to disseminate this information to the appropriate people.

Frequently Asked Questions

What is AWS Control Tower?

AWS Control Tower is a service that allows you to enforce and administer security, operational, and compliance governance rules at scale across all of your AWS Cloud organizations and accounts.

What is the difference between AWS landing zone and Control Tower?

AWS  Control Tower and AWS Landing Zone both assist businesses in establishing and managing secure multi-account AWS environments. Use AWS Control Tower if you are new to AWS or AWS Landing Zone if you need a flexible landing zone with complete customization choices and control.

What is the AWS Control Tower landing zone?

A landing zone is a secure, multi-account AWS environment built using best practices in security and compliance. AWS Control Tower uses best-practice blueprints for identity, federated access, and account structure to automate the construction of a new landing zone.


In this article, we have extensively discussed the AWS Control Tower, which provides a simple approach to setting up and managing an AWS multi-account setup while following prescriptive best practices.

We hope that this blog has helped you enhance your knowledge regarding AWS Control Tower. Do upvote our blog to help other ninjas grow.

After reading about the AWS Control Tower, are you not feeling excited to read/explore more articles on the topic of AWS Resouces? Don't worry; Coding Ninjas has you covered. To learn, see Operating SystemUnix File SystemFile System Routing, and File Input/Output.

Refer to our Guided Path on Coding Ninjas Studio to upskill yourself in Data Structures and AlgorithmsCompetitive ProgrammingJavaScriptSystem Design, and many more! If you want to test your competency in coding, you may check out the mock test series and participate in the contests hosted on Coding Ninjas Studio! But if you have just started your learning process and are looking for questions asked by tech giants like Amazon, Microsoft, Uber, etc; you must look at the problemsinterview experiences, and interview bundle for placement preparations.

Nevertheless, you may consider our paid courses to give your career an edge over others!

Happy Learning!

Previous article
AWS Compute Optimizer
Next article
AWS Cloud Formation
Live masterclass