AWS Control Tower is AWS's managed landing zone service. This guide covers assessing your AWS environment against Control Tower best practices: account structure, SCPs, Security Hub and Transit Gateway.
Quick start: TCOIQ gives you instant AI-powered results in 60 seconds. Free plan available at tcoiq.com. Built by Wekams.
Control Tower sets up AWS Organizations, Audit and Log Archive accounts, pre-built SCPs as guardrails, AWS Config rules, CloudTrail across all accounts, and IAM Identity Center for centralised identity.
Mature structure: Management Account (billing only), Security OU (Audit, Log Archive), Infrastructure OU (shared services), Workloads OU (prod, non-prod), Sandbox OU. Most orgs still run workloads in the management account, which is a significant risk: SCPs do not apply to the management account, so nothing in those workloads is constrained by the guardrails.
Key SCPs: deny leaving Organizations, deny disabling CloudTrail, deny creating IAM users (force SSO), restrict allowed regions, require S3 encryption, deny public S3 ACLs.
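The six guardrails above expressed as one deny-only SCP, with a minimal evaluator that shows how each statement's action list and condition keys decide whether a request is blocked. This is an added example, not the page's or Control Tower's own policy text; the approved region list, the exempted global services and the request contexts are assumptions.

```python
import fnmatch

# Constructed SCP covering the six guardrails named above. The approved region
# list and the exempted global services are illustrative assumptions.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyLeaveOrg", "Effect": "Deny", "Resource": "*",
     "Action": "organizations:LeaveOrganization"},
    {"Sid": "DenyDisableCloudTrail", "Effect": "Deny", "Resource": "*",
     "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail", "cloudtrail:UpdateTrail"]},
    {"Sid": "DenyIamUsers", "Effect": "Deny", "Resource": "*",
     "Action": ["iam:CreateUser", "iam:CreateAccessKey"]},
    # NotAction exempts global services; without it the region deny breaks IAM and STS.
    {"Sid": "DenyUnapprovedRegions", "Effect": "Deny", "Resource": "*",
     "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*", "cloudfront:*", "route53:*"],
     "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}},
    {"Sid": "DenyUnencryptedObjects", "Effect": "Deny", "Resource": "*", "Action": "s3:PutObject",
     "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyPublicAcls", "Effect": "Deny", "Resource": "*",
     "Action": ["s3:PutObject", "s3:PutBucketAcl", "s3:PutObjectAcl"],
     "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}}},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _action_matches(stmt, action):
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))

def _condition_matches(cond, ctx):
    # All keys must match. An absent key satisfies the negated StringNotEquals
    # and Null:"true", which is exactly what makes the S3 encryption deny work.
    for op, kv in cond.items():
        for key, vals in kv.items():
            vals, actual = _as_list(vals), ctx.get(key)
            if op == "StringEquals" and actual not in vals: return False
            if op == "StringNotEquals" and actual in vals: return False
            if op == "Null" and (actual is None) != (vals[0] == "true"): return False
    return True

def denied_by(policy, action, ctx):
    """Return the Sid of the first Deny statement blocking the request, else None."""
    for s in policy["Statement"]:
        if (s["Effect"] == "Deny" and _action_matches(s, action)
                and _condition_matches(s.get("Condition", {}), ctx)):
            return s["Sid"]
    return None
```

Note that a real IAM evaluation also applies identity and resource policies; an SCP only removes permissions, so a request that returns None here still needs an explicit Allow elsewhere.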
Both should be enabled across all accounts, with findings aggregated to the Audit account. TCOIQ assesses which standards are activated (AWS Foundational, CIS AWS, PCI DSS) and which critical findings remain unresolved.
Transit Gateway (TGW) connects VPCs across accounts through a central router: a central inspection VPC running AWS Network Firewall, with workload VPCs attached as spokes. TCOIQ assesses the current topology and recommends a target architecture.