AWS Control Tower Reviews & Insights

AWS Control Tower allows me to provision predefined compliant and secure AWS accounts in an automated fashion

Multi - account scenario is perfect example where AWS Control Tower should be used - to separate workloads in individual accounts. I.E. development and production in different accounts with separate billing

We started using AWS Control Tower to split up our workloads into separate accounts to follow the AWS well-architected framework. AWS Control Tower makes it easy to create new accounts and drive policies across them all. So our root account handles creating other accounts for us and ensures they all have logging and our security practices in place.

AWS Control Tower is great if you have multiple organizations or disciplines inside a company that needs to be separated for billing purposes or separation of concern. Multiple accounts is part of AWS's well-architected framework and are generally a good idea. AWS Control Tower makes central logging easy which enables those logs to be quickly picked up by a logging tool to provide even more reports and insight. For smaller organizations, AWS Control Tower may seem like an over-engineered solution

We have multiple companies along with multiple clients that require separate AWS accounts. With AWS Control Tower it makes it simple and easy to have a central point to monitor and control all the AWS accounts.

If you have more than 3 AWS accounts or strict security requirements (e.g PCI, SOC II) Control Tower is a must. If you only have 1-2 accounts and few users the added complexity of the control tower is likely not worth the time.

AWS Control Tower allows you to set up a baseline environment, in the parlance of Control Tower, this is called a landing zone. The value adds of this product is that the default baseline environment that is set up by AWS Control Tower includes AWS best practices by default. This includes best practices from AWS Well-Architected Framework. In our case, we were interested in experimenting with a lower overhead setup for an ancillary AWS account.

We were wanting to prove the concept of a low touch process for quickly spinning up boilerplate AWS environments. We were able to get started quickly and to ensure that the AWS Well-Architected Framework principles were followed - at least upfront - however, we found that for our use case and expertise level it ultimately wasn't a fit. We have the skills on our team to manage more of this on our own. My recommendation would be contingent on what skills are already available on your team: if you can "do it yourself" you might as well so that you don't pay for resources you don't need and you have finer grain control over what's created.