
AWS Control Tower Data Governance

As an enterprise using AWS, you're probably dealing with a lot of data being used across multiple services and different user accounts. How can you keep track of it all? AWS Control Tower is one way AWS users can ensure that all accounts and roles, provisioning, and management follow technical rule-based policies that comply with company security stances, keeping the AWS environment secure and safe.

This article takes a closer look at AWS Control Tower, how its technical security features can help mitigate data risk in your deployment, and what NetApp Cloud Data Sense can do to help.

What Is AWS Control Tower?

AWS Control Tower is a structure for managing the governance of AWS environments, whether your environment is simple or arbitrarily complex. AWS Control Tower gives organizations a way to govern data throughout their entire AWS deployment, even when multiple user accounts are in use.

AWS Control Tower is also a warning system. Control Tower steps in when it detects breaches of defined data governance rules. Deployments can be automatically blocked if they breach data security rules. Control Tower also generates alerts when configurations are changed, rules are broken, or deployments deviate from best practices.

AWS Control Tower provides users with the following main benefits:

  • Quickly set up AWS environments
  • Rule-based security policy automation
  • Rule-based security policy enforcement
  • Visibility into policies throughout the deployment
  • Monitoring throughout the lifetime of deployments

What Is the Difference Between AWS Organizations and AWS Control Tower?

This isn’t exactly an either-or situation. AWS Control Tower uses several existing AWS components, one of them being AWS Organizations. However, it uses a simplified version with custom automation to build a complete multi-account organization structure. Other elements that form part of AWS Control Tower include AWS Service Catalog for the Landing Zone, AWS SSO for authentication, AWS Config for automation, and AWS CloudTrail for centralized logging.

How Does AWS Control Tower Work?

AWS Control Tower uses a rule-based policy system, built from predefined or custom rules, to control every action a user can perform within AWS and ensure the outcome stays within the internal guidelines set by the organization.

The process brings all of your environments under a single AWS Organization, places your accounts under an AWS SSO structure, and centralizes logging and configuration storage. AWS breaks this down into four sections: Landing Zone, Guardrails, Account Factory, and Dashboard. We will detail each section.

The Landing Zone

This self-service console provides a storefront of account templates and rule-based security policies that govern what permissions new user accounts can have, what region(s) they can build environments in, and what network configurations they can use. The Landing Zone comprises the two core instruments used to govern: Guardrails, which guide the design, and Account Factory, which is used to create accounts.

AWS Control Tower Guardrails

Guardrails are where you can govern access to your data, putting rules in place that enforce rigid restrictions on what can be accessed and by whom.

Each Guardrail is a simple, single-rule policy applied to an organizational unit (OU) within AWS Organizations. AWS provides an extensive collection of Guardrails that are all constructed around AWS best practices. The Systems Operations (SysOps) team can enable any number of these to form a cohesive rule-based security policy that aligns with applicable global privacy and security regulations as well as company policies.

There are two types of guardrails: Detective and Preventative. Detective guardrails constantly monitor the deployed infrastructure for non-conformance, and Preventative guardrails inhibit the deployment of resources that could breach them.

Guardrails can also be optional, applied selectively to different OUs as requirements dictate, or mandatory, in which case they are applied to the top-level OU as part of the Landing Zone.

The most apparent Guardrail for data governance, considering the media reports on recent data leaks, is "Disallow public read access for S3." Other examples of guardrails are "Disallow Cross-Region Replication for Amazon S3 Buckets" and "Disallow Changes to Encryption Configuration for Amazon S3 Buckets." Individually they are simplistic and easy to understand but can be very powerful when forming a more comprehensive rule-based security policy.
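To make the distinction between the two guardrail types concrete, here is an added example written for this article (it is not AWS's own guardrail implementation or policy text). The preventive side is modelled as a service control policy (SCP) statement in the style of "Disallow Changes to Encryption Configuration for Amazon S3 Buckets", and the detective side as a compliance check in the style of "Disallow public read access for S3", evaluated against constructed bucket descriptions. The SCP JSON, the bucket dictionaries, and the simplified evaluation logic are all assumptions made for illustration.

```python
"""Illustrative preventive and detective guardrails for S3 (example code).

Preventive: a Deny statement that stops the action before it happens.
Detective: a check run against already-deployed resources that reports
COMPLIANT / NON_COMPLIANT, the way an AWS Config rule would.
Neither block is the exact policy or rule AWS Control Tower deploys.
"""
import fnmatch

# Assumed SCP in the style of the encryption-configuration guardrail.
# s3:PutEncryptionConfiguration is the IAM action behind both setting and
# deleting a bucket's default encryption.
PREVENTIVE_GUARDRAIL_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyS3EncryptionConfigChanges",
            "Effect": "Deny",
            "Action": ["s3:PutEncryptionConfiguration"],
            "Resource": "*",
        }
    ],
}


def scp_denies(scp, action):
    """Return True if a Deny statement in `scp` matches `action`.

    Simplified evaluation: IAM actions are case-insensitive and may carry
    '*' wildcards; we assume the OU already inherits the default
    FullAWSAccess allow, so Deny statements alone decide the result.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            return True
    return False


# ACL grantee URIs that make an object world- or all-AWS-users readable.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (incl. list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def evaluate_public_read(bucket):
    """Detective check modelled on 'Disallow public read access for S3'.

    `bucket` is a constructed dict shaped like the fields of interest from
    GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy. A public ACL is
    neutralised by IgnorePublicAcls; an existing public policy is neutralised
    by RestrictPublicBuckets. Anything else public is NON_COMPLIANT.
    """
    pab = bucket.get("PublicAccessBlockConfiguration", {})
    acl_public = any(g in PUBLIC_GRANTEES for g in bucket.get("AclGranteeURIs", []))
    if acl_public and not pab.get("IgnorePublicAcls", False):
        return "NON_COMPLIANT"
    policy = bucket.get("Policy") or {}
    if not pab.get("RestrictPublicBuckets", False):
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
                return "NON_COMPLIANT"
    return "COMPLIANT"


# Constructed sample buckets (not real accounts or bucket names).
SAMPLE_BUCKETS = {
    "legacy-acl-bucket": {  # public via ACL, no block public access
        "AclGranteeURIs": ["http://acs.amazonaws.com/groups/global/AllUsers"],
    },
    "policy-but-restricted": {  # public policy, but RestrictPublicBuckets on
        "PublicAccessBlockConfiguration": {"RestrictPublicBuckets": True},
        "Policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                                  "Action": "s3:GetObject", "Resource": "*"}]},
    },
    "locked-down": {  # nothing public at all
        "PublicAccessBlockConfiguration": {"IgnorePublicAcls": True,
                                           "RestrictPublicBuckets": True},
    },
}


def run_detective_guardrail(buckets):
    """Evaluate every bucket; returns {bucket_name: compliance_status}."""
    return {name: evaluate_public_read(desc) for name, desc in buckets.items()}


if __name__ == "__main__":
    for action in ("s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration"):
        print(f"{action}: {'DENIED' if scp_denies(PREVENTIVE_GUARDRAIL_SCP, action) else 'allowed'}")
    for name, status in run_detective_guardrail(SAMPLE_BUCKETS).items():
        print(f"{name}: {status}")
```

The two halves show why Control Tower pairs the guardrail types: the SCP refuses the encryption change regardless of which principal in the OU attempts it, while the detective check finds drift that already exists, such as a bucket created before the guardrail was enabled. Read-only actions like `s3:GetEncryptionConfiguration` pass through the preventive policy untouched, so legitimate auditing is unaffected.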

Account Factory

The Account Factory contains authorized user templates. The definitions within these templates include the permitted VPC subnets, AWS Regions, and Availability Zone configurations. These templates are made available in the Landing Zone Dashboard.

[Screenshot: the AWS Control Tower Dashboard]

A current view of your Control Tower managed environment, including the number of accounts provisioned, the guardrails enabled, and a list of all resources that have infringed enabled detective guardrails.

Regulating what and where users can build, including enforcing some best practices and company standards and reporting on non-adherence to others, decreases the risk of data leaks within the environments and can help control costs.


Getting More Control Over AWS with Cloud Data Sense

AWS Control Tower allows you to securely manage your AWS environment, providing a set of rules that ensure AWS environments are built to align with security best practices, adhere to international regulations and company standards, as well as comply with the company’s privacy and security program. It is an effective tool that can keep bad actors at bay and help avoid simple mistakes that can cost money and reputation. But it cannot provide a detailed view of your data security, data risk, or potential cost savings.

There is a complementary tool to add in: NetApp Cloud Data Sense. Cloud Data Sense is a data governance tool that uses artificial intelligence to scan, map, and classify all the data in your system, whether it’s stored in AWS, on-prem, or any other repository. With the insights from Cloud Data Sense, you can not only identify savings opportunities and optimizations, but may also be able to use the tool to locate certain categories of personal information to assist in developing a baseline data map.

Check out all of NetApp Cloud Data Sense’s benefits:

  • Identify data risks where data access is too open
  • Overall and more detailed views of your data security
  • Show duplicated data
  • Show older data that may no longer be required
  • Classify data that may not be related to business

Side by side with AWS Control Tower, NetApp Cloud Data Sense can give you greater control over your data, wherever you have it stored. It’s data governance that goes beyond the cloud.


Senior Marketing and Strategy Manager