Summary: In Part 1, I explained how organizations can use the AWS Well-Architected Management & Governance Lens to build an agile, reliable, scalable, and secure cloud environment. In the second blog of this series, we will look at how you can deploy custom solutions on the AWS Control Control Tower to manage the security of your multi-account AWS environment.

(This is a series on the AWS Well-Architected Framework. This is Part 2. Read Part 1 here.)

Running many applications and working with large, distributed teams can make cloud setup and governance complex and time-consuming. AWS recommends isolating different environments and applications in different AWS accounts rather than keeping them in a single account to:

  • Create a Firewall between development and production environments: Keeping production and development environments in their dedicated AWS accounts creates a firewall between environments so that even if a security breach happens on the development AWS account, the production environment is kept secure.
  • Simplify configuration requirements: If the production and development environment is on the same AWS account, segregation, and auditing of IAM policies for development and production environments is time-consuming. Isolation of environments would decrease the complexity and allow us to safely administer the IAM access to the production environment and give operational freedom for development accounts to experiment with new AWS services and find better solutions.
  • Increase data security: Moving sensitive information, logging, backups, etc., to a separate AWS account with minimum access allowed will increase the security of data.
  • A flexible way of billing discovery

AWS has simplified managing a multi-account cloud environment with a managed service called AWS Control Tower, which can:

  • Automate the creation of a well-architected multi-account AWS environment
  • Simplify new account provisioning for your AWS organization
  • Centralize logging using AWS CloudTrail and AWS Config
  • Provide preventive and detective guardrails

The security of workloads is a key component of a well-architected cloud environment. While AWS Control Tower automatically collects logs and auditing information from all AWS accounts using Log Archive and stores them in Audit AWS accounts, having a centralized view of the security status and monitoring the entire organization for malicious activities is essential. This can be done by using AWS SecurityHub and AWS GuardDuty respectively. However, as the number of use cases, and consequently, AWS accounts increase, managing the security posture of each AWS account individually can become difficult.

To simplify this, Ibexlabs uses Customizations on Control Tower to implement custom security solutions on AWS Control Tower such as AWS SecurityHub and AWS GuardDuty to seamlessly integrate security aspects within your AWS environment, including the default guardrails offered by the Control Tower.

This framework helps implement solutions quickly on existing AWS accounts and also works in conjunction with the account factory to implement it for new AWS accounts. Ibexlabs provides cloud formation templates that can be called from the manifest files of the Customizations on AWS Control Tower Framework to execute on AWS accounts under the AWS Organization.

The AWS Security Hub Centralization solution will set up one of the AWS accounts (preferably the AWS Control Tower Audit account ) as a ‘master’ of the AWS Security Hub, enabling Security Hub on other AWS accounts (existing and new AWS accounts created by Control Tower) to report the security status to the master account. We use AWS Lambda functions behind-the-scenes to communicate and manage permissions between them with a principle of least privilege.

AWS GuardDuty works in a similar manner by utilizing the Built on Control Tower framework to centralize the monitoring of malicious activity using the GuardDuty ‘delegated administrator’ feature. The solution also makes use of events to capture new AWS account creation and automatically enables AWS GuardDuty to report to the delegated master.

62d1346321adea79d4f11c2d WAR Blog 2 Image


AWS Control Tower provides controls and guardrails to ensure that your accounts operate in alignment with compliance standards, and disallow actions that lead to policy violations.However, manually configuring AWS Security Hub and Amazon GuardDuty on all existing and future accounts can be time-consuming which will affect agility. It can also lead to configuration mistakes and affect the effective usage of respective services.Ibexlabs can deploy custom solutions for you to get a centralized view of security and monitor risk for all AWS accounts under the landing zone.Ibexlabs is a Built on Control Tower Partner. Get in touch with us to learn more about our custom security solutions.In Part 3 of the series, we will highlight how you can build a well-architected environment effortlessly using Infrastructure as code.