AWS Control Tower is a means of automatically creating a multi-account configuration which follows AWS best practices for enterprises.
Control Tower builds on the previous AWS Landing Zone offering, but provides a more fully automated experience.
The base set up which Control Tower creates includes an AWS Organization with sub accounts for security auditing and log aggregation. These are grouped in a single Organisational Unit under the master account, along with an "Account Factory" — a Service Catalog entry which creates new accounts managed by Control Tower.
Unlike Landing Zone, Control Tower conceals many of its operations in an "as-a-service" style platform. It has no API endpoints, so can only be operated from the console. Much of the mechanics that are openly visible in Landing Zone are now concealed.
Like Landing Zone, Control Tower orchestrates a number of other AWS services to provide its value including:
Vs Landing Zone
- Much less complex to use and administer
- Much better performance of initial setup and account creation
- A more mature product that will be supported in an ongoing manner
- The 2.3.1 Landing Zone release was re-licensed to Apache 2.0 after being Amazon Software License beforehand, which may indicate that Amazon does not intend to actively maintain it
- Less "open"; if things go wrong, you're stuck asking AWS Support
- More restrictive; opinionated choices as to network topography etc. are imposed on the user
Migration to Control Tower
At the beginning of 2021, Control Tower gained the ability to be set up in an existing organisation. Control Tower claims to only support one VPC per account, and makes networking choices that strongly deter VPC peering; you should assume that any instance based services you are migrating will have to communicate via PrivateLink endpoints.