This chapter covers AWS Control Tower and Landing Zone, two critical services for multi-account governance and security at scale. On the SAA-C03 exam, approximately 5–8% of questions touch on multi-account management, with Control Tower and Landing Zone being key topics. You must understand how Control Tower automates the setup of a secure, compliant multi-account environment using AWS Organizations, AWS SSO, and AWS CloudTrail. This chapter will give you the deep technical knowledge needed to answer scenario-based questions about centralized governance, preventive and detective guardrails, and account factory provisioning.
Imagine a large corporation with multiple departments (business units) operating in different regions. Each department has its own office space (AWS account) with its own IT setup. Without centralized governance, departments might use different security standards, have inconsistent network configurations, or accidentally expose sensitive data. AWS Control Tower acts like a Corporate Headquarters (HQ) that enforces company-wide policies. HQ creates a standardized office layout (Landing Zone) for every department, including pre-configured security guards (guardrails), a shared phone system (AWS Organizations), and a central directory (SSO). When a new department opens, HQ automatically sets up a new office with all the required security badges, fire extinguishers, and network cables. If HQ updates a policy—like requiring two-factor authentication on all doors—it automatically applies to every existing and future office. The HQ also maintains a central log of all badge swipes (CloudTrail) and alarms (CloudWatch) across all departments. Without Control Tower, each department would have to manually configure its own security and compliance, leading to errors and inconsistencies. With Control Tower, the entire organization operates under a single, auditable governance framework.
What is AWS Control Tower and Why Does It Exist?
AWS Control Tower is a service that automates the setup of a Landing Zone—a well-architected, multi-account AWS environment based on best practices. It provides governance at scale by enforcing policies (guardrails) across all accounts in an AWS Organization. The primary goal is to allow organizations to quickly create a secure, compliant, and auditable environment without manual configuration.
Before Control Tower, customers had to manually set up AWS Organizations, Service Control Policies (SCPs), AWS SSO, CloudTrail, and AWS Config. This was error-prone and time-consuming. Control Tower automates these steps, ensuring consistency.
How Control Tower Works Internally
Control Tower operates by orchestrating several AWS services:
AWS Organizations: Control Tower creates an organization (if one does not exist) and manages organizational units (OUs). It creates a root OU and three core OUs: Security, Sandbox, and Infrastructure. Additional OUs can be added later.
AWS Single Sign-On (SSO): Control Tower sets up AWS SSO for centralized user access. It creates an SSO directory or integrates with an existing identity provider (e.g., Active Directory).
AWS CloudTrail: Control Tower enables CloudTrail in every account and aggregates logs into a centralized Amazon S3 bucket in the Log Archive account.
AWS Config: Control Tower enables AWS Config in every account to track resource configuration changes and evaluate compliance against guardrails.
Amazon S3: A centralized S3 bucket is created for CloudTrail logs and AWS Config snapshots.
AWS Lambda: Control Tower uses Lambda functions to automate remediation actions when guardrails are violated.
AWS Service Catalog: The Account Factory uses Service Catalog to provision new accounts with pre-defined blueprints.
Guardrails are the core governance mechanism. They come in two types:
- Preventive Guardrails: Implemented using Service Control Policies (SCPs) that deny API actions. For example, a preventive guardrail can deny creating an S3 bucket with public access.
- Detective Guardrails: Implemented using AWS Config rules that detect non-compliant resources. For example, a detective guardrail can detect S3 buckets with public access and trigger a remediation Lambda.
Control Tower also provides a Dashboard for visibility into compliance status across all accounts and OUs.
Key Components, Values, Defaults, and Timers
- Landing Zone Version: Control Tower uses versioned landing zones. As of 2025, the latest version is 3.0. Each upgrade adds new features and guardrails.
- Core Accounts: Control Tower creates three core accounts:
  - Management Account: The payer account and the root of the organization. Control Tower is deployed here.
  - Log Archive Account: Stores all CloudTrail logs and AWS Config snapshots.
  - Audit Account: Provides read-only access for security auditors.
- Guardrails: There are about 50+ pre-built guardrails. Preventive guardrails are either mandatory (cannot be disabled) or strongly recommended (can be enabled/disabled). Detective guardrails are elective.
- Account Factory: A pre-built Service Catalog product that allows authorized users to provision new accounts with a standardized baseline. It includes network configuration (VPC, subnets), IAM roles, and guardrails.
- Enrollment: When you set up Control Tower, it takes approximately 30–60 minutes to create the landing zone. This includes creating the organization, core accounts, and initial guardrails.
- Update Cycle: Control Tower releases new features and guardrails periodically. You can update your landing zone from the Control Tower console.
Configuration and Verification
To set up Control Tower:
1. Log into the AWS Management Console with an IAM user that has administrator access in the management account.
2. Navigate to AWS Control Tower and click "Set up landing zone".
3. Choose your email addresses for the management, log archive, and audit accounts.
4. Configure the region (Control Tower is region-specific; it sets up resources in the home region).
5. Enable or disable optional guardrails.
6. Click "Set up landing zone".
After setup, you can verify the landing zone by:
Checking the Control Tower Dashboard for compliance status.
Listing the OUs in AWS Organizations:
aws organizations list-roots
aws organizations list-organizational-units-for-parent --parent-id r-xxxx
Viewing the SCPs attached to OUs:
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
Checking CloudTrail in the Log Archive account:
aws cloudtrail describe-trails --trail-name-list aws-controltower-BaselineCloudTrail
Interaction with Related Technologies
AWS Organizations: Control Tower manages OUs and SCPs. You should not manually modify SCPs created by Control Tower, as they enforce guardrails.
AWS SSO: Control Tower creates an SSO instance and assigns permission sets to OUs and accounts. You can manage users and groups in SSO after setup.
AWS Config: Control Tower creates Config rules for detective guardrails. You can see compliance in the Config console.
AWS Service Catalog: Account Factory uses Service Catalog to provision accounts. You can modify the Account Factory portfolio to add custom blueprints.
AWS CloudFormation: Control Tower uses CloudFormation StackSets to deploy resources across accounts. You can view the stacks in the CloudFormation console.
AWS IAM Identity Center (successor to AWS SSO): Control Tower integrates with IAM Identity Center for user management. Note that if you enable IAM Identity Center before Control Tower, you must use the same identity source.
Limitations
Region-scoped: Control Tower is deployed in a single home region. It can manage resources in other regions, but the core infrastructure (CloudTrail, Config) is in the home region.
Cannot manage existing organizations: Control Tower can only set up a new landing zone. It cannot be imported into an existing AWS Organization. You must create a new organization or use a fresh management account.
Guardrails are not retroactive: Preventive guardrails only block new API calls, so resources that already exist are untouched. Detective guardrails can detect existing non-compliant resources.
Account Factory limitations: The default Account Factory creates a VPC with a /28 CIDR block (16 IPs). You can customize the network via the Service Catalog product.
Initiate Landing Zone Creation
The administrator navigates to the AWS Control Tower console and clicks 'Set up landing zone'. This triggers a CloudFormation stack that provisions the foundational resources. The process begins by creating an AWS Organization if one does not exist. Control Tower then creates three core accounts (Management, Log Archive, Audit) using AWS Organizations APIs. Each account gets a unique email address provided during setup. This step takes about 5–10 minutes as AWS creates the accounts and sends verification emails.
Deploy Core Infrastructure
Control Tower deploys the baseline infrastructure across all accounts using CloudFormation StackSets. This includes enabling CloudTrail, AWS Config, and creating the centralized S3 bucket in the Log Archive account. It also sets up AWS SSO with a default directory. The StackSet targets all existing and future accounts in the organization. This step takes approximately 15–20 minutes. During this time, CloudTrail trails are created with multi-region and global service event logging enabled.
Apply Guardrails to OUs
Control Tower creates three OUs (Security, Sandbox, Infrastructure) and attaches SCPs for preventive guardrails. For example, the 'Disallow public read access to S3 buckets' SCP is attached to all OUs. Detective guardrails are implemented as AWS Config rules. Each rule has a remediation action (Lambda function) that can automatically fix non-compliant resources. The SCPs are applied at the OU level and inherited by all accounts within. This step is near-instant after the OUs are created.
Configure Account Factory
Control Tower creates a Service Catalog product called 'AWS Control Tower Account Factory'. This product includes a CloudFormation template that provisions a new account with a standard VPC, IAM roles, and baseline guardrails. The template also creates a CloudTrail trail and enables Config in the new account. Administrators can customize the template to add additional resources, such as subnets or security groups. The Account Factory is published in a portfolio accessible to authorized users.
Verify Landing Zone Compliance
After deployment, the Control Tower Dashboard displays compliance status for all guardrails across accounts. Administrators can drill down to see which accounts are non-compliant and why. The dashboard aggregates data from AWS Config and CloudTrail. Any detective guardrail violations appear within minutes of resource creation. Administrators can also use the AWS Config console to view detailed compliance history. The landing zone is now ready for use, and new accounts can be provisioned via the Account Factory.
Enterprise Scenario 1: Financial Services Compliance
A large bank needs to deploy a multi-account environment that meets PCI DSS and SOC 2 compliance. They use Control Tower to create a landing zone with mandatory guardrails that prevent any account from creating public S3 buckets or disabling CloudTrail. The Log Archive account stores all logs for 7 years using S3 Object Lock. The Audit account is used by external auditors who have read-only access via AWS SSO. The bank provisions separate accounts for production, development, and testing using Account Factory. Each account gets a standardized VPC with a /16 CIDR block, and network traffic is inspected by a centralized firewall appliance in the Security OU. The bank also enables the mandatory guardrail 'Disallow changes to IAM roles created by Control Tower' to prevent accidental privilege escalation.
Enterprise Scenario 2: SaaS Startup Scaling
A fast-growing SaaS company uses Control Tower to manage over 200 accounts for different customers (each customer gets a dedicated account). They use the Account Factory to automate account creation when a new customer signs up. The base landing zone includes a detective guardrail that alerts when an EC2 instance has a public IP address. The company's security team uses the Control Tower Dashboard to monitor compliance across all accounts. They also use custom guardrails via SCPs to restrict instance types to cost-efficient families (e.g., t3, m5). A common misconfiguration is when developers manually modify the SCPs created by Control Tower, causing the landing zone to become 'drifted'. The company uses Control Tower's 'Update landing zone' feature to reset the SCPs to their intended state.
Performance and Scale Considerations
Control Tower is designed for organizations with up to thousands of accounts. However, there are limits: the management account can have a maximum of 5,000 accounts per organization. The Control Tower Dashboard refreshes every 15 minutes. For real-time compliance, use AWS Config's advanced queries. When provisioning accounts via Account Factory, the process takes about 5–10 minutes per account. For bulk provisioning, use the Account Factory API or AWS CloudFormation StackSets directly. A common failure point is exceeding the SCP policy size limit (5,120 characters). Control Tower's built-in SCPs are concise, but custom SCPs can push the limit. Always test SCPs in a Sandbox OU first.
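As an added illustration (not Control Tower's own code, nor one of its managed SCPs), the following Python models the two guardrail types described under "How Control Tower Works Internally" together with the SCP size check just mentioned: a constructed SCP in the AWS Organizations policy format, a deliberately simplified deny-only evaluator, a detective-style check over a constructed inventory of existing buckets, and a size check against the 5,120-character limit. The policy content, the evaluator's rules and the bucket inventory are all assumptions for the demo.

```python
import fnmatch
import json

SCP_MAX_CHARS = 5120  # SCP document size limit cited on this page

# Constructed SCP in the AWS Organizations policy format; it stands in for a
# preventive guardrail and is NOT one of Control Tower's managed SCPs.
PREVENTIVE_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyDisablingCloudTrail", "Effect": "Deny",
         "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"], "Resource": "*"},
        {"Sid": "DenyPublicBucketAcl", "Effect": "Deny",
         "Action": ["s3:CreateBucket", "s3:PutBucketAcl"], "Resource": "*",
         "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read", "public-read-write"]}}},
    ],
}

# Constructed inventory of buckets that already exist, like an AWS Config snapshot.
EXISTING_BUCKETS = [
    {"name": "legacy-public-assets", "acl": "public-read", "block_public_access": False},
    {"name": "app-logs", "acl": "private", "block_public_access": True},
]


def scp_denies(policy, action, request_context=None):
    """Simplified, hypothetical SCP evaluation. An SCP never grants anything, so the
    only question is whether an explicit Deny matches the action and its condition.
    Only StringEquals conditions are modelled; real IAM evaluation has many more rules."""
    ctx = request_context or {}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # A condition on a key that is absent from the request does not match.
        if all(ctx.get(k) in (v if isinstance(v, list) else [v]) for k, v in cond.items()):
            return True
    return False


def detect_public_buckets(inventory):
    """Detective-guardrail style check over existing resources: returns the names of
    buckets that are already public. The SCP above never sees these; this check does."""
    public_acls = {"public-read", "public-read-write"}
    return [b["name"] for b in inventory
            if b.get("acl") in public_acls or not b.get("block_public_access", False)]


def scp_size(policy):
    """Character count of the compact document you would attach; keep it <= SCP_MAX_CHARS."""
    return len(json.dumps(policy, separators=(",", ":")))
```

Run `scp_denies` against a new public-bucket call and `detect_public_buckets` against the inventory to see the difference the chapter describes: the SCP blocks the new call but never touches `legacy-public-assets`, while the detective check flags it.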
What SAA-C03 Tests on Control Tower and Landing Zone
The SAA-C03 exam objectives (specifically 1.4 - Secure Multi-Account Governance) test your ability to recommend and configure Control Tower for centralized governance. Key areas:
- Guardrails: Understand the difference between preventive (SCPs) and detective (AWS Config rules). Know that preventive guardrails deny actions, while detective guardrails detect and optionally remediate.
- Account Factory: Know that it uses AWS Service Catalog and CloudFormation to provision accounts. Be aware that you can customize the VPC CIDR range.
- Landing Zone Components: Know the three core accounts (Management, Log Archive, Audit) and their purposes.
- Integration with AWS Organizations: Control Tower manages OUs and SCPs. Do not manually modify Control Tower-created resources.
- Region Limitation: Control Tower is region-specific. The landing zone is set up in one home region.
Common Wrong Answers and Why
'Control Tower can be used with existing AWS Organizations' - WRONG. Control Tower requires a new organization. If an organization already exists, you must migrate to a new management account.
'Preventive guardrails are implemented using AWS Config rules' - WRONG. Preventive guardrails use SCPs. Config rules are for detective guardrails.
'Account Factory creates accounts in the same OU as the management account' - WRONG. Account Factory provisions accounts into a specified OU (default: Infrastructure).
'Control Tower automatically remediates all non-compliant resources' - WRONG. Only detective guardrails with remediation actions can auto-fix; preventive guardrails simply deny the action.
Specific Numbers and Terms on the Exam
Landing Zone setup time: 30–60 minutes.
Core accounts: 3 (Management, Log Archive, Audit).
Default OUs: 3 (Security, Sandbox, Infrastructure).
Guardrail types: Preventive (SCP) and Detective (Config).
Account Factory: Uses Service Catalog and CloudFormation.
Edge Cases and Exceptions
If you enable AWS SSO manually before Control Tower, the SSO configuration must match. Control Tower will fail if it cannot create an SSO instance.
Control Tower does not support all AWS services in all regions. For example, some detective guardrails are not available in China or GovCloud regions.
When you update the landing zone, Control Tower may reset some custom configurations. Always document custom changes.
How to Eliminate Wrong Answers
If a question mentions 'denying API actions', the answer involves preventive guardrails or SCPs.
If a question mentions 'detecting non-compliance', the answer involves detective guardrails or AWS Config.
If a question asks about automated multi-account setup, look for 'Control Tower Landing Zone' or 'Account Factory'.
If a question mentions 'centralized logging', think of Log Archive account and CloudTrail.
Avoid selecting answers that suggest manual configuration when Control Tower is an option for automation.
Control Tower automates the creation of a secure multi-account environment using a Landing Zone.
Preventive guardrails are implemented via SCPs and deny actions; detective guardrails use AWS Config rules to detect and optionally remediate.
Control Tower creates three core accounts: Management, Log Archive, and Audit.
Account Factory uses AWS Service Catalog and CloudFormation to provision new accounts with standardized resources.
Control Tower cannot be added to an existing AWS Organization; a new organization is required.
Guardrails are applied at the OU level and inherited by all accounts in that OU.
The landing zone setup takes approximately 30–60 minutes and is deployed in a single home region.
These come up on the exam all the time. Here's how to tell them apart.
AWS Control Tower
Automates landing zone setup with guardrails and core accounts.
Provides a dashboard for compliance visibility.
Integrates Account Factory for automated account provisioning.
Includes pre-built guardrails for common compliance frameworks.
Manages AWS SSO and CloudTrail automatically.
AWS Organizations
Provides the foundational hierarchy (OUs, accounts) and SCPs.
Does not include a dashboard or automated remediation.
Requires manual setup of CloudTrail, Config, and SSO.
Allows custom SCPs but no pre-built guardrails.
Is a building block; Control Tower builds on top of it.
Mistake
Control Tower can be deployed into an existing AWS Organization without any migration.
Correct
Control Tower requires a new organization. If you have an existing organization, you must create a new management account and migrate resources. There is no in-place conversion.
Mistake
Preventive guardrails are implemented using AWS Config rules that can auto-remediate.
Correct
Preventive guardrails use Service Control Policies (SCPs) that deny API actions before they happen. Detective guardrails use AWS Config rules and can trigger remediation, but they only detect violations after the fact.
Mistake
Control Tower automatically applies guardrails to all existing resources in the management account.
Correct
Preventive guardrails apply only to new API calls. Existing resources are not affected unless they are modified. Detective guardrails can detect existing non-compliant resources and flag them.
Mistake
The Account Factory can provision accounts into any OU, including the root OU.
Correct
Account Factory provisions accounts into the 'Infrastructure' OU by default. You can change the target OU in the Service Catalog product, but you cannot provision directly into the root OU.
Mistake
Control Tower provides a single dashboard that can manage resources across all AWS regions.
Correct
Control Tower is region-specific. The dashboard shows compliance for resources in the home region only. For multi-region governance, you must set up additional resources manually or use AWS Organizations policies.
No, AWS Control Tower cannot be deployed into an existing AWS Organization. Control Tower requires a new organization. If you already have an organization, you must create a new management account, set up Control Tower, and then migrate your accounts and resources. There is no in-place upgrade path.
Preventive guardrails deny API actions that violate policies, using Service Control Policies (SCPs). For example, a preventive guardrail can prevent creating an S3 bucket with public access. Detective guardrails use AWS Config rules to detect non-compliant resources after they are created. They can trigger remediation actions via Lambda, but they do not block the initial action. Both types are essential for comprehensive governance.
Account Factory uses AWS Service Catalog and AWS CloudFormation. It provides a pre-built product that, when launched, creates a new AWS account via AWS Organizations, applies a baseline CloudFormation template that includes a VPC, IAM roles, and guardrails, and then enrolls the account into the Control Tower landing zone. The process takes about 5–10 minutes.
Yes, you can customize the VPC CIDR range by modifying the Account Factory CloudFormation template in AWS Service Catalog. The default CIDR is /28 (16 IPs). You can change it to any valid CIDR block, but ensure it does not overlap with other VPCs in your organization if you plan to peer them.
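Added example, not from the page or from AWS: a Python check, using only the standard-library ipaddress module, for planning a custom Account Factory VPC CIDR so that it stays within AWS's /16 to /28 VPC size range and does not overlap the VPCs you may later peer with. The inventory of existing VPC CIDRs and the 10.0.0.0/8 allocation pool are constructed assumptions.

```python
import ipaddress

# AWS allows VPC CIDR blocks between /16 and /28 and reserves five addresses per subnet.
VPC_MIN_PREFIX, VPC_MAX_PREFIX, RESERVED_PER_SUBNET = 16, 28, 5

# Constructed inventory of VPC CIDRs already in use across the organization.
EXISTING_VPCS = {
    "prod-account/vpc-main": "10.0.0.0/16",
    "dev-account/vpc-main": "10.1.0.0/16",
    "shared-services/vpc-hub": "10.2.0.0/20",
}


def check_vpc_cidr(candidate, existing_vpcs):
    """Validate a candidate Account Factory VPC CIDR: is the prefix length allowed by
    AWS, how many addresses does it give, and which existing VPCs does it overlap
    (an overlap would block VPC peering later). Returns a dict; raises ValueError
    if the candidate has host bits set (for example 10.0.0.5/28)."""
    net = ipaddress.ip_network(candidate, strict=True)
    overlaps = [label for label, cidr in existing_vpcs.items()
                if net.overlaps(ipaddress.ip_network(cidr))]
    return {
        "cidr": str(net),
        "addresses": net.num_addresses,  # a /28 gives 16, the page's default figure
        "usable_if_single_subnet": net.num_addresses - RESERVED_PER_SUBNET,
        "prefix_ok": VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX,
        "overlaps": overlaps,
    }


def next_free_cidr(existing_vpcs, prefixlen, pool="10.0.0.0/8"):
    """Return the first block of the requested size in the pool that overlaps no
    existing VPC, or None if the pool is exhausted. Useful when handing each new
    Account Factory account its own non-overlapping CIDR."""
    used = [ipaddress.ip_network(c) for c in existing_vpcs.values()]
    for block in ipaddress.ip_network(pool).subnets(new_prefix=prefixlen):
        if not any(block.overlaps(u) for u in used):
            return str(block)
    return None
```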
Modifying SCPs created by Control Tower can cause the landing zone to become 'drifted'. Control Tower expects these SCPs to remain unchanged. If you modify them, the Control Tower Dashboard may show non-compliance or errors. You can use the 'Update landing zone' option to reset the SCPs to their intended state, but this may overwrite any custom changes.
Control Tower is deployed in a single home region. It can manage resources in other regions via CloudTrail and Config, but the core infrastructure (S3 bucket, CloudTrail trail) is in the home region. For multi-region governance, you must ensure that CloudTrail and Config are enabled in all regions, which Control Tower does automatically.
Auditors can be granted access via AWS SSO (now IAM Identity Center). Control Tower creates a permission set called 'AWSControlTower_AuditAccess' that provides read-only access to all accounts. You can assign this permission set to users or groups in the SSO console. The Audit account itself has an IAM role that allows cross-account access from the management account.