This chapter covers AWS Control Tower, a service that automates the setup of a secure, well-architected multi-account AWS environment, known as a landing zone. For the SOA-C02 exam, topics related to Control Tower appear in approximately 5-8% of questions, primarily under Domain 3: Deployment, Objective 3.1 (Automate the deployment of infrastructure with AWS services). Understanding Control Tower is critical because it is the recommended approach for building a multi-account architecture from scratch, and the exam tests your ability to distinguish it from manual Organizations setups, AWS Landing Zone (the older solution), and other governance tools. This chapter will cover the core components, how guardrails work, the account factory, and common exam traps.
Imagine a large corporation that acquires multiple subsidiaries. Each subsidiary has its own building, employees, and IT systems. Without central oversight, each subsidiary might install different security systems, use different accounting software, and have different hiring policies. This creates chaos, security gaps, and inefficiency. AWS Control Tower acts like a corporate headquarters that provides a standard blueprint for every new subsidiary. When a new subsidiary is formed (a new AWS account), HQ provides a pre-approved list of security cameras, door locks, and network configurations (guardrails, which AWS now calls controls). HQ also sets up a shared directory service (AWS IAM Identity Center, formerly AWS SSO) so employees can use one badge to access any building. HQ monitors all subsidiaries for compliance: some rules are enforced at the door (preventive controls refuse the action outright), while others only raise an alert when a subsidiary drifts out of line (detective controls report it; any automatic fix is something you build yourself). The subsidiaries (accounts) still operate independently, but they must follow the baseline rules. Control Tower is that headquarters: it orchestrates AWS Organizations, IAM Identity Center, AWS Service Catalog, AWS CloudTrail, and AWS Config to create a multi-account environment with mandatory policies and automated provisioning. It does not replace these services but uses them as building blocks, much as HQ uses existing vendors and contractors to enforce standards.
What is AWS Control Tower?
AWS Control Tower is a service that offers the easiest way to set up and govern a secure, compliant multi-account AWS environment based on AWS best practices. It automates the creation of a landing zone, a baseline multi-account structure built on AWS Organizations with pre-configured policies, logging, and identity management. Control Tower is not a replacement for AWS Organizations; it is an orchestration layer that sets up Organizations, AWS IAM Identity Center (formerly AWS Single Sign-On), AWS Service Catalog, AWS CloudTrail, and AWS Config, and then provides ongoing governance through guardrails (now called controls).
The exam expects you to know that Control Tower is designed for customers who want a quick, standardized multi-account setup without manually configuring each service. It is the successor to the deprecated AWS Landing Zone solution.
How Control Tower Works Internally
When you set up a landing zone, Control Tower performs the following key actions:
1. Creates an AWS Organization (if one does not already exist) and configures it with two default organizational units (OUs): a Security OU, which holds the shared accounts, and an optional Sandbox OU. Additional OUs such as Infrastructure or Workloads are recommended by AWS but are ones you create and register yourself.
2. Creates two shared accounts: a Log Archive account (for centralized logging) and an Audit account (for security and compliance teams' cross-account access and for notifications). Both are placed in the Security OU. The management account is not created by Control Tower; it is the account you run the setup from, and it stays at the root of the organization.
3. Enables AWS CloudTrail (as an organization trail in current landing zone versions) and AWS Config in every governed account and Region to capture API activity and resource configuration changes. Logs are delivered to centralized Amazon S3 buckets in the Log Archive account.
4. Configures AWS IAM Identity Center (formerly AWS SSO) as the identity source, creating an initial administrative user from the email you supply. You can later switch the identity source to an external identity provider (IdP) such as Microsoft Entra ID or Okta, or tell Control Tower not to manage Identity Center at all.
5. Deploys a set of mandatory controls (the older term is guardrails), high-level rules that govern accounts. Preventive controls are implemented as AWS Organizations service control policies (SCPs); detective controls are implemented as AWS Config rules.
6. Creates Account Factory, a pre-configured AWS Service Catalog product that allows authorized users to provision new accounts with the standardized baseline.
Key Components
Landing Zone: The entire multi-account environment created by Control Tower. It includes the OU structure, core accounts, guardrails, logging, and identity management.
Guardrails (now called controls): policies that enforce rules across accounts. Exam-era material describes two types:
Preventive controls: implemented as SCPs attached to OUs. They deny API actions that violate the policy, regardless of what IAM permissions the caller has. Example: the mandatory control that forbids stopping, deleting, or reconfiguring the CloudTrail trail Control Tower created. Its SCP denies those cloudtrail actions to every principal except Control Tower's own AWSControlTowerExecution role.
Detective controls: implemented as AWS Config rules deployed into each governed account and Region. They block nothing; they mark a resource NON_COMPLIANT and raise a notification. Example: "Detect whether public read access to Amazon S3 buckets is allowed" flags a bucket that becomes publicly readable.
Control Tower later added a third type, proactive controls, implemented as AWS CloudFormation hooks that reject non-compliant resources before a stack creates them; questions written against the older two-type model usually ignore these.
Control Tower ships with a library of predefined controls (a few dozen at launch; the catalogue has since grown to several hundred), grouped as mandatory, strongly recommended, and elective. You can also write your own SCPs and Config rules; Control Tower does not manage those, but the Customizations for AWS Control Tower (CfCT) solution is the supported way to deploy them alongside the landing zone.
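The detective side in working code, as an added example that is not code from the page or from AWS: the evaluation logic of a custom AWS Config rule of the kind a detective control is built from, here "is this S3 bucket readable by the public?". The configuration items are constructed and simplified; the field names (supplementaryConfiguration, PublicAccessBlockConfiguration, AccessControlList, BucketPolicy.policyText) follow the AWS Config schema for AWS::S3::Bucket only as far as this example uses them, so treat the exact shape as an assumption and check it against real items in your account. The handler signature is the standard Config custom-rule Lambda entry point; the bucket names and timestamp are made up.

```python
"""Added example: evaluation logic for a custom AWS Config rule that flags
S3 buckets with a public read path. Not Control Tower's own code; the
configuration-item shape is an assumption based on the AWS::S3::Bucket schema."""
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _acl_grants_public_read(acl):
    """Config stores the ACL as a JSON string; a group grantee is a URI."""
    if not acl:
        return False
    acl = json.loads(acl) if isinstance(acl, str) else acl
    for grant in acl.get("grantList") or []:
        grantee = grant.get("grantee")
        uri = grantee if isinstance(grantee, str) else (grantee or {}).get("URI", "")
        if uri in PUBLIC_GROUPS and grant.get("permission") in ("Read", "FullControl"):
            return True
    return False


def _policy_allows_public_read(policy_text):
    """True for any Allow to an anonymous principal covering object reads.
    Conditioned statements are counted too (fail closed); a production rule
    would exclude the condition keys S3 itself treats as non-public."""
    if not policy_text:
        return False
    for stmt in json.loads(policy_text).get("Statement", []):
        principal = stmt.get("Principal")
        anonymous = principal == "*" or (isinstance(principal, dict)
                                         and "*" in _as_list(principal.get("AWS")))
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") == "Allow" and anonymous and actions & READ_ACTIONS:
            return True
    return False


def evaluate_bucket(item):
    """Return (ComplianceType, annotation) for one configuration item.
    Block Public Access disarms each path separately: ignorePublicAcls for
    ACLs, restrictPublicBuckets for bucket policies."""
    if item.get("configurationItemStatus", "").startswith("ResourceDeleted"):
        return "NOT_APPLICABLE", "bucket no longer exists"
    supp = item.get("supplementaryConfiguration") or {}
    pab = supp.get("PublicAccessBlockConfiguration") or {}
    acl_exposed = (_acl_grants_public_read(supp.get("AccessControlList"))
                   and not pab.get("ignorePublicAcls"))
    policy_exposed = (_policy_allows_public_read((supp.get("BucketPolicy") or {}).get("policyText"))
                      and not pab.get("restrictPublicBuckets"))
    reasons = [r for r, hit in (("ACL grants public read", acl_exposed),
                                ("bucket policy allows anonymous read", policy_exposed)) if hit]
    if reasons:
        return "NON_COMPLIANT", "; ".join(reasons)
    return "COMPLIANT", "no public read path"


def lambda_handler(event, context, config_client=None):
    """Config custom-rule entry point: parse the invoking event, evaluate,
    and report back with PutEvaluations. A client can be injected for tests."""
    item = json.loads(event["invokingEvent"])["configurationItem"]
    compliance, annotation = evaluate_bucket(item)
    evaluation = {"ComplianceResourceType": item["resourceType"],
                  "ComplianceResourceId": item["resourceId"],
                  "ComplianceType": compliance,
                  "Annotation": annotation[:256],           # Config caps annotations at 256 chars
                  "OrderingTimestamp": item["configurationItemCaptureTime"]}
    if config_client is None:
        import boto3                                        # only needed inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


def _bucket_item(name, status="OK", pab=None, acl_public=False, policy_public=False):
    """Constructed configuration item for a made-up bucket called `name`."""
    supp = {"PublicAccessBlockConfiguration": pab or {}}
    if acl_public:
        supp["AccessControlList"] = json.dumps({"grantList": [
            {"grantee": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "Read"}]})
    if policy_public:
        supp["BucketPolicy"] = {"policyText": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{name}/*"}]})}
    return {"resourceType": "AWS::S3::Bucket", "resourceId": name, "configurationItemStatus": status,
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z", "supplementaryConfiguration": supp}


ALL_BLOCKED = {"blockPublicAcls": True, "ignorePublicAcls": True,
               "blockPublicPolicy": True, "restrictPublicBuckets": True}
SAMPLE_ITEMS = {                                            # constructed inputs
    "open-acl": _bucket_item("open-acl", acl_public=True),
    "open-policy": _bucket_item("open-policy", policy_public=True),
    "policy-behind-pab": _bucket_item("policy-behind-pab", pab=ALL_BLOCKED, policy_public=True),
    "private": _bucket_item("private"),
    "deleted": _bucket_item("deleted", status="ResourceDeleted", acl_public=True),
}


def evaluate_samples():
    return {name: evaluate_bucket(item)[0] for name, item in SAMPLE_ITEMS.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(f"{name:18s} {result}")
```

The point to take from the `policy-behind-pab` case is that a detective rule has to reason about S3 Block Public Access, not just the policy text: the same anonymous-read statement is a finding in one bucket and harmless in another. Real Control Tower detective controls are AWS managed Config rules, but a custom rule like this is how you would cover a check the catalogue lacks.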
Account Factory: an AWS Service Catalog product provisioned in the management account that you can customize. When a user launches it to request a new account, Control Tower automatically:
Creates a new AWS account via Organizations
Moves the account into the specified OU
Applies the mandatory controls plus whatever controls are enabled on that OU (controls follow OU membership; nothing is attached per account)
Enrolls the account in the landing zone baseline, which enables CloudTrail and Config logging to the Log Archive account and creates the AWSControlTowerExecution role
Provisions a baseline VPC according to the Account Factory network settings (this can be turned off)
Because Account Factory is a Service Catalog product, it can be driven through the Service Catalog API from an enterprise IT service management (ITSM) tool or a pipeline; AWS also publishes Account Factory for Terraform (AFT) and Account Factory Customization (AFC) for the same purpose.
Shared Accounts: the three accounts at the heart of the landing zone:
Management Account: the organization's management (payer) account, from which Control Tower is set up. It has blanket power over every member account, so it should be reserved for billing and organization administration, not workloads.
Log Archive Account: owns the S3 buckets that receive CloudTrail logs and Config history from every governed account. Mandatory SCPs block changes to the buckets' policies, encryption, lifecycle, and logging settings from inside the landing zone, which is what keeps the evidence trustworthy; the data is not literally immutable, and if you need that you add S3 Object Lock yourself.
Audit Account: a restricted account for security and compliance teams. It holds the AWS Config aggregator that collects compliance data from all accounts, the SNS topics that receive control notifications, and cross-account roles into every member account.
Configuration and Verification
To set up Control Tower, you navigate to the AWS Control Tower console and click "Set up landing zone." You provide:
Email addresses for the Log Archive and Audit accounts (setup runs from the management account, which already exists)
The home Region for the landing zone, plus any additional Regions you want governed. Control Tower deploys its baseline and detective controls only to governed Regions; preventive controls (SCPs) apply everywhere.
Whether Control Tower should configure IAM Identity Center for you (you can switch to an external IdP later) or leave identity management to you
The setup takes about 30-60 minutes. Once complete, you can verify the setup:
In the Control Tower dashboard, you see the landing zone status as "Active."
You can view the OU hierarchy and accounts.
Under "Guardrails," you see the list of enabled guardrails and their compliance status.
Using the AWS CLI, you can check with:
aws controltower list-landing-zones
aws controltower get-landing-zone --landing-zone-identifier <landing-zone-arn>
aws controltower list-enabled-controls --target-identifier <ou-arn>
aws organizations list-accounts
aws config describe-compliance-by-config-rule
Interaction with Related Technologies
Control Tower integrates deeply with:
AWS Organizations: Control Tower creates or adopts the organization and manages the OUs it registers. Changing those OUs, their SCPs, or their accounts directly in Organizations (for example, creating an account outside Account Factory and dropping it into a registered OU) causes drift that Control Tower reports on its dashboard and that you must repair.
IAM Identity Center (formerly AWS SSO): configured as the identity source, with an external IdP optional.
AWS Service Catalog: Account Factory is a Service Catalog product; you can add further products for standardized resource provisioning.
AWS Config: detective controls are Config rules; an aggregator in the Audit account collects compliance data.
AWS CloudTrail: enabled across the organization, with logs delivered to the Log Archive buckets.
Amazon S3: the centralized logging buckets, protected by bucket policies and mandatory SCPs against policy changes and deletion.
AWS Lambda and Amazon SNS: Control Tower's own Lambda functions forward control notifications to SNS topics in the Audit account. Control Tower does not remediate detective findings itself; if you want auto-remediation you wire Config remediation actions (Systems Manager Automation) or your own Lambda function to those findings.
Default Values and Timers
Landing zone setup time: Typically 30-60 minutes, but can vary.
Account creation via Account Factory: Usually 5-10 minutes.
Control enablement: enabling or disabling a control is an asynchronous operation (the CLI exposes its progress through get-control-operation). SCP attachments land within minutes; detective controls deploy as CloudFormation StackSet instances into every account and governed Region in the OU, which takes longer for large OUs.
Config rule evaluation: change-triggered rules run when a recorded resource changes; periodic rules run at the frequency configured per rule (most Control Tower detective controls are change-triggered, and periodic rules commonly run every 24 hours).
SCP effects: Preventive guardrails take effect almost immediately after the SCP is attached to an OU.
Important Limits
Quotas on accounts, OUs, and enabled controls per landing zone are service quotas that AWS has raised repeatedly; look them up in the Control Tower quota documentation or Service Quotas rather than memorizing a number.
Two limits come from AWS Organizations and are structural: at most 5 SCPs can be attached to any one OU or account, and OUs nest at most 5 levels deep. Control Tower packs several preventive controls into shared aws-guardrails-* SCPs to stay within the first, which is why you should check the remaining slots before attaching your own SCPs to a Control Tower-managed OU.
Region: Control Tower has one home Region and a list of governed Regions you choose. Detective controls and the logging baseline are deployed only to governed Regions; preventive SCPs are not Region-scoped and apply everywhere. To stop activity in Regions you do not govern, enable the Region deny control, an SCP that denies non-global service actions whose aws:RequestedRegion is outside the governed list.
Exam Relevance
The SOA-C02 exam tests your ability to:
Identify when to use Control Tower vs. manually setting up Organizations.
Understand the difference between preventive and detective guardrails.
Know that the Account Factory is used to provision new accounts with a standard baseline.
Recognize that Control Tower is opinionated: it insists on a Security OU holding the Log Archive and Audit accounts and on its logging baseline. Custom and nested OUs are supported, so heavy OU customization is less of a blocker than older material claims, but if you must deviate from the baseline itself, plain Organizations is the better fit.
Remember that Control Tower governs only the Regions you select (home Region plus additional governed Regions); detective controls exist only there, SCPs apply everywhere, and the Region deny control closes the gap for Regions you do not use.
Initiate Landing Zone Creation
You begin by navigating to the AWS Control Tower console and clicking 'Set up landing zone.' You provide the email addresses for the Log Archive and Audit accounts and select the home Region plus any additional governed Regions. Control Tower then calls AWS Organizations to create a new organization (or adopts the existing one) and creates the two shared accounts inside a Security OU, with an optional Sandbox OU alongside it. Account creation and verification takes a few minutes; the complete landing zone build takes up to about an hour.
Deploy Core Infrastructure
Control Tower enables AWS CloudTrail (an organization trail in current versions) to record API calls in every account, and enables AWS Config in every governed Region to track resource configurations. Logs are delivered to S3 buckets in the Log Archive account whose bucket policies, backed by the mandatory SCPs, prevent policy changes and deletion. Retention is set by lifecycle rules (one year for the log bucket and ten years for its S3 access-log bucket in the original design; current versions let you choose). Control Tower also sets up an AWS Config aggregator and SNS notification topics in the Audit account so compliance data and control notifications from all accounts land in one place. This step runs alongside account creation.
Configure Identity and Access
Control Tower enables IAM Identity Center (formerly AWS SSO) if you let it manage identity, and creates an initial administrative user from the email you provided. It creates permission sets such as AWSAdministratorAccess and AWSReadOnlyAccess and assigns them to the shared accounts (permission sets are assigned to accounts, not to OUs). Users then sign in once and pick the account and role they need. Control Tower also attaches SCPs to the OUs to implement preventive controls; for example, the mandatory control 'Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation' is an SCP that denies modifying those roles to everyone except Control Tower's own execution role.
Apply Guardrails
Control Tower applies the mandatory controls and whichever strongly recommended or elective controls you enable. Mandatory controls are always on and cannot be disabled; they protect the landing zone's own plumbing: the CloudTrail trail, the Config recorders and aggregator, the Log Archive buckets' policies, encryption and lifecycle, and the IAM roles, Lambda functions, and SNS topics Control Tower created. Strongly recommended and elective controls are enabled per OU; examples are 'Disallow creation of access keys for the root user' (preventive) and 'Detect whether public read access to Amazon S3 buckets is allowed' (detective). Each control is implemented either as an SCP (preventive) or an AWS Config rule (detective); SCPs are attached to the OU, and Config rules are deployed into each account and governed Region through a CloudFormation StackSet.
Set Up Account Factory
Control Tower creates an AWS Service Catalog portfolio in the management account containing the Account Factory product. Launching the product starts a CloudFormation stack that drives the workflow: Organizations creates the account, it is moved into the OU you chose, the baseline (CloudTrail, Config, the AWSControlTowerExecution role) is applied, the OU's controls take effect, and, unless you disabled it in the network settings, a VPC is created. Anyone granted Service Catalog end-user access to that portfolio, usually through an Identity Center permission set, can launch it; you do not need to be the management account administrator. Customize what new accounts contain with Account Factory Customization (AFC) blueprints, Account Factory for Terraform (AFT), or CfCT rather than by editing the product's template, which the next landing zone update overwrites. After the account is created it takes a few more minutes for the baseline and controls to finish applying.
Ongoing Governance and Monitoring
Once the landing zone is active, Control Tower continuously evaluates detective controls through AWS Config and shows the number of non-compliant resources per control on its dashboard. When a detective control finds a violation (for example, an S3 bucket that becomes publicly readable), the Config compliance change is routed through Amazon EventBridge (formerly CloudWatch Events) to an SNS topic in the Audit account, which is where you subscribe your ticketing or paging integration. Control Tower itself never changes the offending resource; auto-remediation is something you add, typically an AWS Config remediation action backed by a Systems Manager Automation document, or a Lambda function subscribed to the notification. Preventive controls need no monitoring loop because the SCP refuses the call. Control Tower also offers landing zone updates to move to the latest landing zone version, which may bring new controls or features, and reports drift for changes made outside Control Tower.
Enterprise Scenario 1: Financial Services Compliance
A bank needs to deploy multiple AWS accounts for different business units (retail, investment, compliance). Each account must adhere to strict regulatory requirements: all S3 buckets must be private, CloudTrail must be enabled, and IAM users are prohibited (staff use Identity Center instead). The bank uses Control Tower to create a landing zone, enables the strongly recommended S3 public-access and root-account controls, relies on the mandatory controls for CloudTrail, and adds a custom SCP for the IAM-user ban, since that is not in the Control Tower catalogue. Account Factory lets developers request new accounts for projects, automatically placing them in the appropriate OU (Sandbox for experimentation, a custom Workloads OU for production). The bank's security team uses the Audit account to monitor compliance across all accounts. A common issue arises when a developer tries to create an IAM user in a Sandbox account: the SCP denies the action with an explicit-deny error, and the developer is confused. The fix is education, not an exception: IAM users are not allowed, so they must use Identity Center. Performance is not a concern because SCPs are evaluated at the time of the API call with negligible latency.
Enterprise Scenario 2: Multi-Region Governance
A global e-commerce company operates in multiple AWS Regions. Its landing zone was set up with us-east-1 as the home Region and no other governed Regions. The company now wants eu-west-1 governed as well, so it adds eu-west-1 to the governed Regions in the landing zone settings and runs a landing zone update; Control Tower then deploys Config, the logging baseline, and every enabled detective control there. Preventive controls need no such step: SCPs are not Region-scoped and already apply in eu-west-1. A blind spot surfaces when a team creates resources in ap-southeast-1, which nobody governs: no Config recorder runs there, so detective controls never evaluate those resources, even though SCPs still constrain them. The company closes the gap with the Region deny control, an SCP that denies requests to non-global services whenever aws:RequestedRegion is outside the governed list, and resolves to govern every Region it actually uses rather than hand-rolling Config rules with StackSets.
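To make the preventive mechanics concrete, both for the SCP-based controls described under Key Components and Apply Guardrails and for the Region deny control this scenario ends with, here is an added example that is not code from the page or from AWS: a small evaluator for the shape of SCP Control Tower attaches. Two policies are constructed inline. The first mirrors the mandatory control protecting the Control Tower CloudTrail trail; the second mirrors the Region deny control. Both exempt Control Tower's own AWSControlTowerExecution role, which is the detail people miss when they wonder why Control Tower can change what they cannot. Only the IAM features these two policies rely on are implemented (Deny statements, Action/NotAction wildcards, ArnNotLike and StringNotEquals); the Sids, account ID, role names, trail name and governed Regions are assumptions made up for the demo.

```python
"""Added example: evaluator for Control Tower-style preventive SCPs.
Not Control Tower's own code; policy Sids, account IDs, role and trail names
and the governed-Region list are made up for the demonstration."""
import fnmatch

GOVERNED_REGIONS = ["us-east-1", "eu-west-1"]             # assumed governed Regions
CT_ROLE_PATTERN = "arn:aws:iam::*:role/AWSControlTowerExecution"

CLOUDTRAIL_PROTECTION_SCP = {                             # mandatory-control style
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRCLOUDTRAILENABLED",
        "Effect": "Deny",
        "Action": ["cloudtrail:DeleteTrail", "cloudtrail:PutEventSelectors",
                   "cloudtrail:StopLogging", "cloudtrail:UpdateTrail"],
        "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": CT_ROLE_PATTERN}},
    }],
}

REGION_DENY_SCP = {                                       # Region deny control style
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "GRREGIONDENY",
        "Effect": "Deny",
        # Global services are carved out with NotAction; the real list is longer.
        "NotAction": ["iam:*", "organizations:*", "sts:*", "cloudfront:*",
                      "route53:*", "support:*", "budgets:*"],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": GOVERNED_REGIONS},
            "ArnNotLike": {"aws:PrincipalArn": CT_ROLE_PATTERN},
        },
    }],
}
POLICIES = [CLOUDTRAIL_PROTECTION_SCP, REGION_DENY_SCP]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_sensitive):
    """IAM-style wildcard match ('*' any run, '?' one char). Actions compare
    case-insensitively, ARNs case-sensitively."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_met(condition, context):
    """Negated operators evaluate to true when the key is absent, as in IAM."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "ArnNotLike":
                ok = actual is None or not any(_glob(p, actual, True) for p in _as_list(expected))
            elif operator == "StringNotEquals":
                ok = actual is None or actual not in _as_list(expected)
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def _statement_applies(stmt, request):
    action = request["action"]
    if "Action" in stmt and not any(_glob(p, action, False) for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(_glob(p, action, False) for p in _as_list(stmt["NotAction"])):
        return False
    if not any(_glob(p, request["resource"], True) for p in _as_list(stmt["Resource"])):
        return False
    return _condition_met(stmt.get("Condition", {}), request["context"])


def scp_denies(policies, request):
    """Return the Sid of the first matching Deny statement, or None.
    None means 'not blocked by the SCP'; IAM must still grant the call."""
    for policy in policies:
        for stmt in policy["Statement"]:
            if stmt["Effect"] == "Deny" and _statement_applies(stmt, request):
                return stmt["Sid"]
    return None


def sample_requests():
    """Constructed API calls from a developer role and the Control Tower role
    in the made-up account 111122223333."""
    dev = "arn:aws:iam::111122223333:role/DeveloperRole"
    ct = "arn:aws:iam::111122223333:role/AWSControlTowerExecution"
    ct_trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/aws-controltower-BaselineCloudTrail"
    app_trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/app-trail"

    def req(action, resource, principal, region):
        return {"action": action, "resource": resource,
                "context": {"aws:PrincipalArn": principal, "aws:RequestedRegion": region}}
    return {
        "dev_stops_ct_trail": req("cloudtrail:StopLogging", ct_trail, dev, "us-east-1"),
        "ct_role_stops_ct_trail": req("cloudtrail:StopLogging", ct_trail, ct, "us-east-1"),
        "dev_stops_own_trail": req("cloudtrail:StopLogging", app_trail, dev, "us-east-1"),
        "dev_ec2_governed": req("ec2:RunInstances", "*", dev, "eu-west-1"),
        "dev_ec2_ungoverned": req("ec2:RunInstances", "*", dev, "ap-southeast-1"),
        "dev_iam_ungoverned": req("iam:CreateRole", "*", dev, "ap-southeast-1"),
    }


def evaluate_samples():
    return {name: scp_denies(POLICIES, r) for name, r in sample_requests().items()}


if __name__ == "__main__":
    for name, sid in evaluate_samples().items():
        print(f"{name:24s} -> {'DENY by ' + sid if sid else 'not blocked by SCP'}")
```

Two design points carry over to real landing zones. The mandatory control only protects the aws-controltower-* trail, so a team's own trail is untouched; and the Region deny policy must carve out global services with NotAction, because IAM and STS calls would otherwise be denied from every Region and break sign-in. Real Control Tower SCPs also carry the ArnNotLike exemption for its execution role, which is why that role must exist in an account before it can be enrolled.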
Enterprise Scenario 3: Mergers and Acquisitions
A company acquires another firm that already runs its own AWS Organization with 50 accounts. The acquired environment does not follow best practices: many accounts have public S3 buckets, no CloudTrail, and IAM users with long-term keys. The acquiring company wants those accounts under its Control Tower landing zone. An account can belong to only one organization, so each acquired account must first leave the old organization (after its billing and support dependencies are resolved) and accept an invitation into the acquiring organization; there is no bulk 'migrate organization' feature, and the old management account cannot leave at all while it is still managing an organization. Once invited, an account sits unenrolled and ungoverned until it is enrolled into a registered OU, which requires the AWSControlTowerExecution role in the account and no Config recorder or delivery channel that conflicts with the one Control Tower will create. Enrollment then applies the baseline and the OU's controls; pre-existing violations (the public buckets, the missing trails) show up as non-compliant findings to be cleaned up. The common mistake is assuming that an account invited into the organization is governed: organization membership and Control Tower enrollment are separate steps. A related point the exam may probe: Control Tower can be set up in an existing organization, and existing accounts and OUs are brought in through enrollment and 'register OU', not by rebuilding the organization.
What SOA-C02 Tests on Control Tower
The SOA-C02 exam objectives under Domain 3 (Deployment) Objective 3.1 include: 'Automate the deployment of infrastructure with AWS services such as AWS CloudFormation, AWS Elastic Beanstalk, and AWS Control Tower.' Specific focus areas:
Objective 3.1.1: Create and manage a landing zone using AWS Control Tower.
Objective 3.1.2: Implement and manage guardrails.
Objective 3.1.3: Use the Account Factory to provision accounts.
Common Wrong Answers and Why
'Control Tower cannot be set up in an existing organization that already has accounts.' Wrong. It can; those accounts and OUs simply remain ungoverned until you register the OU or enroll each account (prerequisites: the AWSControlTowerExecution role and no conflicting Config recorder in the account). The true statement is that organization membership alone does not put an account under Control Tower governance.
'Preventive guardrails are implemented using AWS Config rules.' Wrong — Preventive guardrails use SCPs; detective guardrails use Config rules. Many candidates confuse the two.
'Control Tower replaces AWS Organizations.' Wrong — Control Tower uses Organizations as a foundation; it does not replace it. You can still use Organizations directly, but Control Tower adds automation and governance.
'The Account Factory can only be used by the management account admin.' Wrong. Account Factory is a Service Catalog product in the management account, and any user granted end-user access to its portfolio (typically through an Identity Center permission set), or an automation such as AFT calling the Service Catalog API, can launch it.
Specific Numbers and Terms on the Exam
Three core accounts: Management, Log Archive, Audit.
Default OUs: Security (holds the shared accounts) and Sandbox (optional); Infrastructure and Workloads OUs are AWS recommendations you create yourself.
Guardrail types: Preventive (SCP) and Detective (Config).
Mandatory controls: roughly twenty, all protecting Control Tower's own baseline, such as 'Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation' and 'Disallow changes to bucket policy for AWS Control Tower created Amazon S3 buckets in log archive'. The public S3 access controls are strongly recommended, not mandatory.
Account Factory: Uses AWS Service Catalog.
Region scope: detective controls and the logging baseline exist only in governed Regions (the home Region plus any you add); SCPs apply everywhere.
Landing zone update: You can update the landing zone to the latest version via the console.
Edge Cases and Exceptions
Control Tower in an existing organization: supported. Setup adopts the organization, creates the Security OU and shared accounts, and leaves everything else alone until you register OUs or enroll accounts. If the exam presents a company with an existing organization, the answer is to set up Control Tower there and enroll, not to create a second organization.
Custom controls: you can deploy your own SCPs and Config rules (CfCT is the supported vehicle), but Control Tower neither tracks nor reports on them, and your SCPs count against the five-per-target Organizations limit alongside the aws-guardrails-* SCPs.
Multiple Regions: add Regions to the governed list in the landing zone settings and Control Tower deploys Config and the detective controls there. SCPs are not Region-scoped; detective controls are. The Region deny control blocks use of Regions you chose not to govern.
Account Factory customization: customize through AFC blueprints, AFT, or CfCT. Editing the Account Factory product's template directly causes drift and is overwritten by the next landing zone update.
How to Eliminate Wrong Answers
If the question mentions 'preventing' an action, the answer likely involves SCPs (preventive). If it mentions 'detecting' or 'alerting', it likely involves Config rules (detective).
If the question asks about provisioning new accounts with a standard baseline, the answer is Account Factory.
If the question asks about centralized logging, the answer is Log Archive account with S3 bucket.
If the question describes requirements Control Tower's baseline cannot accommodate (no central Log Archive and Audit accounts, no organization-wide CloudTrail and Config), plain Organizations with your own SCPs is the better choice; needing custom or nested OUs is not by itself a reason to avoid Control Tower.
Control Tower automates the creation of a multi-account landing zone with a Security OU (plus an optional Sandbox OU), two shared accounts it creates (Log Archive, Audit), and the management account you start from.
Preventive guardrails use SCPs to deny actions; detective guardrails use AWS Config rules to detect violations.
The Account Factory is an AWS Service Catalog product that provisions new accounts with a standardized baseline.
Control Tower governs the home Region plus any Regions you add to the governed list; detective controls live only there, SCPs apply everywhere, and the Region deny control fences off the rest.
Control Tower can be set up in an existing organization; existing accounts are governed only after you register their OU or enroll them.
Mandatory guardrails cannot be disabled; elective guardrails can be enabled per OU.
Control Tower integrates with IAM Identity Center (formerly AWS SSO), CloudTrail, Config, and Service Catalog.
The Log Archive account stores CloudTrail logs and Config history in S3 buckets whose bucket policies and mandatory SCPs prevent tampering from inside the landing zone.
The Audit account provides read-only access to all accounts for centralized compliance monitoring.
Landing zone updates are available to apply new features and guardrails.
Custom SCPs and Config rules can be deployed alongside Control Tower (CfCT is the supported route) but are not tracked by it.
Account, OU, and control quotas are service quotas that change; the hard limits are Organizations' five SCPs per target and five OU nesting levels.
These come up on the exam all the time. Here's how to tell them apart.
AWS Control Tower
Automated landing zone creation with best-practice OU structure and core accounts.
Pre-built guardrails (preventive and detective) that are easy to enable.
Account Factory for standardized account provisioning via Service Catalog.
Integrated with IAM Identity Center (formerly AWS SSO), CloudTrail, and Config automatically.
Opinionated baseline: a Security OU with Log Archive and Audit accounts and organization-wide logging are non-negotiable, though custom and nested OUs are supported.
Manual AWS Organizations Setup
Requires manual creation of OUs, accounts, SCPs, and logging infrastructure.
You must create your own SCPs and Config rules from scratch.
No built-in account factory; you must build your own automation (e.g., CloudFormation).
You configure SSO, CloudTrail, and Config separately.
Full flexibility to design any OU structure and policy hierarchy.
Mistake
Control Tower cannot be set up in an existing AWS Organization that already has accounts; the setup will fail.
Correct
Control Tower can be set up in an existing organization. Existing accounts and OUs are not governed until you register the OU or enroll the account, which needs the AWSControlTowerExecution role and no conflicting Config recorder or delivery channel in that account.
Mistake
Preventive guardrails are implemented using AWS Config rules.
Correct
Preventive guardrails use AWS Service Control Policies (SCPs) to deny API actions. Detective guardrails use AWS Config rules to detect and alert on non-compliance.
Mistake
Control Tower replaces AWS Organizations.
Correct
Control Tower is an orchestration layer that uses AWS Organizations as its foundation. It does not replace Organizations; it automates the setup and governance on top of it.
Mistake
The Account Factory can only be used by the management account administrator.
Correct
Account Factory is an AWS Service Catalog product in the management account. Any user granted end-user access to its portfolio, usually through an Identity Center permission set, can launch it, as can automation such as AFT through the Service Catalog API.
Mistake
Control Tower governs all AWS Regions automatically.
Correct
Control Tower deploys its baseline and detective controls only to the home Region and the additional Regions you choose to govern. SCPs are not Region-scoped, so preventive controls apply everywhere; detective controls exist only in governed Regions. Add Regions through the landing zone settings, and use the Region deny control to block Regions you leave ungoverned.
AWS Organizations is the foundational service that allows you to centrally manage multiple AWS accounts, create OUs, and apply SCPs. AWS Control Tower is a higher-level service that automates the setup of an Organizations-based multi-account environment with best practices. Control Tower creates or adopts the organization, sets up the Security OU, the shared accounts, controls, logging, and identity management. You can use Organizations alone, but Control Tower simplifies and automates the process.
Yes. Control Tower can be set up in an existing organization; it creates the Security OU and the Log Archive and Audit accounts and leaves existing OUs and accounts untouched and ungoverned. You then extend governance by registering existing OUs or enrolling accounts individually, after making sure each account has the AWSControlTowerExecution role and no conflicting Config recorder or delivery channel. Accounts from a different organization must leave it and be invited into yours before they can be enrolled.
Mandatory controls are always enabled and cannot be disabled. They protect Control Tower's own baseline rather than your workloads: examples are 'Disallow changes to AWS IAM roles set up by AWS Control Tower and AWS CloudFormation', 'Disallow changes to bucket policy for AWS Control Tower created Amazon S3 buckets in log archive', 'Disallow configuration changes to AWS Config', and 'Disallow changes to CloudWatch Logs log groups set up by AWS Control Tower'. There are roughly twenty of them. Controls about public S3 access, root access keys, and root MFA are strongly recommended rather than mandatory, and a ban on IAM users is not in the catalogue at all (you would add it as a custom SCP).
Account Factory is an AWS Service Catalog product in the management account that automates the creation of new AWS accounts. When a user launches it, a CloudFormation stack drives the workflow: the account is created through Organizations, moved to the specified OU, enrolled in the baseline (CloudTrail, Config, the execution role), placed under the OU's controls, and given a VPC according to the network settings. Customize it through AFC blueprints, AFT, or CfCT. Any user granted end-user access to the portfolio can launch it.
Control Tower governs the home Region plus whatever additional Regions you add to the governed list in the landing zone settings; adding a Region makes Control Tower deploy Config, the logging baseline, and the enabled detective controls (Config rules) there. Preventive controls (SCPs) are not Region-scoped and apply everywhere automatically. Detective controls are regional, so a Region you do not govern has no Config recorder and no findings; the Region deny control blocks such Regions outright.
Preventive guardrails are implemented using AWS Service Control Policies (SCPs). They actively deny API actions that violate the policy, preventing non-compliant resources from being created or modified. Detective guardrails are implemented using AWS Config rules. They do not block actions but detect and alert when a resource becomes non-compliant. For example, a preventive guardrail can block making an S3 bucket public, while a detective guardrail can alert if a bucket becomes public (if the preventive guardrail is not enabled).
Modifying the organization directly (creating accounts outside Account Factory and moving them into registered OUs, moving or renaming registered OUs, editing or detaching the aws-guardrails-* SCPs) causes drift: Control Tower expects to manage the structure and controls it registered, and it reports the discrepancy on its dashboard. Most drift is repaired by reversing the change or by re-registering the OU or re-enrolling the account; a landing zone repair from the console covers the rest. The exam advises against manual changes to Control Tower-managed resources.