Building a Scalable AWS Multi-Account Environment with Control Tower, Terraform AFT, and SCP Guardrails

🔖 Overview

This document outlines the AWS account structure, governance, and control strategy used across our organization.
It describes how AWS Control Tower, AFT, and SCPs interact to provide a compliant, secure, and automated multi-account landing zone — aligning with AWS Well-Architected and CIS Benchmarks.

🌍 Organizational Structure

OU	Description	Primary Accounts
Security OU	Core compliance and security monitoring	`Log Archive`, `Audit`
Internal OU	Shared platform services and IAM root	`Shared Services`, `IAM/Root`
NPR Networking OU	Non-Production networking environment	`Internal Comms`, `External Comms`
PRD Networking OU	Production networking environment	`Internal Comms`, `External Comms`
Deprecated OU	Legacy accounts (no new workloads)	Various (read-only)

🧭 Regional Strategy

Component	Region	Rationale
IAM Identity Center (SSO)	`us-east-1`	Global endpoint for AWS SSO and Organizations
Control Tower Management Account	`us-east-1` backend	Required by AWS
All Member Accounts	`eu-west-2` (London)	Primary data residency & workload region
Backup / DR	`eu-west-1` (Ireland)	Optional failover region

💠 Conceptual Flow Diagram

                 ┌──────────────────────────────────────────────┐
                 │               Management Account             │
                 │ (AWS Organizations + Control Tower + AFT)    │
                 └──────────────────────────────────────────────┘
                                   │
                 ┌──────────────────────────────────────────────┐
                 │ Control Tower Landing Zone                   │
                 │ • Security OU (LogArchive + Audit)           │
                 │ • Creates baseline guardrails (AWS-managed)  │
                 │ • Delegates to AFT for account provisioning  │
                 └──────────────────────────────────────────────┘
                                   │ Management Acct (us-east-1)
              ┌────────────────────┴────────────────────┐
              │                                         │
    ┌──────────────────────────────┐          ┌──────────────────────────────┐
    │ Account Factory for TF (AFT) │          │ AWS Organizations (Org Root) │
    │ • GitOps: account requests   │          │ • OU hierarchy (SEC, INT,    │
    │ • Customizations pipelines   │          │   NPR, PRD, DEPRECATED)      │
    │ • Baselines, tagging, roles  │          │ • SCPs attached per OU       │
    └──────────────────────────────┘          └──────────────────────────────┘
              │                                         │
              │                                         │
              │              ┌────────────────────────────────────────┐
              │              │ SCP layer (Preventive Guardrails)      │
              │              │ • Enforced at Org root / OU level      │
              │              │ • Deny/allow APIs before IAM evaluated │
              │              │ • Prevents config drift or unsafe ops  │
              │              └────────────────────────────────────────┘
              │
     ┌────────┴─────────┐
     │ Enrolled Account │
     │ (e.g. Internal,  │
     │ NPR, PRD, etc.)  │
     └──────────────────┘

🧩 Control Tower & AFT Integration

Landing Zone

Deployed via AWS Control Tower in the management account.
Establishes:
- AWS Organizations
- Log Archive and Audit accounts
- Baseline guardrails (AWS-managed)

Account Factory for Terraform (AFT)

Provides GitOps-based account lifecycle management.
Each account is provisioned using Terraform pipelines that:
- Enroll the account in Control Tower
- Apply OU-specific baselines (e.g., Config, logging)
- Tag accounts automatically
AFT runs in its own AFT Management Account.

Account Hierarchy Diagram

Management Account
 ├── AWS Control Tower (Landing Zone)
 ├── AFT Pipelines (Account Factory for Terraform)
 └── AWS Organizations (Root OU)
      ├── Security OU
      ├── Internal OU
      ├── NPR Networking OU
      ├── PRD Networking OU
      └── Deprecated OU

🧰 Networking & Shared Services Strategy

Service	Owning Account	Scope	Sharing Mechanism
Transit Gateway (TGW)	Internal Comms (per env)	Environment-specific	AWS RAM (within the env)
Internet Gateway (IGW)	External Comms (per env)	Environment-specific	Single point of entry – not shared
NAT Gateway (NGW)	Shared Services	Cross-environment	Single point of exit – not shared
Network Firewall (NFW)	Shared Services	Cross-environment	AWS RAM + TGW routing
VPC Endpoint Services	Shared Services	Org-wide	Route53 Reslover

🔐 Governance & Security Controls

Governance is enforced using three layers:

Layer	Type	Enforcement Mechanism
Preventive	Service Control Policies (SCPs)	AWS Organizations
Detective	Config / Security Hub / GuardDuty	Audit account
Proactive	CloudFormation Hooks / AFT Customizations	Terraform baselines

🚫 Core SCP Pack (Preventive Guardrails)

1️⃣ Deny Root User Access

Prevents use of root credentials in any account.

{
  "Sid": "DenyRootUser",
  "Effect": "Deny",
  "Action": "*",
  "Resource": "*",
  "Condition": {
    "StringLike": {
      "aws:PrincipalArn": "arn:aws:iam::*:root"
    }
  }
}

2️⃣ Restrict Regions (EU + us-east-1)

{
  "Sid": "DenyOutsideApprovedRegionsExceptIdentity",
  "Effect": "Deny",
  "NotAction": [
    "iam:*","organizations:*","route53:*","sso:*","support:*"
  ],
  "Resource": "*",
  "Condition": {
    "StringNotEquals": {
      "aws:RequestedRegion": ["eu-west-1", "eu-west-2", "us-east-1"]
    }
  }
}

3️⃣ Deny Unapproved Network Creation

{
  "Sid": "DenyUnapprovedNetworking",
  "Effect": "Deny",
  "Action": [
    "ec2:CreateInternetGateway","ec2:AttachInternetGateway",
    "ec2:CreateNatGateway","ec2:CreateVpcPeeringConnection",
    "ec2:CreateTransitGateway","ec2:DeleteTransitGateway"
  ],
  "Resource": "*"
}

4️⃣ Restrict Service Creation

Resource	Allowed Account(s)	SCP Condition
TGW (Transit Gateway)	Internal Comms (PRD/NPR)	`aws:PrincipalAccount` = INC IDs
IGW (Internet Gateway)	External Comms (PRD/NPR)	`aws:PrincipalAccount` = EXC IDs
NFW (Network Firewall)	Shared Services	`aws:PrincipalAccount` = SSV ID
NGW (NAT Gateway)	Shared Services	`aws:PrincipalAccount` = SSV ID
VPC Endpoint Services	Shared Services	`aws:PrincipalAccount` = SSV ID

5️⃣ Tag Enforcement

{
  "Sid": "RequireStandardTags",
  "Effect": "Deny",
  "Action": ["ec2:RunInstances","rds:CreateDBInstance","s3:CreateBucket"],
  "Resource": "*",
  "Condition": {
    "Null": {
      "aws:RequestTag/Environment": "true",
      "aws:RequestTag/Owner": "true"
    }
  }
}

6️⃣ Deny Org Tampering

Protects core logging and control-plane resources

{
  "Sid": "DenyOrgTampering",
  "Effect": "Deny",
  "Action": [
    "organizations:LeaveOrganization",
    "cloudtrail:StopLogging",
    "config:StopConfigurationRecorder"
  ],
  "Resource": "*"
}

7️⃣ Deprecated OU Policy

{
  "Sid": "DenyNewCreates",
  "Effect": "Deny",
  "Action": ["*"],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Environment": "deprecated"
    }
  }
}

🧠 Control Layers Explained

Layer	Description	Managed By
Control Tower	Creates baseline governance (OU, guardrails, log archive, audit)	AWS
AFT	Automates account provisioning, tagging, baseline controls	Platform team
SCPs	Prevent actions that violate org standards (region, network, security)	Org root
Delegated Security Accounts	Detect & monitor compliance (Config, GuardDuty)	Security team

🪜 Deployment Workflow

Step	Action	Tool
1	Enable Control Tower (Landing Zone)	Console / CLI
2	Bootstrap AFT management	Terraform
3	Create OUs + SCPs	Terraform
4	Submit account requests via AFT	GitOps
5	Apply OU-specific baselines	Terraform
6	Validate security controls	AWS Config / Security Hub
7	Continuous compliance	Detective + Proactive guardrails