Control Tower 2

Question 1

VPCs, Networking, Regions

What does Control Tower do with VPCs?

Answer 1

Deletes the default VPC. Creates new Control Tower VPC.

Question 2

VPCs, Networking, Regions

What’s in the Control Tower VPC?

Answer 2

3 AZs. Each has 1 public and 2 private subnets. IP space divided equally. No overlaps.

Question 3

VPCs, Networking, Regions

Control Tower and Regions?

Answer 3

Home Region is where you start. Have to tell Control Tower to move into new regions and manage them.

Question 4

VPCs, Networking, Regions

Can accounts enrolled in Control Tower deploy into regions that aren’t enabled when setting up the Landing Zone?

Answer 4

Yes (but controls, auditing, etc. are not enabled, no data collected, nothing enforced)

Question 5

VPCs, Networking, Regions

What is Region Deny?

Answer 5

Can prevent users from accessing resources in Regions not governed by your LZ.

Question 6

VPCs, Networking, Regions

At what level do you set Region Deny?

Answer 6

Whole Organization. Can’t set at particular OUs.

Question 7

Controls

Another name for Controls?

Answer 7

Guardrails (an older term being phased out)

Question 8

Controls

Where in Organizations do Controls live?

Answer 8

Anywhere! Per-OU, multiple OUs, inherited down

Question 9

Controls

Use Case for different Controls in different OUs?

Answer 9

Developer OU has wide open controls, production OU is locked-down tight

Question 10

Controls

Three categories of Controls?

Answer 10

Preventative (can’t happen), Proactive (Stop provisioning), Dectective (find an existing bad thing)

Question 11

Controls

Example system providing Preventative Controls?

Answer 11

SCPs

Question 12

Controls

Example system providing Proacrtive Controls?

Answer 12

CloudFormation hooks

Question 13

Controls

Example system providing Dectective Controls?

Answer 13

Config rules

Question 14

Controls

Three types of Control guidance?

Answer 14

Mandatory, Strongly Recommended, and Elective

Question 15

Controls

Can you turn off or disable a Mandatory Control?

Answer 15

No

Question 16

Controls

At what Org level are Mandatory Controls?

Answer 16

Root (everywhere)

Question 17

Controls

Are Mandatory Controls on by default in a new LZ?

Answer 17

Yes

Question 18

Controls

Can you turn off or disable a Strongly Recommended Control?

Answer 18

Yes

Question 19

Controls

At what Org level are Strongly Recommended Controls?

Answer 19

Any OUs you want

Question 20

Controls

Are Strongly Recommended Controls on by default in a new LZ?

Answer 20

No

Question 21

Controls

Can you turn off or disable an Elective Control?

Answer 21

Yes

Question 22

Controls

At what Org level are Elective Controls?

Answer 22

Any OUs you want

Question 23

Controls

Are Elective Controls on by default in a new LZ?

Answer 23

No

Question 24

Controls

What’s the differentiator between Strongly Recommended and Elective Controls?

Answer 24

Elective are for niche things, SR are generally good ideas across core workloads.

Question 25

Controls

What Controls are in effect in the CT Management account?

Answer 25

None: deliberately unrestricted

Question 26

Controls

What happens to the in-account Controls when you move an account to another OU?

Answer 26

You have some manual steps to get it all sorted out…no automatic.

Question 27

Controls

Examples of Mandatory Controls?

Answer 27

Can’t change things set up by CT, like notification SNS or AWS Config rules

Question 28

Controls

Example of Proactive Controls?

Answer 28

DB tables require PIT recovery turned on, S3 SSE turned on

Question 29

Controls

Example of Strongly Recommended Controls?

Answer 29

Encrypt EBS volumes, no public access to RDS databases

Question 30

Controls

Example of Elective Controls?

Answer 30

Turn on versioning for S3 buckets