Suggestion: AWS Control Tower for OU and Account Structure Management

[jaredthivener]

Hi everyone,

I wanted to propose a shift in approach for setting up AWS Organizational Units (OUs) and account structures. Currently, the repository uses a combination of Terraform and Python to manage this setup. While this provides flexibility and is familiar to many of us, I believe adopting AWS Control Tower could provide a more scalable, secure, and AWS-native way to manage the same.

Why AWS Control Tower? 🗼

• Standardization: Out-of-the-box best practices for landing zones, guardrails, and account baselining.
• Account Factory: Simplifies creation of new AWS accounts with pre-approved blueprints.
• Compliance: Integrated with AWS Config and CloudTrail to provide ongoing governance.
• Extensibility: Supports lifecycle hooks and can be extended using Control Tower Account Factory for Terraform (AFT).
• Maintenance Overhead: Reduces the need for custom scripts to handle SCPs, OU hierarchy, and initial account setup.

What I’m Proposing 💡

• Start a parallel branch or module using AWS Control Tower (possibly with AFT) to handle OU and account provisioning.
• Evaluate the trade-offs between current Terraform/Python approach and Control Tower's capabilities.
• If it proves effective, consider gradually shifting or at least offering it as a recommended alternative for AWS-native management.

I’d love to hear your thoughts

[Lstedmanfalls]

I would be very interested in seeing this, as I'm not experienced with AWS Control Tower. Are you suggesting something like this https://developer.hashicorp.com/terraform/tutorials/aws/aws-control-tower-aft? I would personally prefer a solution that allows infra management via IAC as much as possible versus setup in the AWS console.

I see this Reddit thread from 3 years ago on pros / cons of Control Tower: https://www.reddit.com/r/aws/comments/u6kl39/aws_control_tower_yea_or_nay/. Without any experience with Control Tower, my initial thought is that maybe Control Tower would be best for larger or more regulated orgs where governance is critical, versus smaller ones where a simpler setup is preferred. If that is true, perhaps we could house both setups together in this repo and provide guidance on when either might be preferred. Alternatively if Control Tower is suitable for orgs of all sizes from the get go, we could rewrite this to just use that.

Would be curious to hear more input from those familiar with Control Tower.

[jaredthivener]

To address your concerns:

"I would personally prefer a solution that allows infra management via IAC as much as possible versus setup in the AWS console."

Absolutely valid, Control Tower + AFT Terraform Module is the way to go. It satisfies the “everything-as-code” mindset we want to achieve. 😎

You do bring up a good point about organizational size. I believe any organization of any size can benefit from Control Tower + AFT. But here's a more nuanced breakdown of how I see it.

Org Size / Need	Traditional TF+Python	Control Tower + AFT
Small (<5 accounts)	✅ Simple, lightweight	⚠️ May feel overkill
Medium (5–20 accounts)	⚠️ Increasing overhead	✅ Better governance + scaling
Large / Regulated Orgs	⚠️ Risk of drift	✅ Full governance & compliance
Multi-team / Multi-OU	⚠️ Complex orchestration	✅ Strong OU/account separation

[Lstedmanfalls]

Control Tower + AFT sounds great! 👌

I do think smaller orgs would see it as overkill though, like even getting to multi-account with OUs is a big migration for mid-to-later stage startups, etc (based on my experience), without adding in additional governance / policy layer, which I think would be fantastic to build out and show here.

Are you ok with having them live together as two options (keeping what's there now?). If so, what are your thoughts in housing together in this repo vs a new repo? I'd love if they could both be in this one since it's the same topic, but I also don't want to be rigid about it if it's gonna be messy.

Most important question: Are you up for building this Control Tower demonstration out? 🙏🚀

[Lstedmanfalls]

Hey @jaredthivener, following up. What are your thoughts regarding keeping the current setup and adding a Control Tower one as well? And are you interested in building the Control Tower setup, or should we ask if someone in the community would want to build it?

[Lstedmanfalls]

@jaredthivener as the repo already exists, can definitely submit a PR showing the AWS Control Tower setup. Based on the research I've done on my end, I'm personally leaning towards favoring a restructuring of this same repo to show support of both setups and some info on when a higher-level of standardization and governance offered with Control Tower would be preferred (it's sounding like more relevant for regulated enterprise-level orgs).