Accounts

It's important to understand the role of each of the accounts that Control Tower creates when you launch a new environment. In the following diagram, you can see that we start with a master account. Within that account are AWS Organizations organizational units (OUs), called Core and Custom. Under the Core OU, Control Tower creates a Log Archive Account and an Audit Account. Later, you and your users will use AWS Service Catalog to create Provisioned Accounts under the Custom OU:

Control Tower accounts

Each of the blocks in the preceding diagram represents an account:

  • The Master Account: This account is where all of the coordination happens for your multi-account environment. Take extra precautions with regard to user access in this account, and be careful with any actions you take here because you can affect all of the child accounts.
  • The Log Archive Account: The logging account keeps a copy of the AWS CloudTrail and AWS Config logs as a secure backup to the copy that is kept in each provisioned account for operational purposes. It is good practice to store these logs in an account that is only accessible to auditors. That prevents a bad actor from covering up their tracks in an account where the logs are not shipped to a different location.
  • The Audit Account: This account is to be used by auditors and comes equipped with cross-account roles into the other accounts. Auditors and security staff should log in to this account and then use those cross-account roles to switch context into the affected accounts while they are conducting investigations or implementing emergency security measures.
  • Provisioned Accounts: These accounts are the whole reason we have gone to the trouble of creating our environment with Control Tower. This is where your application lives. You may have a single provisioned account to host your resources, but it's more likely that you will have a long list of accounts that are used for various purposes. It is good practice to create a separate account for production and development environments, for instance, to reduce the blast radius of changes that are made during the development process.
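As an added illustration of the Audit Account's cross-account roles (example code written for this section, not taken from the book or from Control Tower itself): a trust policy that only identities in the audit account can assume, with MFA required, and a check that flags a trust policy that is broader than that. The account ID is a constructed placeholder and the MFA condition is an assumption; Control Tower's own roles may be configured differently.

```python
import json
import re

# Constructed placeholder account IDs; real IDs are 12-digit numbers.
AUDIT_ACCOUNT = "222222222222"

# Matches an account root or role ARN and captures the 12-digit account ID.
ACCOUNT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):(root|role/[\w+=,.@/-]+)$")


def audit_role_trust_policy(audit_account, require_mfa=True):
    """Trust policy for the cross-account role in each provisioned account:
    only identities in the audit account may assume it, and with
    require_mfa the caller must also have authenticated with MFA."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{audit_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy, expected_account):
    """Return the problems found in an assume-role trust policy, or []."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principals = stmt.get("Principal", {})
        if principals == "*":
            findings.append("wildcard principal: any AWS identity may assume the role")
            continue
        aws = principals.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            m = ACCOUNT_ARN.match(p)
            if m is None:
                findings.append(f"wildcard or unparseable principal: {p}")
            elif m.group(1) != expected_account:
                findings.append(f"trusts account {m.group(1)}, expected {expected_account}")
        # Condition keys can be nested under several operators; a text search is enough here.
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            findings.append("no MFA condition on sts:AssumeRole")
    return findings
```

Run the checker over the trust policies of the audit roles in each provisioned account; any finding means a principal other than the audit account could switch context into that account.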

In preview editions of Control Tower, a third core account was dedicated to shared services. This account was meant to host resources that need to be shared across all your provisioned accounts. A good example of something that should be provisioned in a shared services account is your domain registration. Use Route 53 to register a domain, but then delegate the name servers to one of your provisioned accounts where the domain is configured. This makes it much easier to switch an application from one account to another.

Since this account is no longer created for you, our recommendation is to provision an account under the Custom OU for shared services.