AWS Control Tower Multi-Account Architecture & Governance

Overview

Executive Summary

Designed and implemented a comprehensive AWS multi-account architecture leveraging AWS Organizations and Control Tower for a healthcare technology organization. The solution established a secure, compliant, and scalable cloud foundation supporting multiple business units while preparing for enterprise-wide cloud migration.

Business Challenge

The organization required a robust cloud governance framework to:

  • Manage multiple business applications across isolated environments
  • Ensure HIPAA compliance and healthcare data security
  • Enable development, QA, and production segregation
  • Prepare for migration of on-premises workloads to AWS
  • Implement centralized cost management and visibility
  • Establish secure hybrid connectivity for gradual migration

Solution Architecture

  • Multi-Account Structure

Designed a 18-account architecture organized across 4 Organizational Units:

    • Security OU (3 accounts)
      1. Log Archive Account – Centralized logging repository
      2. Audit Account – Security monitoring and compliance
      3. Security Services Account – Threat detection and automation
    • Shared Services OU (3 accounts)
      1. Shared Services Account – Common enterprise services
      2. Networking Account – Hub for connectivity and routing
      3. Deployment Account – CI/CD pipeline orchestration
    • Production OU (6 accounts)
      1. Primary Production & DR – Core business workloads
      2. Application A Production – Dedicated application environment
      3. Application B Production & DR – Isolated healthcare application
      4. Legacy Account – Existing workload migration staging
    • Non-Production OU (6 accounts)
      1. Separate Dev/QA environments for all applications
      2. Cost-optimized development infrastructure

  • Key Technical Implementations

    • Governance & Security
      1. Implemented Service Control Policies (SCPs) across all OUs for compliance enforcement
      2. Integrated Microsoft Entra ID with AWS IAM Identity Center for SSO
      3. Deployed AWS GuardDuty, Security Hub, and Detective for threat detection
      4. Established CloudTrail organization trail and AWS Config for audit compliance
      5. Enforced encryption at rest and in transit across all accounts

    • Networking & Connectivity
      1. Designed Transit Gateway hub-and-spoke architecture
      2. Implemented Site-to-Site VPN for hybrid connectivity
      3. Centralized NAT Gateways and Internet Gateway management
      4. Configured Route 53 Resolver for hybrid DNS resolution
      5. Prepared infrastructure for future AWS Direct Connect integration

Network Architecture: Centralized Inspection


Overview

Implemented a Centralized Inspection Architecture to provide unified security inspection for all network traffic across the multi-account environment. This design ensures consistent security posture and simplified management of network security controls.

  • Architecture Components

    • Inspection VPC (in Networking Account)
      1. Dedicated VPC acting as the central inspection point
      2. AWS Network Firewall deployed in multiple Availability Zones
      3. Inspection subnets for stateful traffic filtering
      4. Firewall endpoints for high availability
    • Traffic Flow Design
      1. East-West Traffic: Inter-VPC communication routed through inspection VPC
      2. North-South Traffic: Internet-bound traffic inspected before egress
      3. Ingress Traffic: External requests inspected before reaching workloads
      4. Hybrid Traffic: On-premises connectivity secured through centralized inspection

  • AWS Network Firewall Implementation

    • Stateful Rule Groups
      1. Domain-based filtering for malicious sites and threat intelligence
      2. Protocol-specific inspection (HTTP/HTTPS/DNS)
      3. Custom application-layer rules
      4. Integration with AWS Managed Threat Intelligence
    • Stateless Rule Groups
      1. Fast-path filtering for known traffic patterns
      2. Capacity-based packet inspection
      3. Priority-based rule evaluation
      4. DDoS protection rules
    • Logging and Monitoring
      1. Flow logs sent to Log Archive Account
      2. Alert logs for security event detection
      3. Integration with CloudWatch for real-time monitoring
      4. Security Hub integration for centralized findings

  • Transit Gateway Integration

    • Route Table Configuration
      1. Spoke VPCs route traffic to inspection VPC via Transit Gateway
      2. Inspection VPC routes traffic back to destination via TGW
      3. Segregated routing for production and non-production environments
      4. Blackhole routes for known malicious destinations
    • Traffic Segmentation
      1. Production OU traffic isolated from Non-Production
      2. Security OU has read-only access for monitoring
      3. Shared Services accessible with controlled policies
      4. Legacy account traffic monitored during migration

Key Benefits

  • Security
    1. Single point of inspection for all network traffic
    2. Consistent security policies across all accounts
    3. Centralized threat prevention and detection
    4. Reduced attack surface with controlled egress
  • Operational Efficiency
    1. Simplified security rule management
    2. Centralized logging and compliance reporting
    3. Reduced operational overhead
    4. Automated threat intelligence updates
  • Cost Optimization
    1. Shared Network Firewall resources across accounts
    2. Reduced data transfer costs through optimized routing
    3. Eliminated redundant security appliances
    4. Predictable network security costs
  • Compliance
    1. Centralized audit trail for all network communications
    2. Enforced security policies at network level
    3. Simplified compliance reporting
    4. Support for regulatory requirements (HIPAA, SOC2)
  • Automation & Operations
    1. Leveraged Account Factory for standardized account provisioning
    2. Created golden AMI pipeline using EC2 Image Builder
    3. Implemented centralized patch management with Systems Manager
    4. Established cross-account CI/CD pipelines with AWS CodePipeline
    5. Deployed automated cost anomaly detection and budget alerts
  • Disaster Recovery
    1. Designed multi-region DR strategy with RPO/RTO targets
    2. Implemented cross-region replication for critical workloads
    3. Configured Route 53 health checks and failover routing
    4. Established quarterly DR testing procedures

Technical Deliverables

  • Documentation
    1. Comprehensive architecture blueprint (18 pages)
    2. Service Control Policy definitions for each OU
    3. Landing Zone Governance Model
    4. Account-wise component specifications
    5. Migration and connectivity strategy
    6. Baseline cost analysis
  • Infrastructure Components
    1. 18 AWS accounts with standardized configurations
    2. Multi-OU organizational structure with guardrails
    3. Centralized logging and monitoring infrastructure
    4. Cross-account IAM roles and permissions
    5. Network architecture with TGW and VPN
    6. Security tooling across all environments
  • Governance Framework
    1. 4 distinct SCP sets tailored to each OU
    2. Mandatory tagging policies for cost allocation
    3. Compliance rules for Config and Security Hub
    4. Automated remediation workflows
    5. Cost optimization and FinOps dashboard

Business Impact

  • Security & Compliance
    1. Achieved centralized security monitoring across 18 accounts
    2. Implemented automated threat detection and incident response
    3. Established audit-ready logging and compliance reporting
    4. Enforced encryption and access controls organization-wide
  • Operational Efficiency
    1. Reduced account provisioning time from days to hours
    2. Standardized CI/CD pipelines across all environments
    3. Automated patch management and configuration compliance
    4. Centralized monitoring and alerting
  • Cost Management
    1. Established visibility across all accounts ($1,070 – $1,585/month baseline)
    2. Implemented tagging strategy for cost allocation
    3. Created FinOps dashboard for ongoing optimization
    4. Projected cost savings through Savings Plans and Reserved Instances
  • Scalability & Future-Readiness
    1. Built foundation for enterprise cloud migration
    2. Designed hybrid connectivity for phased migration approach
    3. Enabled rapid onboarding of new teams and projects
    4. Established scalable networking architecture

Technologies & Services Used

  • Core AWS Services
    1. AWS Organizations & Control Tower
    2. AWS IAM Identity Center
    3. AWS Transit Gateway
    4. AWS Site-to-Site VPN
    5. Amazon Route 53
  • Security & Compliance
    1. AWS GuardDuty
    2. AWS Security Hub
    3. AWS Detective
    4. AWS Config
    5. AWS CloudTrail
    6. AWS KMS
  • Monitoring & Logging
    1. Amazon CloudWatch
    2. AWS CloudTrail
    3. VPC Flow Logs
    4. AWS Cost Explorer
  • Automation & DevOps
    1. AWS Service Catalog (Account Factory)
    2. AWS CodePipeline & CodeBuild
    3. AWS Systems Manager
    4. AWS CloudFormation
    5. AWS EC2 Image Builder
  • Integration
    1. Microsoft Entra ID (Azure AD)
    2. Git Repository Integration

Project Highlights

  • Architecture Excellence
    1. Designed solution aligned with AWS Well-Architected Framework
    2. Implemented least-privilege access across all accounts
    3. Created separation of duties between security, networking, and workloads
    4. Established disaster recovery with cross-region capabilities
  • Migration Strategy
    1. Developed 3-phase migration roadmap from on-premises to AWS
    2. Designed hybrid connectivity with redundancy and failover
    3. Planned for AWS Database Migration Service and Application Migration Service integration
    4. Documented migration approach minimizing business disruption
  • Cost Optimization
    1. Provided detailed baseline cost analysis for infrastructure
    2. Designed cost allocation strategy using mandatory tagging
    3. Implemented automated cost anomaly detection
    4. Created framework for ongoing FinOps practices

Key Competencies Demonstrated

  • Cloud Architecture: Multi-account AWS design at enterprise scale
  • Security Engineering: Comprehensive security and compliance framework
  • Network Design: Hybrid connectivity and hub-and-spoke architecture
  • Governance: Policy-driven controls using SCPs and guardrails
  • Automation: Infrastructure as Code and CI/CD implementation
  • Cost Management: FinOps practices and optimization strategies
  • Migration Planning: Phased enterprise cloud migration strategy
  • Documentation: Comprehensive technical blueprints and runbooks

Project Artifacts

  • Architecture diagrams and reference documentation
  • Service Control Policy templates
  • Landing Zone governance model
  • Account provisioning standards
  • Network design specifications
  • Cost baseline analysis
  • Migration strategy documentation

Contact & Collaboration

This project demonstrates expertise in designing and implementing enterprise-scale AWS architectures with strong emphasis on security, compliance, and operational excellence. Available for similar cloud transformation initiatives.

Core Strengths:
  • AWS Solutions Architecture
  • Multi-Account Governance
  • Cloud Security & Compliance
  • Hybrid Cloud Connectivity
  • Cost Optimization
  • Enterprise Migration Planning

This portfolio showcases a production implementation for a healthcare technology organization managing sensitive data across multiple business units. All solutions follow AWS best practices and industry compliance standards.

Network Architecture Diagram