control tower - cirelledo-csa/herd GitHub Wiki

AWS Control Tower Service

TL;DR: Control Tower automates the set-up and governance of a secure, well-architected environment (a landing zone with shared services and well-defined development and product accounts).

Why use Control Tower?

It's a supported service and the easiest way to set up and govern AWS at scale. Specifically, it provides:

Account Blueprints for

  • identity management
  • federated access to accounts
  • centralized logging
  • cross-account security audits
  • workflows for provisioning accounts
  • account baselines with network configurations

Automated ongoing policy management

  • guardrails - strongly recommended service control policies (SCPs)
  • policy violation detection using AWS Config rules; the rules stay in effect as new accounts are created and are also applied to existing accounts
  • a summary report of how our accounts conform to the enabled policies
  • policy-level summaries of our AWS environment
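To make the SCP guardrail mechanism concrete, the following is an added Python example (not from this wiki or from AWS) that applies simplified SCP evaluation, where an explicit Deny wins over any Allow and everything unmatched is implicitly denied, to a constructed policy modelled on the "Disallow changes to CloudTrail" guardrail. The policy text and the `evaluate_scp` / `blocked_actions` helpers are assumptions, and Resource, Condition and NotAction elements are ignored.

```python
"""Evaluate whether an API action is blocked by a guardrail-style SCP.

Simplified SCP semantics: the result is "Deny" if any statement with
Effect "Deny" matches the action, otherwise "Allow" if an Allow statement
matches, otherwise implicit "Deny". Resource, Condition and NotAction are
not modelled here (assumption, not the full IAM evaluation logic).
"""
import fnmatch
import json

# Constructed SCP modelled on Control Tower's "Disallow changes to
# CloudTrail" guardrail; the exact action list is an assumption.
GUARDRAIL_SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_scp(policy, action):
    """Return "Deny" or "Allow" for `action` under `policy`."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit deny


def blocked_actions(policy, actions):
    """Return the subset of `actions` that the policy denies."""
    return [a for a in actions if evaluate_scp(policy, a) == "Deny"]
```

Because the guardrail is a Deny statement, it blocks the listed CloudTrail changes even in an account whose own IAM policies allow them, which is why Control Tower can apply it uniformly to new and existing accounts.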

Integrated dashboard

  • provisioned accounts details
  • guardrails enabled across our accounts
  • account compliance status