AWS - Control Tower Enum
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Control Tower
note
In summary, Control Tower is a service that allows you to define policies for all the accounts inside your org. So instead of managing each of them individually, you can set policies from Control Tower that will be applied to all of them.
AWS Control Tower is a service provided by Amazon Web Services (AWS) that enables organizations to set up and govern a secure, compliant, multi-account environment in AWS.
AWS Control Tower provides a pre-defined set of best-practice blueprints that can be customized to meet specific organizational requirements. These blueprints include pre-configured AWS services and features, such as AWS Single Sign-On (SSO), AWS Config, AWS CloudTrail, and AWS Service Catalog.
With AWS Control Tower, administrators can quickly set up a multi-account environment that meets organizational requirements, such as security and compliance. The service provides a central dashboard to view and manage accounts and resources, and it also automates the provisioning of accounts, services, and policies.
In addition, AWS Control Tower provides guardrails, which are a set of pre-configured policies that ensure the environment remains compliant with organizational requirements. These policies can be customized to meet specific needs.
Overall, AWS Control Tower simplifies the process of setting up and managing a secure, compliant, multi-account environment in AWS, making it easier for organizations to focus on their core business objectives.
Enumeration
For enumerating Control Tower controls, you first need to have enumerated the org (the management account ID and the OU IDs), because controls are enabled per OU and inherited by the accounts inside it:
# Get controls enabled on an OU (OU ARN = arn:aws:organizations::<mgmt_acc_id>:ou/<org-id>/<ou-id>)
aws controltower list-enabled-controls --target-identifier arn:aws:organizations::<mgmt_acc_id>:ou/<org-id>/<ou-id>
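As an added example (not code from the HackTricks page), the following Python helper builds the OU ARN the command above expects and takes the JSON that `list-enabled-controls` returns for each OU, reporting which expected guardrails are missing on which OU; the account, org, OU and control identifiers in the sample are constructed.

```python
import json

# Constructed sample responses, one per OU, in the shape returned by
# `aws controltower list-enabled-controls --target-identifier <ou-arn>`.
# Account, organization, OU and control identifiers here are made up.
SAMPLE_RESPONSES = {
    "arn:aws:organizations::111111111111:ou/o-exampleorg1/ou-root-aaaa1111": json.dumps({
        "enabledControls": [
            {"controlIdentifier": "arn:aws:controltower:us-east-1::control/EXAMPLE_DENY_ROOT",
             "arn": "arn:aws:controltower:us-east-1:111111111111:enabledcontrol/abc"},
            {"controlIdentifier": "arn:aws:controltower:us-east-1::control/EXAMPLE_CLOUDTRAIL_ON",
             "arn": "arn:aws:controltower:us-east-1:111111111111:enabledcontrol/def"},
        ]
    }),
    "arn:aws:organizations::111111111111:ou/o-exampleorg1/ou-sbox-bbbb2222": json.dumps({
        "enabledControls": [
            {"controlIdentifier": "arn:aws:controltower:us-east-1::control/EXAMPLE_CLOUDTRAIL_ON",
             "arn": "arn:aws:controltower:us-east-1:111111111111:enabledcontrol/ghi"},
        ]
    }),
}

# Guardrails a defender expects to be enabled on every OU (constructed names).
REQUIRED_CONTROLS = {"EXAMPLE_DENY_ROOT", "EXAMPLE_CLOUDTRAIL_ON"}


def ou_arn(mgmt_account_id: str, org_id: str, ou_id: str) -> str:
    """Build the Organizations OU ARN that list-enabled-controls takes as target."""
    return f"arn:aws:organizations::{mgmt_account_id}:ou/{org_id}/{ou_id}"


def control_ids(response_json: str) -> set[str]:
    """Return the short control IDs (the text after 'control/') from one response."""
    data = json.loads(response_json)
    return {c["controlIdentifier"].rsplit("control/", 1)[1]
            for c in data.get("enabledControls", [])}


def coverage_report(responses: dict[str, str], required: set[str]) -> dict[str, list[str]]:
    """Map each OU ARN to the sorted list of required controls that are not enabled on it."""
    return {ou: sorted(required - control_ids(body)) for ou, body in responses.items()}


if __name__ == "__main__":
    for ou, missing in coverage_report(SAMPLE_RESPONSES, REQUIRED_CONTROLS).items():
        print(ou, "OK" if not missing else "missing: " + ", ".join(missing))
```

In a real run, replace SAMPLE_RESPONSES with the output of the CLI call for every OU returned by the Organizations enumeration.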
warning
Control Tower can also use Account Factory to execute CloudFormation templates in accounts and run services (privesc, post-exploitation...) in those accounts.
Post Exploitation & Persistence
AWS - Control Tower Post Exploitation