The organization uses AWS Control Tower to establish a secure, compliant multi-account landing zone. The landing zone, managed from a dedicated account, defines the organizational structure: security, internal, NPR networking, PRD networking, and deprecated OUs. AWS Organizations provides centralized management, with Service Control Policies (SCPs) enforced at the OU level. Account Factory for Terraform (AFT) provides GitOps-based automation for provisioning accounts and applying baseline configurations, tags, and roles.

The regional strategy uses eu-west-2 for workloads and us-east-1 for SSO and the Control Tower backend. Networking relies on Transit Gateways, Internet Gateways, NAT Gateways, and Network Firewalls hosted in shared-services accounts.

Governance combines preventive (SCPs), detective (Config, Security Hub), and proactive (CloudFormation hooks) controls. Core SCPs enforce security best practices such as region restrictions, access control, and tag enforcement. The deployment workflow is: enable Control Tower, bootstrap AFT, create OUs with their SCPs, then provision accounts automatically. Future improvements include policy staging, proactive controls like CloudFormation Hooks, and automated compliance checks.
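As an added example (not the organization's own code), the following Terraform shows what two of the "core SCPs" named above typically look like when managed through AWS Organizations: a region restriction that allows only eu-west-2 and us-east-1, and a tag-enforcement policy that denies creating selected resources without a required tag. The OU id in `var.target_ou_id`, the tag key `CostCentre`, the list of global-service exemptions, and the set of denied create actions are assumptions chosen for this example.

```hcl
# Added example, not the landing zone's own code. Assumed values are marked.

variable "target_ou_id" {
  description = "Assumed: id of the OU to attach the SCPs to (placeholder, e.g. ou-xxxx-xxxxxxxx)"
  type        = string
}

locals {
  # eu-west-2 for workloads, us-east-1 for SSO and the Control Tower backend
  allowed_regions = ["eu-west-2", "us-east-1"]

  # Assumed exemption list: global services are not region-scoped, so a region
  # deny that does not exempt them can break IAM, STS and Organizations calls.
  global_service_actions = [
    "iam:*",
    "organizations:*",
    "sts:*",
    "support:*",
    "budgets:*",
    "cloudfront:*",
    "route53:*",
    "health:*",
    "access-analyzer:*",
  ]
}

resource "aws_organizations_policy" "deny_unapproved_regions" {
  name        = "deny-unapproved-regions"
  description = "Deny API calls outside the approved regions, except global services"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "DenyUnapprovedRegions"
        Effect    = "Deny"
        NotAction = local.global_service_actions
        Resource  = "*"
        Condition = {
          StringNotEquals = {
            "aws:RequestedRegion" = local.allowed_regions
          }
        }
      }
    ]
  })
}

resource "aws_organizations_policy" "require_cost_centre_tag" {
  name        = "require-cost-centre-tag"
  description = "Deny creating instances, volumes and RDS instances without a CostCentre tag"
  type        = "SERVICE_CONTROL_POLICY"

  content = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Resource is scoped to the created resource types: RunInstances also
        # evaluates image, subnet and security-group resources, which carry no
        # request tags and would otherwise always match the Null condition.
        Sid    = "DenyUntaggedEc2Create"
        Effect = "Deny"
        Action = ["ec2:RunInstances", "ec2:CreateVolume"]
        Resource = [
          "arn:aws:ec2:*:*:instance/*",
          "arn:aws:ec2:*:*:volume/*",
        ]
        Condition = {
          Null = { "aws:RequestTag/CostCentre" = "true" }
        }
      },
      {
        Sid      = "DenyUntaggedRdsCreate"
        Effect   = "Deny"
        Action   = ["rds:CreateDBInstance"]
        Resource = "arn:aws:rds:*:*:db:*"
        Condition = {
          Null = { "aws:RequestTag/CostCentre" = "true" }
        }
      }
    ]
  })
}

resource "aws_organizations_policy_attachment" "regions" {
  policy_id = aws_organizations_policy.deny_unapproved_regions.id
  target_id = var.target_ou_id
}

resource "aws_organizations_policy_attachment" "tags" {
  policy_id = aws_organizations_policy.require_cost_centre_tag.id
  target_id = var.target_ou_id
}
```

Two checks worth keeping in mind when rolling out policies like these: SCPs never apply to the organization's management account, so controls that must also cover it need a different mechanism; and because a region deny is all-or-nothing for the accounts under the OU, attaching it first to a staging OU (the "policy staging" improvement mentioned above) and reviewing CloudTrail for `AccessDenied` events is the usual way to find services that still need an exemption before it reaches production OUs.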