AWS Control Tower Upgrade

  • mooneya9
  • Mar 1, 2024
  • 2 min read

Updated: Jun 12

A client had been operating with an AWS Landing Zone solution that was implemented several years earlier by a third-party provider. As AWS introduced Control Tower as its preferred framework for multi-account governance, the client sought to modernise - but was understandably cautious. With over 60 AWS accounts in production and a heavy reliance on service control policies (SCPs), the risk of a misstep was significant.


SCPs set the maximum permissions available to the accounts beneath an organisational unit; they never grant access on their own, and they do not apply to the management account. An explicit Deny in an SCP overrides every Allow in the IAM policies of the affected accounts and cannot be worked around by those accounts' administrators, so a misconfiguration - such as an unintended Deny, or a Deny whose Condition block was dropped during an edit - can immediately restrict access to critical services across the organisation. SCPs also behave as an allow-list: an action must be allowed at every level from the root down to the account, so removing or narrowing an Allow (for example the default FullAWSAccess policy) is as disruptive as adding a Deny. In an environment this size, even a minor oversight could render large parts of the infrastructure inaccessible.
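The following script is an added example, not tooling from this case study or from AWS. It shows the kind of static pre-flight check a migration team would run over the SCPs collected during the inventory before touching any attachment: each policy document (the Content field returned by aws organizations describe-policy) is parsed, unconditional Deny statements that match everything or a whole service are flagged, and the set is checked for the Allow statement without which every account beneath the attachment point is locked out. The policy names and statement contents are constructed for the demonstration; the "broken" policy is a region-restriction SCP whose Condition block has been lost.

```python
"""Pre-flight lint for a set of service control policies (SCPs).

Added example; not tooling from the case study or from AWS.  It flags the
SCP mistakes that lock accounts out fastest:
  * an unconditional Deny whose Action (or NotAction) and Resource match
    everything or a whole service, and
  * a policy set with no Allow statement at all (SCPs are an allow-list, so
    an OU whose attached SCPs allow nothing denies everything beneath it).
Policy names and contents below are constructed for the demo.
"""
import json

SAMPLE_SCPS = {
    # The AWS-managed default.  Every OU needs an Allow like this (or a
    # narrower one) or the accounts below lose access to everything.
    "FullAWSAccess": """{
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
    }""",
    # Narrow, unconditional Deny on one action: fine.
    "DenyLeaveOrganization": """{
        "Version": "2012-10-17",
        "Statement": [{"Sid": "DenyLeave", "Effect": "Deny",
                       "Action": "organizations:LeaveOrganization",
                       "Resource": "*"}]
    }""",
    # Region restriction done right: the Deny is scoped by a Condition.
    "RestrictRegions": """{
        "Version": "2012-10-17",
        "Statement": [{"Sid": "DenyOutsideEU", "Effect": "Deny",
                       "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
                       "Resource": "*",
                       "Condition": {"StringNotEquals":
                           {"aws:RequestedRegion": ["eu-west-1", "eu-west-2"]}}}]
    }""",
    # The same policy after an edit dropped the Condition: it now denies
    # every non-exempt call in every account it reaches.
    "RestrictRegionsBroken": """{
        "Version": "2012-10-17",
        "Statement": [{"Sid": "DenyOutsideEU", "Effect": "Deny",
                       "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],
                       "Resource": "*"}]
    }""",
    # Service-wide Deny.  Possibly intended, but worth an explicit review.
    "DenyEC2": """{
        "Version": "2012-10-17",
        "Statement": [{"Sid": "NoEC2", "Effect": "Deny",
                       "Action": "ec2:*", "Resource": "*"}]
    }""",
}

def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _deny_breadth(stmt):
    """Severity of an unconditional Deny, or None if it is narrow enough."""
    if stmt.get("Condition"):
        return None  # scoped (region, principal, tag...); not a blanket deny
    if "*" not in _as_list(stmt.get("Resource")) and "NotResource" not in stmt:
        return None  # limited to specific resources
    if "NotAction" in stmt or "*" in _as_list(stmt.get("Action")):
        return "critical"  # denies everything, or everything but a short list
    if any(a.endswith(":*") for a in _as_list(stmt.get("Action"))):
        return "high"  # takes out a whole service
    return None

def lint_scps(scps):
    """scps: mapping of policy name -> policy document, as a JSON string (the
    Content field of `aws organizations describe-policy`) or a parsed dict.
    Returns the broad-Deny findings and whether the set allows anything."""
    findings = []
    allows_anything = False
    for name, doc in scps.items():
        policy = json.loads(doc) if isinstance(doc, str) else doc
        for i, stmt in enumerate(_as_list(policy.get("Statement"))):
            if stmt.get("Effect") == "Allow":
                allows_anything = True
            elif stmt.get("Effect") == "Deny":
                severity = _deny_breadth(stmt)
                if severity:
                    findings.append({"policy": name,
                                     "sid": stmt.get("Sid", f"Statement[{i}]"),
                                     "severity": severity})
    return {"findings": findings, "allows_anything": allows_anything}

if __name__ == "__main__":
    report = lint_scps(SAMPLE_SCPS)
    for f in report["findings"]:
        print(f"{f['severity'].upper():8} {f['policy']} / {f['sid']}")
    if not report["allows_anything"]:
        print("WARNING: no Allow statement in this set; everything beneath it is denied")
```

In practice the input would be the policies attached at one root, OU or account, collected with aws organizations list-policies-for-target and describe-policy, and the check would be repeated for every level on the path to an account, since an Allow missing at any one level denies the action. The lint treats any Condition as adequate scoping, so condition-bearing Deny statements still deserve a manual read; its job is to catch the blanket and service-wide denies that a reviewer skimming sixty accounts' worth of JSON would miss.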


Beyond the SCPs, Control Tower introduces architectural and governance changes that require a clean transition. The original AWS Landing Zone solution is no longer supported, and several of its components are deprecated and must be safely decommissioned once Control Tower provides their function. Integration points with services such as AWS Transit Gateway, Direct Connect, and the network security appliances also had to be preserved through the cutover.


The first and most critical step was to create a complete inventory of the environment. Over several days, we audited the configuration of all accounts, networking elements, IAM structures, and dependencies. This included documenting how each account interacted with centralised infrastructure and security controls.


This discovery process was the foundation of the entire migration. With a clear understanding of the environment, we could proceed with confidence.


The upgrade to Control Tower was then executed, with each phase validated against the documented state. The migration proceeded without issue, and once Control Tower was fully deployed, the previous Landing Zone framework was decommissioned cleanly.


A comprehensive handover document was delivered to the client’s internal IT team, detailing the structure of the new Control Tower setup and providing operational guidance for ongoing management.


The migration was completed successfully with zero service disruption. The key to the outcome was the thorough upfront analysis, which allowed all changes to be implemented with full awareness of their potential impact. In projects involving broad governance changes across many AWS accounts, preparation and understanding of the existing environment are essential to ensuring a smooth transition.

 
 
