TowerControls.Ai

TowerControls for your AWS org — stand up landing zones, migrate accounts, and stay continuously compliant, all without the console.

Your AWS organization at a glance — live posture, the org map, and a way into every area. Pick a track below, or grab a guide from Help.
Environment overview
Your whole AWS org at a glance — accounts, OUs and live posture. Click any account for detail.
Legend: Management (root) · Audit / Security · Log Archive · Workload · Sandbox

Tower Status ✦ AI — an AI-generated assessment of your environment.

AWS Accelerator-Pipeline


Click any stage for action details + CFN events.

How to use it

Start with the wizard. Answer a couple of questions — what you want to do (create, bring accounts in, manage, close) and, for an existing account, its id. The wizard picks the right ordered path and grounds the recommendation in a live dependency scan.

Then follow the steps. Click Open on a step and the wizard pre-fills that screen with the account you gave it. Steps marked gate are go/no-go: hit Run check and the next step only unlocks once the dependency scan, readiness, or verify passes. Prefer to drive yourself? Use the "Or jump straight to a task" tiles, or the left nav.

Or jump straight to a task
How to use it

A vetted library of Service & Resource Control Policies and the Control Tower controls catalog, each mapped to NIST. Get an AI blast-radius read before you attach anything. Applying is generate-and-guide — the dashboard emits the exact command; it never silently attaches an org-wide deny.

How to use it

What it does. Stands up a brand-new AWS Control Tower landing zone from scratch — the Day-0 substrate that LZA runs on — optionally with AI drafting the design.

How it works. Describe your org (or fill the form), run read-only preflight checks, forecast the cost, and generate the CreateLandingZone manifest + CLI. Generate-and-guide by default; with writes on you can launch it directly behind a typed confirmation. Then generate a starter LZA config repo so you land in the day-2 flows.


1 · Describe your landing zone

Tell us about your org in plain English and let AI draft the plan — or skip and fill it in below.

2 · Plan

Editable. These feed the Control Tower manifest and the generated LZA config.

Permanent. Control Tower’s home region can’t be changed after the landing zone is set up. Defaults to this account’s region — change it if your org lives elsewhere.

Governed regions — where guardrails apply (home region is always governed)

Shared accounts

3 · Make the org ready (writes)

Control Tower needs an all-features org, the two shared accounts (Log Archive + Audit), and no conflicting Config recorder in the governed regions. Check here, then fix each in place — fixes are gated on writes.

Overview
NIST 800-53 posture — read from the Audit account's aggregator, fixes pushed down into each account.
How to use it

A snapshot of your NIST 800-53 / FedRAMP posture — the ATO readiness score, control coverage, and what needs your attention first.

How to use it

A live map of every account in your AWS Organization, grouped by OU and graded for NIST posture. Click an account for its detail; the Audit account is where org-wide posture is read from.

Organization Map
Every account in the org, placed under its OU and labelled by role. The Audit account is the security delegated-administrator — where posture is read from.
Browse by OU
Fold out any OU to see its accounts and grades.

Organizational Units

What each governance boundary contains and enforces. Move accounts, target guardrails, and add (nested) OUs — every change ships as a config PR through the pipeline.

How to use it

Organizational Units are the governance boundaries Control Tower and the Landing Zone Accelerator enforce against — baselines, SCPs and account membership all target an OU. Here you see each OU, what it contains, and what's enforced on it. Add a new (or nested) OU with the field below; move an account into an OU from Account Ops → Manage. Every change is written to organization-config.yaml and ships as a config PR through the pipeline, which creates and registers the OU with Control Tower — nothing is changed live by hand.

Legend: ok · drift / partial · failing

How to use it

Audit-ready reports built from your live assessment — OSCAL SSP, SAR and POA&M, plus a posture summary. They pull in your controls, evidence artifacts and POA&M items. Download as a rich PDF, or JSON for the OSCAL models.

Reports
System Security Plan · Security Assessment Report · POA&M · Posture — generated from the live NIST 800-53 assessment, pulling in your controls, evidence artifacts and POA&M items. Download as a rich PDF, or JSON for the OSCAL models.
How to use it

Downloadable documentation for TowerControls — a Quick Start for onboarding, the full User Manual, and an Administrator Guide, each branded and rich with screenshots and step-by-step directions, plus the product white paper under Documents.

Help & Guides
Branded, screenshot-rich PDF guides generated on demand. Hand them to new users, or keep them for reference.
Documents
Reference documents — download and share.
How to use it

The Jira intake queue — tickets labelled ct-intake are pulled in here so you can review the prepared plan and approve account actions before they run.

Work — Jira intake queue

Pulls ct-intake tickets, preps each, and comments the plan back. Approve here, or add ct-approve on the ticket in Jira. Click Sync from Jira to pull in new tickets.

How to use it

Run the safety checks built into the create / migrate / close flows on their own, against any account — pre-flight before an action or verify the result after.

Checks — pre-flight & verification

Run safety checks before an action or verify the result after. These are the same checks built into the create, migrate and close flows — here you can run them on their own, against any account.

FISMA-High posture NIST 800-53 r5

Reads AWS Security Hub's NIST 800-53 Rev 5 controls and reports a compliance score, the failing controls, a severity breakdown, and a breakdown by control family. The Migrate → Baseline phase turns this monitoring on; here you see what its ongoing scanning produces.

How to use it

Two ways to create. If you run a Control Tower / LZA pipeline, use the GitOps form (left). If you don't have a pipeline, use the "No pipeline? Create directly" card (lower down) to create straight through AWS Organizations.

GitOps form. Fill it in and click Preview YAML to see the exact change to accounts-config.yaml (and iam-config.yaml if you pick assignments). Apply opens a feature-branch pull request in CodeCommit — you review and merge, then the AWS Accelerator-Pipeline creates the account (~25–40 min). The dashboard only assigns roles and groups that already exist, never creates them, and needs a justification (logged) with per-day and total account caps.

Direct create. Enter a name, a unique email, and a justification, then Create account. It calls organizations:CreateAccount and shows the new account id when it lands (about a minute) — gated on writes being enabled. The new account gets OrganizationAccountAccessRole and joins the org.

New Workload Account

Adds an entry to accounts-config.yaml::workloadAccounts and, optionally, deploys existing IAM roles and groups to the new account. The dashboard never creates new IAM roles, groups, or OUs — only assigns existing ones.

Deploy existing roles to this account (optional)

Deploy existing groups to this account (optional)

No pipeline? Create directly (writes)

For an org without a Control Tower / LZA pipeline — create the account straight through AWS Organizations, gated. (The form above is the GitOps path, which needs a pipeline to provision it.)

How to use it

What it does. Change an account that already exists, two ways: unassign roles or groups currently deployed to it, or remove its workloadAccounts entry from the config.

How it works. Pick the account, tick what to unassign (or confirm the removal), Preview, then Apply to open a PR. Removal is refused if the AWS account already exists in Organizations — at that point use the Closure tab instead. Same dry-run and PR gate; the dashboard never merges.

Manage existing account

Two inverse operations: unassign roles/groups currently deployed to an account, or remove the workloadAccounts entry (only if the AWS account doesn't already exist). Both go through the same dry-run / live + PR gate.

Currently deployed roles (tick to unassign)

Pick an account above to see its current role deployments.

Currently deployed groups (tick to unassign)

Pick an account above to see its current group deployments.

Danger zone — remove workloadAccounts entry

Cuts the entry from accounts-config.yaml and strips the account from any role/group deployments. Refused if the AWS account already exists in Organizations — at that point you need the account-closure procedure, not a YAML edit.

How to use it

What it does. A read-only, filterable list of every live account in the AWS Organization — the same accounts the Org Map shows, with each account's NIST grade and whether it's declared in accounts-config.yaml.

How it works. Filter by OU or role, or search by name or account id. Declared = present in the LZA config; live only = exists in the org but not in the declared config.

Columns: Name · Account ID · OU · Role · NIST · Declared

How to use it

What it does. Compares what is declared in the config repo against what is live in AWS Organizations.

How it works. Click Recompute to flag two kinds of drift: missing_in_aws (declared but not provisioned, or a failed creation) and orphan_in_aws (exists in AWS with no YAML entry). Read-only.

Org Hygiene — declared config vs live AWS Organizations

orphan_in_aws = a live account with no config entry — this is what halts the LZA pipeline. Quarantine parks it in the ignored holding OU so LZA leaves it alone; Close retires it. parked = already in the holding OU. missing_in_aws = declared but not provisioned yet.

Columns: Kind · Account · Placement · Resolve

How to use it

What it does. Verifies an account is actually provisioned, correctly placed, governed by SCPs, and covered by the declared baseline — the assurance a green pipeline run does not give you.

How it works. Enter an account id or name and Run. It checks Organizations placement, attached SCPs, org CloudTrail, the security-config.yaml baseline, assignments and drift, and (if it can assume into the account) live in-account settings. It also flags accounts that exist in AWS but have no accounts-config.yaml entry. Nothing is changed; the verdict is recorded to the audit log.

Account readiness (post-provision / post-migration verification — read-only)

Confirms an account is actually provisioned, correctly placed, governed by SCPs, and covered by the declared baseline — the assurance the pipeline's green light doesn't give you. Nothing is modified; every result is recorded to the audit log.

How to use it

What it does. A guided pre-flight checklist for closing an existing AWS account, plus the real, gated close.

How it works. Enter the account id and Dry-run all checks to run the automatable verifications (OU placement, YAML state, status) without changing anything. Then, in the Close this account card, click Pre-flight & close: it shows the guards (it refuses the management account and delegated administrators), and if they pass you type CLOSE <id> to confirm. The account is suspended immediately and AWS permanently deletes it after 90 days (reversible via AWS Support during that window). The 7-day minimum people remember is for removing an account from the org, not closing it.

Account closure (pre-flight checklist — the real, gated close is the card below)

For removing an existing AWS account. The Dry-run all checks button runs every automatable verification (account age, OU placement, YAML state) without changing anything — use it before you start. Each step is then yours to run manually; the dashboard records that you ran it.

Close this account (writes · real)

Runs the real organizations:CloseAccount on the id above — gated by a typed confirmation. It refuses the management account and delegated administrators. The account is suspended immediately and AWS permanently deletes it after 90 days (reversible via AWS Support during that window).
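The guard sequence the two cards above describe, as an added example that is not TowerControls code: it refuses the management account and delegated administrators, requires the typed CLOSE <id> confirmation, only accepts an ACTIVE member, and reports the 90-day window. ORG is a constructed snapshot standing in for what DescribeOrganization, ListAccounts and ListDelegatedAdministrators would return; the writes_enabled flag and the still_declared warning are assumptions, and nothing here calls AWS or closes anything.

```python
"""Closure pre-flight guards ahead of organizations:CloseAccount.

Added example, not TowerControls code. Models the page's guards and the
post-closure timeline; makes no AWS call.
"""
from datetime import datetime, timedelta, timezone

# AWS keeps a closed account recoverable (via Support) for 90 days.
POST_CLOSURE_DAYS = 90

# Constructed org snapshot; account ids are placeholders.
ORG = {
    "management_account_id": "111111111111",
    "delegated_administrators": {"222222222222"},   # e.g. the Audit account
    "accounts": {
        "111111111111": {"Name": "Management", "Status": "ACTIVE"},
        "222222222222": {"Name": "Audit", "Status": "ACTIVE"},
        "333333333333": {"Name": "Payments-Dev", "Status": "ACTIVE"},
        "444444444444": {"Name": "old-sandbox", "Status": "SUSPENDED"},
    },
}


def closure_preflight(account_id, typed_confirmation, org=ORG,
                      writes_enabled=False, still_declared=False):
    """Return {'allowed', 'blocks', 'warnings'} for a proposed close.

    Every guard is evaluated so the operator sees the full list, not just
    the first failure. 'allowed' is True only when no block fired.
    """
    blocks, warnings = [], []
    acct = org["accounts"].get(account_id)
    if acct is None:
        blocks.append("account is not a member of this organization")
    elif acct["Status"] != "ACTIVE":
        blocks.append(f"account status is {acct['Status']}, not ACTIVE")
    if account_id == org["management_account_id"]:
        blocks.append("refusing to close the management account")
    if account_id in org["delegated_administrators"]:
        blocks.append("account is a delegated administrator; deregister it first")
    if typed_confirmation != f"CLOSE {account_id}":
        blocks.append("typed confirmation does not match 'CLOSE <id>'")
    if not writes_enabled:
        blocks.append("writes are disabled; enable writes to run the real close")
    if still_declared:
        # Assumed policy: a closed account with a workloadAccounts entry
        # would show up as missing_in_aws on the next hygiene recompute.
        warnings.append("account is still declared in accounts-config.yaml; "
                        "remove the entry in the same change")
    return {"account_id": account_id, "allowed": not blocks,
            "blocks": blocks, "warnings": warnings}


def closure_timeline(closed_at):
    """Suspension is immediate; permanent deletion follows the 90-day window."""
    if closed_at.tzinfo is None:
        closed_at = closed_at.replace(tzinfo=timezone.utc)
    return {"suspended_at": closed_at,
            "deleted_after": closed_at + timedelta(days=POST_CLOSURE_DAYS)}


if __name__ == "__main__":
    for acct_id in ORG["accounts"]:
        verdict = closure_preflight(acct_id, f"CLOSE {acct_id}", writes_enabled=True)
        print(acct_id, "allowed" if verdict["allowed"] else verdict["blocks"])
    print(closure_timeline(datetime.now(timezone.utc)))
```

Run it as-is to see each constructed account's verdict; the only one that passes is the plain ACTIVE workload account with a matching confirmation and writes enabled.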

How to use it

What it does. A read-only view of who can access what across the org. AWS IAM Identity Center (SSO) is the primary Control Tower access model — the permission sets (the roles users assume in an account), the groups, and the assignments that grant a group a permission set on specific accounts.

How it works. Everything here is read live from IAM Identity Center — nothing is created or changed. To grant access, make the assignment in Identity Center. The classic IAM roles & groups LZA provisions from iam-config.yaml (break-glass, service/automation) are shown at the bottom when present — most Control Tower orgs use Identity Center and leave those empty.

IAM Identity Center — access
Permission sets (roles) and groups that exist in your org right now — the primary Control Tower access model. Read-only.
Permission sets — roles
Groups
Assignments
Who can access what — each group or user granted a permission set on an account. Read live from Identity Center.
Columns: Account · Group / user · Permission set (role) · Managed by
IAM roles & groups (LZA)
Classic IAM that LZA provisions into accounts from iam-config.yaml — break-glass, service and automation roles. Separate from Identity Center. Read-only.

Role sets

Columns: Role · Target · Assumed by · AWS managed · Customer managed · Inst. profile

Group sets

Columns: Group · Target · AWS managed · Customer managed

How to use it

What it does. Configure a two-org account migration: the source org the accounts leave, the destination (FISMA-High) org they join, member-account access, the accounts to move, the baseline toggles, and Control Tower enrollment.

How it works. Fill it in and Save — the config persists to .migration/migration-config.json and every other Migration tab reads from here. Live moves only run when LZA_ALLOW_WRITES=1.

Migration config

Two-org account migration: pulls accounts out of source_org, hands them into dest_org, optionally baselines + enrolls under Control Tower. Config persisted to .migration/migration-config.json. Live moves are gated by LZA_ALLOW_WRITES=1.

Source org (the one accounts leave)

Destination org (the one accounts join)

Member access (per-account credentials)

Accounts to migrate (one per line: account_id,name)

FISMA High baseline toggles

Control Tower enrollment

How to use it

What it does. Confirms every credential context in your migration config actually works, before you run a phase.

How it works. Calls sts:GetCallerIdentity against the source org, the destination org, and each member account. Read-only and safe to run any time — green when every context resolves, red lists the failures. Run it before any phase.

Preflight

Calls sts:GetCallerIdentity on every credential context in the config — source org, dest org, and each member account. Read-only; safe to run any time. Run before any phase.

Dependency scan

Read-only “will it break” report for one account before it leaves the org — SCPs, RAM shares, delegated-admin roles, Identity Center assignments and security-tooling membership that don't follow the move.

How to use it

What it does. Phase 1. A read-only assessment of one account before you move it — org attachment, IAM surface, integrations, footprint, and SCP exposure.

How it works. Pick the account and Dry-run (Apply behaves the same; there are no destructive calls). It surfaces anything that could block the move and writes a report to .migration/reports/.

Phase 1 · Inventory

Read-only assessment of one account: org attachment, IAM surface, integrations, footprint, SCP exposure. Writes a report to .migration/reports/<account>.inventory.json. Safe to run anytime.

How to use it

What it does. Phase 2 (destructive). Actually moves the account out of the source org and into the destination org's target OU.

How it works. Removes the account from the source org, waits for it to go standalone, invites it to the destination, accepts the handshake, and moves it into the OU. It is atomic but irreversible — you cannot put an account back. Always dry-run first; live runs require LZA_ALLOW_WRITES=1 and can poll for up to 5 minutes.

Phase 2 · Move (destructive)

Removes the account from source org, waits for it to go standalone, invites it to dest org, accepts the handshake, moves it into the target OU. Atomic but irreversible — you can't "put back" an account that left an org. Live runs require LZA_ALLOW_WRITES=1.

How to use it

What it does. Phase 3. Applies the FISMA-High control baseline to the account.

How it works. Sets up SCPs, AWS Config, Security Hub, GuardDuty, CloudTrail (verify), the IAM password policy, default EBS encryption, and the S3 public-access block — each control idempotent, with toggles set in Setup. Writes a baseline report. Live runs require LZA_ALLOW_WRITES=1.

Phase 3 · Baseline

Applies FISMA High controls to the account: SCPs, AWS Config, Security Hub, GuardDuty, CloudTrail (verify), IAM password policy, EBS default encryption, S3 public-access block. Live runs require LZA_ALLOW_WRITES=1.

How to use it

What it does. Phase 4. Verifies the account is governed by Control Tower and that its networking and security actually took effect.

How it works. Confirms the account is in the Control Tower-registered OU, that a shared subnet is attached, and that Security Hub is on, then emails a summary of all the checks. Account Factory enrollment via Service Catalog stays operator-gated.

Phase 4 · Enroll

Verify the account lives in the Control Tower-registered OU, then confirm a shared subnet is attached (networking plumbed) and that Security Hub is turned on. If Account Factory mode is on, surfaces the launch parameters — actual enrollment via Service Catalog is operator-gated.

How to use it

What it does. Finds accounts already in your AWS Organization that LZA does not manage (not declared in accounts-config), and generates the entry to adopt each one — bringing it under the baseline + guardrails. No account is created.

How it works. Reads organizations:ListAccounts and subtracts what's declared in the LZA config. Pick a destination OU and it generates the accounts-config.yaml entry — commit it and the pipeline enrolls the account.

Adopt unmanaged accounts

accounts in the org but not in the LZA config
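The Accounts list's declared / live-only flag, the Org Hygiene recompute (missing_in_aws, orphan_in_aws, parked) and the Adopt step above are all the same reconciliation: the declared workloadAccounts set against the live organizations:ListAccounts set. Here is that reconciliation as one added example, not TowerControls code. DECLARED and LIVE are constructed in-line (LIVE carries each account's parent OU as if already resolved with ListParents), the holding-OU name "Quarantine" is an assumption, the resolve texts paraphrase the page, and the generated YAML uses the LZA accounts-config.yaml keys name, description, email and organizationalUnit. No AWS call is made.

```python
"""Declared-vs-live reconciliation for an LZA-managed org (added example).

LZA identifies an account by its root email, so matching is by email,
case-insensitively, not by name or id.
"""

# Assumed name of the ignored holding OU quarantined accounts are parked in.
HOLDING_OU = "Quarantine"

# Constructed: workloadAccounts entries as parsed from accounts-config.yaml.
DECLARED = [
    {"name": "Network", "email": "aws+network@example.com", "organizationalUnit": "Infrastructure"},
    {"name": "Payments-Prod", "email": "aws+payments-prod@example.com", "organizationalUnit": "Workloads/Prod"},
    {"name": "Payments-Dev", "email": "aws+payments-dev@example.com", "organizationalUnit": "Workloads/Dev"},
    {"name": "Analytics", "email": "aws+analytics@example.com", "organizationalUnit": "Workloads/Prod"},
]

# Constructed: live accounts; ids are placeholders, "Ou" is the resolved parent.
LIVE = [
    {"Id": "111111111111", "Name": "Network", "Email": "aws+network@example.com", "Status": "ACTIVE", "Ou": "Infrastructure"},
    {"Id": "222222222222", "Name": "Payments-Prod", "Email": "AWS+Payments-Prod@example.com", "Status": "ACTIVE", "Ou": "Workloads/Prod"},
    {"Id": "333333333333", "Name": "Payments-Dev", "Email": "aws+payments-dev@example.com", "Status": "ACTIVE", "Ou": "Workloads/Dev"},
    {"Id": "444444444444", "Name": "legacy-billing", "Email": "legacy-billing@example.com", "Status": "ACTIVE", "Ou": "Workloads/Prod"},
    {"Id": "555555555555", "Name": "old-sandbox", "Email": "old-sandbox@example.com", "Status": "ACTIVE", "Ou": "Quarantine"},
]


def declared_flag(account, declared):
    """Accounts-list column: 'declared' if the config knows the account."""
    emails = {d["email"].lower() for d in declared}
    return "declared" if account["Email"].lower() in emails else "live only"


def compute_drift(declared, live, holding_ou=HOLDING_OU):
    """Org Hygiene rows: kind / account / placement / resolve."""
    declared_by_email = {d["email"].lower(): d for d in declared}
    live_by_email = {a["Email"].lower(): a for a in live}
    rows = []
    for email, d in declared_by_email.items():
        if email not in live_by_email:
            rows.append({"kind": "missing_in_aws", "account": d["name"],
                         "placement": d["organizationalUnit"],
                         "resolve": "wait for the pipeline, or inspect the failed creation"})
    for email, a in live_by_email.items():
        if email in declared_by_email:
            continue
        if a["Ou"] == holding_ou:
            rows.append({"kind": "parked", "account": a["Id"], "placement": a["Ou"],
                         "resolve": "adopt or close"})
        else:
            # This is the case that halts the LZA pipeline.
            rows.append({"kind": "orphan_in_aws", "account": a["Id"], "placement": a["Ou"],
                         "resolve": "quarantine (move to holding OU), adopt, or close"})
    return sorted(rows, key=lambda r: (r["kind"], r["account"]))


def unmanaged(declared, live):
    """Adopt screen: live accounts with no config entry, holding OU included."""
    emails = {d["email"].lower() for d in declared}
    return [a for a in live if a["Email"].lower() not in emails]


def adoption_entry(account, destination_ou):
    """The accounts-config.yaml workloadAccounts entry that adopts an account."""
    return (
        f"  - name: {account['Name']}\n"
        f"    description: Adopted from the live org (account {account['Id']})\n"
        f"    email: {account['Email']}\n"
        f"    organizationalUnit: {destination_ou}\n"
    )


if __name__ == "__main__":
    for row in compute_drift(DECLARED, LIVE):
        print(row)
    for acct in unmanaged(DECLARED, LIVE):
        print(adoption_entry(acct, "Workloads/Prod"))
```

Committing the generated entry is what the page means by "the pipeline enrolls the account": the YAML is the source of truth, and the recompute goes green only once the live set and the declared set agree.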
How to use it

What it does. The "after" bookend to the dependency scan — confirms an account landed under management post-move: active, in a managed OU + declared in the LZA config, has a Config recorder, SSO access and security-tooling membership. Then bundles a FISMA evidence pack.

How it works. Read-only reads across Organizations / Config / Identity Center / GuardDuty / Security Hub. The evidence pack combines the pre-move scan + this verification + who-approved/when into a downloadable audit artifact.

Post-move verification & evidence

How to use it

What it does. Orders a set of accounts into dependency-aware waves — infrastructure / shared first, then non-production, then production — with a gate between each, so a big migration moves safely in batches.

How it works. Classifies by a name heuristic and groups into ordered waves. Read-only — it produces the plan; each account still runs through the migration phases. Pull the unmanaged set or paste your own list.

Wave planner
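The ordering described above, as an added example that is not TowerControls code: a name heuristic assigns each account a base wave (infrastructure / shared, then non-production, then production), and the plan is a list of waves with a gate implied between each. The keyword lists are assumptions, and the optional depends_on map, which pushes an account into a later wave than anything it relies on and rejects cycles, goes beyond the page's name-only heuristic.

```python
"""Dependency-aware wave planner for a batched account migration (added example)."""

# Assumed keyword heuristics; tune them to your naming convention.
INFRA_KEYWORDS = ("shared", "network", "infra", "log", "audit", "security", "transit")
NONPROD_KEYWORDS = ("dev", "test", "qa", "stage", "staging", "sandbox", "nonprod", "uat")


def classify(name):
    """Base wave from the account name: 1 infra/shared, 2 non-prod, 3 prod."""
    n = name.lower()
    if any(k in n for k in INFRA_KEYWORDS):
        return 1
    if any(k in n for k in NONPROD_KEYWORDS):
        return 2
    return 3


def plan_waves(accounts, depends_on=None):
    """Return waves as a list of sorted name lists; a gate sits between waves.

    depends_on maps an account to the accounts that must move before it.
    Dependents are bumped past their dependencies until nothing changes;
    a cycle never settles, so it is detected after len(accounts)+1 passes.
    """
    depends_on = depends_on or {}
    wave = {a: classify(a) for a in accounts}
    for _ in range(len(accounts) + 1):
        changed = False
        for dependent, deps in depends_on.items():
            if dependent not in wave:
                continue
            for dep in deps:
                if dep in wave and wave[dependent] <= wave[dep]:
                    wave[dependent] = wave[dep] + 1
                    changed = True
        if not changed:
            break
    else:
        raise ValueError("dependency cycle: no valid wave order")
    grouped = {}
    for name, w in wave.items():
        grouped.setdefault(w, []).append(name)
    return [sorted(grouped[w]) for w in sorted(grouped)]


if __name__ == "__main__":
    demo = ["shared-services", "payments-dev", "payments-prod", "analytics-prod"]
    for i, wave_members in enumerate(plan_waves(demo, {"analytics-prod": ["payments-prod"]}), 1):
        print(f"wave {i}: {', '.join(wave_members)}  -> gate")
```

Each account in a wave still runs through Preflight, Phase 1 and Phase 2 individually; the planner only fixes the order and where the go/no-go gates fall.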

Account readiness — security standards
Per-account Security Hub standards. The baseline is NIST 800-53 + FSBP — anything missing NIST won't be graded until it's turned on (the pipeline enables it org-wide).
Columns: Account · Role · Standards enabled · NIST 800-53 · Baseline
Activity log
Every action and every failure across the app — who did it, when, what it hit, and whether it succeeded.
Columns: Time (UTC) · User · Result · Action · Detail

How to use it

What it does. A local log of every Apply (dry-run or live) the dashboard has performed, newest first.

How it works. Each row shows the action, the files touched, and the branch and commit. Revert restores the file(s) from the pre-change snapshot, through the same dry-run / PR gate as a forward change.

Local audit log (.audit/audit.jsonl)

Every Apply (dry-run or live) appears here. Newest first. Revert restores the file(s) from the snapshot pre-image, through the same dry-run / live + PR gate as a forward change.

Columns: Timestamp (UTC) · User · Action · Target file(s) · Branch · Commit · Revert