AWS Control Tower migration for governance and efficiency | HCLTech

AWS migration from landing zone to control tower and CloudOps

Simplifying AWS governance with control tower migration

A leading Canadian communications and media company needed assistance migrating its workloads from a self-managed AWS environment to AWS Control Tower. HCLTech helped streamline account management, enhance governance and ensure a smooth transition without disrupting business-critical operations.

The Challenge

  • Migration complexity: Seamless migration of existing workloads to a managed service without downtime
  • Governance and compliance: Ensuring compliance across all accounts while adapting existing policies to AWS Control Tower’s governance framework
  • Customization vs simplicity: Balancing the need for Landing Zone (LZ) customization with the simplicity provided by AWS Control Tower
  • Account management: Managing many AWS accounts while minimizing operational disruption

The Objective

The goal was to implement AWS Control Tower for centralized governance, improved compliance and streamlined account management.

  • Current environment review: Analyzed existing AWS Landing Zone (ALZ) structure and identified governance and account management gaps
  • Migration planning: Developed a detailed roadmap for migrating workloads and accounts with minimal impact on operations

The Solution

HCLTech provided a comprehensive solution to address the client’s challenges in migrating to AWS Control Tower:

  • Assessment and design: HCLTech evaluated the existing AWS Landing Zone (ALZ) and designed a new AWS Control Tower structure with Organizational Units (OUs) and account segregation for core functions like shared services, network, security, log archive and audit. Each Application OU had accounts for production, staging, testing, development and sandbox environments
  • Migration execution: HCLTech carefully assessed the feasibility of migrating CloudTrail and AWS Config data, reviewed service limits and systematically migrated all workloads and resources from the ALZ to the Control Tower setup
  • Customization and cleanup: Control Tower settings were customized to meet the client’s specific needs and accounts were enrolled and configured through Control Tower. Data storage from the old Landing Zone was migrated and a complete cleanup of residual ALZ components was conducted to ensure a clean environment
  • Ongoing support: HCLTech assisted with various operational challenges, such as automating centralized log management across the AWS Organization and integrating it with the client’s third-party log management platform so that the respective logs could drive proactive, automated action
  • Customized account creation automation: HCLTech assessed the legacy account creation pipeline and automated the client’s approved security posture for AWS account creation in AWS Control Tower, keeping the same ways of working so that the operations team faced minimal change
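The OU and account segregation described above is only as strong as its enforcement after migration, so a practitioner will want a drift check that confirms every account still sits where the design says it should. The following Python script is an added example, not code from HCLTech or the client: it validates a constructed account inventory against the layout the case study describes (core accounts in Security and Infrastructure OUs, one account per environment in each application OU, every account enrolled in Control Tower). The OU names, the `App-` prefix, the account IDs and the inventory rows are all assumptions.

```python
"""Drift check for a Control Tower OU layout.

Added example (not HCLTech's or the client's code). It validates an account
inventory against the segregation described in the case study and reports
anything that would undermine it. OU names, the "App-" prefix and the sample
inventory are assumptions, not values taken from a real organization.
"""
from collections import defaultdict

# Core accounts and the OU each one is expected to sit in (assumed names).
CORE_ACCOUNTS = {
    "Log Archive": "Security",
    "Audit": "Security",
    "Shared Services": "Infrastructure",
    "Network": "Infrastructure",
}
CORE_OUS = set(CORE_ACCOUNTS.values())

# Each application OU should hold exactly one account per environment.
APP_ENVIRONMENTS = {"production", "staging", "testing", "development", "sandbox"}
APP_OU_PREFIX = "App-"

# Constructed inventory (not a real export). "Ou" is the account's parent OU
# name and "Enrolled" records whether Control Tower governs the account.
SAMPLE_INVENTORY = [
    {"Id": "111111111111", "Name": "Log Archive", "Ou": "Security", "Enrolled": True},
    {"Id": "222222222222", "Name": "Audit", "Ou": "Security", "Enrolled": True},
    {"Id": "333333333333", "Name": "Shared Services", "Ou": "Infrastructure", "Enrolled": True},
    # Misplaced: a core account left at the root instead of the Infrastructure OU.
    {"Id": "444444444444", "Name": "Network", "Ou": "Root", "Enrolled": True},
    {"Id": "555555555555", "Name": "billing-production", "Ou": "App-Billing", "Env": "production", "Enrolled": True},
    {"Id": "666666666666", "Name": "billing-staging", "Ou": "App-Billing", "Env": "staging", "Enrolled": True},
    {"Id": "777777777777", "Name": "billing-testing", "Ou": "App-Billing", "Env": "testing", "Enrolled": True},
    {"Id": "888888888888", "Name": "billing-development", "Ou": "App-Billing", "Env": "development", "Enrolled": True},
    # Not yet enrolled: Control Tower guardrails do not apply to it.
    {"Id": "999999999999", "Name": "billing-sandbox", "Ou": "App-Billing", "Env": "sandbox", "Enrolled": False},
    # Residual ALZ account in an OU the new design does not manage.
    {"Id": "101010101010", "Name": "legacy-tools", "Ou": "Legacy-ALZ", "Enrolled": False},
    # Application OU that has not received its full set of environments.
    {"Id": "121212121212", "Name": "portal-production", "Ou": "App-Portal", "Env": "production", "Enrolled": True},
]


def audit_inventory(inventory):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    envs_by_app_ou = defaultdict(list)

    for acct in inventory:
        name, ou = acct["Name"], acct["Ou"]
        if not acct.get("Enrolled", False):
            findings.append(f"{name} ({acct['Id']}): not enrolled in Control Tower")
        if name in CORE_ACCOUNTS:
            expected = CORE_ACCOUNTS[name]
            if ou != expected:
                findings.append(f"{name}: expected in OU {expected}, found in {ou}")
        elif ou.startswith(APP_OU_PREFIX):
            envs_by_app_ou[ou].append(acct.get("Env", "unknown"))
        elif ou in CORE_OUS:
            findings.append(f"{name}: non-core account placed in core OU {ou}")
        else:
            findings.append(f"{name}: in unmanaged OU {ou}")

    # Per application OU: every environment present exactly once, nothing extra.
    for ou, envs in sorted(envs_by_app_ou.items()):
        seen = set(envs)
        missing = APP_ENVIRONMENTS - seen
        if missing:
            findings.append(f"{ou}: missing environments {sorted(missing)}")
        duplicates = {e for e in seen if envs.count(e) > 1}
        if duplicates:
            findings.append(f"{ou}: duplicate environments {sorted(duplicates)}")
        unknown = seen - APP_ENVIRONMENTS
        if unknown:
            findings.append(f"{ou}: unrecognised environments {sorted(unknown)}")

    return findings


if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY):
        print("DRIFT:", finding)
```

To run this against a real organization, build the inventory by walking the tree with `aws organizations list-organizational-units-for-parent` and `aws organizations list-accounts-for-parent` from the management account and filling the `Enrolled` flag from Control Tower's account list; the audit function itself needs no AWS access, which keeps it easy to run in a pipeline.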

The Impact

  • Automated customized account creation: With AWS Control Tower’s Account Factory, the client automated the deployment and enrollment of new accounts, reducing manual intervention and operational overhead
  • Centralized governance: AWS Organizations, integrated with Control Tower, provided centralized compliance and governance, ensuring consistent policy enforcement across all 140+ accounts
  • Improved extensibility: The client gained the flexibility to extend and build upon AWS Control Tower within its AWS Organizations structure, giving scalability and adaptability for future cloud operations
  • Operational efficiency: The seamless migration minimized downtime and disruptions, while ongoing support ensured a smooth post-migration environment for business-critical operations

AWS services used:

AWS Control Tower, AWS Organizations, AWS CloudTrail, AWS Config, AWS Lambda