AWS migration from landing zone to control tower and CloudOps
Simplifying AWS governance with control tower migration
A leading Canadian communications and media company needed assistance migrating its workloads from a self-managed AWS environment to AWS Control Tower. HCLTech helped streamline account management, enhance governance and ensure a smooth transition without disrupting business-critical operations.
The Challenge

- Migration complexity: Seamless migration of existing workloads to a managed service without downtime
- Governance and compliance: Ensuring compliance across all accounts while adapting existing policies to AWS Control Tower’s governance framework
- Customization vs simplicity: Balancing the need for Landing Zone (LZ) customization with the simplicity provided by AWS Control Tower
- Account management: Managing many AWS accounts while minimizing operational disruption
The Objective
The goal was to implement AWS Control Tower for centralized governance, improved compliance and streamlined account management.

- Current environment review: Analyzed existing AWS Landing Zone (ALZ) structure and identified governance and account management gaps
- Migration planning: Developed a detailed roadmap for migrating workloads and accounts with minimal impact on operations

The Solution
HCLTech provided a comprehensive solution to address the client’s challenges in migrating to AWS Control Tower:

- Assessment and design: HCLTech evaluated the existing AWS Landing Zone (ALZ) and designed a new AWS Control Tower structure with Organizational Units (OUs) and account segregation for core functions like shared services, network, security, log archive and audit. Each Application OU had accounts for production, staging, testing, development and sandbox environments
- Migration execution: HCLTech carefully assessed the feasibility of migrating CloudTrail and AWS Config data, reviewed service limits and systematically migrated all workloads and resources from the ALZ to the Control Tower setup
- Customization and cleanup: Control Tower settings were customized to meet the client’s specific needs and accounts were enrolled and configured through Control Tower. Data storage from the old Landing Zone was migrated and a complete cleanup of residual ALZ components was conducted to ensure a clean environment
- Ongoing support: HCLTech assisted with various operational challenges, such as automating centralized log management across the AWS Organization and integrating it with the client’s third-party log management platform so that action on the relevant logs could be proactive and automated
- Customized account creation automation: HCLTech assessed the legacy account creation pipeline and automated the client’s approved security posture for AWS account creation in AWS Control Tower, keeping the same ways of working to ensure minimal changes for the operations team
The Impact

- Automated customized account creation: With AWS Control Tower’s Account Factory, the client automated the deployment and enrollment of new accounts, reducing manual intervention and operational overhead
- Centralized governance: AWS Organizations, integrated with Control Tower, provided centralized compliance and governance, ensuring consistent policy enforcement across all 140+ accounts
- Improved extensibility: The client gained the flexibility to extend and build upon AWS Control Tower within its AWS Organizations structure, giving it scalability and adaptability for future cloud operations
- Operational efficiency: The seamless migration minimized downtime and disruptions, while ongoing support ensured a smooth post-migration environment for business-critical operations
AWS services used:
AWS Control Tower, AWS Organizations, AWS CloudTrail, AWS Config, AWS Lambda