Control Tower for both commercial and govcloud accounts

0

I'm trying to wrap my head around the correct way to deploy this solution. We have a need to provision workload accounts in both Commercial and GovCloud, and were looking into Control Tower to help manage security and compliance. When I create our initial management account (acct "cm1"), if I understand correctly, that is the account I use to deploy Control Tower for Commercial. Then I would create a new GovCloud account (acct "gc2"), which also creates a linked Commercial account (acct "ln2"), from the initial management account in Commercial. Am I deploying Control Tower again into account "gc2"? I tried this a few months ago and received an error saying that I could not deploy Control Tower to that account because it was already managed by an account with Control Tower.

3 answers
1

If you have workloads that will be deployed to commercial and GovCloud regions and also want Control Tower to manage governance of your AWS accounts, then you're going to need separate management accounts. So how this will look is you will have a management account running Control Tower for commercial workloads and a second management account running Control Tower for GovCloud workloads. If your reason for operating in GovCloud is FedRAMP or other compliance related needs, then you'll want to make sure you have the proper segregation of your Commercial and GovCloud environments.

Regarding the documentation stating that "AWS Control Tower must be set up in the commercial Region before you can sign in to the AWS Control Tower management account to create AWS Control Tower accounts in AWS GovCloud (US)," it doesn't imply running multiple AWS Control Towers within the same management account. Essentially, AWS requires the initial setup of AWS Control Tower in a commercial region, even if your ultimate goal is to operate in GovCloud. You can find more detailed explanations in this documentation.

Lastly, I also recommend you look at AWS LZA that Rajarshi mentioned or perhaps a partner to help implement the controls needed to operate in GovCloud for your compliance needs.

For consolidated billing across multiple payer accounts, your AWS account team might be able to help you or recommend a service/tool.

Answered 5 months ago
Expert
Reviewed 1 month ago
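The answer above describes two independent organizations, each with its own Control Tower management account, where the GovCloud account is created from the commercial management account. The following script is an added illustration of that flow and is not code from the thread or from AWS; it assumes two boto3 Organizations clients (one in the commercial partition, one in the GovCloud partition, for example from two named profiles), uses the real `CreateGovCloudAccount`, `DescribeCreateAccountStatus` and `DescribeOrganization` API calls, and ships with constructed stub clients and constructed account/organization IDs so it runs offline.

```python
"""Provision a GovCloud account from the commercial management account and
confirm that the two partitions end up as independent organizations.

Added example for this re:Post thread; not AWS or re:Post code. Real clients
would come from boto3, e.g.
    boto3.Session(profile_name="cm1").client("organizations")            # commercial
    boto3.Session(profile_name="gc2", region_name="us-gov-west-1").client("organizations")
The stub clients at the bottom are constructed stand-ins for offline use.
"""
import time
from dataclasses import dataclass


@dataclass
class AccountPair:
    commercial_linked_account_id: str  # the linked commercial account ("ln2")
    govcloud_account_id: str           # the GovCloud account ("gc2")


def create_govcloud_account(commercial_org_client, email, name, poll_seconds=5):
    """Call CreateGovCloudAccount from the commercial management account.

    AWS creates two accounts in one request: a GovCloud account and a linked
    commercial account. The request is asynchronous, so poll
    DescribeCreateAccountStatus until it reports SUCCEEDED or FAILED.
    """
    resp = commercial_org_client.create_gov_cloud_account(Email=email, AccountName=name)
    request_id = resp["CreateAccountStatus"]["Id"]
    while True:
        status = commercial_org_client.describe_create_account_status(
            CreateAccountRequestId=request_id)["CreateAccountStatus"]
        if status["State"] == "SUCCEEDED":
            return AccountPair(status["AccountId"], status["GovCloudAccountId"])
        if status["State"] == "FAILED":
            raise RuntimeError(f"account creation failed: {status.get('FailureReason')}")
        time.sleep(poll_seconds)


def check_independent_orgs(commercial_org_client, govcloud_org_client):
    """Compare DescribeOrganization from each partition.

    Returns the management (master) account of each organization and whether
    the two organizations are independent, which is what makes a second
    Control Tower landing zone in GovCloud possible.
    """
    com = commercial_org_client.describe_organization()["Organization"]
    gov = govcloud_org_client.describe_organization()["Organization"]
    return {
        "commercial_management_account": com["MasterAccountId"],
        "govcloud_management_account": gov["MasterAccountId"],
        "independent": com["Id"] != gov["Id"]
        and com["MasterAccountId"] != gov["MasterAccountId"],
    }


class _StubOrgClient:
    """Constructed stand-in for the boto3 Organizations client (offline demo)."""

    def __init__(self, org_id, mgmt_account_id, linked_id=None, gov_id=None):
        self._org = {"Id": org_id, "MasterAccountId": mgmt_account_id}
        self._linked_id, self._gov_id = linked_id, gov_id
        self._polls = 0

    def describe_organization(self):
        return {"Organization": dict(self._org)}

    def create_gov_cloud_account(self, Email, AccountName):
        return {"CreateAccountStatus": {"Id": "car-constructed0001", "State": "IN_PROGRESS"}}

    def describe_create_account_status(self, CreateAccountRequestId):
        self._polls += 1  # first poll still in progress, second succeeds
        state = "IN_PROGRESS" if self._polls < 2 else "SUCCEEDED"
        return {"CreateAccountStatus": {"Id": CreateAccountRequestId, "State": state,
                                        "AccountId": self._linked_id,
                                        "GovCloudAccountId": self._gov_id}}


def demo():
    """Run the flow against constructed IDs: cm1 creates gc2 plus linked ln2."""
    cm1 = _StubOrgClient("o-cm1constructed", "111111111111",
                         linked_id="333333333333", gov_id="222222222222")
    pair = create_govcloud_account(cm1, "gov-workload@example.invalid",
                                   "gc2-constructed", poll_seconds=0)
    # In the GovCloud partition gc2 becomes the management account of its own org.
    gc2 = _StubOrgClient("o-gc2constructed", pair.govcloud_account_id)
    return pair, check_independent_orgs(cm1, gc2)


if __name__ == "__main__":
    pair, report = demo()
    print(pair)
    print(report)
```

Only the `_StubOrgClient` and the IDs in `demo()` are constructed; swap in real boto3 clients and the two functions run unchanged. A true `independent` result is the precondition the answer describes: one Control Tower per management account, one in each partition.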
0

Hi,

Please note how AWS Control Tower Differs for AWS GovCloud (US): "Organizations that you create in the AWS GovCloud (US) Regions are independent from organizations created in commercial AWS Regions."

Would highly recommend checking out the Landing Zone Accelerator (LZA) on AWS Solution. It has a GovCloud specific deployment configuration, with Control Tower enabled.

AWS
Answered 5 months ago
0

Thank you for your reply Rajarshi. I really like how LZA looks for deploying these accounts and will dig deeper into those this weekend.

Looking at the "How AWS Control Tower Differs for AWS GovCloud (US)" link you provided, in the "Creating your accounts" section, it says

"AWS Control Tower must be set up in the commercial Region before you can sign in to the AWS Control Tower management account to create AWS Control Tower accounts in AWS GovCloud (US)."

If I'm reading this correctly, does this mean that:

  1. I create the initial management account, "cm1".
  2. Deploy Control Tower in account "cm1".
  3. From account "cm1", create the GovCloud account "gc2", which creates the linked acct "ln2".
  4. I can now deploy Control Tower into account "gc2".

Which would result in one Control Tower to manage accounts in the Commercial regions and one Control Tower to manage accounts in the GovCloud regions? I'm trying to see if we can utilize one "billing" account "to rule them all" and still have operational separation for compliance in Commercial and GovCloud. We're okay with managing policies using 2 Control Towers as this would be the preferred method for us, but we'd like to try to keep one billing account if possible.

And thank you again for your help with this.

GairyS
Answered 5 months ago
