Secure your multi-account AWS environment using AWS Control Tower with Ermetic

Ermetic integrates with AWS Control Tower to offer operational automation that makes Ermetic cloud security capabilities available for all newly added AWS accounts.

By Ermetic Team

Download the solution brief (or continue reading below).

Overview: What You Should Know

Ermetic integrates with AWS Control Tower to offer operational automation that makes Ermetic cloud security capabilities available for all newly added AWS accounts. The integration automatically extends Ermetic's leading identity-centric risk analysis, anomaly detection, least privilege enforcement and compliance audit capabilities to all AWS accounts in your AWS and multicloud environment.

Ermetic - A Comprehensive Cloud Infrastructure Security Platform

Ermetic is a comprehensive cloud infrastructure security platform for AWS and multicloud environments that uniquely assesses cloud risk with high accuracy, from the perspective of identity. A SaaS solution, Ermetic offers a holistic solution, from full asset discovery through flexible risk auto-remediation, real-time anomaly detection, compliance audit and policy enforcement. Ermetic unifies cloud infrastructure entitlement management (CIEM) and cloud security posture management (CSPM) in a single platform, and promotes collaboration with Security, DevOps and IAM.

Ermetic provides deep visibility into the configurations, permissions, network exposure and activities of every resource or identity, human and service (including roles, compute, serverless, containers and third parties), in your AWS and multicloud environment. Its identity-first architecture reveals effective access and the toxic scenarios that put your data at risk. Organizations use Ermetic to investigate and mitigate risky access, misconfigurations and threats, and achieve least privilege through automated guardrails, optimized policies and configuration fixes via workflows, IaC snippets in Terraform and CloudFormation, and Just-in-Time (JIT) access.

Challenge: Managing Access Risk and Compliance at Scale

By 2023, according to analyst firm Gartner, 99% of cloud security failures will be the cloud customer’s fault – with 75% of those due to inadequate management of identities, access and privileges. A single misconfiguration can take down an application or lead to a devastating breach.

The only way to meet your cloud’s biggest security challenge is by understanding effective access, which determines your attack surface and the damage that may follow a breach. Yet cloud infrastructure complexity – thousands of services, configurations, identities and policies determining access — makes it hard to understand which resources an identity can access and which identities can access a given sensitive resource. Shortages in cloud expertise, fast cloud growth and the disappearance of the traditional network perimeter exacerbate the challenge.

AWS native tools and other cloud security tools help, yet serious gaps remain as organizations seek solutions to identify cloud risk and to address shared responsibility and compliance. Enterprises need to adopt a multi-account strategy as a best practice for stronger isolation of security resources in AWS, and need comprehensive, automated solutions to uncover and remediate risk in context and at scale.

Solution: Operational Automation Through Ermetic - AWS Control Tower Integration

AWS Control Tower uses AWS best practices with guardrails in place, including those that complement your enterprise's data residency posture, to establish a strategic, well-architected, multi-account baseline across your AWS accounts. Through guardrails, AWS Control Tower implements preventive or detective controls that help govern your resources and monitor compliance across groups of AWS accounts. The Ermetic integration with AWS Control Tower enables you to automatically extend the Ermetic platform’s capabilities to new AWS accounts added to your multi-account AWS environment via AWS Control Tower. The operational automation enhances your ability to protect these AWS cloud infrastructures through security controls for governing access risk effectively across the identity lifecycle, detecting anomalies, enforcing least privilege and auditing compliance at scale.

How it Works

Ermetic enables management of AWS cloud resources and identities in one unified platform where you can investigate entitlements, configurations, anomalies, compliance errors and relationships. The solution is deployed using AWS CloudFormation templates and integrates with AWS Control Tower lifecycle events. When a new Control Tower managed account is created – or an existing one is enrolled using the AWS Control Tower Account Factory – the lifecycle event triggers an AWS Lambda function that creates and configures an Ermetic Identity and Access Management (IAM) integration role in the account. This role enables Ermetic to collect account data from the new account's AWS CloudTrail logs.
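To make the lifecycle flow above concrete, here is an added example of the kind of Lambda handler that pattern implies. It is not Ermetic's code and does not reflect how the Ermetic role is actually provisioned; the role name, the scanner account id and the external id are placeholders, and it assumes the handler runs in the Control Tower management account, is subscribed to Control Tower lifecycle events on EventBridge, and can assume the AWSControlTowerExecution role that Account Factory creates in each enrolled account. It filters for successful CreateManagedAccount and UpdateManagedAccount events, builds a cross-account trust policy pinned to an external id, checks that the inline policy it is about to attach contains only read actions, and then creates the role through an IAM client scoped to the new account.

```python
"""Hypothetical Control Tower lifecycle handler (added example, not Ermetic's code).

Assumptions, none of which come from the page:
- the Lambda is subscribed to Control Tower lifecycle events on the management account's
  default EventBridge bus;
- the management account may assume AWSControlTowerExecution in the new account;
- SCANNER_ACCOUNT_ID, EXTERNAL_ID and ROLE_NAME are placeholders, not real values.
"""
import json

try:
    import boto3  # only needed when the handler really talks to AWS
except ImportError:  # the event parsing and policy building below run without it
    boto3 = None

SCANNER_ACCOUNT_ID = "111111111111"            # constructed placeholder account id
EXTERNAL_ID = "REPLACE-WITH-EXTERNAL-ID"       # placeholder; issued by the scanning service
ROLE_NAME = "ExampleScannerIntegrationRole"    # hypothetical role name

# Control Tower reports the outcome of each lifecycle action under a per-action status key.
LIFECYCLE_STATUS_KEYS = {
    "CreateManagedAccount": "createManagedAccountStatus",
    "UpdateManagedAccount": "updateManagedAccountStatus",
}
# Only action verbs with these prefixes are accepted in the integration policy.
READ_ONLY_VERB_PREFIXES = ("Get", "List", "Describe", "Lookup", "Generate")


def account_id_from_event(event):
    """Return the new account's id for a SUCCEEDED lifecycle event, otherwise None."""
    detail = event.get("detail", {})
    key = LIFECYCLE_STATUS_KEYS.get(detail.get("eventName"))
    if key is None:
        return None
    status = detail.get("serviceEventDetails", {}).get(key, {})
    if status.get("state") != "SUCCEEDED":
        return None  # failed or in-progress enrollments must not provision anything
    return status.get("account", {}).get("accountId")


def trust_policy(scanner_account_id, external_id):
    """Cross-account trust: only the scanner account, and only with the agreed external id."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{scanner_account_id}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
    }]}


def read_only_policy():
    """Inline policy granting read access to CloudTrail and IAM configuration only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["cloudtrail:LookupEvents", "cloudtrail:DescribeTrails",
                   "cloudtrail:GetTrailStatus", "iam:Get*", "iam:List*",
                   "iam:GenerateServiceLastAccessedDetails"],
        "Resource": "*",
    }]}


def assert_read_only(policy):
    """Guard: refuse to attach a policy whose action verbs are not read-only."""
    for statement in policy["Statement"]:
        for action in statement["Action"]:
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERB_PREFIXES):
                raise ValueError(f"non read-only action in integration policy: {action}")
    return True


def create_integration_role(iam, account_id):
    """Create the role plus its inline policy with an IAM client scoped to the new account."""
    policy = read_only_policy()
    assert_read_only(policy)
    iam.create_role(RoleName=ROLE_NAME,
                    AssumeRolePolicyDocument=json.dumps(trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID)),
                    Description="Read-only cross-account role for the scanning service (example)")
    iam.put_role_policy(RoleName=ROLE_NAME, PolicyName="ReadOnlyAudit",
                        PolicyDocument=json.dumps(policy))
    return f"arn:aws:iam::{account_id}:role/{ROLE_NAME}"


def iam_client_for_account(account_id):
    """Assume the Control Tower execution role in the new account (assumed to exist)."""
    creds = boto3.client("sts").assume_role(
        RoleArn=f"arn:aws:iam::{account_id}:role/AWSControlTowerExecution",
        RoleSessionName="integration-bootstrap")["Credentials"]
    return boto3.client("iam", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


def handler(event, context, iam_factory=iam_client_for_account):
    """Lambda entry point; iam_factory is injectable so the flow can be exercised offline."""
    account_id = account_id_from_event(event)
    if account_id is None:
        return {"skipped": True}
    return {"skipped": False, "roleArn": create_integration_role(iam_factory(account_id), account_id)}


# Constructed sample shaped like a Control Tower lifecycle event; not a captured event.
SAMPLE_EVENT = {
    "source": "aws.controltower",
    "detail-type": "AWS Service Event via CloudTrail",
    "detail": {
        "eventName": "CreateManagedAccount",
        "serviceEventDetails": {"createManagedAccountStatus": {
            "state": "SUCCEEDED",
            "account": {"accountName": "workload-a", "accountId": "222222222222"},
            "organizationalUnit": {"organizationalUnitName": "Workloads"},
        }},
    },
}

if __name__ == "__main__":
    print("target account:", account_id_from_event(SAMPLE_EVENT))
    print(json.dumps(trust_policy(SCANNER_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```

Two design points matter for a defender. The trust policy pins the role to one external principal and an external id, which is the standard mitigation for the confused-deputy problem in third-party cross-account access. The `assert_read_only` guard means a later edit that slips a write action into the integration policy fails at deploy time rather than silently widening the role. An UpdateManagedAccount event for an already-enrolled account would hit an existing role, so a production version of `create_integration_role` would also need to tolerate the IAM EntityAlreadyExists error and reconcile the policy instead.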

Figure - Ermetic offers a deep, multi-dimensional asset inventory and visualizes resources and identities by risk severity

By the Numbers

Identities are the new security perimeter, and access permissions have the biggest impact on the size of a blast radius in case of a breach. So an identity-first approach to cloud security is essential to reducing risk and achieving least privilege.
  • 82% of breaches involved the human element – 13% due to human error, with misconfigured cloud storage a heavy influencer [Verizon, Data Breach Investigations Report 2022]
  • 96% of organizations reported they could have prevented or minimized the breach by implementing identity-focused security outcomes [Identity Defined Security Alliance, 2022 Trends in Securing Digital Identities]
  • 81% of organizations lack full visibility into all resources directly accessible from the Internet [Osterman Research, Ermetic Cloud Security Maturity Survey 2022]

In Summary

Ermetic is a comprehensive cloud security platform for AWS, Azure and GCP that enables you to proactively reduce your attack surface and blast radius, and detect threats. The platform enables comprehensive risk assessment across the security stack including full asset discovery, deep risk visualization and prioritization, remediation, anomaly detection and compliance. Combined with AWS Control Tower, Ermetic allows you to apply essential security and compliance capabilities to your newly added AWS accounts, helping you continuously improve your cloud security posture and facilitate implementation of least privilege and zero trust.
