Work Healthy Australia embrace AWS Control Tower


Work Healthy Australia
Work Healthy Australia specialises in developing early intervention programs and risk management strategies to help reduce the time it takes for injured employees to get back to work.

The Problem
Work Healthy Australia(WHA) wanted to build an internal development practice to streamline business automation, create efficiencies while also improving customer and employee experiences. WHA could not confidently create a best practice AWS development environment and approached Olikka to help.


"We were determined to start our AWS journey on the right foot. Olikka provided a best practice AWS Control Tower solution, and this has allowed Work Healthy Australia to develop new online services with confidence."

Darren Xerri
WHA Project Manager

The Solution
Olikka experienced in delivering AWS cloud solutions for customers across many different industries was well positioned to deliver a solution. The AWS default is to provide customers with a single account, organisation and tenant where administrators can perform their work, the environment includes many pre-configured roles from read-only to an administrator. WHA was looking for a more customised type of control and engaged Olikka to design an environment where accounts are delegated to the developer teams without exposing their internal infrastructure to the risk of an accident.

Olikka initially led with a Landing Zone solution, however, just a couple of weeks into the engagement Control Tower was released. Olikka directed to move the project to Control Tower, a more automated secure and simple account generating service. Control Tower includes Landing Zone, Account Factory, Preventive and Detective Guardrails, Mandatory or Optional Guardrails with an easy to understand dashboard for system administration. These features are explained below:

Landing Zone

The Landing Zone is responsible for creating a multi-account environment using AWS Organisations and provide Identity and Access Management(IAM) using AWS Single-Sign-On(SSO) default directory. It assists with logging and cross-account security audits using AWS IAM and AWS SSO.

Account Factory
Account Factory automates the provisioning of new accounts. It also helps standardise provisioning of new accounts with pre-approved account configuration.

"Olikka has enabled Work Healthy Australia to transform operations digitally. We will improve the way we engage customers and assist our staff do their job more efficiently because of it."

Darren Xerri
WHA Project Manager

Preventive and Detective Guardrails
Guardrails are pre-packaged governance rules for security, operations, and compliance that customers can select and apply enterprise-wide or to specific groups of accounts.Mandatory and Optional Guardrails
AWS Control Tower offers a curated set of guardrails based on AWS best practices and standard customer policies for governance. You can automatically leverage Mandatory Guardrails as part of your landing zone setup.

The Control Tower dashboard provides continuous visibility into your AWS environment. You can view the number of Organisational Units(OU) and accounts provisioned, the number of guardrails enabled, and then check the status of your OUs and accounts against those guardrails. A list of noncompliant resources is also generated.

The initial Landing Zone solution scoped, would of been similar to Control Tower however it would be deployed and managed using cloud formation. Many of the benefits are similar however Control Tower offers an improved dashboard and automation of day to day operation while maintenance of the Landing Zone is a manual procedure. Both of these solutions would have been fit for purpose for WHA.

The project wasn't all smooth sailing however. Control Tower includes a setting that creates a new AWS tenancy where default accounts are provisioned. WHA already had existing infrastructure within another AWS tenant and meant that existing infrastructure would not be accessible in the new Control Tower tenant.

Olikka overcame the challenge by providing a standardised tenant for the new production environment. Olikka were then able to leverage AWS tools to migrate the AWS tenant sitting outside of Control Tower.

Olikka completed handover and included a comprehensive education session for the WHA Team. WHA are now empowered and skilled to manage their own Control Tower environment with confidence and to best practice. 
WHA ended up with two tenants, one for their initial subscription to AWS. That contained their existing infrastructure and databases alongside a new tenant managed by Control Tower with a link into their existing Google App's suite using AWS SSO. This allows for standardised, secure account creation and provides their new developers with restricted and limited access to accounts suited to the tasks they perform. Control Tower has also provided WHA with automation and pre-configuration that will save WHA precious IT resources.

"Olikka were very professional and helpful in the way they engaged our team, and we look forward to collaborating in the future."

Darren Xerri
WHA Project Manager



Previous story

NEXT story

Group 4 Created with Sketch.

Ready to get started in you AWS Landing Zone Journey?

Get in Touch