

# Controls and compliance


Within AWS Control Tower, compliance refers to the state of a resource when it is evaluated with respect to a deployed detective control or a drift detection rule. Compliance in AWS Control Tower is related to drift — usually, a non-compliant resource is in a state of drift. AWS Control Tower controls embody rules of compliance. They help you identify compliant and non-compliant resources by detecting drift.

When AWS Control Tower evaluates the compliance of resources, it reports the compliance results at the OU, account, and control levels. This section describes compliance status in detail, for controls, OUs, and accounts.

Compliance reporting is intended to let cloud administrators know when the resources associated with the accounts in their organization are compliant with established policies. When the resources are in compliance, builders can provision new AWS accounts quickly in a few clicks.

When we talk about compliance in AWS Control Tower, we do not intend the same meaning as compliance with governmental regulations, such as data privacy or health information standards. However, AWS Control Tower can assist your organization to comply with many governmental regulations, sometimes referred to as *frameworks*.
+ For more information about how AWS Control Tower helps you maintain compliance with governmental regulations and industry standards, see [Compliance Validation](https://docs.aws.amazon.com//controltower/latest/userguide/compliance-validation.html).
+ For more information about how you can verify AWS Control Tower resource compliance during CloudFormation stack creation, see this blog post, [How AWS Control Tower users can proactively verify compliance in AWS CloudFormation stacks](https://aws.amazon.com/blogs/mt/how-aws-control-tower-users-can-proactively-verify-compliance-in-aws-cloudformation-stacks/).

For ongoing governance, administrators can enable pre-configured controls—clearly defined rules for security, operations, and compliance. These controls can:
+ Prevent deployment of resources that don’t conform to policies (by means of preventive controls, implemented with SCPs, or by means of proactive controls, implemented with CloudFormation hooks).
+ Continuously monitor deployed resources for nonconformance (by means of detective controls, implemented with AWS Config rules).

**Examples of compliance rules (controls) in AWS Control Tower:**
+ [Detect Whether Public Write Access to Amazon S3 Buckets is Allowed](strongly-recommended-detective-controls.md#s3-disallow-public-write)
+ [Detect Whether Unrestricted Incoming TCP Traffic is Allowed](strongly-recommended-detective-controls.md#rdp-disallow-internet)

**Examples of governmental compliance regulations (frameworks):**
+ The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA)
+ The European Union’s General Data Protection Regulation of 2016 (GDPR)

# How can administrators review compliance?


Compliance with detective controls is determined according to data retrieved from the AWS Config aggregator in the AWS Control Tower Audit account. You can review compliance status in the AWS Control Tower console, by subscribing to SNS topics that send email messages to the Audit account, or both.

**Detective control status**

To view the compliance status of detective controls in the AWS Control Tower console, select **Controls** in the left navigation, choose the control name from the controls table, and then scroll to the **Accounts** section on that control details page. Accounts may show a control compliance status of **Unknown** if any detective controls are misconfigured. For example, the **Unknown** status often appears as a result of account drift, such as **Moved account** drift. The **Unknown** status also can appear as a result of SCP drift.

**Note**  
AWS Control Tower displays the compliance status of all AWS Config rules deployed into organizational units registered with AWS Control Tower, including rules that were activated outside of the AWS Control Tower console. To view the compliance status of all your Config rules, navigate to the **Account details** page in the AWS Control Tower console. You will see a list showing the compliance status of controls managed by AWS Control Tower and Config rules deployed outside of AWS Control Tower. You can identify any non-compliant AWS Config rule.

**Preventive control status**

The compliance status of preventive controls on an OU may be viewed on the **OU detail** page, by scrolling to the **Enabled controls** section. If any preventive controls are misconfigured for an OU, the **State** field for that OU may show the state of **Registration failed**, in the **Details** section near the top of the page. Preventive control misconfiguration is caused most often by SCP drift, which can occur if the control's SCP is modified or detached from the OU by means of the AWS Organizations console.

**Proactive control status**

The control compliance status also can be viewed on other pages:
+ On the AWS Control Tower **Dashboard** page, by scrolling to the **Controls** section near the bottom of the page.
+ On the **Control details** page, which you can view by selecting the name of a control on another page.

**Note**  
The **State** of a control, as viewed in the AWS Control Tower console, reflects only the enabled or de-activated state of the control for a specific OU. This field does not reflect any information about the framework compliance status or the drift status of the landing zone environment. The control **State** and **Status** information is available in the console only. It is not available from the public API. To view the control status, navigate to the **Control details** page in the AWS Control Tower console.

**Nested OUs and compliance**

When an OU shows a status of **Noncompliant**, it means that one of the accounts directly under the OU contains noncompliant resources. The compliance status of an OU is not influenced by the compliance status of nested OUs under the OU, or the compliance status of any accounts that are not directly under the OU.

**Other resources**

If an account has any non-compliant resources, that account may be shown with **Noncompliant** status on the **OU** or **Account** page in the AWS Control Tower console. Details about the specific resources that have caused the non-compliant status are shown on the **Account details** page.

If an account shows **Compliant** status, that means it has no resources that are non-compliant; therefore, no resource details are shown on the **Account details** page, only an empty table.

**Receive compliance status updates**

To receive updates about compliance, you can subscribe to SNS topics that send notifications when resource compliance status changes. See [Compliance notifications by SNS in the audit account](receive-notifications.md), later in this chapter.

For more information on how AWS Control Tower collects information about resources, see the [AWS Config Aggregator Documentation](https://docs.aws.amazon.com//config/latest/developerguide/aggregate-data.html).

**Drift changes the compliance status for OU and account resources**  
Drifted resources may be shown with status **Unknown** in the **Compliance** status field of the AWS Control Tower console. The **Unknown** state indicates that AWS Control Tower cannot determine the compliance status of the resource, because drift is present. Drift is not necessarily a detective control compliance violation. For more information about drift, see [Detect and resolve drift in AWS Control Tower](https://docs.aws.amazon.com//controltower/latest/userguide/drift.html).  
In another case of this type of drift, resources may be shown as compliant when they are not. If you delete an AWS Config rule, or if you turn off the Config recorder, compliance status may be reflected inaccurately in the console, because compliance no longer can be evaluated. For example, if you turn off the Config recorder, the last evaluated status continues to appear in the console. Similarly, if you delete an AWS Config rule, the resources covered by that rule always appear to be compliant. In this situation, your environment could have some non-compliant resources that are not reported. Avoid deleting or turning off your AWS Config resources.

# AWS Control Tower compliance status for OUs and accounts
Compliance status in the console

Compliance is reported in the AWS Control Tower dashboard for accounts and OUs. This section lists the possible categories of compliance and non-compliance in AWS Control Tower, assuming that controls are enabled for an account or an OU.
+ **For an account or OU:** A compliance status of **Compliant**, **Noncompliant**, or **Unknown** is possible. The compliance status refers to the status of the resources associated with a single account, or the status of all accounts in an OU that has multiple controls enabled on it. The account or OU compliance status can be found on the account or OU detail pages.

**Note**  
The **State** of a control, as viewed in the AWS Control Tower console, reflects only the enabled or de-activated state of the control for a specific OU. This field does not reflect any information about the framework compliance status or the drift status of the landing zone environment. The control **State** and **Status** information is available in the AWS Control Tower console. Enabled controls can be viewed through the public API.

**The following list gives more information about compliance status as reported specifically for OUs and their member accounts.**
+ **`Compliant`** – Compliance rules are properly in place. No violations have been detected for any resources. Controls are applied at the OU level, for all enrolled accounts in the OU, and their resources.
  + **Reported for:** Detective controls (AWS Config Rules)
  + **What it checks:**
    + Any individual detective control that's applied to the member accounts in an OU
    + Multiple detective controls that are applied to the member accounts in an OU
+ **`Noncompliant`** – Compliance rules are in place. However, non-compliant resources have been detected in one or more member accounts in the OU.
  + **Reported for:** Detective controls (AWS Config Rules)
  + **What it checks:**
    + Any individual detective control that's applied to the member accounts in an OU
    + Multiple detective controls that are applied to the member accounts in an OU

**The following status can be reported for any account, control, or OU.**
+ **`Unknown`** – A compliance rule is broken or compliance cannot be guaranteed.
  + **Reported for:**
    + Detective controls (AWS Config Rules)
    + Preventive controls (SCPs)
  + **What it checks:**
    + Any detective control that's enabled on any accounts that are members of an OU. Controls are enabled at the OU level.
    + Any preventive control that's enabled on any accounts that are members of an OU. Controls are enabled at the OU level.
    + Basically anything with a compliance status (account, control, resource, or OU).

# Drift prevention and notification


You can enable certain controls and subscribe to certain SNS notifications that help you maintain compliance in AWS Control Tower.

**Note**  
AWS Control Tower no longer sends drift notifications to the SNS topic for customers on LZ4.0. Customers on LZ4.0 should follow the [EventBridge Notification setup](https://docs.aws.amazon.com//controltower/latest/userguide/governance-drift.html#eventbridge-creation).

**Drift monitoring protection**

AWS Control Tower provides passive and active methods of drift monitoring protection for preventive controls.
+ **Passive protection:** AWS Organizations monitors and logs preventive control (SCP) drift.
+ **Active protection:** The AWS Control Tower [drift monitoring service](https://docs.aws.amazon.com//controltower/latest/userguide/drift.html#scp-invariance-scans) actively scans the preventive control SCPs, on a regular basis.

AWS Control Tower notifies you by means of SNS messaging, if drift is detected.

**Drift prevention** 

Some controls prevent modification of compliance reporting mechanisms.
+ [Disallow Changes to AWS Config Rules Set Up by AWS Control Tower](mandatory-controls.md#config-rule-disallow-changes) (Mandatory, preventive control)
+ [Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower](mandatory-controls.md#config-aggregation-authorization-policy) (Mandatory, preventive control)
+ [Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources](mandatory-controls.md#cloudwatch-disallow-config-changes) (Mandatory, preventive control)
+ [Disallow Configuration Changes to AWS Config](mandatory-controls.md#config-disallow-changes) (Mandatory, preventive control)

In contrast to preventive controls, detective controls notify you of resources that violate the associated AWS Config rule.

**To receive SNS notifications about drift and control compliance**

For information about how to receive appropriate drift and control compliance notifications by Amazon SNS, see [Compliance notifications by SNS in the audit account](receive-notifications.md).

## Publishers and subscribers for SNS topics


**The `aws-controltower-AllConfigNotifications` topic:**
+ The `AWS::Config::DeliveryChannel` resource is configured to send notifications about configuration changes to this topic.
+ The possible types of notifications that AWS Config can send are defined in the [**Amazon SNS Topic** section](https://docs.aws.amazon.com//config/latest/developerguide/how-does-config-work.html#delivery-channel) of the AWS Config documentation.
+ The `AWS::CloudTrail::Trail` resource is configured to send notifications of log file delivery to this topic.
+ You may subscribe to this topic.

**The `aws-controltower-SecurityNotifications` topic:**
+ The `AWS::Events::Rule` resource is configured to send notifications about AWS Config Rule compliance changes (one of the SNS notification types) to this topic.
+ The `aws-controltower-NotificationForwarder` Lambda function is subscribed to this topic, and it forwards the SNS notifications to the `aws-controltower-AggregateSecurityNotifications` topic.

**The `aws-controltower-AggregateSecurityNotifications` topic:**
+ This topic receives notifications from `aws-controltower-SecurityNotifications`, forwarded by the Lambda function.
+ It also receives drift notifications in the home Region.
+ When AWS Control Tower creates the topic, a subscription is added for the audit account email address, and you must confirm the subscription.

**Note**  
The endpoint, such as an email address, must confirm each subscription; SNS doesn’t send messages to an endpoint until the subscription is confirmed.

# Compliance notifications by SNS in the audit account
Compliance notifications by SNS and email

**Note**  
AWS Control Tower no longer sends drift notifications to the SNS topic for customers on LZ4.0. Customers on LZ4.0 should follow the [EventBridge Notification setup](https://docs.aws.amazon.com//controltower/latest/userguide/governance-drift.html#eventbridge-creation).

To receive compliance change notifications in email sent to your audit account, subscribe to this Amazon SNS topic:

`arn:aws:sns:AWSRegion:AuditAccount:aws-controltower-AggregateSecurityNotifications` 

When subscribing, substitute your actual AWS Control Tower home Region and audit account information into the topic name shown. You can subscribe to SNS topics that receive notifications about each supported AWS Region in which you run AWS Control Tower.

**SNS topics and notifications you can receive**
+ The `aws-controltower-AllConfigNotifications` topic:

  It receives notifications from AWS Config regarding compliance, noncompliance, and change. It also receives notification from AWS CloudTrail on log file delivery.
+ The `aws-controltower-SecurityNotifications` topic:

  One of these topics exists for each supported AWS Region. It receives compliance, noncompliance, and change notifications from AWS Config in that Region. It forwards all incoming notifications to `aws-controltower-AggregateSecurityNotifications`.
+ The `aws-controltower-AggregateSecurityNotifications` topic:

  This topic exists in each supported AWS Region. It receives compliance change notifications from the Region-specific `aws-controltower-SecurityNotifications` topics. In the home Region, it also receives drift notifications.

**Other considerations about SNS topics:**
+ All of these topics exist and receive notifications in the Audit account.
+ By default, the Audit account email address is subscribed to the `aws-controltower-AggregateSecurityNotifications` SNS topic.
+ SNS topics in AWS Control Tower are extremely noisy, by design. For example, AWS Config sends a notification every time AWS Config discovers a new resource.
+ Administrators who wish to filter out specific types of notifications from an SNS topic can create an AWS Lambda function and subscribe it to the SNS topic. Alternatively, you can set up an EventBridge rule to filter notifications, as described in this support article, [How can I be notified when an AWS resource is non-compliant using AWS Config?](https://aws.amazon.com//premiumsupport/knowledge-center/config-resource-non-compliant/)
+ AWS Config notifications contain a JSON object.
+ AWS Control Tower drift notifications appear in plain text.
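As an added example that is not part of the AWS documentation: a Lambda handler of the kind mentioned above, subscribed to one of these topics, that keeps only AWS Config compliance changes to `NON_COMPLIANT` and plain-text drift notifications, and drops the configuration-item notifications that make the topics noisy. The sample event, rule name and account ID are constructed; the message fields follow the AWS Config compliance-change notification JSON.

```python
import json

# Constructed sample SNS event (not captured from a real account): an AWS Config
# compliance-change notification, a configuration-item change (emitted for every
# newly discovered resource) and a plain-text AWS Control Tower drift notification.
SAMPLE_EVENT = {"Records": [
    {"Sns": {"Message": json.dumps({
        "messageType": "ComplianceChangeNotification",
        "configRuleName": "ct-s3-disallow-public-write",  # constructed rule name
        "resourceType": "AWS::S3::Bucket", "resourceId": "example-bucket",
        "awsAccountId": "111111111111", "awsRegion": "us-east-1",
        "oldEvaluationResult": {"complianceType": "COMPLIANT"},
        "newEvaluationResult": {"complianceType": "NON_COMPLIANT"}})}},
    {"Sns": {"Message": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {"resourceType": "AWS::EC2::Instance"}})}},
    {"Sns": {"Message": "AWS Control Tower has detected drift in OU Sandbox."}},
]}

def classify(message):
    """Sort one SNS message into ('drift', text), ('noncompliant', details) or ('ignore', why)."""
    try:
        body = json.loads(message)
    except json.JSONDecodeError:
        # Drift notifications are plain text, so a JSON parse failure is the signal.
        return ("drift", message.strip())
    if not isinstance(body, dict):
        return ("ignore", "JSON message is not an object")
    if body.get("messageType") != "ComplianceChangeNotification":
        return ("ignore", body.get("messageType", "missing messageType"))
    new = (body.get("newEvaluationResult") or {}).get("complianceType")
    if new != "NON_COMPLIANT":
        # Transitions to COMPLIANT, NOT_APPLICABLE or INSUFFICIENT_DATA are not alerted.
        return ("ignore", f"compliance changed to {new}")
    return ("noncompliant", {
        "rule": body.get("configRuleName"),
        "resource": f'{body.get("resourceType")}/{body.get("resourceId")}',
        "account": body.get("awsAccountId"), "region": body.get("awsRegion"),
        "previous": (body.get("oldEvaluationResult") or {}).get("complianceType"),
    })

def lambda_handler(event, context=None):
    """Lambda entry point: keep only the records worth alerting on, count the rest."""
    alerts, dropped = [], 0
    for record in event.get("Records", []):
        kind, payload = classify(record["Sns"]["Message"])
        if kind == "ignore":
            dropped += 1
        else:
            alerts.append({"kind": kind, "detail": payload})
    return {"alerts": alerts, "dropped": dropped}
```

Subscribe the function to `aws-controltower-AggregateSecurityNotifications` in the Audit account and forward the returned alerts to the channel of your choice.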

## The AWS Config SNS topic policy


The AWS Config SNS topic policy contains the `aws:SourceOrgID` condition key. The condition limits `sns:Publish` to requests that the AWS Config and CloudTrail services make on behalf of resources in your own organization, so the same services acting for accounts outside your organization cannot publish to the topic. The policy is shown in the following example.

```yaml
SNSAllConfigurationTopicPolicy:
  Type: AWS::SNS::TopicPolicy
  Properties:
    Topics:
      - !Ref SNSAllConfigurationTopic
    PolicyDocument:
      Statement:
        - Sid: AWSSNSPolicy
          Action:
            - sns:Publish
          Effect: Allow
          Resource: !Ref SNSAllConfigurationTopic
          Principal:
            Service:
              - cloudtrail.amazonaws.com
              - config.amazonaws.com
          Condition:
            StringEquals:
              aws:SourceOrgID: !Ref OrganizationId
```
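As an added example that is not part of the AWS documentation: a small checker that takes an SNS topic policy document in its resolved JSON form (what the CloudFormation snippet above becomes once the `!Ref` values are filled in) and reports Allow statements that grant `sns:Publish` to a service principal without an `aws:SourceOrgID`, `aws:SourceOrgPaths`, `aws:SourceAccount` or `aws:SourceArn` condition. The topic ARN, organization ID and the unscoped variant are constructed.

```python
# Constructed topic policies (not read from a real account). SCOPED_POLICY mirrors
# the page's statement once CloudFormation resolves the !Ref values; UNSCOPED_POLICY
# omits the aws:SourceOrgID condition, so the AWS Config or CloudTrail service
# acting for any AWS account could publish to the topic.
TOPIC_ARN = "arn:aws:sns:us-east-1:111111111111:aws-controltower-AllConfigNotifications"
ORG_ID = "o-exampleorgid"  # placeholder organization ID

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSSNSPolicy", "Effect": "Allow",
    "Principal": {"Service": ["cloudtrail.amazonaws.com", "config.amazonaws.com"]},
    "Action": ["sns:Publish"], "Resource": TOPIC_ARN,
    "Condition": {"StringEquals": {"aws:SourceOrgID": ORG_ID}}}]}

UNSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AWSSNSPolicy", "Effect": "Allow",
    "Principal": {"Service": "config.amazonaws.com"},
    "Action": "sns:Publish", "Resource": TOPIC_ARN}]}

# Condition keys that tie a service-principal grant to your own resource, account
# or organization (compared case-insensitively, as IAM does for condition keys).
SOURCE_KEYS = {"aws:sourceorgid", "aws:sourceorgpaths", "aws:sourceaccount", "aws:sourcearn"}
PUBLISH_ACTIONS = {"sns:publish", "sns:*", "*"}  # exact matches only; no partial wildcards


def _as_list(value):
    """IAM lets most policy elements be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_unscoped_publish(policy):
    """Return the Sids of Allow statements that let a service publish with no source condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        principal = stmt.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or not services:
            continue  # only service-principal grants carry the confused-deputy risk checked here
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & PUBLISH_ACTIONS:
            continue
        keys = {k.lower() for operator in stmt.get("Condition", {}).values() for k in operator}
        if not keys & SOURCE_KEYS:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings
```

Run it against the output of `aws sns get-topic-policy` for each Control Tower topic after parsing the `Policy` attribute as JSON.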