

# Using controls to govern resources and monitor compliance
<a name="controls"></a>

[AWS Control Tower controls](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) are high-level rules that provide ongoing governance and enforce specific policies for your AWS environment. Controls can be applied to organizational units (OUs) and have three different types: *preventive*, *detective*, and *proactive*.
+ **Preventive controls** help ensure that your accounts maintain compliance by disallowing actions that cause policy violations. Preventive controls are implemented with [service control policies (SCPs)](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html), which are part of AWS Organizations. For example, the control [Disallow Actions as a Root User](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-auser-actions) helps ensure that the high-privilege root user can't be used for unrestricted access to all resources in an account. Instead, users are forced to use more restricted IAM roles.
+ **Detective controls** continuously monitor resources to detect non-compliance in your accounts, and then provide alerts through the dashboard. For example, the control [Detect Whether Unrestricted Incoming TCP Traffic is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#rdp-disallow-internet) can detect whether a security group is set up with unrestricted incoming TCP traffic and alert the user to restrict their incoming protocols. Detective controls are implemented by using [AWS Config Rules](https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) and AWS Lambda functions.
+ **Proactive controls** use [AWS CloudFormation Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/what-is-cloudformation-hooks.html) to help ensure that custom configuration and compliance checks are automatically enforced during the deployment of CloudFormation resources. These controls make it easier to maintain a secure and compliant AWS environment.
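To make the detective-control mechanism concrete, here is an added example (not code from this guide or from AWS Control Tower) of the Lambda side of a custom AWS Config rule in the spirit of "Detect Whether Unrestricted Incoming TCP Traffic is Allowed". It assumes the AWS Config configuration-item layout for `AWS::EC2::SecurityGroup` (camelCase keys such as `ipPermissions`, `ipRanges`, `cidrIp`), a hypothetical rule parameter `allowedPorts` for ports you deliberately expose (such as 443 on a web tier), and a constructed sample event; the security-group ID and token are made up.

```python
import json

# Source ranges that mean "anyone on the internet".
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def unrestricted_tcp_rules(ip_permissions, allowed_ports=frozenset()):
    """Return the inbound rules that let the whole internet reach TCP ports.

    ip_permissions follows the AWS Config configuration-item layout for
    AWS::EC2::SecurityGroup (assumption of this example). A rule with
    ipProtocol "-1" (all traffic) includes TCP and has no port range, so it is
    always reported. A TCP rule is tolerated only when every port in its range
    is in allowed_ports.
    """
    findings = []
    for perm in ip_permissions:
        proto = perm.get("ipProtocol")
        if proto not in ("tcp", "-1"):
            continue
        open_sources = [r["cidrIp"] for r in perm.get("ipRanges", []) if r.get("cidrIp") in OPEN_CIDRS]
        open_sources += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", []) if r.get("cidrIpv6") in OPEN_CIDRS]
        if not open_sources:
            continue
        if proto == "tcp":
            ports = range(perm["fromPort"], perm["toPort"] + 1)
            if set(ports) <= set(allowed_ports):
                continue  # deliberately exposed, e.g. 443 on a public web tier
            port_text = f"tcp {ports.start}-{ports.stop - 1}" if len(ports) > 1 else f"tcp {ports.start}"
        else:
            port_text = "all protocols and ports"
        findings.append(f"{port_text} from {', '.join(open_sources)}")
    return findings


def evaluate_configuration_item(item, allowed_ports=frozenset()):
    """Build one AWS Config evaluation for a configuration item."""
    if item["resourceType"] != "AWS::EC2::SecurityGroup":
        compliance, annotation = "NOT_APPLICABLE", "Rule only evaluates security groups."
    elif item["configurationItemStatus"] in ("ResourceDeleted", "ResourceDeletedNotRecorded"):
        compliance, annotation = "NOT_APPLICABLE", "Resource was deleted."
    else:
        findings = unrestricted_tcp_rules(item["configuration"].get("ipPermissions", []), allowed_ports)
        if findings:
            compliance = "NON_COMPLIANT"
            annotation = "Unrestricted inbound TCP: " + "; ".join(findings)
        else:
            compliance, annotation = "COMPLIANT", "No inbound TCP rule is open to the internet."
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],  # AWS Config caps annotations at 256 characters
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


def lambda_handler(event, context=None, config_client=None):
    """Entry point for a Lambda-backed custom AWS Config rule.

    The evaluation is returned so callers can inspect it; it is reported to
    AWS Config only when a boto3 "config" client is passed in, which keeps the
    function runnable offline.
    """
    invoking_event = json.loads(event["invokingEvent"])
    params = json.loads(event.get("ruleParameters") or "{}")
    allowed_ports = {int(p) for p in params.get("allowedPorts", "").split(",") if p.strip()}
    evaluation = evaluate_configuration_item(invoking_event["configurationItem"], allowed_ports)
    if config_client is not None:
        config_client.put_evaluations(Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


# Constructed sample event: a web-tier group with 443 open to the world
# (tolerated via allowedPorts), SSH on 22 open to the world (flagged), and a
# database port reachable only from the VPC (ignored).
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "messageType": "ConfigurationItemChangeNotification",
        "configurationItem": {
            "resourceType": "AWS::EC2::SecurityGroup",
            "resourceId": "sg-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2024-01-01T00:00:00.000Z",
            "configuration": {"groupName": "web-tier", "ipPermissions": [
                {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22, "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
                {"ipProtocol": "tcp", "fromPort": 3306, "toPort": 3306, "ipRanges": [{"cidrIp": "10.0.0.0/16"}], "ipv6Ranges": []},
            ]},
        },
    }),
    "ruleParameters": json.dumps({"allowedPorts": "80,443"}),
    "resultToken": "constructed-result-token",
}

if __name__ == "__main__":
    print(json.dumps(lambda_handler(SAMPLE_EVENT), indent=2))
```

In a deployed rule the handler receives the event from AWS Config and would be given `boto3.client("config")`; the pure `unrestricted_tcp_rules` function is what you would unit-test and extend (for example, to treat the IPv6 `::/0` case differently or to ignore groups that are not attached to anything).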

**Note**  
SCPs (preventive controls) don't have any effect in the management account. The root user and IAM administrators in the management account can perform any action that is denied in an SCP. This ensures that the management account retains full administrative control over the organization and can't be accidentally locked out by any SCP errors. All actions that are performed in the management account are still tracked by AWS CloudTrail and the AWS Config recorder and stored in the Log Archive account.

**Control guidance levels**

AWS Control Tower controls have three different guidance levels: [mandatory](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html), [strongly recommended](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html), and [elective](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html).

Mandatory controls are automatically enabled and enforced by AWS Control Tower. Strongly recommended controls are optional and based on AWS best practices. Elective controls are also optional but are commonly used by enterprises. For more information, see the [controls library](https://docs.aws.amazon.com/controltower/latest/controlreference/controls-reference.html) in the AWS Control Tower documentation.

**Note**  
You can use custom SCPs and AWS Config Rules for additional detection and prevention. These aren't implemented in AWS Control Tower but can be implemented in AWS Organizations and AWS Config.

**Limitations for preventive controls**

You can have a maximum of five SCPs attached to an OU and a maximum of five OU levels. This includes both custom SCPs and AWS Control Tower–created SCPs, so try to consolidate your SCPs into fewer documents. (AWS Control Tower will do this automatically for its preventive controls.) If you need more SCPs on an account, you can nest OUs. For example, you can attach a maximum of 25 SCPs when you nest 5 OUs.
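The points above (SCPs act as a Deny filter at every OU level from the root down, they have no effect in the management account, and at most five SCPs per OU and five OU levels) are easier to reason about with a small evaluator. The following is an added example written for this section, not code from the guide or from AWS Organizations: it implements simplified SCP semantics (explicit Deny wins, otherwise some SCP at that level must Allow) for a constructed organization. The policy documents are illustrative: `DENY_ROOT_USER_ACTIONS` is modeled on the idea of the Disallow Actions as a Root User control, and `RESTRICT_REGIONS` is a constructed Region restriction; neither is AWS Control Tower's own managed SCP, and the account ID is a placeholder.

```python
import fnmatch

# Constructed policy documents for this walk-through, not AWS Control Tower's
# managed SCPs. FULL_AWS_ACCESS mirrors the default Allow-everything SCP that
# AWS Organizations attaches; the two Deny policies are illustrative.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_ROOT_USER_ACTIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RestrictRootUser", "Effect": "Deny", "Action": "*", "Resource": "*",
    "Condition": {"StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}}}]}
RESTRICT_REGIONS = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyOutsideApprovedRegions", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "sts:*", "organizations:*", "support:*"],  # global services
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-central-1", "eu-west-1"]}}}]}

MAX_SCPS_PER_OU = 5  # limits stated in the text above
MAX_OU_LEVELS = 5


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(statement, action):
    patterns = _as_list(statement.get("Action", statement.get("NotAction")))
    hit = any(fnmatch.fnmatchcase(action, p) for p in patterns)
    return hit if "Action" in statement else not hit


def _condition_matches(condition, context):
    """Simplified IAM condition logic for the operators the sample policies use."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:  # IAM: a missing key satisfies only negated operators
                if operator.startswith("StringNot"):
                    continue
                return False
            if operator == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, p) for p in _as_list(expected))
            elif operator == "StringNotEquals":
                ok = actual not in _as_list(expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _level_decision(policies, action, context):
    """One OU level: an explicit Deny wins; otherwise some SCP must Allow."""
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if (_action_matches(statement, action)
                    and _condition_matches(statement.get("Condition", {}), context)):
                if statement["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def attachment_limit_violations(ou_path):
    """List violations of the SCP-per-OU and OU-nesting limits (path is root first)."""
    violations = []
    if len(ou_path) - 1 > MAX_OU_LEVELS:
        violations.append(f"{len(ou_path) - 1} OU levels; limit is {MAX_OU_LEVELS}")
    for name, policies in ou_path:
        if len(policies) > MAX_SCPS_PER_OU:
            violations.append(f"{name} has {len(policies)} SCPs; limit is {MAX_SCPS_PER_OU}")
    return violations


def evaluate(ou_path, action, context, is_management_account=False):
    """Return (decision, ou_name): every level from the root down must allow the request."""
    if is_management_account:
        return ("Allow", None)  # SCPs have no effect in the management account
    violations = attachment_limit_violations(ou_path)
    if violations:
        raise ValueError("; ".join(violations))
    for name, policies in ou_path:
        decision = _level_decision(policies, action, context)
        if decision != "Allow":
            return (decision, name)
    return ("Allow", None)


# Constructed organization: Root -> Workloads OU -> Prod OU (placeholder account ID).
ORG_PATH = [("Root", [FULL_AWS_ACCESS]),
            ("Workloads OU", [FULL_AWS_ACCESS, DENY_ROOT_USER_ACTIONS]),
            ("Prod OU", [FULL_AWS_ACCESS, RESTRICT_REGIONS])]
ROOT_CTX = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root", "aws:RequestedRegion": "eu-central-1"}
ROLE_EU_CTX = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Deployer", "aws:RequestedRegion": "eu-central-1"}
ROLE_US_CTX = {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/Deployer", "aws:RequestedRegion": "us-east-1"}

if __name__ == "__main__":
    print("root user, member account:", evaluate(ORG_PATH, "s3:CreateBucket", ROOT_CTX))
    print("role, approved Region:", evaluate(ORG_PATH, "s3:CreateBucket", ROLE_EU_CTX))
    print("role, other Region:", evaluate(ORG_PATH, "ec2:RunInstances", ROLE_US_CTX))
    print("role, global IAM call:", evaluate(ORG_PATH, "iam:CreateRole", ROLE_US_CTX))
    print("root user, management account:", evaluate(ORG_PATH, "s3:CreateBucket", ROOT_CTX, True))
```

Two things the walk-through makes visible: the root-user Deny attached at the Workloads OU applies to every account below it regardless of what the Prod OU says, and the Region Deny at the Prod OU never reaches accounts in sibling OUs. The evaluator deliberately covers only the condition operators the sample policies use; the real IAM policy language has many more.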

**Automating controls**

AWS Control Tower supports operational concurrency for all controls. That is, you can activate or deactivate multiple preventive and detective controls without having to wait for control operations to complete.

You can automatically activate and deactivate controls by using any of the following with the [AWS Control Tower API](https://docs.aws.amazon.com/controltower/latest/APIReference/Welcome.html):
+ [CloudFormation](https://docs.aws.amazon.com/controltower/latest/controlreference/enable-controls.html)
+ [AWS Command Line Interface (AWS CLI)](https://docs.aws.amazon.com/cli/latest/reference/controltower/enable-control.html)
+ [Language-specific AWS SDKs](https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html#API_EnableControl_SeeAlso)

For more information about automating controls, see [About controls in AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/controls.html) in the AWS Control Tower documentation. The following sections discuss [mandatory controls](mandatory.md), [optional controls](optional.md), and [custom controls](custom.md) in more detail.
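As an added example of automating controls through the AWS Control Tower API with the Python SDK (written for this section; it is not code from the guide or from AWS), the following enables a set of controls on an OU idempotently: it lists what is already enabled, submits every missing `EnableControl` request up front (possible because control operations run concurrently), and only then polls `GetControlOperation`. `ListEnabledControls`, `EnableControl` and `GetControlOperation` are real API operations; the OU ARN and control ARNs are placeholders to replace with values from your organization and the controls library, and `FakeControlTowerClient` is a constructed stand-in for `boto3.client("controltower")` so that the example runs offline.

```python
import time


class FakeControlTowerClient:
    """Constructed stand-in for boto3.client("controltower") so the example runs
    offline. It mimics the three calls used below with the real response shapes;
    pass the real client to run against an organization."""

    def __init__(self, already_enabled=()):
        self.enabled = set(already_enabled)
        self.operations = {}  # operation id -> number of status polls so far

    def list_enabled_controls(self, targetIdentifier, nextToken=None):
        return {"enabledControls": [{"controlIdentifier": c, "targetIdentifier": targetIdentifier}
                                    for c in sorted(self.enabled)]}

    def enable_control(self, controlIdentifier, targetIdentifier):
        op_id = f"op-{len(self.operations) + 1}"  # the real service returns a UUID
        self.operations[op_id] = 0
        self.enabled.add(controlIdentifier)
        return {"operationIdentifier": op_id, "arn": f"{targetIdentifier}/{controlIdentifier}"}

    def get_control_operation(self, operationIdentifier):
        self.operations[operationIdentifier] += 1  # succeeds on the second poll
        status = "SUCCEEDED" if self.operations[operationIdentifier] >= 2 else "IN_PROGRESS"
        return {"controlOperation": {"status": status, "operationType": "ENABLE_CONTROL"}}


def list_enabled(client, target_identifier):
    """Collect every control already enabled on the OU, following pagination."""
    enabled, token = set(), None
    while True:
        kwargs = {"targetIdentifier": target_identifier}
        if token:
            kwargs["nextToken"] = token
        page = client.list_enabled_controls(**kwargs)
        enabled.update(c["controlIdentifier"] for c in page.get("enabledControls", []))
        token = page.get("nextToken")
        if not token:
            return enabled


def ensure_controls(client, target_identifier, control_identifiers):
    """Submit EnableControl for each control not yet enabled on the OU.

    Returns {control: operation id}; controls that were already enabled map to
    None. All requests are submitted before any polling because Control Tower
    runs control operations concurrently.
    """
    already = list_enabled(client, target_identifier)
    operations = {}
    for control in control_identifiers:
        if control in already:
            operations[control] = None
            continue
        resp = client.enable_control(controlIdentifier=control, targetIdentifier=target_identifier)
        operations[control] = resp["operationIdentifier"]
    return operations


def wait_for_operations(client, operations, poll_interval=0.0, max_polls=60):
    """Poll GetControlOperation until each submitted operation leaves IN_PROGRESS.

    Returns {control: final status}; skipped controls report ALREADY_ENABLED and
    operations still running after max_polls report TIMED_OUT.
    """
    status = {c: "ALREADY_ENABLED" for c, op in operations.items() if op is None}
    pending = {c: op for c, op in operations.items() if op is not None}
    for _ in range(max_polls):
        for control, op_id in list(pending.items()):
            state = client.get_control_operation(operationIdentifier=op_id)["controlOperation"]["status"]
            if state != "IN_PROGRESS":
                status[control] = state
                del pending[control]
        if not pending:
            break
        time.sleep(poll_interval)
    for control in pending:
        status[control] = "TIMED_OUT"
    return status


# Placeholder identifiers: substitute your OU ARN and the control ARNs from the controls library.
TARGET_OU = "arn:aws:organizations::111122223333:ou/o-EXAMPLE/ou-EXAMPLE-workloads"
CONTROLS = ["arn:aws:controltower:REGION::control/CONTROL_ID_1",
            "arn:aws:controltower:REGION::control/CONTROL_ID_2",
            "arn:aws:controltower:REGION::control/CONTROL_ID_3"]


def run(client=None, poll_interval=0.0):
    """Enable CONTROLS on TARGET_OU and return each control's final status."""
    client = client or FakeControlTowerClient(already_enabled=[CONTROLS[0]])
    return wait_for_operations(client, ensure_controls(client, TARGET_OU, CONTROLS), poll_interval)


if __name__ == "__main__":
    # For real use: import boto3; print(run(boto3.client("controltower"), poll_interval=15))
    print(run())
```

With the real client, use a poll interval of several seconds and expect `FAILED` as a possible terminal status; the function returns it unchanged so the caller can decide whether to stop a deployment pipeline.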

# Mandatory controls
<a name="mandatory"></a>

Mandatory controls are enforced by AWS Control Tower to protect AWS Control Tower managed resources. You can’t deactivate mandatory controls.

## Documenting mandatory controls for your organization
<a name="mandatory-controls-table"></a>

In your landing zone design document, you can document the mandatory controls that AWS Control Tower enforces by using the following table format. You can extend this table with optional controls and custom controls, as discussed later in this section.

**Note**  
AWS Control Tower controls are continuously updated. For the most up-to-date and complete list of controls, see [Mandatory controls](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html) in the AWS Control Tower documentation.


| **Control** | **Guidance level** | **Behavior** | **Default OU** | **Purpose** | 
| --- |--- |--- |--- |--- |
| [Disallow Changes to Encryption Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-changes-s3-buckets-created) | Mandatory | Preventive | Security OU | Protects the encryption configuration for buckets deployed by AWS Control Tower in the Log Archive account so that encryption cannot be turned off for sensitive logs. | 
| [Disallow Changes to Logging Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-logging-changes-s3-buckets-created) | Mandatory | Preventive | Security OU | Protects the logging configuration for buckets deployed by AWS Control Tower in the Log Archive account so that only AWS Control Tower can make changes to these configurations. | 
| [Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-policy-changes-s3-buckets-created) | Mandatory | Preventive | Security OU | Protects the bucket policies for buckets deployed by AWS Control Tower in the Log Archive account. This helps ensure that only AWS Control Tower can edit the permissions for the centralized logs, and that sensitive logs are secured. | 
| [Disallow Changes to Lifecycle Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-lifecycle-changes-s3-buckets-created) | Mandatory | Preventive | Security OU | Protects the lifecycle configuration for buckets deployed by AWS Control Tower in the Log Archive account so that logs are stored for the required amount of time. | 
| [Disallow Changes to Amazon CloudWatch Logs Log Groups set up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#log-group-deletion-policy) | Mandatory | Preventive | All OUs | Protects the retention policy for the CloudWatch logs set up by AWS Control Tower in the Log Archive account so that only AWS Control Tower can make changes and logs are secured. | 
| [Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#config-aggregation-authorization-policy) | Mandatory | Preventive | All OUs | Protects the AWS Config aggregation authorizations set up by AWS Control Tower in the Audit account. This helps ensure that only AWS Control Tower can modify or disable account authorizations and that all authorization changes can be logged. | 
| [Disallow Deletion of Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#disallow-audit-bucket-deletion) | Mandatory | Preventive | Security OU | Prevents deletion of the S3 buckets created by AWS Control Tower in the Log Archive account. This helps ensure that no one can remove the central log buckets. | 
| [Detect Public Read Access Setting for Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#log-archive-public-read) | Mandatory | Detective | Security OU | Detects changes to read access permissions to the bucket deployed by AWS Control Tower in the Log Archive account. Such changes could risk exposing the central logs to the public. | 
| [Detect Public Write Access Setting for Log Archive](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#log-archive-public-write) | Mandatory | Detective | Security OU | Detects changes to write access permissions to the bucket deployed by AWS Control Tower. Such changes could risk exposing the central logs to the public. | 
| [Disallow Configuration Changes to CloudTrail](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudtrail-configuration-changes) | Mandatory | Preventive | All OUs | Protects the configuration of the organization trail deployed by AWS Control Tower. This helps ensure that only AWS Control Tower can modify the trail. | 
| [Integrate CloudTrail Events with Amazon CloudWatch Logs](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudtrail-integrate-events-logs) | Mandatory | Preventive | All OUs | Protects the CloudTrail event selectors of the organization trail deployed by AWS Control Tower. | 
| [Enable CloudTrail in All Available Regions](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudtrail-enable-region) | Mandatory | Preventive | All OUs | Protects the configuration of the organization trail deployed by AWS Control Tower in all enabled AWS Regions. This helps ensure that CloudTrail always collects logs in all enabled Regions. | 
| [Enable Integrity Validation for CloudTrail Log File](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudtrail-enable-validation) | Mandatory | Preventive | All OUs | Protects the integrity of CloudTrail log files in the organization trail deployed by AWS Control Tower. Enabling integrity validation helps ensure that the digest file created for the logs can always prove that logs have not been modified. | 
| [Disallow Changes to Amazon CloudWatch Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudwatch-disallow-changes) | Mandatory | Preventive | All OUs | Protects the CloudWatch logs set up by AWS Control Tower from modification or removal so that AWS Control Tower log configurations aren't modified. | 
| [Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#cloudwatch-disallow-config-changes) | Mandatory | Preventive | All OUs | Prevents changes to the tags that AWS Control Tower created when you set up the landing zone. This helps secure the AWS Control Tower functionality that is dependent on those tags. | 
| [Disallow Configuration Changes to AWS Config](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#config-disallow-changes) | Mandatory | Preventive | All OUs | Protects the AWS Config configuration set up by AWS Control Tower so that AWS Config recording cannot be modified or stopped. | 
| [Enable AWS Config in All Available Regions](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#config-enable-regions) | Mandatory | Preventive | All OUs | Protects the AWS Config configuration set up by AWS Control Tower so that AWS Config recording cannot be modified or stopped in any AWS Region. | 
| [Disallow Changes to AWS Config Rules Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#config-rule-disallow-changes) | Mandatory | Preventive | All OUs | Protects the AWS Config Rules that are set up by AWS Control Tower to prevent them from being modified or removed. This helps ensure that the controls that are specific to AWS Control Tower are managed by AWS Control Tower only. | 
| [Disallow Changes to AWS IAM Roles Set Up by AWS Control Tower and CloudFormation](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#iam-disallow-changes) | Mandatory | Preventive | All OUs | Prevents changes to the IAM roles that AWS Control Tower created when you set up the landing zone so that the landing zone is secured. | 
| [Disallow Changes to AWS Lambda Functions Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#lambda-disallow-changes) | Mandatory | Preventive | All OUs | Prevents changes to the AWS Lambda functions that are set up by AWS Control Tower so that the landing zone is secured. | 
| [Disallow Changes to Amazon SNS Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#sns-disallow-changes) | Mandatory | Preventive | All OUs | Prevents changes to the Amazon SNS topics that are set up by AWS Control Tower so that the landing zone is secured. | 
| [Disallow Changes to Amazon SNS Subscriptions Set Up by AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#sns-subscriptions-disallow-changes) | Mandatory | Preventive | All OUs | Prevents changes to the Amazon SNS subscriptions that are set up by AWS Control Tower so that the integrity of Amazon SNS subscription settings for your landing zone are secured. | 
| [Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled](https://docs.aws.amazon.com/controltower/latest/controlreference/mandatory-controls.html#ensure-cloudtrail-enabled-mandatory) | Mandatory | Detective | Security OU | Detects whether AWS CloudTrail and AWS CloudTrail Lake are disabled in the accounts under the Security OU. | 

# Optional controls
<a name="optional"></a>

You can enable optional controls on OUs in the organization if you choose. These controls are categorized as *strongly recommended* or *elective* controls. [Strongly recommended controls](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html) are based on best practices for well-architected, multi-account environments. [Elective controls](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html) prevent or track attempts to perform commonly restricted actions in an AWS enterprise environment. Unlike mandatory controls, strongly recommended and elective controls aren't activated by default—you can activate and deactivate them according to your requirements.

## Security and compliance requirements
<a name="compliance"></a>

Make sure that you customize and adapt your control configurations and choices according to your landing zone requirements. The security requirements of your organization determine which controls to use and which OUs to enable them on. Before you select optional controls, you should consider your organization's specific goals, requirements, and compliance needs. Perform a comprehensive risk assessment to identify the specific risks and vulnerabilities that your organization faces in its AWS environment, and gather your security and compliance requirements. After you list your requirements clearly, you can start selecting the optional controls.

## Guidelines
<a name="guidelines"></a>

Strongly recommended controls are rooted in industry best practices for setting up a secure landing zone. Therefore, unless you have specific requirements that prevent their implementation, we recommend that you enable these controls across all OUs where the associated resources are provisioned.

Elective controls encompass industry-specific best practices and are tailored to address the unique security and compliance requirements of certain industries. We recommend that you research the best practices for your industry and adapt the relevant elective controls accordingly. The controls are designed to strengthen the security and compliance of your AWS environment, and adhering to them helps you align with recognized security standards.

However, some OUs might have unique circumstances that warrant exceptions. For example, consider enabling controls related to Amazon Elastic Block Store (Amazon EBS) volume encryption in OUs, such as workload OUs, where sensitive data is expected. Conversely, in a sandbox OU where experimentation is encouraged and no sensitive data is involved, you might have the flexibility to skip certain controls. The key is to balance robust security, compliance, and operational flexibility. Always aim to apply controls where they provide the most value while respecting the specific needs of each OU.

## Documenting optional controls for your organization
<a name="optional-controls-table"></a>

You can use a table similar to the following in your design document to mark which optional controls should be enabled on which OUs. You can extend this table with information about the mandatory and custom controls you're using in your organization.

This table includes both strongly recommended and elective controls. The AWS Security Hub CSPM standard controls, data residency controls, and proactive controls are additional optional controls that you can append to the table. These are described later in this section.

The following table shows example configurations and OUs that you should adjust for your specific security and compliance requirements.

**Note**  
AWS Control Tower controls are continuously updated. For the most up-to-date and complete list, see [Optional controls](https://docs.aws.amazon.com/controltower/latest/controlreference/optional-controls.html) in the AWS Control Tower documentation.


| **Control** | **Guidance level** | **Behavior** | **Security OU** | **Infrastructure OU** | **Suspended OU** | **Workloads OU** | **Deployments OU** | **Sandbox OU** | **Purpose** | 
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
| [Disallow Creation of Access Keys for the Root User](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-access-keys) | Strongly recommended | Preventive | Yes | Yes | Yes | Yes | Yes | Yes | Reduces the risk of unauthorized access to the sensitive root user. | 
| [Disallow Actions as a Root User](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-root-auser-actions) | Strongly recommended | Preventive | Yes | Yes | Yes | Yes | Yes | Yes | Reduces the impact of unauthorized access to the sensitive root user. | 
| [Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#ebs-enable-encryption) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Ensures that encryption is enabled to strengthen data security, maintain compliance, mitigate risks, or align with security best practices. | 
| [Detect Whether Unrestricted Incoming TCP Traffic is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#rdp-disallow-internet) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Helps reduce the network attack surface for TCP traffic. | 
| [Detect Whether Unrestricted Internet Connection Through SSH is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#ssh-disallow-internet) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Helps reduce the network attack surface for SSH traffic. | 
| [Detect Whether MFA for the Root User is Enabled](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#enable-root-mfa) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | Yes | Helps reduce the risk of unauthorized access to the sensitive root user through multi-factor authentication. | 
| [Detect Whether Public Read Access to Amazon S3 Buckets is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#s3-disallow-public-read) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Mitigates the risk of unauthorized read access to sensitive data by identifying S3 buckets that might be publicly accessible. | 
| [Detect Whether Public Write Access to Amazon S3 Buckets is Allowed](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#s3-disallow-public-write) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Mitigates the risk of unauthorized write access to sensitive data by identifying S3 buckets that might be publicly accessible. | 
| [Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-unattached-ebs) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Detects whether an Amazon EBS volume device persists independently from an Amazon EC2 instance. | 
| [Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-not-ebs-optimized) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Detects EC2 instances where performance and cost can be improved by using Amazon EBS optimization. | 
| [Detect Whether Public Access to Amazon RDS Database Instances is Enabled](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-rds-public-access) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Detects publicly accessible Amazon Relational Database Service (Amazon RDS) database instances to secure sensitive data. | 
| [Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-rds-snapshot-public-access) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | Yes | Detects publicly accessible Amazon RDS database snapshots to secure sensitive data. | 
| [Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#disallow-rds-storage-unencrypted) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies unencrypted Amazon RDS instances to mitigate risk of sensitive data exposure. | 
| [Detect whether an account has AWS CloudTrail or CloudTrail Lake enabled](https://docs.aws.amazon.com/controltower/latest/controlreference/strongly-recommended-controls.html#ensure-cloudtrail-enabled-recommended) | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | Yes | Ensures that proper monitoring is enabled by using CloudTrail. | 
| [Disallow Changes to Replication Configuration for Amazon S3 Buckets](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#disallow-s3-ccr) | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents unauthorized alterations to replication configurations to ensure consistent data replication and adherence to regulatory requirements. | 
| [Disallow Delete Actions on Amazon S3 Buckets Without MFA](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#disallow-s3-delete-mfa) | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents accidental or malicious deletion of S3 buckets by requiring multi-factor authentication. | 
| [Detect Whether MFA is Enabled for AWS IAM Users](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#disallow-access-mfa) | Elective | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies IAM users that don't have multi-factor authentication enabled, to mitigate the risk of unauthorized access. | 
| [Detect Whether MFA is Enabled for AWS IAM Users of the AWS Console](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#disallow-console-access-mfa) | Elective | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies IAM users in the AWS Management Console that don't have multi-factor authentication enabled, to mitigate the risk of unauthorized access. | 
| [Detect Whether Versioning for Amazon S3 Buckets is Enabled](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#disallow-s3-no-versioning) | Elective | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies S3 buckets where versioning isn't enabled, to mitigate the risk of accidental deletion or modification of data. | 
| [Disallow Changes to Encryption Configuration for Amazon S3 Buckets](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#log-archive-encryption-enabled) | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to encryption configuration of S3 buckets to protect sensitive data. | 
| [Disallow Changes to Logging Configuration for Amazon S3 Buckets](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#log-archive-access-enabled) | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to logging configuration for S3 buckets to ensure consistent and reliable audit logging. | 
| [Disallow Changes to Bucket Policy for Amazon S3 Buckets](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#log-archive-policy-changes) | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to bucket policies for S3 buckets to maintain proper access controls. | 
| [Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#log-archive-retention-policy) | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to lifecycle configurations for S3 buckets to help maintain data management consistency and compliance. | 
| [Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry](https://docs.aws.amazon.com/controltower/latest/controlreference/elective-controls.html#disallow-cfn-extensions) | Elective | Preventive (**Note:** You must enable this control when you activate proactive controls in your environment.) | Yes | Yes | Yes | Yes | Yes | Yes | Prevents unintended management of resource types, modules, and hooks to help ensure the stability and security of infrastructure deployments. | 

## AWS Security Hub CSPM controls
<a name="security-hub"></a>

AWS Control Tower is integrated with AWS Security Hub CSPM through a Security Hub CSPM standard. This integration provides additional controls that help you streamline security and compliance management in your AWS environment.

You can combine more than 230 detective controls from Security Hub CSPM with AWS Control Tower controls to help cover your security and compliance requirements. You can add your selected controls to the table that you set up in the previous section.

**Note**  
To start using Security Hub CSPM controls in AWS Control Tower, go to the AWS Control Tower controls library and enable the desired Security Hub CSPM control. AWS Control Tower takes care of the activation process and creates a new standard named **Service-Managed Standard: AWS Control Tower** in Security Hub CSPM. This standard provides visibility into activated controls and their evaluations, which simplifies monitoring and compliance efforts. For more information, see [Security Hub CSPM standard](https://docs.aws.amazon.com/controltower/latest/controlreference/security-hub-controls.html) in the AWS Control Tower documentation.

## Data residency controls
<a name="data-residency"></a>

Data residency controls enforce data residency requirements in your organization. These elective controls are included in AWS Control Tower to help ensure that your data is stored and processed in compliance with your regulations and policies. You should consider using data residency controls in scenarios such as the following:
+ **Regulatory compliance:** You want to ensure that data is stored and processed in the designated geographic regions to meet regulatory requirements such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), or industry-specific regulations.
+ **International operations:** You want to segment your AWS workloads based on their geographic locations and ensure that data remains within the desired region.
+ **Risk mitigation:** You want to mitigate the risk of data exposure from accidental or unauthorized data transfers across regions, to reduce the risk of data leakage or non-compliance.
+ **Data sovereignty:** You run workloads in countries that have laws that require data to remain within the country's borders.
+ **Data classification:** You want to classify data based on its sensitivity or regulatory requirements, and then apply specific policies to each data classification.

It is essential to thoroughly understand your organization's data residency requirements and the relevant regulations before implementing data residency controls in AWS Control Tower.

### Documenting data residency controls for your organization
<a name="data-residency-controls"></a>

When you design your data residency controls, you can use the optional controls table provided previously in this section and append the data residency controls that you have selected to meet your requirements. The following table lists the existing controls and examples of when to use them.

**Note**  
AWS Control Tower controls are continuously updated. For the most up-to-date and complete list of controls, see [Controls that enhance data residency protection](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html) in the AWS Control Tower documentation.


| **Control** | **Guidance level** | **Behavior** | **Default OU** | **Purpose** | 
| --- |--- |--- |--- |--- |
| [Deny access to AWS based on the requested AWS Region](https://docs.aws.amazon.com/controltower/latest/controlreference/primary-region-deny-policy.html) | Elective | Preventive | All OUs, if enabled in AWS Control Tower landing zone settings. | Ensures that AWS resources are provisioned only in approved AWS Regions, aligning with data residency and compliance requirements. (This control is frequently referred to as the Region deny control.) | 
| [Disallow internet access for an Amazon VPC instance managed by a customer](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#disallow-vpc-internet-access) | Elective | Preventive | — | Prevents internet access in VPCs to reduce the risk of unauthorized access or data exposure to the public when there are data residency and privacy requirements. | 
| [Disallow AWS Virtual Private Network (Site-to-Site VPN) connections](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#prevent-vpn-connection) | Elective | Preventive | — | Restricts VPN connections to guard against unauthorized access, data exfiltration, or bypassing security controls. | 
| [Disallow cross-region networking for Amazon EC2, Amazon CloudFront, and AWS Global Accelerator](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#prevent-cross-region-networking) | Elective | Preventive | — | Prevents cross-Region networking to maintain data residency and help ensure that data remains within approved Regions. Public access could inadvertently lead to data being distributed outside these boundaries. | 
| [Detect whether public IP addresses for Amazon EC2 autoscaling are enabled through launch configurations](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#autoscaling-launch-config-public-ip-disabled) | Elective | Detective | — | Monitors and controls the exposure of instances to the public internet. This helps reduce the attack surface and risk of unauthorized access that might compromise data residency and security. | 
| [Detect whether replication instances for AWS Database Migration Service are public](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#dms-replication-not-public) | Elective | Detective | — | Ensures that replication instances aren't publicly accessible, which helps protect sensitive data from unauthorized access and data residency violations. | 
| [Detect whether Amazon EBS snapshots are restorable by all AWS accounts](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#ebs-snapshot-public-restorable-check) | Elective | Detective | — | Limits access to EBS snapshots to help prevent unauthorized access, data breaches, and potential non-compliance with data residency regulations. | 
| [Detect whether any Amazon EC2 instance has an associated public IPv4 address](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#ec2-instance-no-public-ip) | Elective | Detective | — | Helps identify and mitigate security risks associated with instances that have public IP addresses. These instances might be more vulnerable to attacks. | 
| [Detect whether Amazon S3 settings to block public access are set as true for the account](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#s3-account-level-public-access-blocks-periodic) | Elective | Detective | — | Enforces strict access controls on Amazon S3 buckets to prevent unauthorized public access to sensitive data, to align with data residency and privacy needs. | 
| [Detects whether an Amazon EKS endpoint is blocked from public access](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#eks-endpoint-no-public-access) | Elective | Detective | — | Ensures that Amazon Elastic Kubernetes Service (Amazon EKS) cluster endpoints aren't accessible from the public internet. This helps prevent unauthorized sharing of sensitive data that might compromise data residency requirements. | 
| [Detect whether an Amazon OpenSearch Service domain is in Amazon VPC](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#elasticsearch-in-vpc-only) | Elective | Detective | — | Ensures that Amazon OpenSearch Service domain endpoints aren't public. Deploying these domains within VPCs improves data security by preventing public access and maintaining data residency within trusted network boundaries. | 
| [Detect whether any Amazon EMR cluster master nodes have public IP addresses](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-detective-controls.html#emr-master-no-public-ip) | Elective | Detective | — | Reduces security risks of compromising data residency requirements by ensuring that Amazon EMR cluster master nodes don't have publicly accessible IP addresses. | 
| [Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#lambda-function-public-access-prohibited) | Elective | Detective | — | Controls access to AWS Lambda functions and prevents unauthorized public invocation or exposure of sensitive functions. | 
| [Detect whether public routes exist in the route table for an Internet Gateway (IGW)](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#no-unrestricted-route-to-igw) | Elective | Detective | — | Helps maintain network security by ensuring that public routes through an internet gateway are configured only where necessary. | 
| [Detect whether Amazon Redshift clusters are blocked from public access](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#redshift-cluster-public-access-check) | Elective | Detective | — | Ensures that Amazon Redshift clusters aren't publicly accessible. This helps protect clusters from unauthorized access that could compromise data residency. | 
| [Detect whether an Amazon SageMaker AI notebook instance allows direct internet access](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#sagemaker-notebook-no-direct-internet-access) | Elective | Detective | — | Helps prevent direct internet access to SageMaker AI notebook instances to align with data residency and security requirements, and to reduce exposure to potential threats. | 
| [Detect whether any Amazon VPC subnets are assigned a public IP address](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#subnet-auto-assign-public-ip-disabled) | Elective | Detective | — | Helps maintain network isolation to reduce the risk of unauthorized data exposure and data residency violations. | 
| [Detect whether AWS Systems Manager documents owned by the account are public](https://docs.aws.amazon.com/controltower/latest/controlreference/data-residency-controls.html#ssm-document-not-public) | Elective | Detective | — | Helps ensure that Systems Manager documents aren't publicly accessible. This helps protect sensitive data and maintain data residency and security. | 

## Proactive controls
<a name="proactive"></a>

Proactive controls are optional controls that are implemented with [CloudFormation Hooks](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/what-is-cloudformation-hooks.html#hooks-characteristics). This mechanism enables you to run custom logic during the deployment of CloudFormation stacks to monitor and validate the configuration settings and resources that are defined in the CloudFormation templates. If proactive controls detect any deviations or non-compliance issues, they can take immediate action, such as halting the deployment, sending notifications, or initiating remediation processes, to help mitigate potential risks and maintain the desired security posture.

Proactive controls in AWS Control Tower help you identify and address issues before they become vulnerabilities or compliance violations, and ensure a robust and well-governed AWS environment. These controls are designed to complement the existing guardrails and controls within AWS Control Tower. They can provide an additional layer of security and compliance assurance, especially in scenarios where early prevention and continuous monitoring are essential. However, the specific proactive controls you choose to implement should align with your organization's goals, risk profile, and compliance needs. If your organization has specific security requirements that go beyond the default AWS Control Tower controls, you can customize proactive controls to meet these needs.

These controls are categorized by service and listed in the [Proactive controls](https://docs.aws.amazon.com/controltower/latest/controlreference/proactive-controls.html) section of the AWS Control Tower documentation. You can choose from a large selection of controls and add them to your selected controls table.

**Note**  
CloudFormation Hooks isn't supported in all AWS Regions where AWS Control Tower is available. Therefore, when you deploy a proactive control, it might not operate in all AWS Regions that you govern with AWS Control Tower.

# Custom controls
<a name="custom"></a>

After you have conducted your risk assessment, identified your security and compliance requirements, and selected the AWS Control Tower controls that address those requirements, there might be some requirements that still aren't covered. You can implement custom service control policies (SCPs), AWS Config Rules, and CloudFormation Hooks to cover these requirements. However, these controls aren't implemented as AWS Control Tower controls; they're implemented outside AWS Control Tower.

The following table provides examples of custom controls that you can append to your controls table.


| **Control** | **Guidance level** | **Behavior** | **Security OU** | **Infrastructure OU** | **Suspended OU** | **Workloads OU** | **Deployments OU** | **Sandbox OU** | **Purpose** | 
| --- |--- |--- |--- |--- |--- |--- |--- |--- |--- |
| Protect Amazon CloudWatch | Custom SCP | Proactive | Yes | Yes | Yes | Yes | Yes | No | Deny `cloudwatch:DeleteAlarms`, `cloudwatch:DeleteDashboards`, `cloudwatch:DisableAlarmActions`, `cloudwatch:PutDashboard`, `cloudwatch:PutMetricAlarm`, `cloudwatch:SetAlarmState` | 
| Enforce encryption for Amazon Simple Storage Service (Amazon S3) buckets | Custom SCP | Proactive | Yes | Yes | Yes | Yes | Yes | No | Deny `s3:PutObject` on the condition that encryption is `false` | 
| AWS Identity and Access Management (IAM) user creation | Custom SCP | Proactive | Yes | Yes | Yes | Yes | Yes | Yes | Deny `iam:CreateUser` | 
| Protect account and billing settings | Custom SCP | Proactive | Yes | Yes | Yes | Yes | Yes | Yes | Deny `aws-portal:ModifyAccount`, `aws-portal:ModifyBilling`, `aws-portal:ModifyPaymentMethods` | 
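As an added example (not code from this guide or from AWS), the following Python models a simplified Region deny SCP for the data residency scenario described earlier and two of the custom SCPs from the table above, together with a small local evaluator for the condition operators those statements use, so you can check which statement would block a given request before attaching the policy to an OU. The approved Regions, the exempt role ARN and the account ID are constructed placeholders, the managed Control Tower Region deny policy differs from this simplified version, and the "encryption is `false`" condition is modelled as the `s3:x-amz-server-side-encryption` header being absent (an assumption).

```python
from fnmatch import fnmatchcase

APPROVED_REGIONS = ["eu-central-1", "eu-west-1"]      # constructed placeholders
EXEMPT_ROLE_ARN = "arn:aws:iam::*:role/ExemptedRole"   # constructed placeholder

# Simplified Region deny SCP: deny everything outside the approved Regions, except
# global services and the exempt role (the managed Control Tower policy differs).
REGION_DENY_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "RegionDeny", "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*",
                  "cloudfront:*", "route53:*"],
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS},
                  "ArnNotLike": {"aws:PrincipalARN": [EXEMPT_ROLE_ARN]}}}]}

# Custom SCPs from the table: unencrypted S3 uploads and IAM user creation.
# Assumption: "encryption is false" is modelled as the SSE header being absent.
CUSTOM_SCP = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenyUnencryptedPut", "Effect": "Deny", "Action": "s3:PutObject",
     "Resource": "*", "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}}},
    {"Sid": "DenyIamUsers", "Effect": "Deny", "Action": "iam:CreateUser", "Resource": "*"}]}

def _condition_met(cond, ctx):
    """Evaluate only the operators used above (StringNotEquals, ArnNotLike, Null)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            want = want if isinstance(want, list) else [want]
            have = ctx.get(key)            # missing keys match negated operators
            if op == "StringNotEquals" and have in want:
                return False
            if op == "ArnNotLike" and any(fnmatchcase(have or "", w) for w in want):
                return False
            if op == "Null" and (have is None) != (want[0] == "true"):
                return False
    return True

def _action_matches(stmt, action):
    """Wildcard match against Action; NotAction inverts the result."""
    acts = stmt.get("Action", stmt.get("NotAction"))
    acts = acts if isinstance(acts, list) else [acts]
    hit = any(fnmatchcase(action, a) for a in acts)
    return not hit if "NotAction" in stmt else hit

def scp_denies(policies, action, ctx):
    """Return the Sid of the first Deny statement that blocks the request, else None."""
    for pol in policies:
        for s in pol["Statement"]:
            if s["Effect"] == "Deny" and _action_matches(s, action) and _condition_met(s.get("Condition", {}), ctx):
                return s["Sid"]
    return None
```

Call `scp_denies([REGION_DENY_SCP, CUSTOM_SCP], action, ctx)` with a request context dict keyed by IAM condition keys such as `aws:RequestedRegion` and `aws:PrincipalARN`; an explicit SCP deny always wins, so a non-`None` result means the request would be blocked regardless of the principal's IAM permissions.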