

# Preventive controls that assist with digital sovereignty

These preventive controls are designed to assist you with your digital sovereignty governance posture.

This group of controls helps you comply with digital sovereignty regulatory requirements because they prevent actions, enforce configurations, and detect resource changes that affect data residency, granular access restriction, encryption, and resilience capabilities.
+ These controls are configurable. For more information about configurable controls, see [Controls with parameters](control-parameter-concepts.md).
+ These are optional controls with preventive guidance, implemented with AWS service control policies (SCPs). They are not deployed on any OU by default. You can enable them through the AWS Control Tower console, or through the AWS Control Tower [APIs](https://docs.aws.amazon.com//controltower/latest/APIReference/API_Operations.html).

In the AWS Control Tower console, you can view these controls together under the **Groups** tab on the **Categories** page.

**Topics**
+ [\[CT.APPSYNC.PV.1\] Require an AWS AppSync GraphQL API to be configured with private visibility](ct-appsync-pv-1.md)
+ [\[CT.EC2.PV.1\] Require an Amazon EBS snapshot to be created from an encrypted EC2 volume](ct-ec2-pv-1.md)
+ [\[CT.EC2.PV.2\] Require that an attached Amazon EBS volume is configured to encrypt data at rest](ct-ec2-pv-2.md)
+ [\[CT.EC2.PV.3\] Require that an Amazon EBS snapshot cannot be publicly restorable](ct-ec2-pv-3.md)
+ [\[CT.EC2.PV.4\] Require that Amazon EBS direct APIs are not called](ct-ec2-pv-4.md)
+ [\[CT.EC2.PV.5\] Disallow the use of Amazon EC2 VM import and export](ct-ec2-pv-5.md)
+ [\[CT.EC2.PV.6\] Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions](ct-ec2-pv-6.md)
+ [\[CT.KMS.PV.1\] Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services](ct-kms-pv-1.md)
+ [\[CT.KMS.PV.2\] Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits](ct-kms-pv-2.md)
+ [\[CT.KMS.PV.3\] Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled](ct-kms-pv-3.md)
+ [\[CT.KMS.PV.4\] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM](ct-kms-pv-4.md)
+ [\[CT.KMS.PV.5\] Require that an AWS KMS customer-managed key (CMK) is configured with imported key material](ct-kms-pv-5.md)
+ [\[CT.KMS.PV.6\] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS)](ct-kms-pv-6.md)
+ [\[CT.LAMBDA.PV.1\] Require an AWS Lambda function URL to use AWS IAM-based authentication](ct-lambda-pv-1.md)
+ [\[CT.LAMBDA.PV.2\] Require an AWS Lambda function or AWS Lambda function URL to be configured for access only to principals within your AWS account](ct-lambda-pv-2.md)

# [CT.APPSYNC.PV.1] Require an AWS AppSync GraphQL API to be configured with private visibility

This control disallows creation of public AWS AppSync APIs by requiring APIs to be configured with private visibility.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS AppSync

**Control metadata**
+ **Control objective:** Limit network access
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::AppSync::GraphQLApi`

**Usage considerations**

This control requires AppSync GraphQL APIs to be created with a private API configuration to ensure that the API is accessible only from a VPC.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTAPPSYNCPV1",
            "Effect": "Deny",
            "Action": "appsync:CreateGraphqlApi",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "appsync:Visibility": "PRIVATE"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.EC2.PV.1] Require an Amazon EBS snapshot to be created from an encrypted EC2 volume

This control disallows creation of new snapshots that are based on unencrypted EBS volumes.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Encrypt data at rest
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::::Account`

**Usage considerations**

This control does not prevent creation of unencrypted EBS snapshots that are created by means of the `CopySnapshot` operation. AWS Control Tower recommends that you enable EBS encryption by default, so that encryption is applied to copies of unencrypted snapshots. See [Encryption scenarios](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-examples) in the *Amazon EC2 User Guide for Linux Instances* for more information.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTEC2PV1",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots"
            ],
            "Resource": "arn:*:ec2:*:*:volume/*",
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "false"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.EC2.PV.2] Require that an attached Amazon EBS volume is configured to encrypt data at rest

This control disallows attaching an unencrypted EBS volume to a running or stopped EC2 instance.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Encrypt data at rest
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::EC2::Volume`

**Usage considerations**

This control does not prevent replacing an EBS-backed root volume for a running instance with an unencrypted volume, by means of the `CreateReplaceRootVolumeTask` operation.

AWS Control Tower recommends that you enable EBS encryption by default. For information about EBS encryption by default, see [Encryption by default](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#encryption-by-default) in the *Amazon EC2 User Guide for Linux Instances*.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTEC2PV2",
            "Effect": "Deny",
            "Action": "ec2:AttachVolume",
            "Resource": "arn:*:ec2:*:*:volume/*",
            "Condition": {
                "Bool": {
                    "ec2:Encrypted": "false"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.EC2.PV.3] Require that an Amazon EBS snapshot cannot be publicly restorable

This control disallows sharing of an EBS snapshot with all AWS accounts.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::::Account`

**Usage considerations**

This control prevents unencrypted EBS snapshots from being made public, by disallowing sharing of EBS snapshots with all AWS accounts. Encrypted snapshots and snapshots with AWS Marketplace product codes cannot be made public.

To prevent the public sharing of snapshots, AWS Control Tower recommends enabling block public access for snapshots. For more information, see [Block public access for snapshots](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-public-access-snapshots.html) in the *Amazon EC2 User Guide for Linux Instances*.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTEC2PV3",
            "Effect": "Deny",
            "Action": "ec2:ModifySnapshotAttribute",
            "Resource": "arn:*:ec2:*::snapshot/*",
            "Condition": {
                "StringEquals": {
                    "ec2:Add/group": "all"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.EC2.PV.4] Require that Amazon EBS direct APIs are not called

This control disallows usage of all EBS direct APIs.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::::Account`

**Usage considerations**

Do not enable this control if you use EBS direct APIs, either directly or through an AWS Backup partner product.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTEC2PV4",
            "Effect": "Deny",
            "Action": "ebs:*",
            "Resource": "*"{% if ExemptedPrincipalArns %},
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }
            }{% endif %}
        }
    ]
}
```

# [CT.EC2.PV.5] Disallow the use of Amazon EC2 VM import and export

This control disallows use of EC2 VM Import/Export APIs that can be used to import and export EC2 instance, snapshot, image and volume data.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Enforce least privilege, Protect configurations
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::::Account`

**Usage considerations**

This control disallows the use of VM Import/Export APIs that can be used to import and export EC2 image, snapshot, instance and volume data. If you need to use VM Import/Export functionality, do not enable this control.

This control does not prevent cancelling existing VM Import/Export import, export or conversion tasks.

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTEC2PV5",
            "Effect": "Deny",
            "Action": [
                "ec2:CreateInstanceExportTask",
                "ec2:ExportImage",
                "ec2:ImportImage",
                "ec2:ImportSnapshot",
                "ec2:ImportInstance",
                "ec2:ImportVolume"
            ],
            "Resource": "*"{% if ExemptedPrincipalArns %},
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }
            }{% endif %}
        }
    ]
}
```

# [CT.EC2.PV.6] Disallow the use of deprecated Amazon EC2 RequestSpotFleet and RequestSpotInstances API actions

This control disallows usage of EC2 `RequestSpotFleet` and `RequestSpotInstances` APIs, because they are legacy APIs with no planned investment.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** Amazon EC2

**Control metadata**
+ **Control objective:** Enforce least privilege, Protect configurations
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::EC2::SpotFleet`

**Usage considerations**

This control denies `ec2:RequestSpotFleet` and `ec2:RequestSpotInstances` actions for all IAM principals. If you need to use these actions, do not enable this control.

This control does not prevent cancelling or modifying an existing spot fleet or spot instance request.

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTEC2PV6",
            "Effect": "Deny",
            "Action": [
                "ec2:RequestSpotFleet",
                "ec2:RequestSpotInstances"
            ],
            "Resource": "*"{% if ExemptedPrincipalArns %},
            "Condition": {
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }
            }{% endif %}
        }
    ]
}
```

# [CT.KMS.PV.1] Require an AWS KMS key policy to have a statement that limits creation of AWS KMS grants to AWS services

This control requires that KMS grants are issued only to AWS services that are integrated with AWS KMS, or to an AWS service principal.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Key Management Service (AWS KMS)

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::KMS::Key`

**Usage considerations**

This control disallows the creation of AWS KMS grants for your KMS keys if the request does not originate from an AWS service that's integrated with AWS KMS, or from an AWS service principal.

If you need to issue AWS KMS grants directly to your IAM principals for a customer-managed key, do not enable this control.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTKMSPV1",
            "Effect": "Deny",
            "Action": "kms:CreateGrant",
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "kms:GrantIsForAWSResource": "false",
                    "aws:PrincipalIsAWSService": "false"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.KMS.PV.2] Require that an AWS KMS asymmetric key with RSA key material used for encryption does not have a key length of 2048 bits

This control disallows the creation of KMS keys used for encryption and decryption that also have a key spec of `RSA_2048`.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Key Management Service (AWS KMS)

**Control metadata**
+ **Control objective:** Encrypt data at rest, Encrypt data in transit
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::KMS::Key`

**Usage considerations**

This control requires that you use a `KeySpec` other than `RSA_2048` when creating asymmetric KMS keys used for encryption and decryption.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTKMSPV2",
            "Effect": "Deny",
            "Action": "kms:CreateKey",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "kms:KeyUsage": "ENCRYPT_DECRYPT",
                    "kms:KeySpec": "RSA_2048"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.KMS.PV.3] Require that an AWS KMS key is configured with the bypass policy lockout safety check enabled

This control disallows bypassing the KMS key policy lockout safety check when creating a KMS key or updating its key policy.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Key Management Service (AWS KMS)

**Control metadata**
+ **Control objective:** Enforce least privilege, Protect configurations
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::KMS::Key`

**Usage considerations**

This control disallows bypassing the policy lockout safety check, because bypassing this check increases the risk that a KMS key becomes unmanageable.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTKMSPV3",
            "Effect": "Deny",
            "Action": [
                "kms:CreateKey",
                "kms:PutKeyPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:BypassPolicyLockoutSafetyCheck": "true"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.KMS.PV.4] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from AWS CloudHSM

This control disallows creation of KMS keys that do not have a key origin of `AWS_CLOUDHSM`.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Key Management Service (AWS KMS)

**Control metadata**
+ **Control objective:** Encrypt data at rest, Encrypt data in transit
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::KMS::Key`

**Usage considerations**

This control restricts creation of AWS KMS keys to those that use a specific key material origin. It is suitable when enforcing a KMS key management strategy that requires all KMS keys to use an AWS CloudHSM-based custom key store.

Before enforcing the exclusive use of keys whose key material resides in an AWS CloudHSM cluster, carefully evaluate the trade-offs documented in the [AWS CloudHSM key stores](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-cloudhsm.html) section of the *AWS KMS Developer Guide*.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTKMSPV4",
            "Effect": "Deny",
            "Action": "kms:CreateKey",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "kms:KeyOrigin": "AWS_CLOUDHSM"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.KMS.PV.5] Require that an AWS KMS customer-managed key (CMK) is configured with imported key material

This control disallows creation of KMS keys that do not have a key origin of `EXTERNAL`.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Key Management Service (AWS KMS)

**Control metadata**
+ **Control objective:** Encrypt data at rest, Encrypt data in transit
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::KMS::Key`

**Usage considerations**

This control restricts creation of KMS keys to those that use a specific key material origin. It is suitable when enforcing a KMS key management strategy that requires all KMS keys to use imported key material.

Before enforcing the exclusive use of keys with imported key material, carefully evaluate the trade-offs documented in the [Importing key material for AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) section of the *AWS KMS Developer Guide*.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTKMSPV5",
            "Effect": "Deny",
            "Action": "kms:CreateKey",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "kms:KeyOrigin": "EXTERNAL"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.KMS.PV.6] Require that an AWS KMS customer-managed key (CMK) is configured with key material originating from an external key store (XKS)

This control disallows creation of KMS keys that do not have a key origin of `EXTERNAL_KEY_STORE`.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Key Management Service (AWS KMS)

**Control metadata**
+ **Control objective:** Encrypt data at rest, Encrypt data in transit
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::KMS::Key`

**Usage considerations**

This control restricts creation of AWS KMS keys to those that use a specific key material origin. It is suitable when enforcing a KMS key management strategy that requires all KMS keys to use an external key store (XKS) custom key store.

Before enforcing the exclusive use of keys whose key material resides in an external key store, carefully evaluate the trade-offs documented in the [External key stores](https://docs.aws.amazon.com/kms/latest/developerguide/keystore-external.html) section of the *AWS KMS Developer Guide*.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTKMSPV6",
            "Effect": "Deny",
            "Action": "kms:CreateKey",
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "kms:KeyOrigin": "EXTERNAL_KEY_STORE"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.LAMBDA.PV.1] Require an AWS Lambda function URL to use AWS IAM-based authentication

This control requires an AWS Lambda function URL to restrict access to authenticated users by using `AWS_IAM` based authentication.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Lambda

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::Lambda::Url`

**Usage considerations**

This control disallows creation and update of AWS Lambda function URL configurations that do not use `AWS_IAM` authentication. It does not prevent deletion of Lambda function URL configurations.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTLAMBDAPV1",
            "Effect": "Deny",
            "Action": [
                "lambda:CreateFunctionUrlConfig",
                "lambda:UpdateFunctionUrlConfig"
            ],
            "Resource": "arn:*:lambda:*:*:function:*",
            "Condition": {
                "StringNotEquals": {
                    "lambda:FunctionUrlAuthType": "AWS_IAM"
                }{% if ExemptedPrincipalArns %},
                "ArnNotLike": {
                    "aws:PrincipalArn": {{ExemptedPrincipalArns}}
                }{% endif %}
            }
        }
    ]
}
```

# [CT.LAMBDA.PV.2] Require an AWS Lambda function or AWS Lambda function URL to be configured for access only to principals within your AWS account

This control requires an AWS Lambda function resource-based policy to grant access only to IAM principals that reside in your AWS account.

This is a preventive control with elective guidance based on service control policies (SCPs). By default, this control is not enabled. You can enable this control through the AWS Control Tower console, or through the AWS Control Tower APIs.

**AWS service:** AWS Lambda

**Control metadata**
+ **Control objective:** Enforce least privilege
+ **Implementation:** Service control policy (SCP)
+ **Control behavior:** Preventive
+ **Control owner:** AWS Control Tower
+ **Control groups:** digital-sovereignty
+ **Resource types:** `AWS::Lambda::Url`, `AWS::Lambda::Function`

**Usage considerations**

This control limits cross-account access to AWS Lambda functions by restricting the allowed IAM principals in a Lambda function resource policy to those in the same account as the Lambda function. Allowlisting AWS service principals is not supported by this control.

Permissions to AWS Lambda functions and related URL(s) are governed by this control.

This control supports configuration. It contains elements that are included by AWS Control Tower conditionally, based on the configuration you select. This control supports the following configuration parameters: **ExemptedPrincipalArns**. For more information, see [Configure controls with parameters](https://docs.aws.amazon.com//controltower/latest/controlreference/control-parameter-concepts.html).

The artifact for this control is the following service control policy (SCP).

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CTLAMBDAPV2",
            "Effect": "Deny",
            "Action": "lambda:AddPermission",
            "Resource": "arn:*:lambda:*:*:function:*",
            "Condition": {
                "StringNotLike": {
                    "lambda:Principal": [
                        "arn:*:iam::${aws:PrincipalAccount}:*",
                        "${aws:PrincipalAccount}"
                    ]
                },
                "ArnNotLike": {
                    "aws:PrincipalArn": [
                        {{ExemptedPrincipalArns}}
                        "arn:*:iam::*:role/AWSControlTowerExecution"
                    ]
                }
            }
        }
    ]
}
```
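The following is an added example, not AWS Control Tower code: a minimal evaluator that renders the `{% if ExemptedPrincipalArns %}` template of the CT.APPSYNC.PV.1 artifact with and without exemptions, and checks it and the CT.LAMBDA.PV.2 artifact (hand-rendered here with no exemptions) against constructed request contexts. Account IDs and role names are constructed; the evaluator implements only the IAM condition operators these controls use, including the rule that `IfExists` and negated operators evaluate true when the key is absent from the request.

```python
import fnmatch
import json
import re

# CT.APPSYNC.PV.1 artifact from the page, template markers included (re-indented here).
APPSYNC_PV1_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "CTAPPSYNCPV1",
    "Effect": "Deny",
    "Action": "appsync:CreateGraphqlApi",
    "Resource": "*",
    "Condition": {
      "StringNotEquals": {"appsync:Visibility": "PRIVATE"}{% if ExemptedPrincipalArns %},
      "ArnNotLike": {"aws:PrincipalArn": {{ExemptedPrincipalArns}}}{% endif %}
    }
  }]
}"""

# CT.LAMBDA.PV.2 artifact, hand-rendered with no ExemptedPrincipalArns (assumed rendering).
LAMBDA_PV2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CTLAMBDAPV2",
        "Effect": "Deny",
        "Action": "lambda:AddPermission",
        "Resource": "arn:*:lambda:*:*:function:*",
        "Condition": {
            "StringNotLike": {"lambda:Principal": [
                "arn:*:iam::${aws:PrincipalAccount}:*", "${aws:PrincipalAccount}"]},
            "ArnNotLike": {"aws:PrincipalArn": ["arn:*:iam::*:role/AWSControlTowerExecution"]},
        },
    }],
}


def render_control(template: str, exempted_principal_arns=None) -> dict:
    """Render the {% if ExemptedPrincipalArns %}...{% endif %} block the artifacts use.

    With no exemptions the whole block (including its leading comma) is dropped;
    otherwise the placeholder becomes a JSON list of ARN patterns.
    """
    exempted = list(exempted_principal_arns or [])
    text = re.sub(r"\{% if ExemptedPrincipalArns %\}(.*?)\{% endif %\}",
                  lambda m: m.group(1) if exempted else "", template, flags=re.S)
    return json.loads(text.replace("{{ExemptedPrincipalArns}}", json.dumps(exempted)))


def _expand(value: str, ctx: dict) -> str:
    """Substitute ${key} policy variables such as ${aws:PrincipalAccount} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), value)


def _arn_like(pattern: str, value: str) -> bool:
    """ArnLike: * and ? match inside each colon-separated ARN segment, never across one."""
    p, v = pattern.split(":", 5), value.split(":", 5)
    return len(p) == len(v) and all(fnmatch.fnmatchcase(vs, ps) for ps, vs in zip(p, v))


_POSITIVE = {
    "StringEquals": lambda p, v: p == v,
    "StringLike": lambda p, v: fnmatch.fnmatchcase(v, p),
    "ArnLike": _arn_like,
    "Bool": lambda p, v: str(p).lower() == str(v).lower(),
}
_NEGATED = {"StringNotEquals": "StringEquals", "StringNotLike": "StringLike", "ArnNotLike": "ArnLike"}


def _condition_true(operator: str, key: str, patterns, ctx: dict) -> bool:
    """Evaluate one condition key: values are ORed, a negated operator inverts the result."""
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    negated = base in _NEGATED
    if key not in ctx:
        # IAM semantics: ...IfExists and negated operators are true for a missing key, others false.
        return if_exists or negated
    match = _POSITIVE[_NEGATED.get(base, base)]
    patterns = patterns if isinstance(patterns, list) else [patterns]
    hit = any(match(_expand(p, ctx), str(ctx[key])) for p in patterns)
    return not hit if negated else hit


def is_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True when some Deny statement matches the action, the resource and every condition key."""
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if st.get("Effect") != "Deny" or not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(r == "*" or _arn_like(r, resource) for r in resources):
            continue
        if all(_condition_true(op, key, pats, ctx)
               for op, block in st.get("Condition", {}).items() for key, pats in block.items()):
            return True
    return False
```

Because every condition block in a statement is ANDed, an exempted principal escapes the Deny only when the rendered `ArnNotLike` block is present; with no exemptions configured, the template drops that block and the visibility check alone decides.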