

# Controls
<a name="controls"></a>

 A *control* is a means of mitigating or detecting an issue that is a consequence of risk being realized, while *guardrails* are a technical implementation to meet those controls. More specifically, controls provide instruction for configuring resources to mitigate or address specific risks. We recommend that you start your multi-account environment with AWS Control Tower, which offers predefined baseline preventive and detective guardrails that can be enabled at an environment, resource, account, or Organizational Unit (OU) level. Guardrails are an essential part of managing your AWS environments as they provide an automated way to deliver on policy intentions. Two kinds of guardrails exist: preventive and detective. 

 Preventive guardrails enforce specific policies to help ensure that your accounts operate in alignment with compliance standards, and disallow actions that lead to policy violations. Control what your AWS accounts can do by only permitting specific services, Regions, and service actions at the appropriate level. AWS Organizations provides service control policies (SCPs) to apply permission guardrails at the organization, organizational unit, or account level. For example, you can apply an SCP that restricts users from launching resources in Regions that you have not explicitly allowed. Or, you can create an SCP that disallows creation of access keys for the root user, which helps secure your AWS accounts by reducing the risk of unrestricted access to all resources in the account.  

 Detective guardrails detect and alert on unexpected activity and noncompliance of resources within your accounts, such as policy violations. These are helpful in alerting when something requires remediation (either manual or automated). For example, you can create an AWS Config rule that detects whether public write access to Amazon S3 buckets is allowed. You can use this alert to initiate remediation with a Systems Manager automation document, or a procedure outlined in your ITSM tools. 
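 The check behind a detective guardrail such as "detect whether public write access to Amazon S3 buckets is allowed" can be written as a custom AWS Config rule evaluation. The following is an added example, not code from the M&G Guide or the managed `S3_BUCKET_PUBLIC_WRITE_PROHIBITED` rule: it takes a dictionary shaped like an `AWS::S3::Bucket` configuration item (the `supplementaryConfiguration` keys `BucketPolicy`, `PublicAccessBlockConfiguration` and `AccessControlList` are modelled on the Config item and are an assumption here), flags anonymous write access granted through the bucket policy or the ACL unless Block Public Access suppresses it, and returns a Config-style evaluation. The sample bucket items are constructed. 

```python
import fnmatch
import json

# S3 actions that let a caller modify objects or the bucket's own configuration.
WRITE_ACTIONS = ("s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                 "s3:PutBucketPolicy", "s3:PutBucketAcl")
ALL_USERS_GROUP = "http://acs.amazonaws.com/groups/global/AllUsers"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """A statement is anonymous when Principal is "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_grants_public_write(policy):
    """True if an unconditioned Allow statement gives an anonymous principal a write action."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Simplification: a conditioned statement is treated as not public here.
            continue
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action, p) for action in WRITE_ACTIONS for p in patterns):
            return True
    return False


def acl_grants_public_write(acl):
    """True if the bucket ACL grants the AllUsers group a write-capable permission."""
    for grant in acl.get("grantList", []):
        if grant.get("grantee") == ALL_USERS_GROUP and \
                grant.get("permission") in ("WRITE", "WRITE_ACP", "FULL_CONTROL"):
            return True
    return False


def evaluate_bucket(config_item):
    """Return a Config-style evaluation (COMPLIANT / NON_COMPLIANT) for one bucket item."""
    supp = config_item.get("supplementaryConfiguration", {})
    pab = supp.get("PublicAccessBlockConfiguration", {})
    policy_text = supp.get("BucketPolicy", {}).get("policyText")
    policy = json.loads(policy_text) if policy_text else {}
    acl = supp.get("AccessControlList", {})

    reasons = []
    # restrictPublicBuckets neutralises a public bucket policy; ignorePublicAcls a public ACL.
    if policy_grants_public_write(policy) and not pab.get("restrictPublicBuckets", False):
        reasons.append("bucket policy allows anonymous write")
    if acl_grants_public_write(acl) and not pab.get("ignorePublicAcls", False):
        reasons.append("bucket ACL grants AllUsers write")

    return {
        "ComplianceResourceType": config_item["resourceType"],
        "ComplianceResourceId": config_item["resourceId"],
        "ComplianceType": "NON_COMPLIANT" if reasons else "COMPLIANT",
        "Annotation": "; ".join(reasons) or "no public write access found",
    }


# --- constructed sample input (not real buckets) ---------------------------------
PUBLIC_WRITE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": ["s3:PutObject", "s3:GetObject"],
    "Resource": "arn:aws:s3:::example-uploads/*"}]})
READ_ONLY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-website/*"}]})


def _item(bucket, policy_text=None, pab=None, acl=None):
    supp = {}
    if policy_text:
        supp["BucketPolicy"] = {"policyText": policy_text}
    if pab:
        supp["PublicAccessBlockConfiguration"] = pab
    if acl:
        supp["AccessControlList"] = acl
    return {"resourceType": "AWS::S3::Bucket", "resourceId": bucket,
            "supplementaryConfiguration": supp}


SAMPLE_ITEMS = [
    _item("example-uploads", PUBLIC_WRITE_POLICY),
    _item("example-uploads-blocked", PUBLIC_WRITE_POLICY,
          pab={"blockPublicPolicy": True, "restrictPublicBuckets": True}),
    _item("example-website", READ_ONLY_POLICY),
    _item("example-legacy-acl", acl={"grantList": [
        {"grantee": ALL_USERS_GROUP, "permission": "WRITE"}]}),
]

if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        result = evaluate_bucket(item)
        print(f"{result['ComplianceResourceId']}: {result['ComplianceType']} ({result['Annotation']})")
```

 In a real custom rule the same function would run inside the rule's Lambda handler over the configuration item in the invoking event, and its return value would be reported back to AWS Config; the `NON_COMPLIANT` result is what then triggers the manual or automated remediation described above. 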

 Selecting the right guardrails for your environments is an important step in managing and governing your resources across AWS. Managing configuration compliance for any IT service is typically required to ensure security (confidentiality, integrity, and availability) of your data. This includes reference to standards and regulatory requirements, individual policy definitions, risk management processes, remediation workflows, and exception procedures. To select the correct guardrails, we recommend building a portfolio from compliance frameworks, risk management processes, and AWS Best Practices to match the needs of your specific organization. 

 Compliance-based controls are often included in the compliance and framework specifications. As a reference, you can identify risk-based controls with guidance from the [National Institute of Standards and Technology (NIST) CyberSecurity Framework](https://www.nist.gov/cyberframework). The [NIST Risk Management Framework (RMF)](https://csrc.nist.gov/projects/risk-management/about-rmf) defines an approach for how to select controls, and the [Factor Analysis of Information Risk](https://www.fairinstitute.org/fair-risk-management) (FAIR) defines a process for how to calculate your risk profile and measure risk reduction efforts related to controls. 

 We recommend aggregating the detective guardrails implemented through AWS Config Rules into conformance packs so that they can be easily provisioned across your AWS environments. A key feature of conformance packs is that they are immutable—individual rules cannot be changed outside of the pack in which they were deployed, regardless of access or account permissions. In addition, if the pack is deployed by an organization’s management account, it cannot be modified by the organization’s member accounts. This approach provides you with an additional level of security and certainty when managing compliance across your environments. It also enables aggregated reporting, as compliance summaries can be reported at the pack level. You can start with the [AWS Config conformance samples](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html) we provide, and customize as you see fit. When using multiple conformance packs, determine if duplicate rules are being used as this might have cost implications across your environments. 
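 Because conformance packs are immutable once deployed and each rule in each pack is evaluated separately, the same managed rule deployed from two packs is evaluated twice. The following is an added example, not code from the M&G Guide or from AWS Config, that loads two conformance pack templates (constructed here as parsed CloudFormation dictionaries; the `AWS::Config::ConfigRule` / `Source` / `SourceIdentifier` / `InputParameters` structure is the one pack templates use) and reports rules that appear in more than one pack with identical parameters. A rule that appears twice with different parameters is deliberately not reported, because the two copies evaluate different conditions. 

```python
import json
from collections import defaultdict


def _managed_rule(identifier, name, params=None):
    """Build one AWS::Config::ConfigRule resource for an AWS managed rule."""
    props = {"ConfigRuleName": name,
             "Source": {"Owner": "AWS", "SourceIdentifier": identifier}}
    if params:
        props["InputParameters"] = params
    return {"Type": "AWS::Config::ConfigRule", "Properties": props}


# Constructed pack templates (the dictionary form of the JSON/YAML template).
SAMPLE_PACKS = {
    "security-baseline": {"Resources": {
        "S3PublicWriteProhibited": _managed_rule(
            "S3_BUCKET_PUBLIC_WRITE_PROHIBITED", "s3-bucket-public-write-prohibited"),
        "RootAccessKeyCheck": _managed_rule(
            "IAM_ROOT_ACCESS_KEY_CHECK", "iam-root-access-key-check"),
        "RootMfaEnabled": _managed_rule(
            "ROOT_ACCOUNT_MFA_ENABLED", "root-account-mfa-enabled"),
        "AccessKeysRotated": _managed_rule(
            "ACCESS_KEYS_ROTATED", "access-keys-rotated", {"maxAccessKeyAge": "90"}),
    }},
    "cis-subset": {"Resources": {
        "CisRootAccessKeys": _managed_rule(
            "IAM_ROOT_ACCESS_KEY_CHECK", "cis-root-access-key-check"),
        "CisRootMfa": _managed_rule(
            "ROOT_ACCOUNT_MFA_ENABLED", "cis-root-mfa-enabled"),
        "CisAccessKeysRotated": _managed_rule(
            "ACCESS_KEYS_ROTATED", "cis-access-keys-rotated", {"maxAccessKeyAge": "30"}),
        "CisCloudTrailEnabled": _managed_rule(
            "CLOUD_TRAIL_ENABLED", "cis-cloudtrail-enabled"),
    }},
}


def rules_in_pack(template):
    """Yield (SourceIdentifier, canonical InputParameters JSON) for each rule in a pack."""
    for resource in template.get("Resources", {}).values():
        if resource.get("Type") != "AWS::Config::ConfigRule":
            continue
        props = resource["Properties"]
        identifier = props["Source"]["SourceIdentifier"]
        # Canonical JSON so {"a":1,"b":2} and {"b":2,"a":1} compare equal.
        params = json.dumps(props.get("InputParameters", {}), sort_keys=True)
        yield identifier, params


def find_duplicate_rules(packs):
    """Map (identifier, params) -> sorted pack names, for rules deployed by more than one pack."""
    seen = defaultdict(list)
    for pack_name in sorted(packs):
        for key in set(rules_in_pack(packs[pack_name])):
            seen[key].append(pack_name)
    return {key: names for key, names in seen.items() if len(names) > 1}


def duplicate_identifiers(packs):
    """Sorted list of managed rule identifiers that are evaluated more than once."""
    return sorted(identifier for identifier, _ in find_duplicate_rules(packs))


if __name__ == "__main__":
    for (identifier, params), names in find_duplicate_rules(SAMPLE_PACKS).items():
        print(f"{identifier} params={params} deployed by: {', '.join(names)}")
```

 Run against your own packs, the reported rules are candidates for keeping in one pack only; `ACCESS_KEYS_ROTATED` is not reported above because the two packs set different `maxAccessKeyAge` values and therefore produce different findings. 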

 AWS has provided a sample [set of Config Conformance Packs](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html) that align to specific services and compliance frameworks. The sample templates, including those related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard, but rather are designed to help you form part of it. They cannot replace your internal efforts or ensure that you will pass a compliance assessment. 

 AWS Control Tower offers a simplified way to automate the provisioning of accounts that are preconfigured with baseline guardrails. Preventive guardrails deployed by AWS Control Tower are implemented via service control policies (SCPs). Detective guardrails deployed by AWS Control Tower are implemented using AWS Config Rules and AWS Lambda functions. In addition to the baseline guardrails found in SCPs and AWS Config Rules, guardrails can also be found in other M&G Guide capabilities. Some examples would be IAM policies, network security groups, NACLs, budget alarms, and constraints on Service Catalog products. 

 BPX Energy, a BP company, used AWS Control Tower to establish their AWS environment with controls enabling them to deploy detective controls with AWS Config and preventive controls with AWS Organizations SCPs via AWS Control Tower. *“The key benefits of adopting AWS Control Tower included enhancing BPX Energy’s security posture, enabling enterprise governance at scale, and providing increased scalability.”* Grant Matthews, Chief Technology Officer, BPX Energy. Learn how BPX’s implementation further aligns to the controls function described in this M&G Guide by reviewing their [case study](https://aws.amazon.com/solutions/case-studies/bpx-energy/). 

 Both AWS Control Tower and AWS Security Hub CSPM continually evaluate all of your AWS accounts and workloads and provide dashboards so you can quickly identify areas of deviation from established guardrails. These insights can be used to improve and maintain your security posture across your AWS environments. For instance, AWS Control Tower applies a mandatory set of guardrails during the provisioning and management of your landing zone that indicate how your landing zone is compliant with best practices. AWS Security Hub CSPM provides a mechanism to deploy and categorize security-focused detective guardrails. This mechanism allows you to aggregate, organize, prioritize, and automate the remediation of the findings across your multi-account environment. Security Hub CSPM also provides a set of standards that can be used to align to your specific compliance and security framework. These include [AWS Foundational Security Best Practices](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp.html), the [CIS AWS Foundations Benchmark](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-cis.html), and the [Payment Card Industry Data Security Standard (PCI DSS)](https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-pcidss.html). You can investigate findings via the AWS Security Hub CSPM integration with Amazon Detective, and you can build automated or semiautomated remediation actions using the Amazon EventBridge integration. 

 Review your use of detective guardrails to identify and remove duplicative detection efforts when using one or more of these frameworks. Also, as you use AWS services, remain aware of the inherent quotas being imposed. For example, AWS Control Tower describes its [limitations and service quotas within the service documentation](https://docs.aws.amazon.com/controltower/latest/userguide/limits.html). When you review these quotas, it is important to choose where to use preventive versus detective guardrails to work within the service quotas while still meeting your compliance needs. 

# Interoperable functions
<a name="interoperable-functions"></a>

 The eight management and governance functions work together and interoperate to reduce complexity. Outputs from these functions are used to inform or integrate with other functions. 

 For controls, this includes: 
+  Inspect and protect out of band **Networking connectivity** changes. 
+  Access permissions and controls federated with your **Identity management** provider. 
+  Controls findings that initiate campaigns and playbooks in **Security management** operations. 
+  Integrated change, provisioning, and remediation capabilities with service level objectives for each control for your **Service management** framework. 
+  **Monitoring and observability** defined for both aggregated and granular views of each control and guardrail. 
+  Financial and process controls aligned to your **Cloud Financial Management** best practices. 
+  Infrastructure as code templates for your guardrails that are **Sourced** and **distributed** in a hub and spoke pattern for your multi-account strategy. 

# Implementation priorities
<a name="implementation-priorities"></a>

 Using a centralized mechanism like AWS Control Tower to create accounts that are pre-configured for compliance can help you adjust to your changing scale needs. Having a multi-account strategy helps raise your security posture with the necessary separation of workloads and networks through logical and physical boundaries. As such, the following controls solutions should be prioritized: 

## Define a multi-account strategy
<a name="cg-multi"></a>

 AWS recommends that you define a multi-account strategy that considers scale and operational efficiency concerns. This means that you should separate out your workloads into a logical pattern that best meets your operational needs. AWS provides [prescriptive guidance](https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/) that suggests you start with a foundational set of accounts to accommodate centralized and decentralized capabilities in your enterprise. You can centralize governance for distributed and autonomous teams using multiple AWS accounts, which lets you delineate at security, financial, and operational levels. 

## Start with AWS Control Tower
<a name="cg-ct"></a>

 [Enable a landing zone using AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/getting-started-with-control-tower.html) in a new or existing management account. AWS Control Tower creates a secure, multi-account environment with an embedded set of default guardrails. AWS Control Tower automatically enables AWS Config in the AWS Control Tower Regions, with configuration history and snapshots delivered to an Amazon S3 bucket located in a centralized Log Archive account. It also provides the ability to add guardrails for each organizational unit (OU) in your AWS Organization. The landing zone includes a preconfigured security OU with an audit and log archive account provisioned. This includes guardrails to prevent unauthorized changes to the security baseline in your audit account. CloudTrail logs are encrypted (using AWS KMS) and enabled in all provisioned accounts, with SCPs to prevent their modification. By default, a sandbox OU is provisioned for your use. Review the [best practices for organizational units](https://aws.amazon.com/blogs/mt/best-practices-for-organizational-units-with-aws-organizations/) guidance to determine the multi-account strategy and OU structure that will support your unique enterprise needs. 

 Separating OUs by regulatory and SDLC environments is a commonly used pattern. Workload OUs are used for accounts that host your AWS resources to support your applications with the right policies applied. AWS Control Tower allows you to allow or deny the use of AWS Regions across your environments. 

## Review and add preventive and detective controls
<a name="cg-ctrls"></a>

 AWS Control Tower uses AWS Organizations service control policies (SCPs) to provide preventive guardrails. SCPs define the guardrails or limits that IAM roles and users can have in the accounts located within the OU. Review the *[strongly recommended](https://docs.aws.amazon.com/controltower/latest/userguide/strongly-recommended-guardrails.html)* and *[elective](https://docs.aws.amazon.com/controltower/latest/userguide/elective-guardrails.html)* detective guardrails AWS Control Tower provides, and choose which guardrails to apply. Use the AWS Security Foundations best practices in AWS Security Hub CSPM to identify controls that apply to your enterprise, and add any specific open standard controls required for your workloads. Create additional preventive controls as required, and group them by OUs to align them to your multi-account strategy. 

**Note**  
SCPs have [service quotas](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_reference_limits.html#min-max-values) in the size and number that can be applied. Carefully consider these quotas as you design your controls strategy. 

 Package your detective controls such that they can be deployed easily as you create or update your accounts. There are a variety of AWS Config Conformance Packs available to apply common sets of AWS Config rules to meet open standards and best practices. For instance, there is a sample pack that includes the [Best Practices for the Well-Architected Security Pillar](https://docs.aws.amazon.com/config/latest/developerguide/operational-best-practices-for-wa-Security-Pillar.html), which can provide a starting list of best practice rules to provision. Use these conformance packs to choose and add further guardrails to your environments. 

 Annotate and prioritize your detective guardrail findings so that they can be remediated in accordance with your security and compliance frameworks. Use automation to detect out of policy provisioning of resources. In addition, set and measure service level objectives alongside updating your runbooks and playbooks. 

## Select an aggregated view of your guardrails and findings
<a name="cg-view"></a>

 Centrally view the resource configuration and compliance data recorded in your observability findings. AWS Security Hub CSPM is a security and compliance service that provides security and compliance posture management, as a service. It uses AWS Config and AWS Config rules as its primary mechanism to evaluate the configuration of AWS resources. AWS Config rules can also be used to aggregate and evaluate resource configuration. Other AWS services, such as AWS Control Tower and AWS Firewall Manager, also provide an aggregated view of controls in their console view. Regularly review aggregated views of guardrails to alert you on any deviation of expected controls in your environments. 

## Create a base foundation of capabilities for each of your accounts
<a name="cg-base"></a>

 You can [provision AWS Control Tower accounts in an automated, batch fashion](https://www.youtube.com/watch?v=LxxQTPdSFgw) by calling the Service Catalog APIs. As you provision new accounts, use [Customizations for AWS Control Tower](https://docs.aws.amazon.com/controltower/latest/userguide/customize-landing-zone.html) to add in a base set of services and functions required for each account. This will include capabilities across each of the eight M&G Guide functions as well as tagging and support information. For example: 

 From a networking perspective, determine which VPC structure is provisioned and associate it to a central hub-spoke pattern. Add in any necessary network constructs that vary by account type (firewall, NAT gateway, etc.). 

 For identity management, after Control Tower is configured for single sign-on integrated with your federated user solution, you can provision additional roles and policies. These might include permissions boundaries to be distributed to member accounts. 

 Make sure that your monitoring and observability capabilities are updated as new accounts are provisioned. Workloads should be aligned to the environment logging strategies that describe which logs to locate where, and how to appropriately integrate log aggregation. 

 You might need to register new accounts with your security tools (SIEM, GuardDuty, Security Hub CSPM, etc.), or deploy security capabilities to specific accounts (XDR, CSPM, etc.). 

 As you create new accounts, it is important to align them with your service and incident management capabilities. New accounts should be integrated with your service management solution using native connectors configured to integrate those solutions with AWS. Update your playbooks and runbooks as appropriate. 

 [Tag policies](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_tag-policies.html) and tag libraries help create consistent tagging and can be used for common processes including Cloud Financial Management (CFM). Consider distributing new financial guardrails to detect deviations from expected budgets in spoke accounts. Allocate appropriate support levels for each account using the [AWS Support API](https://docs.aws.amazon.com/awssupport/latest/user/Welcome.html). 

 Software assets managed in Service Catalog as portfolios can be shared with users in one or more AWS accounts in a hub and spoke pattern. Using Private Marketplace and private offers, curate an assortment of third-party solutions and distribute them alongside your infrastructure as code templates. Define which base set of resources should be directly provisioned or made available as a self-service model in each of your spoke accounts as they are created with solutions such as the Customization Framework for Control Tower. 

# Control services
<a name="aws-controls-and-guardrails-services"></a>

 The following AWS services can be used to help you follow the guidance provided by the M&G Guide: 

 [AWS Organizations](https://aws.amazon.com/organizations/) includes service control policies (SCPs) that you can use to provide centralized control over all accounts in your organization. You can configure an SCP to define a guardrail, or set a limit, on the actions that the account’s administrator can delegate to the users and roles for the affected accounts. The administrator must still attach identity-based or resource-based policies to IAM roles, or to the resources in your accounts to actually grant permissions. The [effective permissions](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html#scp-effects-on-permissions) are the logical intersection between what is allowed by the SCP and what is allowed by IAM and the resource-based policies. 
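 The two SCP examples given in the Controls section (deny creation of root access keys, deny actions in Regions you have not allowed) and the "effective permissions are the intersection" statement above can be seen together in a small policy evaluator. The following is an added example and is not code from the M&G Guide or from AWS Organizations: the SCP and IAM policy documents are constructed, and the evaluator is a deliberate simplification of IAM policy evaluation (it models `Action`/`NotAction`, the `String*` condition operators, and the explicit-deny-wins rule, and ignores `Resource` matching, resource-based policies and permissions boundaries). The account ID `111122223333` is a placeholder. 

```python
import fnmatch

# Constructed SCP: deny creating access keys for the root user of any member account.
DENY_ROOT_ACCESS_KEYS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyRootAccessKeys",
        "Effect": "Deny",
        "Action": "iam:CreateAccessKey",
        "Resource": "*",
        "Condition": {"StringLike": {"aws:PrincipalArn": "arn:aws:iam::*:root"}},
    }],
}

# Constructed SCP: deny requests outside the allowed Regions. Global services
# (IAM, Organizations, STS, Support) are exempted through NotAction so they keep working.
ALLOWED_REGIONS = ["us-east-1", "eu-west-1"]
RESTRICT_REGIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideAllowedRegions",
        "Effect": "Deny",
        "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:RequestedRegion": ALLOWED_REGIONS}},
    }],
}

# The default FullAWSAccess SCP: without an Allow at the SCP layer nothing is permitted.
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCPS = [FULL_AWS_ACCESS, DENY_ROOT_ACCESS_KEYS, RESTRICT_REGIONS]

# Constructed identity-based policies that an account administrator might attach.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_applies(stmt, action):
    """Statement applies if the action matches Action, or matches nothing in NotAction."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
    return not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["NotAction"]))


def _condition_holds(condition, ctx):
    """Subset of IAM condition operators; every key in the block must hold (AND)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual, expected = ctx.get(key), _as_list(expected)
            if operator == "StringEquals":
                ok = actual in expected
            elif operator == "StringNotEquals":
                ok = actual not in expected
            elif operator == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, e) for e in expected)
            elif operator == "StringNotLike":
                ok = actual is None or not any(fnmatch.fnmatchcase(actual, e) for e in expected)
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
            if not ok:
                return False
    return True


def evaluate(policies, action, ctx):
    """Simplified IAM logic: an explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _action_applies(stmt, action) and _condition_holds(stmt.get("Condition", {}), ctx):
                if stmt["Effect"] == "Deny":
                    return "deny"
                allowed = True
    return "allow" if allowed else "deny"


def effective_decision(scps, identity_policies, action, ctx):
    """Effective permission is the intersection: the SCP layer AND the IAM layer must both allow."""
    if evaluate(scps, action, ctx) == "deny":
        return "deny"
    return evaluate(identity_policies, action, ctx)


if __name__ == "__main__":
    root = {"aws:PrincipalArn": "arn:aws:iam::111122223333:root", "aws:RequestedRegion": "us-east-1"}
    alice = {"aws:PrincipalArn": "arn:aws:iam::111122223333:user/alice", "aws:RequestedRegion": "ap-southeast-1"}
    print("root CreateAccessKey:", effective_decision(SCPS, [ADMIN_POLICY], "iam:CreateAccessKey", root))
    print("alice RunInstances in ap-southeast-1:", effective_decision(SCPS, [ADMIN_POLICY], "ec2:RunInstances", alice))
```

 The `S3_ONLY_POLICY` case is the one to note: the SCPs allow `ec2:RunInstances` in an allowed Region, but a principal whose identity-based policy only grants `s3:*` is still denied, because an SCP never grants permissions on its own. 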

 [AWS Control Tower](https://aws.amazon.com/controltower/) complements AWS Organizations by implementing preventive and detective controls as you provision accounts. You can quickly set up and configure a new AWS environment, automate ongoing policy management, and view policy-level summaries of your AWS environments. 

 [AWS Security Hub CSPM](https://aws.amazon.com/security-hub/) provides a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services. These include Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Systems Manager Patch Manager, AWS Config, AWS IAM Access Analyzer, as well as from many AWS Partner Network (APN) solutions. 

 [Amazon GuardDuty](https://aws.amazon.com/guardduty/) is a threat detection service that continually monitors for malicious activity and unintended behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Amazon GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. 

 [Amazon Macie](https://aws.amazon.com/macie/) gives you constant visibility of the data security and data privacy of your data stored in Amazon S3. Macie automatically and continually evaluates all of your S3 buckets and alerts you to any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside those you have defined in the AWS Organizations. 


 In [AWS Config](https://aws.amazon.com/config/), you can create and manage singular rules (detective controls), or group them as conformance packs. [AWS Config conformance packs](https://docs.aws.amazon.com/config/latest/developerguide/conformance-packs.html) help you manage configuration compliance of your AWS resources at scale, from policy definition to auditing and aggregated reporting, using a common framework and packaging model. Additionally, AWS Config conformance packs simplify compliance reporting, because compliance is reported at the pack level alongside the detailed view for each individual rule and resource. 

 The [AWS Config Conformance Pack Sample Templates](https://docs.aws.amazon.com/config/latest/developerguide/conformancepack-sample-templates.html) help you create your own conformance packs with different or additional rules, input parameters, and remediation actions that suit your environment. The sample templates, including many related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard. They cannot replace your internal efforts or ensure that you will pass a compliance assessment. 

 [AWS Audit Manager](https://aws.amazon.com/audit-manager/) helps you continually audit your AWS usage by simplifying how you assess risk and compliance with regulations and open standards. Audit Manager provides a fully customizable framework that automates evidence collection, simplifies the tracking of chain of custody for evidence, and manages evidence security and integrity. 

 If you would like support implementing this guidance, or assisting you with building the foundational elements prescribed by the M&G Guide, we recommend you review the offerings provided by [AWS Professional Services](https://aws.amazon.com/professional-services/) or the AWS Partners in the [Built on Control Tower program](https://aws.amazon.com/controltower/partners/). 

 If you are seeking help to operate your workloads in AWS following this guidance, [AWS Managed Services (AMS)](https://aws.amazon.com/managed-services/) can augment your operational capabilities as a short-term accelerator or a long-term solution, letting you focus on transforming your applications and businesses in the cloud. 

# Integrated controls partners
<a name="integrated-controls-and-guardrails-partners"></a>

 The M&G Guide recommends you consider the following questions when choosing an AWS Partner solution for controls: 
+  Does it integrate with lifecycle events for AWS Control Tower? 
+  If controls are provided, are they updated on a regular basis? 
+  Does it support multiple AWS Regions? 
+  Can it be provisioned from an infrastructure as code template that is distributed from a service catalog? 
+  Does it integrate with an observability solution? 
+  Can changes be tracked automatically, or integrated to your service management tool? 

 The following controls partners have built integrations with AWS services, and are available to be provisioned from AWS Marketplace: 

 [Check Point CloudGuard](https://aws.amazon.com/marketplace/solutions/control-tower/operational-intelligence/#CloudGuard) is a comprehensive cloud native security platform for visibility, workload protection, and posture management of cloud workloads and services. CloudGuard provides visualization of cloud assets, including network topology, and firewalls; comprehensive compliance management including automated continuous compliance to help assess and enforce regulatory requirements and security best practices; open-source auto-remediation to accelerate the resolution of dangerous misconfigurations and enforce compliance; automated reversion of unauthorized modifications to cloud accounts; and just-in-time privileged elevation with out-of-band authorization for IAM actions. Check Point findings are also integrated with AWS Security Hub CSPM. 

 [CloudCheckr](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#CloudCheckr) CMx is a unique, end-to-end governance solution that enables users to optimize security and monitor their compliance, while enacting self-healing automation to remediate security vulnerabilities and compliance gaps. CloudCheckr provides users with hundreds of security and performance optimization recommendations and dozens of options to fix security and resource utilization issues automatically anytime they are detected. 

 [Cutover](https://aws.amazon.com/marketplace/solutions/control-tower/operational-intelligence/#Cutover) is a work orchestration and observability platform that allows teams to plan, orchestrate, and analyze complex workflows. It integrates with AWS Control Tower to accelerate your migration, drive effective governance, reduce risk, and help ensure standardization. The automation runbooks in Cutover work with existing toolsets to allow teams to achieve full visibility, control, and streamlined communications across their multi-account AWS environments. 

 [Flexera](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#Flexera) offers a powerful policy engine that enables your cloud governance teams to manage and control cloud use with out-of-the-box and custom policies to automate governance of costs, operations, security, and compliance. 

 [Kion](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#cloudtamer.io) is a comprehensive enablement software solution that delivers visibility and control of cloud workloads. [Kion](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#cloudtamer.io) provides out-of-the box compliance checks to help enterprises auto-align with established standards like NIST and CIS, and delivers the flexibility to create custom checks. Auto-remediation and integrations with AWS Security Hub CSPM are also available. [Kion](https://aws.amazon.com/marketplace/solutions/control-tower/cost-management-and-governance/#cloudtamer.io) allows enterprises to manage their cloud presence at scale with automation and orchestration, financial management, and continuous compliance. 

 [Palo Alto Networks Prisma Cloud](https://aws.amazon.com/marketplace/solutions/control-tower/security/#Palo_Alto) unifies Cloud Security Posture Management (CSPM) and workload protection (CWPP) into a single cloud native security platform. Continually monitor your environments and immediately enforce governance with hundreds of pre-built policies. Prisma Cloud ingests AWS APIs and sources threat intelligence from over 30 feeds to provide comprehensive visibility. Risk-ranked alerts prevent remediation fatigue and one-click compliance reporting helps ease auditing across even the most complex distributed environments. Prisma findings are also integrated to AWS Security Hub CSPM. 

 [Sonrai Dig](https://aws.amazon.com/marketplace/solutions/control-tower/security/#Sonrai_Security) is an enterprise cloud security platform providing complete visibility across all multi-account AWS environments. Dig’s CSPM capabilities provide continuous, audit-based monitoring giving comprehensive visibility and control over the security posture of every cloud resource and identity. Detect drift and misconfigurations on identities, data stores, or a particular cloud resource to help ensure that compliance is baselined, monitored, and met. 

 [Trend Micro Cloud One - Conformity](https://aws.amazon.com/marketplace/solutions/control-tower/operational-intelligence/#TrendMicro) is a cloud security posture management service that helps you fulfill your side of the shared responsibility model with continual security, compliance, and governance checks. With almost 1,000 cloud configuration checks out of the box that are mapped back to industry best practices, such as the AWS Well-Architected Framework, SOC2, NIST, CIS, PCI DSS, GDPR, and HIPAA, it provides a consistent approach to building cloud architectures that can scale over time. Infrastructure as code (IaC) template scanning also ensures deployment of the most secure and compliant templates aligned with industry best practices when building in the cloud. 