AWS Control Tower Guardrails - AWS Audit Manager

AWS Control Tower Guardrails

AWS Audit Manager provides an AWS Control Tower Guardrails framework to assist you with your audit preparation.

What is AWS Control Tower?

AWS Control Tower is a management and governance service that you can use to navigate through the setup process and governance requirements that are involved in creating a multi-account AWS environment.

With AWS Control Tower, you can provision new AWS accounts that conform to your company- or organization-wide policies in a few clicks. AWS Control Tower creates an orchestration layer on your behalf that combines and integrates the capabilities of several other AWS services. These services include AWS Organizations, AWS IAM Identity Center (successor to AWS Single Sign-On), and AWS Service Catalog. This helps streamline the process of setting up and governing a multi-account AWS environment that's both secure and compliant.

The AWS Control Tower Guardrails framework contains all of the AWS Config Rules that are based on guardrails from AWS Control Tower.

Using this framework to support your audit preparation

You can use the AWS Control Tower Guardrails framework to help you prepare for audits. This framework includes a prebuilt collection of controls with descriptions and testing procedures. These controls are grouped according to the AWS Config Rules that are based on guardrails from AWS Control Tower. You can also customize this framework and its controls to support internal audits with specific requirements.

Using the framework as a starting point, you can create an Audit Manager assessment and start collecting evidence that’s relevant for an AWS Control Tower audit. After you create an assessment, Audit Manager starts to assess your AWS resources. It does this based on the controls that are defined in the AWS Control Tower Guardrails framework. When it's time for an audit, you—or a delegate of your choice—can review the collected evidence and then add it to an assessment report. You can use this assessment report to show that your controls are working as intended.

The AWS Control Tower Guardrails framework details are as follows:

Framework name in AWS Audit Manager: AWS Control Tower Guardrails
Number of automated controls: 14
Number of manual controls: 0
Number of control sets: 5
AWS services in scope: AWS Config

The controls in this AWS Audit Manager framework aren't intended to verify if your systems are compliant with AWS Control Tower Guardrails. Moreover, they can't guarantee that you'll pass an audit.

You can find the AWS Control Tower Guardrails framework under the Standard frameworks tab of the Framework library in Audit Manager.

For instructions on how to create an assessment using this framework, see Creating an assessment.

When you use the Audit Manager console to create or update an assessment from this standard framework, the list of AWS services in scope is selected by default and can’t be edited. This is because Audit Manager automatically maps and selects the data sources and services for you. This selection is made according to the requirements of the AWS Control Tower Guardrails. If you need to edit the list of services in scope for this framework, you can do so by using the CreateAssessment or UpdateAssessment API operations. Alternatively, you can customize the standard framework and then create an assessment from the custom framework.
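The following is an added example, not code from the AWS documentation, showing how the scope (accounts and services) can be set explicitly through the CreateAssessment API with boto3 rather than the console. The FakeAuditManager stand-in, the bucket URI and role ARN are constructed for offline use, and the serviceName value "AWS Config" is assumed to match the service name shown in the table above.

```python
"""Create an Audit Manager assessment from the AWS Control Tower Guardrails standard
framework through the CreateAssessment API, choosing the services in scope explicitly."""

FRAMEWORK_NAME = "AWS Control Tower Guardrails"

def find_framework_id(client, name=FRAMEWORK_NAME):
    """Return the id of the standard framework called `name`, following nextToken pages."""
    kwargs = {"frameworkType": "Standard"}
    while True:
        page = client.list_assessment_frameworks(**kwargs)
        for fw in page.get("frameworkMetadataList", []):
            if fw.get("name") == name:
                return fw["id"]
        if not page.get("nextToken"):
            raise LookupError(f"standard framework {name!r} not found")
        kwargs["nextToken"] = page["nextToken"]

def build_scope(account_ids, service_names=("AWS Config",)):
    """Build the `scope` parameter; reject malformed account ids before calling AWS."""
    account_ids = list(account_ids)
    bad = [a for a in account_ids if not (a.isdigit() and len(a) == 12)]
    if bad or not account_ids:
        raise ValueError(f"empty account list or malformed account ids: {bad}")
    return {"awsAccounts": [{"id": a} for a in account_ids],
            "awsServices": [{"serviceName": s} for s in service_names]}

def create_guardrails_assessment(client, name, account_ids, report_s3_uri, owner_role_arn,
                                 service_names=("AWS Config",)):
    """Create the assessment (PROCESS_OWNER role, S3 report destination) and return its id."""
    resp = client.create_assessment(
        name=name,
        frameworkId=find_framework_id(client),
        scope=build_scope(account_ids, service_names),
        assessmentReportsDestination={"destinationType": "S3", "destination": report_s3_uri},
        roles=[{"roleType": "PROCESS_OWNER", "roleArn": owner_role_arn}],
    )
    return resp["assessment"]["metadata"]["id"]

class FakeAuditManager:
    """Constructed offline stand-in for boto3.client("auditmanager"); real use swaps it out."""
    pages = [{"frameworkMetadataList": [{"id": "fw-other", "name": "Other"}], "nextToken": "p2"},
             {"frameworkMetadataList": [{"id": "fw-ct-guardrails", "name": FRAMEWORK_NAME}]}]

    def list_assessment_frameworks(self, **kwargs):
        return self.pages[1] if kwargs.get("nextToken") == "p2" else self.pages[0]

    def create_assessment(self, **kwargs):
        self.last_request = kwargs  # keep the request so the caller can inspect it
        return {"assessment": {"metadata": {"id": "assessment-0001"}}}
```

With a real client (`boto3.client("auditmanager")`), the caller's IAM identity needs permission for auditmanager:ListAssessmentFrameworks and auditmanager:CreateAssessment.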

For instructions on how to customize this framework to support your specific requirements, see Customizing an existing framework and Customizing an existing control.

More AWS Control Tower resources