Enable controls on an OU from the console - AWS Control Tower

Enable controls on an OU from the console

Mandatory and inherited controls are enabled automatically according to an OU's configuration. Optional controls can be enabled manually on your OUs, from the console, or by means of the control APIs. The following procedure describes the steps for enabling controls on an OU, from the console.

To view control operations

To view your current and recent control operations, navigate to the Recent operations page in the AWS Control Tower console. You can select this page from the left navigation column. This page provides a history of control operations for the previous 90 days. It displays operations that are completed or in progress. For each control operation, you'll see a status of Enabled, Disabled, Enabling, or Disabling.

Important

When you enable optional controls, AWS Control Tower creates and manages AWS resources in your accounts. Do not modify or delete resources created by AWS Control Tower. Doing so could result in the controls entering an unknown state.

To enable controls in an OU, from the console
  1. Using a web browser, navigate to the AWS Control Tower console at https://console.aws.amazon.com/controltower.

  2. From the left navigation, choose All Controls.

  3. Choose a control that you want to enable; for example, Control: Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances. This choice opens the control's details page.

  4. From Organizational units enabled, choose Enable control on OU.

  5. A new page is displayed that lists the names of your OUs. Identify the OU on which you want to enable this control.

  6. Choose Enable control on OU.

  7. Your control is now enabled. It may take several minutes for the change to complete. When it does, you'll see that this control is applied to the OU you selected.

Note

You can enable preventive, detective, and proactive controls concurrently.

To deactivate controls for an OU, from the console
  1. Using a web browser, navigate to the AWS Control Tower console at https://console.aws.amazon.com/controltower.

  2. From the left navigation, choose Controls.

  3. Choose a control that you want to deactivate; for example, Control: Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances. This choice opens the control's details page.

  4. From the Organizational units enabled tab, select the radio button next to the OU from which you want to remove the control.

  5. Choose Disable control at the upper right.

  6. Your control is now deactivated. It may take several minutes for the change to complete. When it does, you'll see that this control is no longer applied to the OU you selected.

Note

The OU Region deny control is a specialized control with parameters. For steps on how to enable that control, see Region deny control applied to the OU.