Control limitations

A new Controls Reference Guide

Information about AWS Control Tower controls has been moved to the AWS Control Tower Controls Reference Guide.

If you modify AWS Control Tower resources, such as an SCP, or remove any AWS Config resource, such as a Config recorder or aggregator, AWS Control Tower can no longer guarantee that the controls are functioning as designed. Therefore, the security of your multi-account environment may be compromised. The AWS shared responsibility model of security is applicable to any such changes you may make.

Note

AWS Control Tower helps maintain the integrity of your environment by resetting the SCPs of the controls to their standard configuration when you update your landing zone. Changes that you may have made to SCPs are replaced by the standard version of the control, by design.

Some controls in AWS Control Tower do not operate in certain AWS Regions where AWS Control Tower is available, because those Regions do not support the required underlying functionality. This limitation affects certain detective controls, certain proactive controls, and certain controls in the Security Hub Service-managed Standard: AWS Control Tower. For more information about Regional availability, see the Regional services list documentation and the Security Hub controls reference documentation.

Control behavior also is limited in case of mixed governance. For more information, see Avoid mixed governance when configuring Regions.

For more information about how AWS Control Tower manages the limitations of Regions and controls, see Considerations for activating AWS opt-in Regions.

You can view the Regions for each control in the AWS Control Tower console.

The following AWS Regions do not support controls that are part of the Security Hub Service-managed Standard: AWS Control Tower.

Asia Pacific (Hong Kong) Region, ap-east-1
Asia Pacific (Jakarta) Region, ap-southeast-3
Asia Pacific (Osaka) Region, ap-northeast-3
Europe (Milan) Region, eu-south-1
Africa (Cape Town) Region, af-south-1
Middle East (Bahrain) Region, me-south-1
Israel (Tel Aviv), il-central-1
Middle East (UAE) Region, me-central-1
Europe (Spain) Region, eu-south-2
Asia Pacific (Hyderabad) Region, ap-south-2
Europe (Zurich) Region, eu-central-2
Asia Pacific (Melbourne) Region, ap-southeast-4
Canada West (Calgary), ca-west-1

The following AWS Regions do not support proactive controls.

Canada West (Calgary)

The following table shows proactive controls that are not supported in certain AWS Regions.

Control identifier	Unsupported regions
`CT.REDSHIFT.PR.5`	ap-southeast-4, ap-south-2, ap-southeast-3, eu-central-2, eu-south-2, il-central-1, me-central-1
`CT.DAX.PR.2`	us-west-1
`CT.GLUE.PR.2`	Unsupported

The following table shows AWS Control Tower detective controls that are not supported in certain AWS Regions.

Control identifier	Unsupported regions
`AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED`	ap-northeast-3, ap-southeast-3, il-central-1, ap-southeast-4, ca-west-1
`AWS-GR_LAMBDA_FUNCTION_PUBLIC_ACCESS_PROHIBITED`	eu-south-2
`AWS-GR_EMR_MASTER_NO_PUBLIC_IP`	ap-northeast-3, ap-southeast-3, af-south-1, eu-south-1, il-central-1, me-central-1, eu-south-2, ap-south-2, eu-central-2, ap-southeast-4, ca-west-1
`AWS-GR_EBS_SNAPSHOT_PUBLIC_RESTORABLE_CHECK`	eu-south-2
`AWS-GR_NO_UNRESTRICTED_ROUTE_TO_IGW`	ap-northeast-3, ap-southeast-3, ap-south-2, eu-south-2, ca-west-1
`AWS-GR_SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS`	ap-northeast-3, ap-southeast-3, af-south-1, eu-south-1, il-central-1, me-central-1, eu-south-2, ap-south-2, eu-central-2, ap-southeast-4, ca-west-1
`AWS-GR_EC2_INSTANCE_NO_PUBLIC_IP`	ap-northeast-3
`AWS-GR_EKS_ENDPOINT_NO_PUBLIC_ACCESS`	ap-northeast-3, ap-southeast-3, af-south-1, eu-south-1, us-west-1, il-central-1, me-central-1, eu-south-2, ap-south-2, eu-central-2, ap-southeast-4, ca-west-1
`AWS-GR_ELASTICSEARCH_IN_VPC_ONLY`	ap-southeast-3, il-central-1, eu-south-2, ap-south-2, eu-central-2, ap-southeast-4, ca-west-1
`AWS-GR_RESTRICTED_SSH`	af-south-1, ap-northeast-3, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1
`AWS-GR_DMS_REPLICATION_NOT_PUBLIC`	af-south-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, ca-west-1
`AWS-GR_RDS_SNAPSHOTS_PUBLIC_PROHIBITED`	af-south-1, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1
`AWS-GR_SUBNET_AUTO_ASSIGN_PUBLIC_IP_DISABLED`	ap-northeast-3
`AWS-GR_ENCRYPTED_VOLUMES`	af-south-1, ap-northeast-3, eu-south-1, il-central-1
`AWS-GR_RESTRICTED_COMMON_PORTS`	af-south-1, ap-northeast-3, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1
`AWS-GR_IAM_USER_MFA_ENABLED`	il-central-1, me-central-1, eu-south-2, ap-south-2, eu-central-2, ap-southeast-4, ca-west-1
`AWS-GR_MFA_ENABLED_FOR_IAM_CONSOLE_ACCESS`	il-central-1, me-central-1, eu-south-2, ap-south-2, eu-central-2, ap-southeast-4, ca-west-1
`AWS-GR_SSM_DOCUMENT_NOT_PUBLIC`	il-central-1, ca-west-1
`AWS-GR_ROOT_ACCOUNT_MFA_ENABLED`	il-central-1, me-central-1, ca-west-1
`AWS-GR_S3_ACCOUNT_LEVEL_PUBLIC_ACCESS_BLOCKS_PERIODIC`	il-central-1, eu-south-2, eu-central-2
`AWS-GR_RDS_STORAGE_ENCRYPTED`	eu-central-2, eu-south-2
`AWS-GR_RDS_INSTANCE_PUBLIC_ACCESS_CHECK`	ap-south-2, eu-south-2
`AWS-GR_REDSHIFT_CLUSTER_PUBLIC_ACCESS_CHECK`	ap-south-2, ap-southeast-3, eu-south-2, ca-west-1
`AWS-GR_EC2_VOLUME_INUSE_CHECK`	ca-west-1
`AWS-GR_EBS_OPTIMIZED_INSTANCE`	ca-west-1

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Request a quota increase

Regions and stack set limitations