Strongly recommended guardrails - AWS Control Tower

Strongly recommended guardrails

Strongly recommended guardrails are based on best practices for well-architected multi-account environments. These guardrails are not enabled by default, and can be disabled. Following, you'll find a reference for each of the strongly recommended guardrails available in AWS Control Tower.

Disallow Creation of Access Keys for the Root User

Secures your AWS accounts by disallowing creation of access keys for the root user. We recommend that you instead create access keys for the IAM users with limited permissions to interact with your AWS account. This is a preventive guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following SCP.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRRESTRICTROOTUSERACCESSKEYS", "Effect": "Deny", "Action": "iam:CreateAccessKey", "Resource": [ "*" ], "Condition": { "StringLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:root" ] } } } ] }

Disallow Actions as a Root User

Secures your AWS accounts by disallowing account access with root user credentials, which are credentials of the account owner that allow unrestricted access to all resources in the account. Instead, we recommend that you create AWS Identity and Access Management (IAM) users for everyday interaction with your AWS account. This is a preventive guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following SCP.

{ "Version": "2012-10-17", "Statement": [ { "Sid": "GRRESTRICTROOTUSER", "Effect": "Deny", "Action": "*", "Resource": [ "*" ], "Condition": { "StringLike": { "aws:PrincipalArn": [ "arn:aws:iam::*:root" ] } } } ] }

Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances

This guardrail detects whether the Amazon EBS volumes attached to an Amazon EC2 instance are encrypted. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail isn't enabled on any OUs.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check for encryption of all storage volumes attached to compute Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForEncryptedVolumes: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether EBS volumes that are in an attached state are encrypted. Source: Owner: AWS SourceIdentifier: ENCRYPTED_VOLUMES Scope: ComplianceResourceTypes: - AWS::EC2::Volume

Detect Whether Unrestricted Incoming TCP Traffic is Allowed

This guardrail helps reduce a server's exposure to risk by detecting whether unrestricted incoming TCP traffic is allowed. It detects whether internet connections are enabled to Amazon EC2 instances through services such as Remote Desktop Protocol (RDP). This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports. Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' blockedPort1: Type: String Default: '20' Description: Blocked TCP port number. blockedPort2: Type: String Default: '21' Description: Blocked TCP port number. blockedPort3: Type: String Default: '3389' Description: Blocked TCP port number. blockedPort4: Type: String Default: '3306' Description: Blocked TCP port number. blockedPort5: Type: String Default: '4333' Description: Blocked TCP port number. Conditions: blockedPort1: Fn::Not: - Fn::Equals: - '' - Ref: blockedPort1 blockedPort2: Fn::Not: - Fn::Equals: - '' - Ref: blockedPort2 blockedPort3: Fn::Not: - Fn::Equals: - '' - Ref: blockedPort3 blockedPort4: Fn::Not: - Fn::Equals: - '' - Ref: blockedPort4 blockedPort5: Fn::Not: - Fn::Equals: - '' - Ref: blockedPort5 Resources: CheckForRestrictedCommonPortsPolicy: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether security groups that are in use disallow unrestricted incoming TCP traffic to the specified ports. InputParameters: blockedPort1: Fn::If: - blockedPort1 - Ref: blockedPort1 - Ref: AWS::NoValue blockedPort2: Fn::If: - blockedPort2 - Ref: blockedPort2 - Ref: AWS::NoValue blockedPort3: Fn::If: - blockedPort3 - Ref: blockedPort3 - Ref: AWS::NoValue blockedPort4: Fn::If: - blockedPort4 - Ref: blockedPort4 - Ref: AWS::NoValue blockedPort5: Fn::If: - blockedPort5 - Ref: blockedPort5 - Ref: AWS::NoValue Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: RESTRICTED_INCOMING_TRAFFIC

Detect Whether Unrestricted Internet Connection Through SSH is Allowed

This guardrail detects whether internet connections are allowed through remote services such as the Secure Shell (SSH) protocol. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether security groups that are in use disallow SSH Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForRestrictedSshPolicy: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether security groups that are in use disallow unrestricted incoming SSH traffic. Scope: ComplianceResourceTypes: - AWS::EC2::SecurityGroup Source: Owner: AWS SourceIdentifier: INCOMING_SSH_DISABLED

Detect Whether MFA for the Root User is Enabled

This guardrail detects whether multi-factor authentication (MFA) is enabled for the root user of the management account. MFA reduces vulnerability risks from weak authentication by requiring an additional authentication code after the user name and password are successful. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to require MFA for root access to accounts Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' MaximumExecutionFrequency: Type: String Default: 24hours Description: The frequency that you want AWS Config to run evaluations for the rule. AllowedValues: - 1hour - 3hours - 6hours - 12hours - 24hours Mappings: Settings: FrequencyMap: 1hour : One_Hour 3hours : Three_Hours 6hours : Six_Hours 12hours : Twelve_Hours 24hours : TwentyFour_Hours Resources: CheckForRootMfa: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether the root user of your AWS account requires multi-factor authentication for console sign-in. Source: Owner: AWS SourceIdentifier: ROOT_ACCOUNT_MFA_ENABLED MaximumExecutionFrequency: !FindInMap - Settings - FrequencyMap - !Ref MaximumExecutionFrequency

Detect Whether Public Read Access to Amazon S3 Buckets is Allowed

This guardrail detects whether public read access is allowed to Amazon S3 buckets. It helps you maintain secure access to data stored in the buckets. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check that your S3 buckets do not allow public access Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForS3PublicRead: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant. Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED Scope: ComplianceResourceTypes: - AWS::S3::Bucket

Detect Whether Public Write Access to Amazon S3 Buckets is Allowed

This guardrail detects whether public write access is allowed to Amazon S3 buckets. It helps you maintain secure access to data stored in the buckets. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check that your S3 buckets do not allow public access Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForS3PublicWrite: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant. Source: Owner: AWS SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED Scope: ComplianceResourceTypes: - AWS::S3::Bucket

Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances

This guardrail detects whether an Amazon EBS volume device persists independently from an Amazon EC2 instance. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether EBS volumes are attached to EC2 instances Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' deleteOnTermination: Type: 'String' Default: 'None' Description: 'Check for Delete on termination' Conditions: deleteOnTermination: Fn::Not: - Fn::Equals: - 'None' - Ref: deleteOnTermination Resources: CheckForEc2VolumesInUse: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether EBS volumes are attached to EC2 instances InputParameters: deleteOnTermination: Fn::If: - deleteOnTermination - Ref: deleteOnTermination - Ref: AWS::NoValue Source: Owner: AWS SourceIdentifier: EC2_VOLUME_INUSE_CHECK Scope: ComplianceResourceTypes: - AWS::EC2::Volume

Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances

Detects whether Amazon EC2 instances are launched without an Amazon EBS volume that is optimized for performance. Amazon EBS-optimized volumes minimize contention between Amazon EBS I/O and other traffic from your instance. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForEbsOptimizedInstance: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether EBS optimization is enabled for your EC2 instances that can be EBS-optimized Source: Owner: AWS SourceIdentifier: EBS_OPTIMIZED_INSTANCE Scope: ComplianceResourceTypes: - AWS::EC2::Instance

Detect Whether Public Access to Amazon RDS Database Instances is Enabled

Detects whether your Amazon RDS database instances allow public access. You can secure your Amazon RDS database instances by disallowing public access. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether Amazon RDS instances are not publicly accessible. Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForRdsPublicAccess: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether the Amazon Relational Database Service (RDS) instances are not publicly accessible. The rule is non-compliant if the publiclyAccessible field is true in the instance configuration item. Source: Owner: AWS SourceIdentifier: RDS_INSTANCE_PUBLIC_ACCESS_CHECK Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance

Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled

Detects whether your Amazon RDS database snapshots have public access enabled. You can protect your information by disabling public access. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForRdsStorageEncryption: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks if Amazon Relational Database Service (Amazon RDS) snapshots are public. The rule is non-compliant if any existing and new Amazon RDS snapshots are public. Source: Owner: AWS SourceIdentifier: RDS_SNAPSHOTS_PUBLIC_PROHIBITED Scope: ComplianceResourceTypes: - AWS::RDS::DBSnapshot

Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances

Detects Amazon RDS database instances that are not encrypted at rest. You can secure your Amazon RDS database instances at rest by encrypting the underlying storage for database instances and their automated backups, Read Replicas, and snapshots. This guardrail does not change the status of the account. This is a detective guardrail with strongly recommended guidance. By default, this guardrail is not enabled.

The artifact for this guardrail is the following AWS Config rule.

AWSTemplateFormatVersion: 2010-09-09 Description: Configure AWS Config rules to check whether storage encryption is enabled for your RDS DB instances Parameters: ConfigRuleName: Type: 'String' Description: 'Name for the Config rule' Resources: CheckForRdsStorageEncryption: Type: AWS::Config::ConfigRule Properties: ConfigRuleName: !Sub ${ConfigRuleName} Description: Checks whether storage encryption is enabled for your RDS DB instances. Source: Owner: AWS SourceIdentifier: RDS_STORAGE_ENCRYPTED Scope: ComplianceResourceTypes: - AWS::RDS::DBInstance