Types of baselines
A baseline in AWS Control Tower is a group of resources and specific configurations that you can apply to a target. The most common baseline target may be an organizational unit (OU). For example, you can enable a baseline with an OU selected as a target, to register that OU into AWS Control Tower.
During landing zone setup, the baseline target may be a shared account or the landing zone as a whole. Certain baselines may be enabled and updated based on your landing zone settings and configurations. AWS Control Tower creates and deploys the resources to the target in the way that the baseline specifies.
When you enable a baseline for a target, the baseline is represented as an AWS CloudFormation resource, called an EnabledBaseline resource.
AWS Control Tower includes four essential types of baselines:
- One type can apply to an OU that's registered with AWS Control Tower, or to an OU that you intend to register by applying the baseline.
- Three baseline types can apply to a landing zone or shared account, during initial setup or during a landing zone update.
Baseline type that applies at the OU level, for registering and updating OUs
- Name: AWSControlTowerBaseline
Description: Sets up resources and mandatory controls for member accounts within the target OU, required for AWS Control Tower governance.
Consideration: This baseline retains the settings of the landing zone Region deny control. In other words, if a Region is not allowed at the landing zone level, that Region is not allowed for that OU when you call the EnableBaseline API to register an OU.
Note
The OU-level Region deny control has no way to allow Regions that the landing zone Region deny control does not allow. For more information, see How SCPs work with deny in the AWS Organizations documentation.
Recommendation: We recommend that you confirm the Regions in which your target OU may be running workloads, and check the results against the landing zone Region deny control, before you call the EnableBaseline API for the OU. Otherwise, you could lose access to resources in certain Regions.
Note
Landing zone baselines behave differently than OU-level baselines. AWS Control Tower enables the baselines that apply at the landing zone level automatically, as part of the landing zone setup and update process. Baselines for your landing zone may change as you change your landing zone settings. For example, if you opt in for IAM Identity Center, AWS Control Tower can enable the latest version of the IdentityCenterBaseline on your landing zone.
You can view the enabled baselines for your landing zone with the ListEnabledBaselines API call.
Baseline types that may apply to your landing zone or shared accounts
- Name: AuditBaseline
Description: Sets up resources to monitor security and compliance of accounts in your organization. You cannot change this baseline; it is deployed by AWS Control Tower.
- Name: LogArchiveBaseline
Description: Sets up a central repository for logs of API activities and resource configurations from accounts in your organization. You cannot change this baseline; it is deployed by AWS Control Tower.
- Name: IdentityCenterBaseline
Description: Sets up shared resources for IAM Identity Center, which prepares the AWSControlTowerBaseline to set up Identity Center access for accounts.
Consideration: This baseline works only when you've selected IAM Identity Center as your identity provider at the time you set up your landing zone initially, or if you subsequently change your landing zone settings to enable IAM Identity Center for your landing zone. If you're using a different identity provider, you won't have access to enable this baseline.
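Both considerations above, the Region deny inheritance for AWSControlTowerBaseline and the identity-provider requirement for IdentityCenterBaseline, can be checked from the landing zone manifest before calling EnableBaseline. The following is an added example, not AWS code and not an AWS Control Tower API: it assumes that the manifest returned by GetLandingZone carries a governedRegions list (the Regions the landing zone Region deny control allows) and an accessManagement.enabled flag for IAM Identity Center. Those two keys, the function names, and the sample manifest and Region inventory are all assumptions or constructed values; compare the keys against your own GetLandingZone output before relying on the check.

```python
"""Pre-flight check before calling EnableBaseline on an OU.

Added example; not AWS code. Assumed manifest shape (verify against your
own GetLandingZone output):
  manifest["governedRegions"]            -> list of allowed Regions
  manifest["accessManagement"]["enabled"] -> True when IAM Identity Center
                                             is the landing zone identity provider
"""
from dataclasses import dataclass


@dataclass
class PreflightResult:
    # Regions the OU uses that the landing zone Region deny control blocks
    denied_regions: list
    # Whether IdentityCenterBaseline can be enabled on this landing zone
    identity_center_enabled: bool

    @property
    def safe_to_enable(self) -> bool:
        # The OU-level Region deny control cannot re-allow a Region that the
        # landing zone denies, so any denied Region means lost access.
        return not self.denied_regions


def regions_denied_for_ou(manifest: dict, ou_workload_regions) -> list:
    """Return the OU workload Regions that the landing zone does not govern."""
    governed = set(manifest.get("governedRegions", []))
    return sorted(r for r in set(ou_workload_regions) if r not in governed)


def identity_center_enabled(manifest: dict) -> bool:
    """True when IAM Identity Center is the landing zone identity provider
    (assumed key: accessManagement.enabled)."""
    return bool(manifest.get("accessManagement", {}).get("enabled", False))


def preflight(manifest: dict, ou_workload_regions) -> PreflightResult:
    """Combine both checks into one result for the target OU."""
    return PreflightResult(
        denied_regions=regions_denied_for_ou(manifest, ou_workload_regions),
        identity_center_enabled=identity_center_enabled(manifest),
    )


# Constructed sample manifest. In practice this comes from
# boto3.client("controltower").get_landing_zone(...)["landingZone"]["manifest"].
SAMPLE_MANIFEST = {
    "governedRegions": ["us-east-1", "us-west-2", "eu-west-1"],
    "accessManagement": {"enabled": True},
}

# Constructed inventory of Regions where the target OU's accounts run workloads
# (for example, gathered from AWS Config or a CloudTrail event summary).
SAMPLE_OU_REGIONS = ["us-east-1", "eu-west-1", "ap-southeast-2"]


if __name__ == "__main__":
    result = preflight(SAMPLE_MANIFEST, SAMPLE_OU_REGIONS)
    if result.safe_to_enable:
        print("OK: every OU workload Region is allowed by the landing zone.")
    else:
        print("STOP: EnableBaseline would cut off access in:",
              ", ".join(result.denied_regions))
    print("IdentityCenterBaseline available:", result.identity_center_enabled)
```

With the constructed inputs the check stops on ap-southeast-2, which the sample landing zone does not govern; adding that Region to the landing zone (or confirming no workloads run there) is the decision to make before EnableBaseline, not after.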
Partial enrollment of accounts
When you're working with baselines, an account can be placed into a state called Partially enrolled. This state can occur if you re-register an OU by calling the ResetEnabledBaseline API, because AWS Control Tower applies only the mandatory resources to the accounts in the target OU. An account that is missing the optional resources (controls) for its parent OU is marked as Partially enrolled.
If you move an unenrolled account into a registered OU and then call the ResetEnabledBaseline API on the OU to enroll that account, AWS Control Tower applies the resources associated with the AWSControlTowerBaseline to the newly enrolled account. However, optional controls enabled for this OU are not applied to the account. The account remains in a Partially enrolled state.
To enroll the account fully, choose Re-register or Update account in the console. When you select these operations from the console, AWS Control Tower applies all of the resources of that OU to the newly-enrolled account, including the optional controls that are activated for that OU.
Variation in operations between the AWS Control Tower console and APIs for baselines
When you change the governance status of an OU, the AWS Control Tower console performs more operations for you automatically, compared to changing governance by means of the APIs for baselines.
Differences
- Registering and provisioned products
When you register an OU through the console, AWS Control Tower creates Service Catalog products for the OU's member accounts, as part of enrolling each account. When you register an OU by means of the EnableBaseline API and the AWSControlTowerBaseline, AWS Control Tower does not create provisioned products for the member accounts in the OU.
- Deregister an OU
Any time you deregister an OU, you must first remove all member accounts and nested OUs. Then, AWS Control Tower removes all controls that are applied to the OU.
  - If you select Delete OU for the OU in the console, AWS Control Tower proceeds to deregister and then delete the OU from your organization.
  - However, if you deregister the OU by calling the DisableBaseline API to remove the AWSControlTowerBaseline from the OU, AWS Control Tower does not delete the OU from your organization; the OU is still present in the organization, unregistered.
- Baselines and versioning defaults
If your AWS Control Tower landing zone is already set up, and then you choose to enable a landing zone baseline, AWS Control Tower enables the latest version of the baseline that is compatible with your landing zone version. If you choose to enable a baseline for an OU that is not already registered with AWS Control Tower, AWS Control Tower automatically provides the latest compatible version of the baseline for that OU.