Control services - Management and Governance Cloud Environment Guide

Control services

The following AWS services can be used to help you follow the guidance provided by the M&G Guide:

AWS Organizations includes service control policies (SCPs) that you can use to provide centralized control over all accounts in your organization. You can configure an SCP to define a guardrail, or set a limit, on the actions that the account’s administrator can delegate to the users and roles in the affected accounts. An SCP never grants permissions by itself: the administrator must still attach identity-based or resource-based policies to IAM roles, or to the resources in your accounts, to actually grant permissions. The effective permissions are the logical intersection of what the SCP allows and what the IAM and resource-based policies allow, and an explicit Deny in either one blocks the action. SCPs apply to every principal in a member account, including the account’s root user, but they do not affect the organization’s management account.
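The intersection rule above is easy to get wrong in practice, so here is an added example (not code from the M&G Guide or from AWS) that models it for a single action. The two SCPs, the IAM policies, the bucket name and the account ID 111122223333 are constructed for illustration. The evaluator is a deliberate simplification of AWS policy evaluation: it handles Effect, Action and Resource with wildcards only, and ignores Condition elements, NotAction/NotResource, resource-based policies, permissions boundaries and the management-account exemption.

```python
"""Simplified model of how an SCP guardrail combines with an IAM identity policy.

Added example, not from the M&G Guide. Models the documented rule that the
effective permission is the intersection of what the SCP allows and what the
IAM policy allows, with an explicit Deny in either one winning. Ignores
Condition, NotAction/NotResource, resource-based policies and boundaries.
"""
from fnmatch import fnmatchcase

# Constructed SCP: the default FullAWSAccess allow plus a guardrail that stops
# member-account administrators from switching off logging and detection.
SCP_PROTECT_TELEMETRY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Sid": "DenyDisablingLoggingAndDetection",
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "guardduty:DeleteDetector",
                "config:StopConfigurationRecorder",
            ],
            "Resource": "*",
        },
    ],
}

# Constructed allow-list SCP: only EC2 and S3 actions can ever be granted.
SCP_ALLOWLIST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}

# Constructed IAM identity-based policies attached inside a member account.
IAM_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
IAM_S3_READER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    action_ok = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_ok = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    return action_ok and resource_ok


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny always wins
        decision = "Allow"
    return decision


def is_allowed(scp, iam_policy, action, resource="*"):
    """Effective decision for a principal in a member account.

    The SCP and the IAM policy must both allow the action; an explicit Deny in
    either blocks it. An SCP on its own never grants anything.
    """
    scp_result = evaluate_policy(scp, action, resource)
    iam_result = evaluate_policy(iam_policy, action, resource)
    return scp_result == "Allow" and iam_result == "Allow"


if __name__ == "__main__":
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/org-trail"
    obj = "arn:aws:s3:::example-bucket/report.csv"
    checks = [
        (SCP_PROTECT_TELEMETRY, IAM_ADMIN, "cloudtrail:StopLogging", trail),  # SCP deny wins
        (SCP_PROTECT_TELEMETRY, IAM_ADMIN, "s3:PutObject", obj),              # both allow
        (SCP_ALLOWLIST, IAM_ADMIN, "iam:CreateUser", "*"),                     # SCP never allows
        (SCP_ALLOWLIST, IAM_S3_READER, "s3:GetObject", obj),                   # both allow
        (SCP_ALLOWLIST, IAM_S3_READER, "s3:PutObject", obj),                   # IAM never grants
    ]
    for scp, iam, action, resource in checks:
        verdict = "allowed" if is_allowed(scp, iam, action, resource) else "denied"
        print(f"{action:26} -> {verdict}")
```

The first and third checks show the two directions of the guardrail: an administrator with `*` permissions still cannot stop the organization trail, and an allow-list SCP blocks `iam:CreateUser` even though IAM grants it. The last check shows the other half of the rule, that a permissive SCP does not grant `s3:PutObject` to a principal whose IAM policy only allows `s3:GetObject`.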

AWS Control Tower complements AWS Organizations by implementing preventive and detective controls as you provision accounts. You can quickly set up and configure a new AWS environment, automate ongoing policy management, and view policy-level summaries of your AWS environments.

AWS Security Hub provides a single place that aggregates, organizes, and prioritizes your security alerts, or findings, from multiple AWS services. These include Amazon GuardDuty, Amazon Inspector, Amazon Macie, AWS Firewall Manager, AWS Systems Manager Patch Manager, AWS Config, AWS IAM Access Analyzer, as well as from many AWS Partner Network (APN) solutions.

Amazon GuardDuty is a threat detection service that continually monitors for malicious activity and unintended behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Amazon GuardDuty uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. GuardDuty analyzes tens of billions of events across multiple AWS data sources, such as AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs.

Amazon Macie gives you continuous visibility into the security and privacy of your data stored in Amazon S3. Macie automatically and continually evaluates all of your S3 buckets and alerts you to any unencrypted buckets, publicly accessible buckets, or buckets shared with AWS accounts outside the organization you have defined in AWS Organizations.

In AWS Config, you can create and manage individual rules (detective controls), or group them as conformance packs. AWS Config conformance packs help you manage configuration compliance of your AWS resources at scale, from policy definition to auditing and aggregated reporting, using a common framework and packaging model. Conformance packs also simplify compliance reporting: compliance is reported at the pack level, alongside the detailed view for each individual rule and resource.

The AWS Config Conformance Pack Sample Templates help you create your own conformance packs with different or additional rules, input parameters, and remediation actions that suit your environment. The sample templates, including many related to compliance standards and industry benchmarks, are not designed to ensure your compliance with a specific governance standard. They cannot replace your internal efforts or ensure that you will pass a compliance assessment.

AWS Audit Manager helps you continually audit your AWS usage by simplifying how you assess risk and compliance with regulations and open standards. Audit Manager provides a fully customizable framework that automates evidence collection, simplifies the tracking of chain of custody for evidence, and manages evidence security and integrity.

If you would like support implementing this guidance, or assistance with building the foundational elements prescribed by the M&G Guide, we recommend that you review the offerings provided by AWS Professional Services or by the AWS Partners in the Built on Control Tower program.

If you are seeking help to operate your workloads in AWS following this guidance, AWS Managed Services (AMS) can augment your operational capabilities as a short-term accelerator or a long-term solution, letting you focus on transforming your applications and businesses in the cloud.