Mandatory controls
Mandatory controls are enforced by AWS Control Tower to protect AWS Control Tower managed resources. You can’t deactivate mandatory controls.
Documenting mandatory controls for your organization
In your landing zone design document, you can document the mandatory controls that AWS Control Tower enforces by using the following table format. You can extend this table with optional controls and custom controls, as discussed later in this section.
Note
AWS Control Tower controls are continuously updated. For the most up-to-date and complete list of controls, see Mandatory controls in the AWS Control Tower documentation.
Control | Guidance level | Behavior | Default OU | Purpose
---|---|---|---|---
 | Mandatory | Preventive | Security OU | Protects the encryption configuration for buckets deployed by AWS Control Tower in the Log Archive account so that encryption cannot be turned off for sensitive logs.
 | Mandatory | Preventive | Security OU | Protects the logging configuration for buckets deployed by AWS Control Tower in the Log Archive account so that only AWS Control Tower can make changes to these configurations.
Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive | Mandatory | Preventive | Security OU | Protects the bucket policies for buckets deployed by AWS Control Tower in the Log Archive account. This helps ensure that only AWS Control Tower can edit the permissions for the centralized logs, and that sensitive logs are secured.
 | Mandatory | Preventive | Security OU | Protects the lifecycle configuration for buckets deployed by AWS Control Tower in the Log Archive account so that logs are stored for the required amount of time.
Disallow Changes to Amazon CloudWatch Logs Log Groups set up by AWS Control Tower | Mandatory | Preventive | All OUs | Protects the retention policy for the CloudWatch logs set up by AWS Control Tower in the Log Archive account so that only AWS Control Tower can make changes and logs are secured.
Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower | Mandatory | Preventive | All OUs | Protects the AWS Config aggregation authorizations set up by AWS Control Tower in the Audit account. This helps ensure that only AWS Control Tower can modify or disable account authorizations and that all authorization changes can be logged.
 | Mandatory | Preventive | Security OU | Prevents deletion of the S3 buckets created by AWS Control Tower in the Log Archive account. This helps ensure that no one can remove the central log buckets.
 | Mandatory | Detective | Security OU | Detects changes to read access permissions to the bucket deployed by AWS Control Tower in the Log Archive account. Such changes could risk exposing the central logs to the public.
 | Mandatory | Detective | Security OU | Detects changes to write access permissions to the bucket deployed by AWS Control Tower. Such changes could risk exposing the central logs to the public.
 | Mandatory | Preventive | All OUs | Protects the configuration of the organization trail deployed by AWS Control Tower. This helps ensure that only AWS Control Tower can modify the trail.
 | Mandatory | Preventive | All OUs | Protects the CloudTrail event selectors of the organization trail deployed by AWS Control Tower.
 | Mandatory | Preventive | All OUs | Protects the configuration of the organization trail deployed by AWS Control Tower in all enabled AWS Regions. This helps ensure that CloudTrail always collects logs in all enabled Regions.
 | Mandatory | Preventive | All OUs | Protects the integrity of CloudTrail log files in the organization trail deployed by AWS Control Tower. Enabling integrity validation helps ensure that the digest file created for the logs can always prove that logs have not been modified.
Disallow Changes to Amazon CloudWatch Set Up by AWS Control Tower | Mandatory | Preventive | All OUs | Protects the CloudWatch logs set up by AWS Control Tower from modification or removal so that AWS Control Tower log configurations aren't modified.
Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources | Mandatory | Preventive | All OUs | Prevents changes to the tags that AWS Control Tower created when you set up the landing zone. This helps secure the AWS Control Tower functionality that is dependent on those tags.
 | Mandatory | Preventive | All OUs | Protects the AWS Config configuration set up by AWS Control Tower so that AWS Config recording cannot be modified or stopped.
 | Mandatory | Preventive | All OUs | Protects the AWS Config configuration set up by AWS Control Tower so that AWS Config recording cannot be modified or stopped in any AWS Region.
Disallow Changes to AWS Config Rules Set Up by AWS Control Tower | Mandatory | Preventive | All OUs | Protects the AWS Config Rules that are set up by AWS Control Tower to prevent them from being modified or removed. This helps ensure that the controls that are specific to AWS Control Tower are managed by AWS Control Tower only.
Disallow Changes to AWS IAM Roles Set Up by AWS Control Tower and AWS CloudFormation | Mandatory | Preventive | All OUs | Prevents changes to the IAM roles that AWS Control Tower created when you set up the landing zone so that the landing zone is secured.
Disallow Changes to AWS Lambda Functions Set Up by AWS Control Tower | Mandatory | Preventive | All OUs | Prevents changes to the AWS Lambda functions that are set up by AWS Control Tower so that the landing zone is secured.
 | Mandatory | Preventive | All OUs | Prevents changes to the Amazon SNS topics that are set up by AWS Control Tower so that the landing zone is secured.
Disallow Changes to Amazon SNS Subscriptions Set Up by AWS Control Tower | Mandatory | Preventive | All OUs | Prevents changes to the Amazon SNS subscriptions that are set up by AWS Control Tower so that the integrity of Amazon SNS subscription settings for your landing zone is secured.
 | Mandatory | Detective | Security OU | Detects whether AWS CloudTrail and AWS CloudTrail Lake are disabled in the accounts under the Security OU.
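The rows above state what each control protects but not how a landing zone team would verify that the protected state actually holds. The following script is an added example, not code from AWS Control Tower or from this guide: it encodes the intent of the organization-trail rows (multi-Region, integrity validation), the Log Archive bucket read/write exposure rows, and the AWS Config recording rows as offline posture checks. The input dictionaries are constructed here in the shapes that the boto3 `describe_trails`, `get_bucket_policy`, `get_bucket_acl` and `describe_configuration_recorder_status` calls return, so it runs without AWS credentials; the bucket and recorder names are made up for the sample.

```python
"""Offline posture checks mirroring several AWS Control Tower mandatory controls.

Added example. Inputs are constructed dictionaries in the shapes boto3 returns;
swap them for real API responses to run the same logic against an account.
"""
import json

# Canned ACL group URIs that make an S3 bucket readable or writable by anyone.
PUBLIC_ACL_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anonymous/any-account access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def _actions(stmt: dict) -> list:
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)


def check_trail(trail: dict) -> list:
    """Organization trail rows: org-wide, all enabled Regions, integrity validation."""
    findings = []
    if not trail.get("IsOrganizationTrail"):
        findings.append("trail is not an organization trail")
    if not trail.get("IsMultiRegionTrail"):
        findings.append("trail does not log all enabled Regions")
    if not trail.get("LogFileValidationEnabled"):
        findings.append("log file integrity validation is disabled")
    return findings


def check_bucket_policy(policy_json: str) -> list:
    """Read/write exposure rows: unconditioned Allow statements open to any principal."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # condition-scoped grants need case-by-case review; not flagged here
        for action in _actions(stmt):
            a = action.lower()
            if a in ("*", "s3:*") or a.startswith(("s3:get", "s3:list")):
                findings.append(f"public read via {action}")
            if a in ("*", "s3:*") or a.startswith(("s3:put", "s3:delete")):
                findings.append(f"public write via {action}")
    return findings


def check_bucket_acl(acl: dict) -> list:
    """Same exposure rows, via the legacy ACL path."""
    return [
        f"ACL grants {g['Permission']} to {g['Grantee']['URI']}"
        for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_ACL_URIS
    ]


def check_config_recorders(status: dict) -> list:
    """AWS Config rows: every recorder must still be recording."""
    return [
        f"Config recorder {r['name']} is not recording"
        for r in status.get("ConfigurationRecordersStatus", [])
        if not r.get("recording")
    ]


# Constructed sample responses (not captured from a real account).
SAMPLE_TRAIL = {
    "Name": "example-org-trail", "S3BucketName": "example-log-archive-bucket",
    "IsOrganizationTrail": True, "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": False,  # deliberately weakened for the demo
}
SAMPLE_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-log-archive-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-log-archive-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]})
SAMPLE_BUCKET_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_RECORDER_STATUS = {"ConfigurationRecordersStatus": [
    {"name": "example-recorder-us-east-1", "recording": True},
    {"name": "example-recorder-eu-west-1", "recording": False},
]}


def run_checks() -> dict:
    """Return findings per area; an empty list means the control's intent holds."""
    return {
        "trail": check_trail(SAMPLE_TRAIL),
        "bucket_policy": check_bucket_policy(SAMPLE_BUCKET_POLICY),
        "bucket_acl": check_bucket_acl(SAMPLE_BUCKET_ACL),
        "config": check_config_recorders(SAMPLE_RECORDER_STATUS),
    }


if __name__ == "__main__":
    for area, findings in run_checks().items():
        print(area, "OK" if not findings else findings)
```

The checks are intentionally conservative: a policy statement that is scoped by a `Condition` (here, to the organization ID) is skipped rather than flagged, because such grants are exactly what a centralized Log Archive bucket needs, while an unconditioned wildcard grant is the exposure the detective rows describe.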