About controls in AWS Control Tower
A control is a high-level rule that provides ongoing governance for your overall AWS environment. It's expressed in plain language. AWS Control Tower implements preventive, detective, and proactive controls that help you govern your resources and monitor compliance across groups of AWS accounts.
A control applies to an entire organizational unit (OU), and every AWS account within the OU is affected by the control. Therefore, when users perform work in any AWS account in your landing zone, they're always subject to the controls that are governing their account's OU.
Note
We are transitioning our terminology to align better with industry usage and with other AWS services. During this time, you may see the previous term, guardrail, as well as the new term, control, in our documentation, console, blogs, and videos. These terms are synonymous for our purposes.
The purpose of controls
Controls help you express your policy intentions. For example, if you enable the detective control Detect Whether Public Read Access to Amazon S3 Buckets is Allowed on an OU, you can determine whether an entity (such as a user) would be permitted to have read access over the internet to any Amazon S3 buckets, for any accounts under that OU.
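To make the detective-control example concrete, the following added Python example (not AWS Control Tower or AWS Config code) models the bucket-policy portion of a public-read check: a statement is flagged when it allows an anonymous principal to perform a read action with no condition scoping it. The real AWS Config rule behind this control also evaluates bucket ACLs and S3 Block Public Access settings, which this simplified model omits; the policy documents and bucket names are constructed sample input.

```python
"""Simplified model of the bucket-policy part of a public-read detective check.

Added example, not AWS Control Tower or AWS Config code. It flags an S3 bucket
policy statement as public read when the statement:
  * has Effect "Allow",
  * names the anonymous principal ("*" or {"AWS": "*"}),
  * grants an action matching s3:GetObject (wildcards included), and
  * carries no Condition block (assumption: any condition scopes the grant,
    so conditioned statements are treated as not anonymous here).
"""
import json
from fnmatch import fnmatch


def _as_list(value):
    """Policy JSON allows a scalar or a list in most fields; normalise to list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def _grants_object_read(actions):
    """True if any action pattern covers s3:GetObject (case-insensitive)."""
    return any(fnmatch("s3:getobject", a.lower()) for a in _as_list(actions))


def allows_public_read(policy_document: str):
    """Return the Sids (or synthetic ids) of statements granting anonymous read."""
    policy = json.loads(policy_document)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # scoped grant; not treated as public in this model
        if _grants_object_read(stmt.get("Action")):
            findings.append(stmt.get("Sid", f"statement-{idx}"))
    return findings


def evaluate_buckets(bucket_policies):
    """Map bucket name -> COMPLIANT / NON_COMPLIANT, in AWS Config's vocabulary."""
    return {
        name: "NON_COMPLIANT" if allows_public_read(doc) else "COMPLIANT"
        for name, doc in bucket_policies.items()
    }


# Constructed sample policies (not real account data).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::public-site-bucket/*",
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReportReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"],
    }],
})

SAMPLE_BUCKETS = {
    "public-site-bucket": PUBLIC_POLICY,
    "finance-reports": PRIVATE_POLICY,
}

if __name__ == "__main__":
    for bucket, status in evaluate_buckets(SAMPLE_BUCKETS).items():
        print(f"{bucket}: {status}")
```

Running the module prints one line per sample bucket; in practice the same evaluation would be applied to every bucket in every account under the OU where the control is enabled, which is what makes the finding OU-wide rather than per-account.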
Exception to controls for the management account
The root user and any administrators in the management account can perform work that controls would otherwise deny. This exception is intentional. It prevents the management account from entering into an unusable state. All actions taken within the management account continue to be tracked in the logs contained within the log archive account, for purposes of accountability and auditing.
Exception to controls for the Security OU
You cannot deploy proactive controls or Security Hub controls to the AWS Control Tower Security OU. AWS Control Tower deploys and manages resources in this OU, which are required so that AWS Control Tower can function properly. You can deploy preventive controls (SCP-based) and detective controls (based on AWS Config rules) to this OU.