Preventative controls - AWS Prescriptive Guidance

Preventative controls

Preventative controls are security controls that are designed to prevent an event from occurring. These guardrails are a first line of defense to help prevent unauthorized access or unwanted changes to your network. An example of a preventative control is an AWS Identity and Access Management (IAM) role that has read-only access because it helps prevent unintended write actions from unauthorized users.

Review the following about this type of control:


The primary purpose of preventative controls is to minimize or avoid the likelihood of a threat event from occurring. The control should help prevent unauthorized access to the system and help prevent unintentional changes from affecting the system. The following are the objectives of preventative controls:

  • Segregation of duties – Preventative controls can establish logical boundaries that limit privileges, allowing permissions to perform only specific tasks in designated accounts or environments. Examples include:

    • Segmenting workloads to different accounts for specific services

    • Separating and accounts into isolated production, development, and test environments

    • Delegating access and responsibilities to multiple entities to perform specific functions, such as using IAM roles or assumed roles to allow only specific job functions to perform certain actions

  • Access control – Preventative controls can consistently grant or deny access to resources and data in the environment. Examples include:

    • Preventing users from exceeding their intended permissions, known as privilege escalation

    • Restricting access to applications and data to only authorized users and services

    • Keeping the administrator group small

    • Avoiding use of the root user credentials

  • Enforcement – Preventative controls can help your company adhere to its policies, guidelines, and standards. Examples include:

    • Locking configurations that serve as the minimum security baseline

    • Implementing additional security measures, such as multi-factor authentication

    • Avoiding nonstandard tasks and actions that are performed by unapproved roles


Preventative control mapping is the process of mapping controls to requirements and using policies to implement those controls by restricting, disabling, or blocking. When mapping controls, consider the proactive effect they have on the environment, resources, and users. The following are best practices for mapping controls:

  • Strict controls that disallow an activity should be mapped to production environments where the action requires review, approval, and change processes.

  • Development or contained environments might have fewer preventative controls in order to provide the agility to build and test.

  • The classification of data, risk level of an asset, and risk management policy dictate the preventative controls.

  • Map to existing frameworks as evidence of compliance with standards and regulations.

  • Implement preventative controls by geographical location, environment, accounts, networks, users, roles, or resources.

Use cases

Data handling

A role is created that can access all data in an account. If there is sensitive and encrypted data, overly permissive privileges might present a risk, depending on the users or groups that can assume the role. By using a key policy in AWS Key Management Service (AWS KMS), you can control who has access to the key and can decrypt the data.

Privilege escalation

If administrative and write permissions are assigned too broadly, a user can circumvent the limits of their intended permissions and grant themselves additional privileges. The user who creates and manages a role can assign a permissions boundary, which defines the maximum allowable privileges for the role.

Workload lockdown

If your business does not have a foreseeable need to use specific services, enable a service control policy that limits which services can operate in an organization’s member accounts or restricts services based on the AWS Region. This preventative control can reduce the scope of impact if a threat actor manages to compromise and access an account in your organization. For more information, see Service control policies in this guide.

Impact to other applications

Preventative controls can enforce the use of services and features, such as IAM, encryption, and logging, in order to meet the security requirements of your applications. You can also use these controls to help protect against vulnerabilities by limiting the actions that a threat actor can exploit due to unintentional errors or misconfiguration.


Service control policies

In AWS Organizations, service control policies (SCPs) define the maximum available permissions for member accounts in an organization. These policies help accounts stay within access control guidelines of the organization. Note the following when designing SCPs for your organization:

  • SCPs are preventative controls because they define and enforce the maximum allowable permissions for IAM roles and users in the organization’s member accounts.

  • SCPs affect only the IAM roles and users in the member accounts of the organization. It does not affect users and roles in the management account of the organization.

You can make an SCP more granular by defining the maximum permissions for each AWS Region.

IAM permissions boundaries

In AWS Identity and Access Management (IAM), a permissions boundary is used to set the maximum permissions that an identity-based policy can grant to an IAM entity (users or roles). An entity's permission boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permission boundaries. Note the following when using permissions boundaries:

  • You can use an AWS managed policy or a customer managed policy to set the boundary for an IAM entity.

  • A permissions boundary does not grant permissions on its own. The permissions boundary policy limits the permissions that are granted to the IAM entity.

Business outcomes

Time savings

  • By adding automation after you set up preventative controls, you can reduce the need for manual intervention and reduce the frequency of errors.

  • Using permission boundaries as a preventative control helps security and IAM teams focus on critical tasks, such as governance and support.

Regulatory compliance

  • Companies might need to comply with internal or industry regulations. These might be regional restrictions, user and role restrictions, or service restrictions. SCPs can help you stay compliant and avoid violation penalties.

Risk reduction

  • With growth, the number of requests to create and manage new roles and policies increases. It becomes more challenging to understand the context of what is required to manually create the permissions for each application. Establishing preventative controls acts as a baseline and helps prevent users from performing unintended actions, even if they were accidentally given access.

  • Applying preventative controls to access policies provides an additional layer to help protect data and assets.