Types of security controls

There are four main types of security controls:

Preventative controls – These controls are designed to prevent an event from occurring.
Proactive controls – These controls are designed to prevent the creation of noncompliant resources.
Detective controls – These controls are designed to detect, log, and alert after an event has occurred.
Responsive controls – These controls are designed to drive remediation of adverse events or deviations from your security baseline.

An effective security strategy includes all four types of security controls. While preventative controls are a first line of defense to help prevent unauthorized access or unwanted changes to your network, it is important to make sure that you establish detective and responsive controls so that you know when an event occurs and can take immediate and appropriate action to remediate it. Using proactive controls add another layer of security because it complements preventative controls, which are generally stricter in nature.

The following sections describe each type of control in more detail. They discuss the objectives, implementation process, use cases, technological considerations, and target outcomes of each control type.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Security controls in the governance framework

Preventative controls