Mandatory controls
Mandatory controls are owned by AWS Control Tower, and they apply to every OU on your landing zone. These controls are applied by default when you set up your landing zone, and they can't be deactivated. Following, you'll find a reference for each of the mandatory controls available in AWS Control Tower.
Topics
- Disallow Changes to Encryption Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive
- Disallow Changes to Logging Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive
- Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive
- Disallow Changes to Lifecycle Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive
- Disallow Changes to Amazon CloudWatch Logs Log Groups set up by AWS Control Tower
- Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower
- Disallow Deletion of Log Archive
- Detect Public Read Access Setting for Log Archive
- Detect Public Write Access Setting for Log Archive
- Disallow Configuration Changes to CloudTrail
- Integrate CloudTrail Events with Amazon CloudWatch Logs
- Enable CloudTrail in All Available Regions
- Enable Integrity Validation for CloudTrail Log File
- Disallow Changes to Amazon CloudWatch Set Up by AWS Control Tower
- Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources
- Disallow Configuration Changes to AWS Config
- Enable AWS Config in All Available Regions
- Disallow Changes to AWS Config Rules Set Up by AWS Control Tower
- Disallow Changes to AWS IAM Roles Set Up by AWS Control Tower and AWS CloudFormation
- Disallow Changes to AWS Lambda Functions Set Up by AWS Control Tower
- Disallow Changes to Amazon SNS Set Up by AWS Control Tower
- Disallow Changes to Amazon SNS Subscriptions Set Up by AWS Control Tower
- Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled
Note
The four mandatory controls with "Sid": "GRCLOUDTRAILENABLED" are identical by design. The sample code is correct.
Disallow Changes to Encryption Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive
This control prevents changes to encryption for the Amazon S3 buckets that AWS Control Tower creates in the log archive account. This is a preventive control with mandatory guidance. By default, this control is enabled on the Security OU. It cannot be enabled on additional OUs.
The artifact for this control is the following service control policy (SCP).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETENCRYPTIONCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutEncryptionConfiguration"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Logging Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive
This control prevents changes to logging configuration for the Amazon S3 buckets that AWS Control Tower creates in the log archive account. This is a preventive control with mandatory guidance. By default, this control is enabled on the Security OU. It cannot be enabled on additional OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETLOGGINGCONFIGURATIONCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketLogging"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Bucket Policy for AWS Control Tower Created Amazon S3 Buckets in Log Archive
This control prevents changes to bucket policy for the Amazon S3 buckets that AWS Control Tower creates in the log archive account. This is a preventive control with mandatory guidance. By default, this control is enabled on the Security OU. It cannot be enabled on additional OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETPOLICYCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Lifecycle Configuration for AWS Control Tower Created Amazon S3 Buckets in Log Archive
This control prevents lifecycle configuration changes for the Amazon S3 buckets that AWS Control Tower creates in the log archive account. This is a preventive control with mandatory guidance. By default, this control is enabled on the Security OU. It cannot be enabled on additional OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCTAUDITBUCKETLIFECYCLECONFIGURATIONCHANGESPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": ["arn:aws:s3:::aws-controltower*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Amazon CloudWatch Logs Log Groups set up by AWS Control Tower
This control prevents changes to the retention policy for Amazon CloudWatch Logs log groups that AWS Control Tower created in the log archive account when you set up your landing zone. It also prevents modifying the log retention policy in customer accounts. This is a preventive control with mandatory guidance. By default, this control is enabled on all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRLOGGROUPPOLICY",
      "Effect": "Deny",
      "Action": [
        "logs:DeleteLogGroup",
        "logs:PutRetentionPolicy"
      ],
      "Resource": [
        "arn:aws:logs:*:*:log-group:*aws-controltower*"
      ],
      "Condition": {
        "StringNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSControlTowerExecution"
          ]
        }
      }
    }
  ]
}
Disallow Deletion of AWS Config Aggregation Authorizations Created by AWS Control Tower
This control prevents deletion of AWS Config aggregation authorizations that AWS Control Tower created in the audit account when you set up your landing zone. This is a preventive control with mandatory guidance. By default, this control is enabled on all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGAGGREGATIONAUTHORIZATIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:DeleteAggregationAuthorization"
      ],
      "Resource": [
        "arn:aws:config:*:*:aggregation-authorization*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "StringLike": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    }
  ]
}
Disallow Deletion of Log Archive
This control prevents deletion of Amazon S3 buckets created by AWS Control Tower in the log archive account. This is a preventive control with mandatory guidance. By default, this control is enabled on the Security OU.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRAUDITBUCKETDELETIONPROHIBITED",
      "Effect": "Deny",
      "Action": [
        "s3:DeleteBucket"
      ],
      "Resource": [
        "arn:aws:s3:::aws-controltower*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Detect Public Read Access Setting for Log Archive
This control detects whether public read access is enabled for the Amazon S3 buckets in the log archive shared account. This control does not change the status of the account. This is a detective control with mandatory guidance. By default, this control is enabled on the Security OU.
The artifact for this control is the following AWS Config rule.
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check that your S3 buckets do not allow public access
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForS3PublicRead:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks that your S3 buckets do not allow public read access. If an S3 bucket policy or bucket ACL allows public read access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_READ_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
Detect Public Write Access Setting for Log Archive
This control detects whether public write access is enabled for the Amazon S3 buckets in the log archive shared account. This control does not change the status of the account. This is a detective control with mandatory guidance. By default, this control is enabled on the Security OU.
The artifact for this control is the following AWS Config rule.
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to check that your S3 buckets do not allow public access
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForS3PublicWrite:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Checks that your S3 buckets do not allow public write access. If an S3 bucket policy or bucket ACL allows public write access, the bucket is noncompliant.
      Source:
        Owner: AWS
        SourceIdentifier: S3_BUCKET_PUBLIC_WRITE_PROHIBITED
      Scope:
        ComplianceResourceTypes:
          - AWS::S3::Bucket
Disallow Configuration Changes to CloudTrail
This control prevents configuration changes to CloudTrail in your landing zone. This is a preventive control with mandatory guidance. By default, this control is enabled on all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Integrate CloudTrail Events with Amazon CloudWatch Logs
This control performs real-time analysis of activity data by sending CloudTrail events to CloudWatch Logs log files. This is a preventive control with mandatory guidance. By default, this control is enabled on all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Enable CloudTrail in All Available Regions
This control enables CloudTrail in all available AWS Regions. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Enable Integrity Validation for CloudTrail Log File
This control enables integrity validation for the CloudTrail log file in all accounts and OUs. It protects the integrity of account activity logs using CloudTrail log file validation, which creates a digitally signed digest file that contains a hash of each log that CloudTrail writes to Amazon S3. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDTRAILENABLED",
      "Effect": "Deny",
      "Action": [
        "cloudtrail:DeleteTrail",
        "cloudtrail:PutEventSelectors",
        "cloudtrail:StopLogging",
        "cloudtrail:UpdateTrail"
      ],
      "Resource": ["arn:aws:cloudtrail:*:*:trail/aws-controltower-*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Amazon CloudWatch Set Up by AWS Control Tower
This control disallows changes to Amazon CloudWatch as it was configured by AWS Control Tower when you set up your landing zone. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCLOUDWATCHEVENTPOLICY",
      "Effect": "Deny",
      "Action": [
        "events:PutRule",
        "events:PutTargets",
        "events:RemoveTargets",
        "events:DisableRule",
        "events:DeleteRule"
      ],
      "Resource": [
        "arn:aws:events:*:*:rule/aws-controltower-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Tags Created by AWS Control Tower for AWS Config Resources
This control prevents changes to the tags that AWS Control Tower created when you set up your landing zone, for AWS Config resources that collect configuration and compliance data. It denies any TagResource and UntagResource operation for aggregation authorizations tagged by AWS Control Tower. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGRULETAGSPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:TagResource",
        "config:UntagResource"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": "aws-control-tower"
        }
      }
    }
  ]
}
Disallow Configuration Changes to AWS Config
This control prevents configuration changes to AWS Config. It ensures that AWS Config records resource configurations in a consistent manner by disallowing AWS Config settings changes. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGENABLED",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Enable AWS Config in All Available Regions
This control enables AWS Config in all available AWS Regions. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGENABLED",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:DeleteDeliveryChannel",
        "config:DeleteRetentionConfiguration",
        "config:PutConfigurationRecorder",
        "config:PutDeliveryChannel",
        "config:PutRetentionConfiguration",
        "config:StopConfigurationRecorder"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to AWS Config Rules Set Up by AWS Control Tower
This control disallows changes to AWS Config Rules that were implemented by AWS Control Tower when the landing zone was set up. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRCONFIGRULEPOLICY",
      "Effect": "Deny",
      "Action": [
        "config:PutConfigRule",
        "config:DeleteConfigRule",
        "config:DeleteEvaluationResults",
        "config:DeleteConfigurationAggregator",
        "config:PutConfigurationAggregator"
      ],
      "Resource": ["*"],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        },
        "StringEquals": {
          "aws:ResourceTag/aws-control-tower": "managed-by-control-tower"
        }
      }
    }
  ]
}
Disallow Changes to AWS IAM Roles Set Up by AWS Control Tower and AWS CloudFormation
This control disallows changes to the AWS IAM roles that AWS Control Tower created when the landing zone was set up. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
Control update
An updated version has been released for the mandatory control AWS-GR_IAM_ROLE_CHANGE_PROHIBITED.
This change to the control is required because accounts in OUs that are being enrolled into AWS Control Tower must have the AWSControlTowerExecution role enabled. The previous version of the control prevents this role from being created.
AWS Control Tower updated the existing control to add an exception so that AWS CloudFormation StackSets can create the AWSControlTowerExecution role. As a second measure, this new control protects the StackSets role to prevent principals in the child account from gaining access.
The new control version performs the following actions, in addition to all actions provided in the previous version:
- Allows the stacksets-exec-* role (owned by AWS CloudFormation) to perform actions on IAM roles that were created by AWS Control Tower.
- Prevents changes to any IAM role in child accounts, where the IAM role name matches the pattern stacksets-exec-*.
The update to the control version affects your OUs and accounts as follows:
- If you extend governance to an OU, that incoming OU receives the updated version of the control as part of the registration process. You do not need to update your landing zone to get the latest version for this OU. AWS Control Tower applies the latest version automatically to OUs that register.
- If you update or repair your landing zone at any time after this release, your control will be updated to this version for future provisioning.
- OUs created in or registered with AWS Control Tower before this release date, and which are part of a landing zone that has not been repaired or updated after the release date, will continue to operate with the old version of the control, which blocks the creation of the AWSControlTowerExecution role.
- One consequence of this control update is that your OUs can be functioning with different versions of the control. Update your landing zone to apply the updated version of the control to your OUs uniformly.
The artifact of the updated control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRIAMROLEPOLICY",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-controltower-*",
        "arn:aws:iam::*:role/*AWSControlTower*",
        "arn:aws:iam::*:role/stacksets-exec-*"   #this line is new
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": [
            "arn:aws:iam::*:role/AWSControlTowerExecution",
            "arn:aws:iam::*:role/stacksets-exec-*"   #this line is new
          ]
        }
      }
    }
  ]
}
The former artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRIAMROLEPOLICY",
      "Effect": "Deny",
      "Action": [
        "iam:AttachRolePolicy",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePermissionsBoundary",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:PutRolePermissionsBoundary",
        "iam:PutRolePolicy",
        "iam:UpdateAssumeRolePolicy",
        "iam:UpdateRole",
        "iam:UpdateRoleDescription"
      ],
      "Resource": [
        "arn:aws:iam::*:role/aws-controltower-*",
        "arn:aws:iam::*:role/*AWSControlTower*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
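As an added example (not part of the AWS documentation or of AWS Control Tower), the following Python script evaluates the former and updated GRIAMROLEPOLICY statements above against two constructed requests, showing why the former version blocked enrollment and what the updated version protects; its evaluator also handles the StringNotLike, StringLike, StringEquals and ForAnyValue:StringEquals conditions used by the other SCPs on this page. The account ID, role names and request contexts are assumptions constructed for the example, and the evaluator is a simplification of IAM policy evaluation, not the AWS engine.

```python
import fnmatch
# Added illustration, not the AWS policy engine: a minimal evaluator for the
# Deny-only SCP statements on this page, supporting only the operators they use
# (ArnNotLike, StringNotLike, StringLike, StringEquals, ForAnyValue:StringEquals).
# Action and condition-key matching is case-insensitive, as in IAM.

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _like(value, patterns):
    # IAM "*" and "?" wildcards; fnmatch also treats "[" specially, ARNs lack it
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    """Every operator block must hold for a Deny statement to apply."""
    for operator, pairs in condition.items():
        set_op, _, op = operator.rpartition(":")      # "ForAnyValue:StringEquals"
        negated = op in ("ArnNotLike", "StringNotLike", "StringNotEquals")
        for key, patterns in pairs.items():
            actual = ctx.get(key.lower())
            if actual is None:             # negated operators hold on a missing key
                if negated:
                    continue
                return False
            values = actual if set_op == "ForAnyValue" else [actual]
            if op.endswith("Equals"):
                hit = any(v in _as_list(patterns) for v in values)
            else:
                hit = any(_like(v, patterns) for v in values)
            if hit == negated:
                return False
    return True

def scp_denies(policy, action, resource, ctx):
    """Return the Sid of the first Deny statement blocking the request, else None."""
    ctx = {k.lower(): v for k, v in ctx.items()}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _like(action.lower(), actions) or not _like(resource, stmt["Resource"]):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return stmt["Sid"]
    return None

# The GRIAMROLEPOLICY statement from the page, in its former and updated forms.
IAM_ACTIONS = ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
               "iam:DeleteRolePermissionsBoundary", "iam:DeleteRolePolicy",
               "iam:DetachRolePolicy", "iam:PutRolePermissionsBoundary",
               "iam:PutRolePolicy", "iam:UpdateAssumeRolePolicy", "iam:UpdateRole",
               "iam:UpdateRoleDescription"]
CT_EXEC = "arn:aws:iam::*:role/AWSControlTowerExecution"
STACKSETS = "arn:aws:iam::*:role/stacksets-exec-*"
CT_ROLES = ["arn:aws:iam::*:role/aws-controltower-*", "arn:aws:iam::*:role/*AWSControlTower*"]
FORMER_IAM_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GRIAMROLEPOLICY", "Effect": "Deny", "Action": IAM_ACTIONS,
    "Resource": CT_ROLES, "Condition": {"ArnNotLike": {"aws:PrincipalARN": CT_EXEC}}}]}
UPDATED_IAM_SCP = {"Version": "2012-10-17", "Statement": [{
    "Sid": "GRIAMROLEPOLICY", "Effect": "Deny", "Action": IAM_ACTIONS,
    "Resource": CT_ROLES + [STACKSETS],
    "Condition": {"ArnNotLike": {"aws:PrincipalArn": [CT_EXEC, STACKSETS]}}}]}

# Constructed (action, resource, ctx) requests with a placeholder account ID: StackSets
# creating AWSControlTowerExecution at enrollment, and a child-account admin editing the StackSets role.
ACCT = "111122223333"
ENROLL = ("iam:CreateRole", f"arn:aws:iam::{ACCT}:role/AWSControlTowerExecution",
          {"aws:PrincipalArn": f"arn:aws:iam::{ACCT}:role/stacksets-exec-abc123"})
TAMPER = ("iam:UpdateAssumeRolePolicy", f"arn:aws:iam::{ACCT}:role/stacksets-exec-abc123",
          {"aws:PrincipalArn": f"arn:aws:iam::{ACCT}:role/ChildAccountAdmin"})
```

Running `scp_denies(FORMER_IAM_SCP, *ENROLL)` returns "GRIAMROLEPOLICY" (enrollment blocked) while `scp_denies(UPDATED_IAM_SCP, *ENROLL)` returns None, and only the updated policy denies the TAMPER request.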
Disallow Changes to AWS Lambda Functions Set Up by AWS Control Tower
This control disallows changes to AWS Lambda functions set up by AWS Control Tower. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRLAMBDAFUNCTIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "lambda:AddPermission",
        "lambda:CreateEventSourceMapping",
        "lambda:CreateFunction",
        "lambda:DeleteEventSourceMapping",
        "lambda:DeleteFunction",
        "lambda:DeleteFunctionConcurrency",
        "lambda:PutFunctionConcurrency",
        "lambda:RemovePermission",
        "lambda:UpdateEventSourceMapping",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration"
      ],
      "Resource": [
        "arn:aws:lambda:*:*:function:aws-controltower-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Amazon SNS Set Up by AWS Control Tower
This control disallows changes to Amazon SNS set up by AWS Control Tower. It protects the integrity of Amazon SNS notification settings for your landing zone. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRSNSTOPICPOLICY",
      "Effect": "Deny",
      "Action": [
        "sns:AddPermission",
        "sns:CreateTopic",
        "sns:DeleteTopic",
        "sns:RemovePermission",
        "sns:SetTopicAttributes"
      ],
      "Resource": [
        "arn:aws:sns:*:*:aws-controltower-*"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Disallow Changes to Amazon SNS Subscriptions Set Up by AWS Control Tower
This control disallows changes to Amazon SNS subscriptions set up by AWS Control Tower. It protects the integrity of the Amazon SNS subscription settings for your landing zone, which trigger notifications for AWS Config Rules compliance changes. This is a preventive control with mandatory guidance. By default, this control is enabled in all OUs.
The artifact for this control is the following SCP.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "GRSNSSUBSCRIPTIONPOLICY",
      "Effect": "Deny",
      "Action": [
        "sns:Subscribe",
        "sns:Unsubscribe"
      ],
      "Resource": [
        "arn:aws:sns:*:*:aws-controltower-SecurityNotifications"
      ],
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalARN": "arn:aws:iam::*:role/AWSControlTowerExecution"
        }
      }
    }
  ]
}
Detect whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled
This control detects whether shared accounts under the Security organizational unit have AWS CloudTrail or CloudTrail Lake enabled. The rule is NON_COMPLIANT if either CloudTrail or CloudTrail Lake is not enabled in a shared account. This is a detective control with mandatory guidance. By default, this control is enabled on the Security OU.
The artifact for this control is the following AWS Config rule.
AWSTemplateFormatVersion: 2010-09-09
Description: Configure AWS Config rules to detect whether an account has AWS CloudTrail or CloudTrail Lake enabled.
Parameters:
  ConfigRuleName:
    Type: 'String'
    Description: 'Name for the Config rule'
Resources:
  CheckForCloudtrailEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: !Sub ${ConfigRuleName}
      Description: Detects whether an account has AWS CloudTrail or CloudTrail Lake enabled. The rule is NON_COMPLIANT if either CloudTrail or CloudTrail Lake is not enabled in an account.
      Source:
        Owner: AWS
        SourceIdentifier: CLOUD_TRAIL_ENABLED