Custom controls

After you have conducted your risk assessment, identified your security and compliance requirements, and selected the AWS Control Tower controls to guardrail these requirements, there might be some requirements that still aren't addressed. You can implement custom service control policies (SCPs), AWS Config Rules, and AWS CloudFormation Hooks to cover these requirements. However, these controls aren't implemented as AWS Control Tower controls—they're implemented outside AWS Control Tower.

The following table provides examples of custom controls that you can append to your controls table.

Control	Guidance level	Behavior	Security OU	Infrastructure OU	Suspended OU	Workloads OU	Deployments OU	Sandbox OU	Purpose
Protect Amazon CloudWatch	Custom SCP	Proactive	Yes	Yes	Yes	Yes	Yes	No	Deny `cloudwatch:DeleteAlarms`,`cloudwatch:DeleteDashboards`, `cloudwatch:DisableAlarmActions`, `cloudwatch:PutDashboard`, `cloudwatch:PutMetricAlarm`, `cloudwatch:SetAlarmState`
Enforce encryption for Amazon Simple Storage Service (Amazon S3) buckets	Custom SCP	Proactive	Yes	Yes	Yes	Yes	Yes	No	Deny `s3:PutObject` on the condition that encryption is `false`
AWS Identity and Access Management (IAM) user creation	Custom SCP	Proactive	Yes	Yes	Yes	Yes	Yes	Yes	Deny `iam:CreateUser`
Protect account and billing settings	Custom SCP	Proactive	Yes	Yes	Yes	Yes	Yes	Yes	Deny `aws-portal:ModifyAccount`, `aws-portal:ModifyBilling`, `aws-portal:ModifyPaymentMethods`

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Optional controls

Networking integration

选择您的 Cookie 首选项

自定义 Cookie 首选项

关键

性能

功能

广告

无法保存 Cookie 首选项

Custom controls

此页内容对您是否有帮助？

下一主题：

上一主题：

需要帮助吗？