Optional controls
You can enable optional controls on OUs in the organization if you choose. These controls are categorized as strongly recommended or elective controls. Strongly recommended controls are based on best practices for well-architected, multi-account environments. Elective controls prevent or track attempts to perform commonly restricted actions in an AWS enterprise environment. Unlike mandatory controls, strongly recommended and elective controls aren't activated by default—you can activate and deactivate them according to your requirements.
Security and compliance requirements
Make sure that you customize and adapt your control configurations and choices according to your landing zone requirements. The security requirements of your organization determine which controls to use and which OUs to enable them on. Before you select optional controls, you should consider your organization's specific goals, requirements, and compliance needs. Perform a comprehensive risk assessment to identify the specific risks and vulnerabilities that your organization faces in its AWS environment, and gather your security and compliance requirements. After you list your requirements clearly, you can start selecting the optional controls.
Guidelines
Strongly recommended controls are rooted in industry best practices for setting up a secure landing zone. Therefore, unless you have specific requirements that prevent their implementation, we recommend that you enable these controls across all OUs where the associated resources are provisioned.
Elective controls encompass industry-specific best practices and are tailored to address the unique security and compliance requirements of certain industries. We recommend that you research the best practices for your industry and adapt the relevant elective controls accordingly. The controls are designed to strengthen the security and compliance of your AWS environment, and adhering to them helps you align with recognized security standards.
However, some OUs might have unique circumstances that warrant exceptions. For example, consider enabling controls related to Amazon Elastic Block Store (Amazon EBS) volume encryption in OUs, such as workload OUs, where sensitive data is expected. Conversely, in a sandbox OU where experimentation is encouraged and no sensitive data is involved, you might have the flexibility to skip certain controls. The key is to balance robust security, compliance, and operational flexibility. Always aim to apply controls where they provide the most value while respecting the specific needs of each OU.
Documenting optional controls for your organization
You can use a table similar to the following in your design document to mark which optional controls should be enabled on which OUs. You can extend this table with information about the mandatory and custom controls you're using in your organization.
This table includes both strongly recommended and elective controls. The AWS Security Hub standard controls, data residency controls, and proactive controls are additional optional controls that you can append to the table. These are described later in this section.
The following table shows example configurations and OUs that you should adjust for your specific security and compliance requirements.
Note
AWS Control Tower controls are continuously updated. For the most up-to-date and complete list, see Optional controls in the AWS Control Tower documentation.
| Control | Guidance level | Behavior | Security OU | Infrastructure OU | Suspended OU | Workloads OU | Deployments OU | Sandbox OU | Purpose |
|---|---|---|---|---|---|---|---|---|---|
|  | Strongly recommended | Preventive | Yes | Yes | Yes | Yes | Yes | Yes | Reduces the risk of unauthorized access to the sensitive root user. |
|  | Strongly recommended | Preventive | Yes | Yes | Yes | Yes | Yes | Yes | Reduces the impact of unauthorized access to the sensitive root user. |
| Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Ensures that encryption is enabled to strengthen data security, maintain compliance, mitigate risks, or align with security best practices. |
|  | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Helps reduce the network attack surface for TCP traffic. |
| Detect Whether Unrestricted Internet Connection Through SSH is Allowed | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Helps reduce the network attack surface for SSH traffic. |
|  | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | Yes | Helps reduce the risk of unauthorized access to the sensitive root user through multi-factor authentication. |
| Detect Whether Public Read Access to Amazon S3 Buckets is Allowed | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Mitigates the risk of unauthorized read access to sensitive data by identifying S3 buckets that might be publicly accessible. |
| Detect Whether Public Write Access to Amazon S3 Buckets is Allowed | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Mitigates the risk of unauthorized write access to sensitive data by identifying S3 buckets that might be publicly accessible. |
| Detect Whether Amazon EBS Volumes are Attached to Amazon EC2 Instances | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Detects whether an Amazon EBS volume device persists independently from an Amazon EC2 instance. |
| Detect Whether Amazon EBS Optimization is Enabled for Amazon EC2 Instances | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Detects EC2 instances where performance and cost can be improved by using Amazon EBS optimization. |
| Detect Whether Public Access to Amazon RDS Database Instances is Enabled | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Detects publicly accessible Amazon Relational Database Service (Amazon RDS) database instances to secure sensitive data. |
| Detect Whether Public Access to Amazon RDS Database Snapshots is Enabled | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | Yes | Detects publicly accessible Amazon RDS database snapshots to secure sensitive data. |
| Detect Whether Storage Encryption is Enabled for Amazon RDS Database Instances | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies unencrypted Amazon RDS instances to mitigate the risk of sensitive data exposure. |
| Detect whether an account has AWS CloudTrail or CloudTrail Lake enabled | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | Yes | Ensures that proper monitoring is enabled by using CloudTrail. |
| Disallow Changes to Replication Configuration for Amazon S3 Buckets | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents unauthorized alterations to replication configurations to ensure consistent data replication and adherence to regulatory requirements. |
|  | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents accidental or malicious deletion of S3 buckets by requiring multi-factor authentication. |
|  | Elective | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies IAM users that don't have multi-factor authentication enabled, to mitigate the risk of unauthorized access. |
| Detect Whether MFA is Enabled for AWS IAM Users of the AWS Console | Elective | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies IAM users of the AWS Management Console that don't have multi-factor authentication enabled, to mitigate the risk of unauthorized access. |
|  | Elective | Detective | Yes | Yes | Yes | Yes | Yes | No | Identifies S3 buckets where versioning isn't enabled, to mitigate the risk of accidental deletion or modification of data. |
| Disallow Changes to Encryption Configuration for Amazon S3 Buckets | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to the encryption configuration of S3 buckets to protect sensitive data. |
| Disallow Changes to Logging Configuration for Amazon S3 Buckets | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to the logging configuration of S3 buckets to ensure consistent and reliable audit logging. |
|  | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to bucket policies for S3 buckets to maintain proper access controls. |
| Disallow Changes to Lifecycle Configuration for Amazon S3 Buckets | Elective | Preventive | Yes | Yes | Yes | Yes | Yes | No | Prevents changes to lifecycle configurations for S3 buckets to help maintain data management consistency and compliance. |
| Disallow management of resource types, modules, and hooks within the AWS CloudFormation registry | Elective | Preventive (Note: You must enable this control when you activate proactive controls in your environment.) | Yes | Yes | Yes | Yes | Yes | Yes | Prevents unintended management of resource types, modules, and hooks to help ensure the stability and security of infrastructure deployments. |
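A design table is only useful if the landing zone actually matches it. The following script, added here as an example and not code from this guide or from AWS, parses two rows of the table above into a desired state, compares it with the controls enabled on each OU, and emits the keyword arguments for the `EnableControl` API call needed to close each gap. Everything not on this page is an assumption: the home Region, account ID and OU ARNs are placeholders, the `AWS-GR_*` control identifiers are taken from the AWS Control Tower controls library and must be verified against the current reference, and the "enabled controls" data is constructed inline so the script runs offline.

```python
"""Reconcile the optional-controls design table against the controls that are
actually enabled on each OU.

Added example, not code from this guide or from AWS.  Assumptions not in the
original page: the home Region, account ID and OU ARNs are placeholders; the
AWS-GR_* identifiers come from the AWS Control Tower controls library and must
be verified; fetch_enabled() returns constructed data so the script runs offline.
"""
from __future__ import annotations

HOME_REGION = "us-east-1"  # assumption: landing zone home Region

# Assumption: placeholder OU ARNs for the OUs used in the design table.
OU_ARNS = {
    "Security OU": "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exmp-11111111",
    "Infrastructure OU": "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exmp-22222222",
    "Suspended OU": "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exmp-33333333",
    "Workloads OU": "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exmp-44444444",
    "Deployments OU": "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exmp-55555555",
    "Sandbox OU": "arn:aws:organizations::111122223333:ou/o-exampleorgid/ou-exmp-66666666",
}

EBS_ENCRYPTION = "Detect Whether Encryption is Enabled for Amazon EBS Volumes Attached to Amazon EC2 Instances"
SSH_UNRESTRICTED = "Detect Whether Unrestricted Internet Connection Through SSH is Allowed"

# Design-table control name -> identifier in the controls library (assumed; verify).
CONTROL_IDENTIFIERS = {
    EBS_ENCRYPTION: "AWS-GR_ENCRYPTED_VOLUMES",
    SSH_UNRESTRICTED: "AWS-GR_RESTRICTED_SSH",
}


def control_arn(name: str) -> str:
    """Control Tower control ARN: arn:aws:controltower:<home-region>::control/<id>."""
    return f"arn:aws:controltower:{HOME_REGION}::control/{CONTROL_IDENTIFIERS[name]}"


# Two rows of the design table from this section, in the same column layout.
DESIGN_TABLE = f"""\
| Control | Guidance level | Behavior | Security OU | Infrastructure OU | Suspended OU | Workloads OU | Deployments OU | Sandbox OU | Purpose |
|---|---|---|---|---|---|---|---|---|---|
| {EBS_ENCRYPTION} | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Ensures that encryption is enabled. |
| {SSH_UNRESTRICTED} | Strongly recommended | Detective | Yes | Yes | Yes | Yes | Yes | No | Helps reduce the network attack surface for SSH traffic. |
"""


def parse_design_table(table: str) -> dict[str, set[str]]:
    """Map each control name in the table to the set of OU names marked 'Yes'."""
    rows = [line.strip().strip("|") for line in table.strip().splitlines()]
    header = [cell.strip() for cell in rows[0].split("|")]
    ou_columns = [col for col in header if col.endswith(" OU")]
    plan: dict[str, set[str]] = {}
    for row in rows[1:]:
        if set(row.replace("|", "").strip()) <= {"-", ":"}:
            continue  # markdown separator row
        cells = dict(zip(header, (c.strip() for c in row.split("|"))))
        plan[cells["Control"]] = {ou for ou in ou_columns if cells.get(ou, "").lower() == "yes"}
    return plan


# Constructed current state: the SSH control is missing on two OUs that want it
# and enabled on the Sandbox OU, which does not.
_EBS, _SSH = control_arn(EBS_ENCRYPTION), control_arn(SSH_UNRESTRICTED)
ENABLED_BY_OU = {
    OU_ARNS["Security OU"]: [_EBS, _SSH],
    OU_ARNS["Infrastructure OU"]: [_EBS, _SSH],
    OU_ARNS["Suspended OU"]: [_EBS],
    OU_ARNS["Workloads OU"]: [_EBS, _SSH],
    OU_ARNS["Deployments OU"]: [_EBS],
    OU_ARNS["Sandbox OU"]: [_SSH],
}


def fetch_enabled(ou_arn: str) -> list[dict]:
    """Enabled controls on one OU, shaped like
    boto3.client("controltower").list_enabled_controls(targetIdentifier=ou_arn)["enabledControls"].
    The real response also lists mandatory controls; reconcile() ignores any control
    the design table does not mention.
    """
    return [{"controlIdentifier": arn, "targetIdentifier": ou_arn} for arn in ENABLED_BY_OU.get(ou_arn, [])]


def reconcile(plan: dict[str, set[str]]) -> tuple[set, set]:
    """Return (missing, unexpected) as sets of (control ARN, OU ARN) pairs."""
    documented = {control_arn(name) for name in plan}
    wanted = {(control_arn(name), OU_ARNS[ou]) for name, ous in plan.items() for ou in ous}
    actual = {
        (ec["controlIdentifier"], ou_arn)
        for ou_arn in OU_ARNS.values()
        for ec in fetch_enabled(ou_arn)
        if ec["controlIdentifier"] in documented
    }
    return wanted - actual, actual - wanted


def enable_control_requests(missing: set) -> list[dict]:
    """Keyword arguments for controltower.enable_control(), one call per missing pair.
    EnableControl is asynchronous: it returns an operationIdentifier that you poll
    with get_control_operation() before treating the control as enabled.
    """
    return [{"controlIdentifier": c, "targetIdentifier": t} for c, t in sorted(missing)]


if __name__ == "__main__":
    missing, unexpected = reconcile(parse_design_table(DESIGN_TABLE))
    for c, t in sorted(missing):
        print(f"MISSING    {c.rsplit('/', 1)[1]} on {t.rsplit('/', 1)[1]}")
    for c, t in sorted(unexpected):
        print(f"UNEXPECTED {c.rsplit('/', 1)[1]} on {t.rsplit('/', 1)[1]}")
```

To run this against a real landing zone, replace the body of `fetch_enabled()` with the boto3 call named in its docstring and call it with credentials in the management account. Newer controls are identified by AWS Control Catalog ARNs rather than the legacy `arn:aws:controltower:` form, so `control_arn()` needs a second mapping for those. The "unexpected" set is as important as the "missing" set: a control enabled on the Sandbox OU that the design document says to skip is drift in the other direction, and either the document or the OU should change.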
AWS Security Hub controls
AWS Control Tower is integrated with AWS Security Hub through a Security Hub standard. This integration provides additional controls that help you streamline security and compliance management in your AWS environment.
You can combine more than 230 detective controls from Security Hub with AWS Control Tower controls to help cover your security and compliance requirements. You can add your selected controls to the table that you set up in the previous section.
Note
To start using Security Hub controls in AWS Control Tower, go to the AWS Control Tower controls library and enable the desired Security Hub control. AWS Control Tower takes care of the activation process and creates a new standard named Service-Managed Standard: AWS Control Tower in Security Hub. This standard provides visibility into activated controls and their evaluations, which simplifies monitoring and compliance efforts. For more information, see Security Hub standard in the AWS Control Tower documentation.
Data residency controls
Data residency controls enforce data residency requirements in your organization. These elective controls are included in AWS Control Tower to help ensure that your data is stored and processed in compliance with your regulations and policies. You should consider using data residency controls in scenarios such as the following:
- Regulatory compliance: You want to ensure that data is stored and processed in the designated geographic regions to meet regulatory requirements such as General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), or industry-specific regulations.
- International operations: You want to segment your AWS workloads based on their geographic locations and ensure that data remains within the desired region.
- Risk mitigation: You want to mitigate the risk of data exposure from accidental or unauthorized data transfers across regions, to reduce the risk of data leakage or non-compliance.
- Data sovereignty: You run workloads in countries that have laws that require data to remain within the country's borders.
- Data classification: You want to classify data based on its sensitivity or regulatory requirements, and then apply specific policies to each data classification.
It is essential to thoroughly understand your organization's data residency requirements and the relevant regulations before implementing data residency controls in AWS Control Tower.
Documenting data residency controls for your organization
When you design your data residency controls, you can use the optional controls table provided previously in this section and append the data residency controls that you have selected to meet your requirements. The following table lists the existing controls and examples of when to use them.
Note
AWS Control Tower controls are continuously updated. For the most up-to-date and complete list of controls, see Controls that enhance data residency protection in the AWS Control Tower documentation.
| Control | Guidance level | Behavior | Default OU | Purpose |
|---|---|---|---|---|
|  | Elective | Preventive | All OUs, if enabled in AWS Control Tower landing zone settings. | (This control is frequently referred to as the Region deny control.) Ensures that AWS resources are provisioned only in approved AWS Regions, aligning with data residency and compliance requirements. |
| Disallow internet access for an Amazon VPC instance managed by a customer | Elective | Preventive | — | Prevents internet access in VPCs to reduce the risk of unauthorized access or data exposure to the public when there are data residency and privacy requirements. |
|  | Elective | Preventive | — | Restricts VPN connections to guard against unauthorized access, data exfiltration, or bypassing security controls. |
| Disallow cross-region networking for Amazon EC2, Amazon CloudFront, and AWS Global Accelerator | Elective | Preventive | — | Prevents cross-Region networking to maintain data residency and help ensure that data remains within approved Regions. Public access could inadvertently lead to data being distributed outside these boundaries. |
|  | Elective | Detective | — | Monitors and controls the exposure of instances to the public internet. This helps reduce the attack surface and the risk of unauthorized access that might compromise data residency and security. |
| Detect whether replication instances for AWS Database Migration Service are public | Elective | Detective | — | Ensures that replication instances aren't publicly accessible, which helps protect sensitive data from unauthorized access and data residency violations. |
| Detect whether Amazon EBS snapshots are restorable by all AWS accounts | Elective | Detective | — | Limits access to EBS snapshots to help prevent unauthorized access, data breaches, and potential non-compliance with data residency regulations. |
| Detect whether any Amazon EC2 instance has an associated public IPv4 address | Elective | Detective | — | Helps identify and mitigate security risks associated with instances that have public IP addresses. These instances might be more vulnerable to attacks. |
| Detect whether Amazon S3 settings to block public access are set as true for the account | Elective | Detective | — | Enforces strict access controls on Amazon S3 buckets to prevent unauthorized public access to sensitive data, to align with data residency and privacy needs. |
| Detects whether an Amazon EKS endpoint is blocked from public access | Elective | Detective | — | Ensures that Amazon Elastic Kubernetes Service (Amazon EKS) cluster endpoints aren't accessible from the public internet. This helps prevent unauthorized sharing of sensitive data that might compromise data residency requirements. |
| Detect whether an Amazon OpenSearch Service domain is in Amazon VPC | Elective | Detective | — | Ensures that Amazon OpenSearch Service domain endpoints aren't public. Deploying these domains within VPCs improves data security by preventing public access and maintaining data residency within trusted network boundaries. |
| Detect whether any Amazon EMR cluster master nodes have public IP addresses | Elective | Detective | — | Reduces the risk of compromising data residency requirements by ensuring that Amazon EMR cluster master nodes don't have publicly accessible IP addresses. |
| Detect whether the AWS Lambda function policy attached to the Lambda resource blocks public access | Elective | Detective | — | Controls access to AWS Lambda functions and prevents unauthorized public invocation or exposure of sensitive functions. |
| Detect whether public routes exist in the route table for an Internet Gateway (IGW) | Elective | Detective | — | Helps maintain network security by ensuring that public routes through an internet gateway are configured only where necessary. |
| Detect whether Amazon Redshift clusters are blocked from public access | Elective | Detective | — | Ensures that Amazon Redshift clusters aren't publicly accessible. This helps protect clusters from unauthorized access that could compromise data residency. |
| Detect whether an Amazon SageMaker AI notebook instance allows direct internet access | Elective | Detective | — | Helps prevent direct internet access to SageMaker AI notebook instances to align with data residency and security requirements, and to reduce exposure to potential threats. |
| Detect whether any Amazon VPC subnets are assigned a public IP address | Elective | Detective | — | Helps maintain network isolation to reduce the risk of unauthorized data exposure and data residency violations. |
| Detect whether AWS Systems Manager documents owned by the account are public | Elective | Detective | — | Helps ensure that Systems Manager documents aren't publicly accessible. This helps protect sensitive data and maintain data residency and security. |
Proactive controls
Proactive controls are optional controls that are implemented with AWS CloudFormation Hooks. This mechanism enables you to run custom logic during the deployment of CloudFormation stacks to monitor and validate the configuration settings and resources that are defined in the CloudFormation templates. If proactive controls detect any deviations or non-compliance issues, they can take immediate action, such as halting the deployment, sending notifications, or initiating remediation processes, to help mitigate potential risks and maintain the desired security posture.
Proactive controls in AWS Control Tower help you identify and address issues before they become vulnerabilities or compliance violations, and ensure a robust and well-governed AWS environment. These controls are designed to complement the existing guardrails and controls within AWS Control Tower. They can provide an additional layer of security and compliance assurance, especially in scenarios where early prevention and continuous monitoring are essential. However, the specific proactive controls you choose to implement should align with your organization's goals, risk profile, and compliance needs. If your organization has specific security requirements that go beyond the default AWS Control Tower controls, you can customize proactive controls to meet these needs.
These controls are categorized by service and listed in the Proactive controls section of the AWS Control Tower documentation. You can choose from a large selection of controls and add them to your selected controls table.
Note
AWS CloudFormation Hooks isn't supported in all AWS Regions where AWS Control Tower is available. Therefore, when you deploy a proactive control, it might not operate in all AWS Regions that you govern with AWS Control Tower.