Posted On: Apr 8, 2021

AWS Control Tower is releasing four new, less restrictive, mandatory preventative S3 Log Archive guardrails and changing the guidance of the four previous, more restrictive, preventative S3 Log Archive guardrails from mandatory to elective. With these guardrail changes you can now separate S3 Log Archive governance for resources created by AWS Control Tower from governance for the S3 resources you create.  

The new guardrails and the guidance adjustments to the existing guardrails are available when you set up a new landing zone or update your AWS Control Tower landing zone version. Current AWS Control Tower environments will automatically have the elective guardrails enabled by default for environment consistency; however, since the guardrails are now elective, they can be disabled. Customers who do not update their landing zone will not be able to disable the elective guardrails until a landing zone update is completed. To learn more, visit the AWS Control Tower Landing Zone update page.

New Mandatory Preventative Guardrails:

  • Disallow Changes to Encryption Configuration for AWS Control Tower Created S3 Buckets in Log Archive
  • Disallow Changes to Logging Configuration for AWS Control Tower Created S3 Buckets in Log Archive
  • Disallow Changes to Bucket Policy for AWS Control Tower Created S3 Buckets in Log Archive
  • Disallow Changes to Lifecycle Configuration for AWS Control Tower Created S3 Buckets in Log Archive

Existing Guardrails with Guidance Changed from Mandatory to Elective:

  • Disallow Changes to Encryption Configuration for all Amazon S3 Buckets [Previously: Enable Encryption at Rest for Log Archive]
  • Disallow Changes to Logging Configuration for all Amazon S3 Buckets [Previously: Enable Access Logging for Log Archive]
  • Disallow Changes to Bucket Policy for all Amazon S3 Buckets [Previously: Disallow Policy Changes to Log Archive]
  • Disallow Changes to Lifecycle Configuration for all Amazon S3 Buckets [Previously: Set a Retention Policy for Log Archive]

AWS Control Tower is also releasing blueprint updates requiring S3 bucket requests to use SSL and, by default, AWS Control Tower will enable the “Block Public Access” setting for all AWS Control Tower environment buckets. These changes bring AWS Control Tower into alignment with the latest guidance from the AWS Foundational Security Best Practices for these topics. If you are not currently using SSL for S3 bucket requests, you should change your protocol to use TLS/SSL to prevent any interruption in communications.
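The SSL requirement described above is normally enforced with a bucket policy that denies every S3 action when the `aws:SecureTransport` condition key is false. The following added checker (not AWS Control Tower's own blueprint code) tests whether a bucket policy document contains such a statement, so you can confirm your own buckets already reject plaintext requests before the blueprint update lands. The bucket ARN and both policies are constructed samples.

```python
"""Check whether an S3 bucket policy denies requests that do not use TLS.

Constructed example, not AWS Control Tower's blueprint code. It looks for
the standard pattern AWS documents for encryption in transit: a Deny on
all S3 actions, for any principal, conditioned on aws:SecureTransport=false.
"""
import json


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def denies_non_tls(policy: dict, bucket_arn: str) -> bool:
    """True if some Deny statement covers the bucket and its objects for
    every principal and every S3 action whenever the request is not TLS."""
    needed = {bucket_arn, bucket_arn + "/*"}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        principal = stmt.get("Principal")
        if principal != "*" and principal != {"AWS": "*"}:
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not ({"s3:*", "*"} & actions):
            continue
        if not needed <= set(_as_list(stmt.get("Resource", []))):
            continue
        flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if flag is not None and str(_as_list(flag)[0]).lower() == "false":
            return True
    return False


# Constructed bucket ARN and policies (placeholders, not real resources).
BUCKET_ARN = "arn:aws:s3:::example-log-archive-bucket"

TLS_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-log-archive-bucket",
                 "arn:aws:s3:::example-log-archive-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# A policy that grants access but never denies plaintext HTTP requests.
NO_TLS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}]}

if __name__ == "__main__":
    for name, pol in [("tls_only", TLS_ONLY_POLICY), ("no_tls", NO_TLS_POLICY)]:
        print(name, "enforces TLS:", denies_non_tls(pol, BUCKET_ARN))
```

To check a live bucket, feed the checker the document returned by `get_bucket_policy` for that bucket's ARN.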

For a full list of guardrails see Guardrail Reference - AWS Control Tower. To learn more, visit the AWS Control Tower homepage or see the Control Tower User Guide.  

You can also visit the AWS Control Tower product webpage or visit YouTube to watch this video about getting started with AWS Control Tower for AWS Organizations.