Posted On: Jul 30, 2021

AWS Control Tower guardrail naming and descriptions have been revised to better reflect the guardrail policy intention. The revised names and descriptions will help users more intuitively understand how guardrails enhance control of their accounts. For example, names of detective guardrails were modified from “Disallow” to “Detect” since the detective guardrail itself does not enforce a specific action but detects policy violations and provides alerts through the dashboard. Guardrail behavior, guidance, and implementation remain unchanged.

Control Tower provides customers with out-of-the-box preventative and detective guardrails that customers can deploy to increase their security, operational, and compliance posture. Guardrails are high-level rules that automate ongoing policy management and can be preventative or detective in nature. Guardrails remain in effect as you create new accounts or make changes to your existing accounts, and Control Tower provides a summary report of how each account conforms to your enabled policies.

While you can experience the guardrail naming improvements in all versions of AWS Control Tower, it is recommended that customers not currently on version 2.7 perform a Landing Zone update to take advantage of other features such as Region Selection that are available in the latest version.

For a full list of Regions where AWS Control Tower is available, see the AWS Region Table. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide.