Posted On: May 20, 2022

AWS Control Tower now supports operational concurrency for all guardrail types, preventive or detective. With this new release you can now enable or disable multiple preventive guardrails without needing to wait for individual guardrail operations to complete. AWS Control Tower provides customers with out-of-the-box preventive and detective guardrails that you can deploy to increase your security, operational, and compliance posture.

You can now enable different preventive guardrails (e.g. Disallow Creation of Access Keys for the Root User and Disallow Delete Actions on Amazon S3 Buckets Without MFA) on the same Organizational Unit (OU), or the same preventive guardrail on different OUs concurrently. When using nested OUs, preventive guardrails affect all accounts and OUs nested under the target OU, even if those accounts and OUs are not registered. Preventive guardrails are implemented using Service Control Policies (SCPs), which are part of AWS Organizations. Detective guardrails are implemented using AWS Config rules. Guardrails remain in effect as you create new accounts or make changes to your existing accounts, and AWS Control Tower provides a summary report of how each account conforms to your enabled policies. For a full list of available guardrails, see Guardrail Reference - AWS Control Tower.

AWS Control Tower offers the easiest way to set up and govern a new, secure, multi-account AWS environment based on AWS best practices. Customers can create new accounts using AWS Control Tower’s account factory and enable governance features such as guardrails, centralized logging and monitoring in supported AWS Regions. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.