Posted On: Jan 24, 2023

Today we are excited to announce the launch of comprehensive controls management in AWS Control Tower, a set of new features that enhances AWS Control Tower’s governance capabilities. You can now programmatically implement controls at scale across your multi-account AWS environments within minutes, so you can more quickly vet, allow-list, and begin using AWS services. With comprehensive controls management in AWS Control Tower, you can reduce the time it takes to define, map, and manage the controls required to meet your most common control objectives such as enforcing least privilege, restricting network access, and enforcing data encryption.

As customers begin to use AWS services, many take an allow-list approach — only allowing use of AWS services that have been vetted and approved — to balance their security and compliance requirements with the need to be agile. This restricts developer access to AWS services until risks are defined and controls implemented. AWS Control Tower’s new proactive control capabilities leverages AWS CloudFormation Hooks to proactively identify and block noncompliant resources before they are provisioned by CloudFormation. AWS Control Tower’s new proactive controls complement AWS Control Tower’s existing control capabilities, enabling you to disallow actions that lead to policy violations and detect noncompliance of resources at scale. AWS Control Tower provides updated configuration and technical documentation so you can more quickly benefit from AWS services and features. AWS Control Tower provides you a consolidated view of compliance status across your multi-account environment.

AWS Control Tower offers a streamlined way to set up and govern a Well-Architected AWS environment. To learn more, visit the AWS Control Tower homepage or see the AWS Control Tower User Guide. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.