AWS Control Tower launches configurable managed controls implemented using resource control policies
Today we are excited to announce the launch of AWS managed controls implemented using resource control policies (RCPs) in AWS Control Tower. These new optional preventive controls help you centrally apply organization-wide access controls on AWS resources across your organization. Additionally, you can now configure the new RCP-based controls and the existing service control policy (SCP) based preventive controls to specify AWS IAM principal and resource exemptions where applicable. Configure an exemption when you don’t want a particular principal or resource to be governed by the control. To see a full list of the new controls, see the controls reference guide.
With this addition, AWS Control Tower now supports over 30 configurable preventive controls, providing off-the-shelf AWS-managed controls to help you scale your business onto new AWS workloads and services. At launch, you can enable AWS Control Tower RCPs for Amazon Simple Storage Service (Amazon S3), AWS Security Token Service (AWS STS), AWS Key Management Service (AWS KMS), Amazon Simple Queue Service (Amazon SQS), and AWS Secrets Manager. For example, the control “Require the organization's Amazon S3 resources to be accessible only by IAM principals that belong to the organization” is enforced regardless of the permissions granted in individual S3 bucket policies: an RCP sets a ceiling on what a resource policy can grant, so a bucket policy that grants access to an outside principal is overridden by the organization-wide deny. Note that an RCP never grants access on its own; the bucket policy or the caller's IAM policy must still allow the request.
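For readers who want to see what such a control looks like in policy terms, the following RCP is an added illustration and is not the policy document AWS Control Tower deploys for the managed control. It denies every S3 action on the organization's S3 resources unless the caller belongs to the organization, and it shows the two exemptions a practitioner typically needs: AWS service principals (which carry `aws:PrincipalIsAWSService: true`) and an explicit principal exemption by ARN. The organization ID `o-exampleorgid` and the exempted role ARN are placeholders, not real identifiers.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnforceOrgIdentitiesOnS3",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "StringNotEqualsIfExists": {
          "aws:PrincipalOrgID": "o-exampleorgid"
        },
        "BoolIfExists": {
          "aws:PrincipalIsAWSService": "false"
        },
        "ArnNotLikeIfExists": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/ExemptedPartnerRole"
        }
      }
    }
  ]
}
```

A few points worth checking before attaching a policy like this. RCP statements must use `"Effect": "Deny"` with `"Principal": "*"` and `"Resource": "*"`, and only actions of the RCP-supported services are allowed in `Action`. The `IfExists` condition operators evaluate as true when the key is absent from the request, so an anonymous (public) request, which carries no `aws:PrincipalOrgID`, still matches the Deny; only a request whose principal is in the organization, is an AWS service principal, or matches the exempted ARN gets past this statement. Finally, because the deny is organization-wide, an `s3:*` RCP also governs access to buckets from your own accounts' cross-account workloads, so enumerate legitimate external principals and add them as exemptions before enabling the control rather than after.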
AWS Control Tower’s new RCP-based preventive controls are available in all AWS commercial Regions where AWS Control Tower is available. For a full list of AWS Regions where AWS Control Tower is available, see the AWS Region Table.