AWS Cloud Operations & Migrations Blog

Best practices for applying controls with AWS Control Tower

Enabling effective governance in a multi-account environment and aligning with AWS best practices and common compliance frameworks can be a complex endeavor. Many customers, particularly those operating in regulated industries, face the challenge of investing time and resources in identifying risks and developing their own controls to address service relationships and dependencies. This process can lead to prolonged time-to-value (TTV) for implementing new services.

AWS Control Tower gives customers a comprehensive range of controls across compliance domains, facilitating the establishment of a strong compliance framework. It aligns with AWS best practices and industry standards, enabling accelerated establishment of new services while ensuring compliance. By leveraging these controls, organizations can streamline governance processes and enhance the time-to-value when adopting new services in their AWS environment.

In this blog, we discuss best practices for using controls in AWS Control Tower to help you adhere to your corporate standards and/or regulatory requirements.

Best Practices

  1. Understand and assess your workloads and OUs so you can apply the right controls. You need a detailed understanding of the workloads running in your accounts, the requirements those workloads must meet to achieve their business objectives, and the rationale behind how accounts are grouped into Organizational Units (OUs). This understanding guides the scoping of the necessary controls and ensures a consistent structure that aligns with your workloads and their security requirements.
  2. Consider aligning to an IT compliance framework. AWS Control Tower groups controls by AWS service, control objective, and compliance framework (such as NIST 800-53, CIS AWS Benchmark, PCI-DSS), making it easy to enable controls that achieve specific compliance objectives for customers in regulated industries.
    The alignment with an IT compliance framework can offer valuable benefits to organizations in non-regulated industries as well. While they may not have explicit compliance obligations, adopting such frameworks can help establish a consistent and repeatable foundation for risk management. Additionally, these frameworks extend their advantages to all customers by offering security configuration best practices tailored to their AWS environment.
  3. Understand the behaviors and mechanisms of AWS Control Tower’s controls before enabling them. AWS Control Tower provides comprehensive information about each control, including artifacts that give you full visibility into how the control is implemented.
    • Preventive Controls disallow actions that would lead to violations of your security policies. They are implemented via Service Control Policies (SCPs).
    • Detective Controls detect non-compliance of resources within your accounts, such as policy violations, and provide alerts through the dashboard. The status of a detective control is either clear, in violation, or not enabled, and detective controls are applicable in AWS Regions supported by AWS Control Tower. They are implemented via AWS Config Rules.
    • Proactive Controls scan resources deployed via AWS CloudFormation before provisioning to ensure compliance with that control. Resources that are not compliant will not be provisioned. Proactive controls are implemented using AWS CloudFormation hooks and AWS CloudFormation Guard rules. Each proactive control has an example CloudFormation template artifact that you can use as a reference for positive and negative test cases. The status of a proactive control is PASS, FAIL, or SKIP.
  4. Apply detective controls before considering preventive controls. This enables you to assess and continually improve your security posture by identifying weaknesses or gaps in your architecture. By analyzing these trends, you can implement targeted proactive controls to prevent future compliance issues. For example, enable the detective control “[SH.S3.1] S3 Block Public Access setting should be enabled” which checks whether S3 block public access settings are enabled before enabling the proactive control “[CT.S3.PR.1] Require an Amazon S3 bucket to have block public access settings configured” which prevents non-compliant S3 buckets from being created via AWS CloudFormation.
  5. Test controls on non-production OUs. Sandbox and development environments typically involve more frequent changes and updates compared to production. By applying controls in these lower environments first, you can identify and mitigate potential risks or misconfigurations early on, and reduce the likelihood of these issues being propagated to production environments.
  6. Adopt a proactive approach of continuously monitoring and testing enabled controls. Monitor event logs in Amazon CloudTrail to identify anomalies that could indicate control non-compliance. Conduct automated assessments with AWS Audit Manager to evaluate your resource configurations against common security and compliance frameworks, allowing you to simplify the overall audit management process and focus on addressing control gaps.
    Review access patterns with AWS Identity and Access Management (IAM) Access Analyzer to make informed decisions about which preventive controls to deploy in addition to your IAM specific controls. By thinking beyond a “set it and forget it” mindset, you can instill confidence in the effective enforcement of control objectives.
  7. Adopt a policy-as-code strategy and enforce peer review across the organization. Use AWS Control Tower’s proactive controls, which combine AWS CloudFormation hooks and AWS CloudFormation Guard rules. Policy-as-code provides a more efficient approach to policy enforcement, promoting consistency and automation. It also encourages collaboration between central IT and development teams, which helps remove blockers and provides transparency to developers and engineers.
  8. Adopt a defense-in-depth approach by enabling controls across all behavior categories. AWS Control Tower provides dependency and relationship information for each control. You can establish a multi-layered and resilient compliance posture by evaluating the related controls and activating the ones that are applicable to your environment. Use a combination of preventive controls to protect security baselines, proactive controls to mitigate the risk of non-compliant resources being deployed via AWS CloudFormation, and detective controls to continuously monitor and respond to changes in resources.
    AWS Control Tower integrates with AWS Security Hub to provide additional detective controls via a Security Hub standard, called the Service-Managed Standard: AWS Control Tower. You can pair AWS Security Hub detective controls with AWS Control Tower proactive and preventive controls and manage them together using AWS Control Tower.
  9. Automate the detection and remediation of non-compliant resources. Automating the detection and remediation of security events reduces human effort and minimizes the potential for errors. Leverage the synergy between AWS Control Tower detective controls and AWS Systems Manager Automation. Automation powered by AWS Systems Manager simplifies various maintenance, deployment and remediation tasks, streamlining operations and enhancing efficiency.
  10. Create your own controls to extend capabilities. Should you require additional controls, apart from the AWS Control Tower managed controls, you can leverage resources like Service Control Policies (SCPs) within AWS Organizations, and custom AWS Config rules to define additional policies. You can deploy these policies using AWS CloudFormation templates in your AWS Organization. Furthermore, AWS Config conformance packs offer a general-purpose compliance framework that enhances governance and regulatory compliance within the AWS environment. The packs streamline the deployment of compliance rules at scale by bundling rules and remediation as a single entity. This simplifies the deployment process across your infrastructure.
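To make the PASS / FAIL / SKIP behaviour of proactive controls (item 3) concrete, here is an added example, not AWS Control Tower's own implementation, that evaluates CloudFormation templates the way the page describes for the S3 control named in item 4: every `AWS::S3::Bucket` must have all four Block Public Access flags set to true. The three templates are constructed sample input standing in for the positive and negative test-case artifacts each proactive control ships with.

```python
"""Emulate how a proactive control evaluates a CloudFormation template.

Added example, not AWS Control Tower's own code: it mirrors the stated
behaviour of CT.S3.PR.1 (every AWS::S3::Bucket must block public access)
and reports the PASS / FAIL / SKIP statuses the page describes.
"""
import json

# The four flags that make up S3 Block Public Access; all must be true.
REQUIRED_FLAGS = ("BlockPublicAcls", "BlockPublicPolicy",
                  "IgnorePublicAcls", "RestrictPublicBuckets")


def evaluate_s3_block_public_access(template: dict) -> dict:
    """Return {"status": "PASS" | "FAIL" | "SKIP", "violations": [...]}.
    SKIP: the template declares no S3 bucket, so the control does not apply.
    FAIL: a bucket lacks the configuration or leaves any flag unset.
    PASS: every bucket in the template blocks public access.
    """
    buckets = {name: res for name, res in template.get("Resources", {}).items()
               if res.get("Type") == "AWS::S3::Bucket"}
    if not buckets:
        return {"status": "SKIP", "violations": []}
    violations = []
    for name, res in buckets.items():
        cfg = res.get("Properties", {}).get("PublicAccessBlockConfiguration")
        if not isinstance(cfg, dict):
            violations.append(f"{name}: PublicAccessBlockConfiguration missing")
            continue
        # A flag that is absent, or set to anything other than boolean true,
        # leaves a path to public exposure and therefore fails the check.
        for flag in REQUIRED_FLAGS:
            if cfg.get(flag) is not True:
                violations.append(f"{name}: {flag} must be true")
    return {"status": "FAIL" if violations else "PASS", "violations": violations}


# Constructed sample templates: compliant, non-compliant, and not applicable.
COMPLIANT = json.loads("""{"Resources": {"Logs": {"Type": "AWS::S3::Bucket",
  "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
  "BlockPublicPolicy": true, "IgnorePublicAcls": true,
  "RestrictPublicBuckets": true}}}}}""")
NON_COMPLIANT = json.loads("""{"Resources": {"Site": {"Type": "AWS::S3::Bucket",
  "Properties": {"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
  "BlockPublicPolicy": false, "IgnorePublicAcls": true}}}}}""")
NO_BUCKET = {"Resources": {"Queue": {"Type": "AWS::SQS::Queue"}}}

if __name__ == "__main__":
    for label, tpl in (("compliant", COMPLIANT), ("non-compliant", NON_COMPLIANT),
                       ("no bucket", NO_BUCKET)):
        print(label, evaluate_s3_block_public_access(tpl))
```

Running the non-compliant template reports both the flag explicitly set to false and the flag that is simply missing, which is the case the detective control in item 4 would also surface after deployment.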
By following the best practices for applying AWS Control Tower controls, you will be able to streamline governance processes and enhance the time-to-value when adopting new services in your AWS environment. Furthermore, you will reduce the time it takes to define, map, and manage the controls required to meet your business and compliance objectives.

In addition to applying AWS Control Tower controls, administrators have a responsibility to take a comprehensive approach to balancing governance with agility, and exercise sound security judgement when safeguarding their AWS environment. This entails leveraging additional tools and resources available within the security domain to enhance the overall security posture and address any specific requirements or vulnerabilities that may exist.

In short, by employing a multi-faceted approach, administrators can ensure comprehensive protection and mitigate potential risks effectively.

You can start enabling controls by visiting the Controls Library under the AWS Control Tower service in the AWS Management Console. You can also use the AWS Control Tower API to programmatically manage controls via AWS CloudFormation, AWS Command Line Interface (AWS CLI), AWS SDK, and AWS Cloud Development Kit (AWS CDK). Refer to the tables of control metadata for each control’s unique resource identifier.
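As an added example of the SDK route mentioned above (not AWS's own code), the following function enables a list of controls on one OU in a way that is safe to re-run from a pipeline: it reads the controls already active on the target, submits only the missing ones, and polls the asynchronous operation until it settles. It assumes the `list_enabled_controls`, `enable_control` and `get_control_operation` methods of a boto3 `controltower` client; `FakeControlTower` is a constructed stand-in with the same methods so the code runs offline, and the control and OU ARNs are whatever the caller passes in, taken from the control metadata tables.

```python
"""Enable AWS Control Tower controls on one OU idempotently via the API.
Added example, not AWS's own code. It uses the list_enabled_controls,
enable_control and get_control_operation methods of a boto3 "controltower"
client; FakeControlTower is a constructed stand-in with the same methods so
the script runs offline. Identifiers come from the control metadata tables.
"""
import time


def enable_controls(client, target_ou_arn, control_arns, poll_seconds=0):
    """Enable each control not yet active on the OU; return {arn: status}."""
    already, token = set(), None
    while True:  # ListEnabledControls is paginated
        kwargs = {"targetIdentifier": target_ou_arn}
        if token:
            kwargs["nextToken"] = token
        page = client.list_enabled_controls(**kwargs)
        already |= {c["controlIdentifier"] for c in page["enabledControls"]}
        token = page.get("nextToken")
        if not token:
            break
    results = {}
    for arn in control_arns:
        if arn in already:  # re-runnable: never re-submit an active control
            results[arn] = "ALREADY_ENABLED"
            continue
        op_id = client.enable_control(controlIdentifier=arn,
                                      targetIdentifier=target_ou_arn)["operationIdentifier"]
        status = "IN_PROGRESS"
        while status == "IN_PROGRESS":  # EnableControl is asynchronous
            time.sleep(poll_seconds)
            status = client.get_control_operation(
                operationIdentifier=op_id)["controlOperation"]["status"]
        results[arn] = status  # SUCCEEDED or FAILED
    return results


class FakeControlTower:
    """Constructed in-memory stand-in for boto3.client("controltower")."""
    def __init__(self, enabled=()):
        self.enabled, self.ops = set(enabled), {}
    def list_enabled_controls(self, targetIdentifier, nextToken=None):
        return {"enabledControls": [{"controlIdentifier": c} for c in sorted(self.enabled)]}
    def enable_control(self, controlIdentifier, targetIdentifier):
        op_id = f"op-{len(self.ops)}"
        self.ops[op_id] = ["IN_PROGRESS", "SUCCEEDED"]  # first poll: still running
        self.enabled.add(controlIdentifier)
        return {"operationIdentifier": op_id}
    def get_control_operation(self, operationIdentifier):
        states = self.ops[operationIdentifier]
        return {"controlOperation": {"status": states.pop(0) if len(states) > 1 else states[0]}}
```

With a real client, pass `boto3.client("controltower")` in place of the fake and a non-zero `poll_seconds`; a `FAILED` status carries a `statusMessage` in the same `controlOperation` object that is worth logging.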

For additional guidance on deploying AWS Control Tower controls as infrastructure as code (IaC), refer to “Deploy and manage AWS Control Tower controls by using AWS CDK and AWS CloudFormation” and “Deploy and manage AWS Control Tower controls by using Terraform” in the AWS Prescriptive Guidance catalog.

About the authors

Chezsal Kamaray

Chezsal Kamaray is a Senior Solutions Architect within the High-Tech Vertical at Amazon Web Services. Within this capacity, she strategically engages with enterprise customers to facilitate the development of scalable, secure and resilient architecture on the AWS Cloud. She brings over 15 years of experience in the intricate design and seamless integration of multifaceted cross-functional systems including technical review leadership for various infrastructure projects spanning both on-premises and cloud-based domains. Chezsal holds a Bachelor of Engineering (BEng) in Electronics and Communications Engineering and a Master’s of Science (MSc) in Telecommunications from New Jersey Institute of Technology. In her leisure time, Chezsal indulges in culinary curiosity, trying out new recipes while listening to music.

Matthew Barbieri

Matt Barbieri is a Solutions Architect at AWS, based out of New York City. He helps enterprise customers build solutions on AWS with a focus on compliance, security, and operational excellence. With nearly 10 years of experience as a former AWS customer, he brings a deep understanding of the challenges and opportunities faced by enterprises embarking on their cloud journey.