Comprehensive controls management in AWS Control Tower helps you reduce the time it takes to define, map, and manage the controls required to meet your most common control objectives such as enforcing least privilege, restricting network access, and enforcing data encryption.
Controls are prepackaged governance rules for security, operations, and compliance that you can select and apply enterprise-wide or to specific groups of accounts. A control is expressed in plain English and enforces a specific governance policy for your AWS environment that can be enabled within an AWS Organizations organizational unit (OU). Controls can be detective, preventive, or proactive and can be either mandatory or optional.
Detective controls (for example, Detect whether public read access to Amazon S3 buckets is allowed) continuously monitor deployed resources for nonconformance; they are implemented with AWS Config rules, so they report a violation after the resource exists rather than block its creation. Preventive controls establish intent and prevent deployment of resources that don’t conform to your policies (for example, Enable AWS CloudTrail in all accounts); they are implemented as AWS Organizations service control policies (SCPs), which bind the member accounts in the target OU but never the organization’s management account. Proactive controls use AWS CloudFormation Hooks to identify and block the CloudFormation deployment of resources that are not compliant with the controls you have enabled; because the hook runs inside CloudFormation, resources created directly through the console, CLI, or API are not checked by it and need a preventive or detective control to cover them. Used together, these controls let you disallow actions that lead to policy violations and detect noncompliance of resources at scale. In addition, you get updated configurations and technical documentation so you can more quickly benefit from AWS services and features.
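To make the detective-control example concrete, here is an added, self-contained Python model of the check "Detect whether public read access to Amazon S3 buckets is allowed". It is not AWS Control Tower's or AWS Config's own rule code: it is an illustration that produces an evaluation in the COMPLIANT / NON_COMPLIANT shape an AWS Config custom rule reports, but runs entirely offline against constructed bucket policies and ACL grants. The bucket names, account ID and policy documents below are all invented for the example, and the rule deliberately does not evaluate Condition blocks (a conditional public grant is still flagged), which a production rule would have to refine.

```python
"""Offline model of a detective control: does an S3 bucket allow public read?

Illustrative code added alongside the text above, not AWS's implementation.
Inputs are constructed inline so the module runs without AWS credentials.
"""
import fnmatch
import json

# Canned group URIs whose presence in an ACL grant makes the bucket world-readable.
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACL_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Actions that amount to reading bucket contents; policies may use wildcards for them.
READ_ACTIONS = ("s3:GetObject", "s3:ListBucket")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(pattern, action):
    """IAM action matching is case-insensitive and supports '*' and '?'."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_allows_public_read(policy_document):
    """Return Sids (or indexes) of Allow statements that grant anonymous read.

    Conservative by design: Condition blocks are not evaluated, so a
    conditional public grant is still reported rather than silently passed.
    """
    if not policy_document:
        return []
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    offending = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never grant access
        if not _principal_is_public(stmt.get("Principal")):
            continue
        patterns = _as_list(stmt.get("Action"))
        if any(_action_matches(p, a) for p in patterns for a in READ_ACTIONS):
            offending.append(stmt.get("Sid", f"statement[{idx}]"))
    return offending


def acl_allows_public_read(grants):
    """Return ACL grants that give a public group a read-capable permission."""
    return [g for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES
            and g.get("Permission") in READ_ACL_PERMISSIONS]


def evaluate_bucket(bucket_name, policy_document=None, acl_grants=()):
    """Produce an AWS Config-style evaluation record for one bucket."""
    reasons = [f"bucket policy {sid} grants anonymous read"
               for sid in policy_allows_public_read(policy_document)]
    reasons += [f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
                for g in acl_allows_public_read(list(acl_grants))]
    return {
        "ComplianceResourceType": "AWS::S3::Bucket",
        "ComplianceResourceId": bucket_name,
        "ComplianceType": "NON_COMPLIANT" if reasons else "COMPLIANT",
        "Annotation": "; ".join(reasons) or "no public read grant found",
    }


# Constructed sample buckets (invented names, account ID and policies).
PUBLIC_WEBSITE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-public-site/*"}]}
CROSS_ACCOUNT_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PartnerRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-shared", "arn:aws:s3:::example-shared/*"]}]}
DENY_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
    "Action": "s3:*", "Resource": "arn:aws:s3:::example-private/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
WILDCARD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnyoneGet", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:Get*", "Resource": "arn:aws:s3:::example-wildcard/*"}]}
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
OWNER_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
              "Permission": "FULL_CONTROL"}]
SAMPLE_BUCKETS = {
    "example-public-site": (PUBLIC_WEBSITE_POLICY, OWNER_ACL),
    "example-shared": (CROSS_ACCOUNT_POLICY, OWNER_ACL),
    "example-private": (DENY_ONLY_POLICY, OWNER_ACL),
    "example-legacy-acl": (None, PUBLIC_ACL),
    "example-wildcard": (WILDCARD_POLICY, OWNER_ACL),
}


def run_samples():
    """Evaluate every constructed bucket and map its name to the compliance type."""
    return {name: evaluate_bucket(name, policy, acl)["ComplianceType"]
            for name, (policy, acl) in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for name, (policy, acl) in SAMPLE_BUCKETS.items():
        print(json.dumps(evaluate_bucket(name, policy, acl)))
```

Two design points worth noticing: a Deny statement with Principal "*" is not a public grant and must not trip the rule, and a principal written as {"AWS": "*"} is exactly as public as the bare "*", as is an action wildcard such as s3:Get* that happens to cover s3:GetObject. Running the module prints one evaluation record per constructed bucket; the owner-only ACL and the cross-account policy come back COMPLIANT, the other three NON_COMPLIANT.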