Control Tower includes a number of guardrails to help improve your security posture. Each guardrail is either preventative or detective. Preventative guardrails limit certain actions; they are implemented through AWS Organizations service control policies and are reported as either enforced or not enabled. Detective guardrails find resources in your landing zone that are in a noncompliant state; they are implemented via AWS Config and report resources as clear, in violation, or not enabled.
Review the mandatory guardrails first, then the other guardrails you can enable. The strongly recommended guardrails follow the best practices for a Well-Architected environment; they are disabled by default, but you are strongly encouraged to enable them. There are also elective guardrails that may be suitable for your workload. If you want to add further service control policies, the AWS solution Customizations for AWS Control Tower is a starting point.
AWS Organizations policies allow you to apply additional controls to accounts. In the examples given below the policies are attached to the root, which affects every account in the organization. You can also create specific service control policies for individual organizational units within your organization.
If you are not using Control Tower, it is strongly recommended that you implement the service control policy below to prevent AWS CloudTrail from being disabled.
Note: AWS Control Tower already includes a mandatory guardrail that prevents this.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "cloudtrail:StopLogging",
            "Resource": "*"
        }
    ]
}
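Before attaching a deny-list SCP at the root, it is worth checking exactly which API actions it covers. The following is an added example (not code from the page or from AWS) that evaluates the policy above, plus a constructed broader variant named HARDENED_SCP that also denies the real cloudtrail:DeleteTrail and cloudtrail:UpdateTrail actions, against individual action names using IAM-style case-insensitive wildcard matching; NotAction and Condition handling are assumed out of scope.

```python
import json
import re

# The service control policy from the page, verbatim.
CLOUDTRAIL_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}
  ]
}""")

# Constructed, broader variant for comparison (an assumption, not from the
# page); the added actions are real CloudTrail API actions.
HARDENED_SCP = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "cloudtrail:UpdateTrail"],
    "Resource": "*"
  }]
}""")

def _iam_match(pattern, value):
    """IAM-style match: case-insensitive, '*' any run, '?' one char."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def denying_statements(policy, action, resource="*"):
    """Indices of Deny statements covering `action` on `resource`.
    Only Action/Resource are evaluated; NotAction and Condition blocks are
    out of scope here (a simplification of this illustration)."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Deny":
            continue
        if any(_iam_match(a, action) for a in _as_list(stmt.get("Action"))) and \
           any(_iam_match(r, resource) for r in _as_list(stmt.get("Resource"))):
            hits.append(i)
    return hits

def is_blocked(policy, action):
    """True if an explicit SCP deny applies; an explicit deny always wins."""
    return bool(denying_statements(policy, action))
```

Running is_blocked(CLOUDTRAIL_SCP, "cloudtrail:DeleteTrail") returns False, which shows that the page's policy covers StopLogging only; decide deliberately whether that scope is enough for your landing zone.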