Enable Additional Guardrails

Control Tower guardrails

Control Tower includes a number of guardrails to help improve your security posture. Each guardrail is either preventive or detective. Preventive guardrails block specific actions; they are implemented as AWS Organizations service control policies (SCPs) and report as either enforced or not enabled. Detective guardrails find resources in your landing zone that are in a noncompliant state; they are implemented as AWS Config rules and report each resource as clear, in violation, or not enabled.

Make sure you review the mandatory guardrails, then review the other guardrails you can enable. The strongly recommended guardrails follow best practices for a Well-Architected environment; they are disabled by default, and you are strongly encouraged to enable them. There are also elective guardrails to consider, which may be suitable for your workload. If you want to add further service control policies beyond the guardrails, the AWS solution Customizations for AWS Control Tower provides a starting point.

Service Control Policies

AWS Organizations service control policies (SCPs) allow you to apply additional controls to accounts. SCPs set the maximum permissions available in an account; they never grant permissions, and they do not apply to the organization's management account. In the example given below the policy is attached to the organization root, which affects every member account in the organization. You can also create separate service control policies for individual organizational units; an action is permitted in an account only if the SCPs at every level above it (root, each OU, and the account) allow it.

Walkthrough for a non-Control Tower environment

If you are not using Control Tower, it is strongly recommended that you implement the service control policy below to prevent AWS CloudTrail logging from being stopped in any member account.

  1. Navigate to the AWS Organizations console and select the Policies tab, then Service control policies
  2. Click Create policy
  3. Enter a name for your policy and paste the policy JSON below into the policy editor
  4. Click Create policy
  5. Select the policy you have just created and, in the right-hand panel, select the organization Root
  6. Click Attach to attach the policy to your organization's root

Policy to prevent users disabling CloudTrail

Note: AWS Control Tower already includes a mandatory guardrail preventing this

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Deny",
        "Action": "cloudtrail:StopLogging",
        "Resource": "*"
      }
    ]
  }

This policy denies only cloudtrail:StopLogging. A trail can also be silenced by deleting it (cloudtrail:DeleteTrail) or reconfigured to log somewhere else or to log fewer events (cloudtrail:UpdateTrail, cloudtrail:PutEventSelectors); consider adding those actions to the same Deny statement. Because SCPs do not apply to the management account, CloudTrail in that account is not protected by this policy, so limit who can sign in to it. After attaching, confirm the policy works by attempting aws cloudtrail stop-logging from a member account role and checking that it is denied.
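The following Python is an added example, not code from the page or from AWS. It models how Organizations evaluates SCPs (an action passes a level only if an Allow statement matches and no Deny statement does, every level from root to account must pass, and the management account is exempt) and uses that model to show which CloudTrail tampering actions the StopLogging-only policy above still permits, compared with an assumed broader policy. The broader action list, the default FullAWSAccess policy, and the omission of Condition and NotAction handling are assumptions of this example.

```python
"""Model SCP evaluation for the deny-StopLogging policy (added example)."""
import fnmatch

# Constructed policies. DENY_STOP_LOGGING is the page's policy written out in
# full; DENY_CLOUDTRAIL_TAMPERING is an assumed extension that also blocks the
# other ways a trail can be silenced or redirected.
DENY_STOP_LOGGING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}
    ],
}

DENY_CLOUDTRAIL_TAMPERING = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "cloudtrail:StopLogging",
                "cloudtrail:DeleteTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
            ],
            "Resource": "*",
        }
    ],
}

# The FullAWSAccess SCP that Organizations attaches by default at every level.
FULL_AWS_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Actions used to blind CloudTrail (assumed list); used to report what a policy misses.
TAMPERING_ACTIONS = [
    "cloudtrail:StopLogging",
    "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail",
    "cloudtrail:PutEventSelectors",
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names match case-insensitively; * and ? are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def scp_allows(policies, action):
    """Return True if `action` survives the SCPs attached at one level.

    Simplified model (assumption): an action passes a level when at least one
    Allow statement matches it and no Deny statement matches it. Condition
    and NotAction are not modelled.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "NotAction" in stmt or "Condition" in stmt:
                raise NotImplementedError("NotAction/Condition not modelled")
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if stmt["Effect"] == "Deny":
                return False  # an explicit Deny always wins
            allowed = True
    return allowed


def effective_allows(levels, action, management_account=False):
    """Evaluate inherited SCPs: levels is [root_policies, ou_policies, ..., account_policies].

    An action is permitted only if every level allows it. SCPs never apply
    to the organization's management account, so it is always permitted there.
    """
    if management_account:
        return True
    return all(scp_allows(policies, action) for policies in levels)


def remaining_gaps(scp):
    """Tampering actions still permitted in a member account with `scp` at the root."""
    levels = [[FULL_AWS_ACCESS, scp]]
    return [a for a in TAMPERING_ACTIONS if effective_allows(levels, a)]


if __name__ == "__main__":
    print("still allowed with deny-StopLogging only:", remaining_gaps(DENY_STOP_LOGGING))
    print("still allowed with the broader deny     :", remaining_gaps(DENY_CLOUDTRAIL_TAMPERING))
```

To deploy the policy from the CLI instead of the console, save the JSON to a file and run aws organizations create-policy --type SERVICE_CONTROL_POLICY --name DenyCloudTrailStopLogging --description "Deny stopping CloudTrail" --content file://policy.json (the name and description are placeholders), get the root ID from aws organizations list-roots, then run aws organizations attach-policy --policy-id <PolicyId> --target-id <RootId>.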