Overview

  • High-level rules for governance of multi-account environment
    • Ongoing governance for entire AWS environment
  • Expressed in plain language
  • Applies to entire OU and all accounts within
  • Preventative controls—stop actions, always compliant (except for accounts imported into Control Tower)
    • Implemented with SCPs
    • States: enforced, not enabled
    • Available in all regions
  • Detective controls—detect noncompliance of resources, notify on issues, can be noncompliant
    • Implemented with AWS Config Rules
    • States: clear, in violation, not enabled
    • Available in Control Tower-enabled regions only
  • Guidance—mandatory, strongly recommended, elective
  • Compliance—visible in Control Tower console
    • Notifications via SNS and email—noisy, filter with Lambda or Event Bridge

Graph View